Commit d0de6167 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'ipsec-2024-05-02' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 

Steffen Klassert says:

====================
pull request (net): ipsec 2024-05-02

1) Fix an error pointer dereference in xfrm_in_fwd_icmp.
   From Antony Antony.

2) Preserve vlan tags for ESP transport mode software GRO.
   From Paul Davey.

3) Fix a spelling mistake in an uapi xfrm.h comment.
   From Anotny Antony.

* tag 'ipsec-2024-05-02' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  xfrm: Correct spelling mistake in xfrm.h comment
  xfrm: Preserve vlan tags for transport mode software GRO
  xfrm: fix possible derferencing in error path
====================

Link: https://lore.kernel.org/r/20240502084838.2269355-1-steffen.klassert@secunet.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents f2d85904 b6d2e438

include/linux/skbuff.h

+15 −0
Original line number Diff line number Diff line
@@ -3031,6 +3031,21 @@ static inline void skb_mac_header_rebuild(struct sk_buff *skb) 
	}

}



/* Move the full mac header up to current network_header.

 * Leaves skb->data pointing at offset skb->mac_len into the mac_header.

 * Must be provided the complete mac header length.

 */

static inline void skb_mac_header_rebuild_full(struct sk_buff *skb, u32 full_mac_len)

{

	if (skb_mac_header_was_set(skb)) {

		const unsigned char *old_mac = skb_mac_header(skb);



		skb_set_mac_header(skb, -full_mac_len);

		memmove(skb_mac_header(skb), old_mac, full_mac_len);

		__skb_push(skb, full_mac_len - skb->mac_len);

	}

}



static inline int skb_checksum_start_offset(const struct sk_buff *skb)

{

	return skb->csum_start - skb_headroom(skb);

include/net/xfrm.h

+3 −0
Original line number Diff line number Diff line
@@ -1049,6 +1049,9 @@ struct xfrm_offload { 
#define CRYPTO_INVALID_PACKET_SYNTAX		64

#define CRYPTO_INVALID_PROTOCOL			128



	/* Used to keep whole l2 header for transport mode GRO */

	__u32			orig_mac_len;



	__u8			proto;

	__u8			inner_ipproto;

};

include/uapi/linux/xfrm.h

+1 −1
Original line number Diff line number Diff line
@@ -228,7 +228,7 @@ enum { 
#define XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE)



/*

 * Generic LSM security context for comunicating to user space

 * Generic LSM security context for communicating to user space

 * NOTE: Same format as sadb_x_sec_ctx

 */

struct xfrm_user_sec_ctx {

net/ipv4/xfrm4_input.c

+5 −1
Original line number Diff line number Diff line
@@ -63,7 +63,11 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async) 
	ip_send_check(iph);



	if (xo && (xo->flags & XFRM_GRO)) {

		skb_mac_header_rebuild(skb);

		/* The full l2 header needs to be preserved so that re-injecting the packet at l2

		 * works correctly in the presence of vlan tags.

		 */

		skb_mac_header_rebuild_full(skb, xo->orig_mac_len);

		skb_reset_network_header(skb);

		skb_reset_transport_header(skb);

		return 0;

	}

net/ipv6/xfrm6_input.c

+5 −1
Original line number Diff line number Diff line
@@ -58,7 +58,11 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async) 
	skb_postpush_rcsum(skb, skb_network_header(skb), nhlen);



	if (xo && (xo->flags & XFRM_GRO)) {

		skb_mac_header_rebuild(skb);

		/* The full l2 header needs to be preserved so that re-injecting the packet at l2

		 * works correctly in the presence of vlan tags.

		 */

		skb_mac_header_rebuild_full(skb, xo->orig_mac_len);

		skb_reset_network_header(skb);

		skb_reset_transport_header(skb);

		return 0;

	}