Commit c04fdca8 authored by Paolo Abeni
Steffen Klassert says:

====================
pull request (net): ipsec 2025-08-11

1) Fix flushing of all states in xfrm_state_fini.
   From Sabrina Dubroca.

2) Fix some IPsec software offload features. These
   got lost with some recent HW offload changes.
   From Sabrina Dubroca.

Please pull or let me know if there are problems.

* tag 'ipsec-2025-08-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  udp: also consider secpath when evaluating ipsec use for checksumming
  xfrm: bring back device check in validate_xmit_xfrm
  xfrm: restore GSO for SW crypto
  xfrm: flush all states in xfrm_state_fini
====================

Link: https://patch.msgid.link/20250811092008.731573-1-steffen.klassert@secunet.com


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents 74078816 d8369183
+1 −1
@@ -217,7 +217,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
	remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
	skb->remcsum_offload = remcsum;

	need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
	need_ipsec = (skb_dst(skb) && dst_xfrm(skb_dst(skb))) || skb_sec_path(skb);
	/* Try to offload checksum if possible */
	offload_csum = !!(need_csum &&
			  !need_ipsec &&
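Review bot: The widened `need_ipsec` assignment has no comment explaining why a secpath alone is enough to count as IPsec use, so the extra `|| skb_sec_path(skb)` reads as redundant next to the dst test. Presumably a packet that xfrm has already handled can still carry its secpath when its dst no longer has an xfrm state attached; if that is the reason, record it above the assignment, e.g. `/* dst_xfrm() may be gone once xfrm has run; a secpath still marks the skb as IPsec */`. The result feeds straight into `offload_csum` through `!need_ipsec`, so a later simplification of this line would silently re-enable checksum offload for those packets. The body of __skb_udp_tunnel_segment starts and ends outside the hunk.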
+1 −1
@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
	unsigned int i;

	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
	xfrm_state_flush(net, 0, false);
	xfrm_flush_gc();

	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
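Review bot: The bare `0` now passed as the protocol argument of `xfrm_state_flush()` in xfrm6_tunnel_net_exit is a magic number, and the same literal is introduced in the xfrm_state_fini hunk. Going by the commit title, 0 is meant to match every state where IPSEC_PROTO_ANY matched only a subset, but neither call site says so, and a later cleanup could put the named constant back. Add a comment at both calls, e.g. `/* proto 0 matches every state, not only the protocols covered by IPSEC_PROTO_ANY */`. In xfrm_state_fini this matters because `WARN_ON(!list_empty(&net->xfrm.state_all))` a few lines below the flush fires on any state left behind.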
+9 −3
@@ -155,7 +155,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
		return skb;
	}

	if (skb_is_gso(skb) && unlikely(xmit_xfrm_check_overflow(skb))) {
	if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
				unlikely(xmit_xfrm_check_overflow(skb)))) {
		struct sk_buff *segs;

		/* Packet got rerouted, fixup features and segment it. */
@@ -415,10 +416,12 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
	struct net_device *dev = x->xso.dev;
	bool check_tunnel_size;

	if (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
	if (!x->type_offload ||
	    (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap))
		return false;

	if ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm) {
	if ((!dev || dev == xfrm_dst_path(dst)->dev) &&
	    !xdst->child->xfrm) {
		mtu = xfrm_state_mtu(x, xdst->child_mtu_cached);
		if (skb->len <= mtu)
			goto ok;
@@ -430,6 +433,9 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
	return false;

ok:
	if (!dev)
		return true;

	check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
			    x->props.mode == XFRM_MODE_TUNNEL;
	switch (x->props.family) {
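Review bot: In xfrm_dev_offload_ok, `dev` (read from `x->xso.dev`) may now be NULL on the MTU branch, and the only thing keeping a NULL `dev` away from the code after `ok:` is the new `if (!dev) return true;`. That invariant is not written down; a comment at the guard such as `/* no offload device (presumably software crypto): nothing below may dereference dev */` would stop a later edit from moving a use of `dev` above it. The lines between the MTU block and `return false`, and the body of the `switch`, are outside the hunks, so it is worth confirming that nothing reachable with `dev == NULL` reads through the pointer.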
+1 −1
@@ -3297,7 +3297,7 @@ void xfrm_state_fini(struct net *net)
	unsigned int sz;

	flush_work(&net->xfrm.state_hash_work);
	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
	xfrm_state_flush(net, 0, false);
	flush_work(&xfrm_state_gc_work);

	WARN_ON(!list_empty(&net->xfrm.state_all));