From patchwork Wed Mar 6 10:04:34 2024
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 13583741
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 1/5] xfrm: Clear low order bits of ->flowi4_tos in decode_session4().
Date: Wed, 6 Mar 2024 11:04:34 +0100
Message-ID: <20240306100438.3953516-2-steffen.klassert@secunet.com>
In-Reply-To: <20240306100438.3953516-1-steffen.klassert@secunet.com>
References: <20240306100438.3953516-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Guillaume Nault

Commit 23e7b1bfed61 ("xfrm: Don't accidentally set RTO_ONLINK in decode_session4()") fixed a problem where decode_session4() could erroneously set the RTO_ONLINK flag for IPv4 route lookups. This problem was reintroduced when decode_session4() was modified to use the flow dissector.

Fix this by clearing again the two low order bits of ->flowi4_tos. Found by code inspection, compile tested only.

Fixes: 7a0207094f1b ("xfrm: policy: replace session decode with flow dissector")
Signed-off-by: Guillaume Nault
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_policy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 1b7e75159727..7351f32052dc 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -3416,7 +3416,7 @@ decode_session4(const struct xfrm_flow_keys *flkeys, struct flowi *fl, bool reve } fl4->flowi4_proto = flkeys->basic.ip_proto; - fl4->flowi4_tos = flkeys->ip.tos; + fl4->flowi4_tos = flkeys->ip.tos & ~INET_ECN_MASK; } #if IS_ENABLED(CONFIG_IPV6)

From patchwork Wed Mar 6 10:04:35 2024
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 13583742
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 2/5] xfrm: Pass UDP encapsulation in TX packet offload
Date: Wed, 6 Mar 2024 11:04:35 +0100
Message-ID: <20240306100438.3953516-3-steffen.klassert@secunet.com>
In-Reply-To: <20240306100438.3953516-1-steffen.klassert@secunet.com>
References: <20240306100438.3953516-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Leon Romanovsky

In addition to cited commit in Fixes line, allow UDP encapsulation in TX path too.

Fixes: 89edf40220be ("xfrm: Support UDP encapsulation in packet offload mode")
CC: Steffen Klassert
Reported-by: Mike Yu
Signed-off-by: Leon Romanovsky
Signed-off-by: Saeed Mahameed
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 3784534c9185..653e51ae3964 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c
@@ -407,7 +407,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x) struct xfrm_dst *xdst = (struct xfrm_dst *)dst; struct net_device *dev = x->xso.dev; - if (!x->type_offload || x->encap) + if (!x->type_offload) return false; if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET ||

From patchwork Wed Mar 6 10:04:36 2024
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 13583743
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 3/5] xfrm: Avoid clang fortify warning in copy_to_user_tmpl()
Date: Wed, 6 Mar 2024 11:04:36 +0100
Message-ID: <20240306100438.3953516-4-steffen.klassert@secunet.com>
In-Reply-To: <20240306100438.3953516-1-steffen.klassert@secunet.com>
References: <20240306100438.3953516-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Nathan Chancellor

After a couple recent changes in LLVM, there is a warning (or error with CONFIG_WERROR=y or W=e) from the compile time fortify source routines, specifically the memset() in copy_to_user_tmpl().

  In file included from net/xfrm/xfrm_user.c:14:
  ...
  include/linux/fortify-string.h:438:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
    438 | __write_overflow_field(p_size_field, size);
        | ^
  1 error generated.

While ->xfrm_nr has been validated against XFRM_MAX_DEPTH when its value is first assigned in copy_templates() by calling validate_tmpl() first (so there should not be any issue in practice), LLVM/clang cannot really deduce that across the boundaries of these functions. Without that knowledge, it cannot assume that the loop stops before i is greater than XFRM_MAX_DEPTH, which would indeed result in a stack buffer overflow in the memset().

To make the bounds of ->xfrm_nr clear to the compiler and add additional defense in case copy_to_user_tmpl() is ever used in a path where ->xfrm_nr has not been properly validated against XFRM_MAX_DEPTH first, add an explicit bound check and early return, which clears up the warning.

Cc: stable@vger.kernel.org
Link: https://github.com/ClangBuiltLinux/linux/issues/1985
Signed-off-by: Nathan Chancellor
Reviewed-by: Kees Cook
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index ad01997c3aa9..444e58bc3f44 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -2017,6 +2017,9 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb) if (xp->xfrm_nr == 0) return 0; + if (xp->xfrm_nr > XFRM_MAX_DEPTH) + return -ENOBUFS; + for (i = 0; i < xp->xfrm_nr; i++) { struct xfrm_user_tmpl *up = &vec[i]; struct xfrm_tmpl *kp = &xp->xfrm_vec[i];

From patchwork Wed Mar 6 10:04:37 2024
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 13583739
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 4/5] xfrm: fix xfrm child route lookup for packet offload
Date: Wed, 6 Mar 2024 11:04:37 +0100
Message-ID: <20240306100438.3953516-5-steffen.klassert@secunet.com>
In-Reply-To: <20240306100438.3953516-1-steffen.klassert@secunet.com>
References: <20240306100438.3953516-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Mike Yu

In current code, xfrm_bundle_create() always uses the matched SA's family type to look up a xfrm child route for the skb. The route returned by xfrm_dst_lookup() will eventually be used in xfrm_output_resume() (skb_dst(skb)->ops->local_out()).

If packet offload is used, the above behavior can lead to calling ip_local_out() for an IPv6 packet or calling ip6_local_out() for an IPv4 packet, which is likely to fail.

This change fixes the behavior by checking if the matched SA has packet offload enabled. If not, keep the same behavior; if yes, use the matched SP's family type for the lookup.

Test: verified IPv6-in-IPv4 packets on Android device with IPsec packet offload enabled
Signed-off-by: Mike Yu
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_policy.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 7351f32052dc..da6ecc6b3e15 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -2694,7 +2694,9 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy, if (xfrm[i]->props.smark.v || xfrm[i]->props.smark.m) mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]); - family = xfrm[i]->props.family; + if (xfrm[i]->xso.type != XFRM_DEV_OFFLOAD_PACKET) + family = xfrm[i]->props.family; + oif = fl->flowi_oif ? : fl->flowi_l3mdev; dst = xfrm_dst_lookup(xfrm[i], tos, oif, &saddr, &daddr, family, mark);

From patchwork Wed Mar 6 10:04:38 2024
X-Patchwork-Submitter: Steffen Klassert
X-Patchwork-Id: 13583744
X-Patchwork-Delegate: kuba@kernel.org
From: Steffen Klassert
To: David Miller, Jakub Kicinski
CC: Herbert Xu, Steffen Klassert
Subject: [PATCH 5/5] xfrm: set skb control buffer based on packet offload as well
Date: Wed, 6 Mar 2024 11:04:38 +0100
Message-ID: <20240306100438.3953516-6-steffen.klassert@secunet.com>
In-Reply-To: <20240306100438.3953516-1-steffen.klassert@secunet.com>
References: <20240306100438.3953516-1-steffen.klassert@secunet.com>
X-Mailing-List: netdev@vger.kernel.org

From: Mike Yu

In packet offload, packets are not encrypted in XFRM stack, so the next network layer which the packets will be forwarded to should depend on where the packet came from (either xfrm4_output or xfrm6_output) rather than the matched SA's family type.

Test: verified IPv6-in-IPv4 packets on Android device with IPsec packet offload enabled
Signed-off-by: Mike Yu
Signed-off-by: Steffen Klassert
--- net/xfrm/xfrm_output.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 662c83beb345..e5722c95b8bb 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c
@@ -704,9 +704,13 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) { struct net *net = dev_net(skb_dst(skb)->dev); struct xfrm_state *x = skb_dst(skb)->xfrm; + int family; int err; - switch (x->outer_mode.family) { + family = (x->xso.type != XFRM_DEV_OFFLOAD_PACKET) ? x->outer_mode.family + : skb_dst(skb)->ops->family; + + switch (family) { case AF_INET: memset(IPCB(skb), 0, sizeof(*IPCB(skb))); IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
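
Review bot: In [PATCH 1/5], the masked assignment `fl4->flowi4_tos = flkeys->ip.tos & ~INET_ECN_MASK;` in decode_session4() carries no comment, and the commit message says this masking was already lost once when the function was converted to the flow dissector. A one-line comment above the assignment, stating that the two low-order bits are cleared so the IPv4 route lookup does not see RTO_ONLINK, would make the next refactor less likely to drop it again. The message also says the change was compile tested only, so a runtime check of a lookup with those TOS bits set would be worth having before merge.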
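
Review bot: In [PATCH 2/5], dropping `|| x->encap` from the first test in xfrm_dev_offload_ok() lifts the restriction for every offload type, while the subject and the Fixes: commit are only about packet offload. The next visible line already distinguishes `x->xso.type == XFRM_DEV_OFFLOAD_PACKET`; if states of other offload types with UDP encapsulation should still be refused here, keep the encap check for them and skip it only for packet offload. The commit message would also benefit from saying what failed on the TX path before this change.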
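
Review bot: In [PATCH 3/5], the new `if (xp->xfrm_nr > XFRM_MAX_DEPTH) return -ENOBUFS;` in copy_to_user_tmpl() reports an ordinary buffer-space error for a condition that the commit message says validate_tmpl() already rules out. Add a short comment saying the check bounds the loop that indexes vec[] and is not expected to trigger, and consider wrapping the condition in WARN_ON_ONCE() so that a caller which skipped validation is noticed rather than reported as a buffer shortage.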
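
Review bot: In [PATCH 4/5], once the assignment in xfrm_bundle_create() is conditional, `family` keeps whatever it held before whenever `xfrm[i]->xso.type` is XFRM_DEV_OFFLOAD_PACKET, and the hunk shows neither its initial value nor a reset per loop iteration. The commit message says the matched SP's family is to be used in that case, so an explicit else branch assigning the policy's family would make that hold even when an earlier state in the same bundle was not packet offload and already overwrote `family`. A comment on the new test explaining why packet offload differs would also help.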
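
Review bot: In [PATCH 5/5], the ternary in xfrm_output() takes the family from `skb_dst(skb)->ops->family`, while the commit message speaks of where the packet came from (xfrm4_output or xfrm6_output), and no comment ties the two together. Add one above the assignment. The `xso.type != XFRM_DEV_OFFLOAD_PACKET` test now also appears in xfrm_bundle_create() in patch 4/5, so a small shared helper would keep both family selections in step, and writing the condition positively (packet offload first, `x->outer_mode.family` as the fallback) would read more easily.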