diff mbox series

xfrm: Allow transport-mode states with AF_UNSPEC selector

Message ID Y/RceGnV2JLvRmXC@gondor.apana.org.au (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series xfrm: Allow transport-mode states with AF_UNSPEC selector | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 103 this patch: 103
netdev/cc_maintainers warning 3 maintainers not CCed: edumazet@google.com pabeni@redhat.com kuba@kernel.org
netdev/build_clang success Errors and warnings before: 1 this patch: 1
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 103 this patch: 103
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Herbert Xu Feb. 21, 2023, 5:54 a.m. UTC 
On Tue, Feb 21, 2023 at 12:05:26PM +0800, Herbert Xu wrote:
> 
> OK I wasn't aware of this.  This definitely looks buggy.  We need
> to fix this bogus check.

It looks like I actually added this bogus check :)

Does this patch work for you?

---8<---
xfrm state selectors are matched against the inner-most flow
which can be of any address family.  Therefore middle states
in nested configurations need to carry a wildcard selector in
order to work at all.

However, this is currently forbidden for transport-mode states.

Fix this by removing the unnecessary check.

Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode")
Reported-by: David George <David.George@sophos.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Comments

Steffen Klassert Feb. 27, 2023, 11:15 a.m. UTC | #1 
On Tue, Feb 21, 2023 at 01:54:00PM +0800, Herbert Xu wrote:
> On Tue, Feb 21, 2023 at 12:05:26PM +0800, Herbert Xu wrote:
> > 
> > OK I wasn't aware of this.  This definitely looks buggy.  We need
> > to fix this bogus check.
> 
> It looks like I actually added this bogus check :)
> 
> Does this patch work for you?
> 
> ---8<---
> xfrm state selectors are matched against the inner-most flow
> which can be of any address family.  Therefore middle states
> in nested configurations need to carry a wildcard selector in
> order to work at all.
> 
> However, this is currently forbidden for transport-mode states.
> 
> Fix this by removing the unnecessary check.
> 
> Fixes: 13996378e658 ("[IPSEC]: Rename mode to outer_mode and add inner_mode")
> Reported-by: David George <David.George@sophos.com>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Patch applied, thanks a lot Herbert!
diff mbox series

Patch

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 89c731f4f0c7..6f53841cd162 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2815,11 +2815,6 @@  int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
 			goto error;
 		}
 
-		if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
-			NL_SET_ERR_MSG(extack, "Only tunnel modes can accommodate an AF_UNSPEC selector");
-			goto error;
-		}
-
 		x->inner_mode = *inner_mode;
 
 		if (x->props.family == AF_INET)