Commit a461b2fe authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'ipsec-2025-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 

Steffen Klassert says:

====================
pull request (net): ipsec 2025-09-22

1) Fix 0 assignment for SPIs. 0 is not a valid SPI,
   it means no SPI assigned.

2) Fix offloading for inter address family tunnels.

* tag 'ipsec-2025-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  xfrm: fix offloading of cross-family tunnels
  xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
====================

Link: https://patch.msgid.link/20250922073512.62703-1-steffen.klassert@secunet.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 91fc6177 91d8a53d

net/xfrm/xfrm_device.c

+1 −1
Original line number Diff line number Diff line
@@ -438,7 +438,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) 


	check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&

			    x->props.mode == XFRM_MODE_TUNNEL;

	switch (x->props.family) {

	switch (x->inner_mode.family) {

	case AF_INET:

		/* Check for IPv4 options */

		if (ip_hdr(skb)->ihl != 5)

net/xfrm/xfrm_state.c

+3 −0
Original line number Diff line number Diff line
@@ -2583,6 +2583,8 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high, 


	for (h = 0; h < range; h++) {

		u32 spi = (low == high) ? low : get_random_u32_inclusive(low, high);

		if (spi == 0)

			goto next;

		newspi = htonl(spi);



		spin_lock_bh(&net->xfrm.xfrm_state_lock);
@@ -2598,6 +2600,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high, 
		xfrm_state_put(x0);

		spin_unlock_bh(&net->xfrm.xfrm_state_lock);



next:

		if (signal_pending(current)) {

			err = -ERESTARTSYS;

			goto unlock;