From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 6/8] xfrm: Clear RX SKB secpath xfrm_offload
Date: Mon, 21 Aug 2017 07:49:31 +0200 [thread overview]
Message-ID: <1503294573-10206-7-git-send-email-steffen.klassert@secunet.com> (raw)
In-Reply-To: <1503294573-10206-1-git-send-email-steffen.klassert@secunet.com>
From: Ilan Tayari <ilant@mellanox.com>
If an incoming packet undergoes XFRM crypto-offload, its secpath is
filled with xfrm_offload struct denoting offload information.
If the SKB is then forwarded to a device which supports crypto-
offload, the stack wrongfully attempts to offload it (even though
the output SA may not exist on the device) due to the leftover
secpath xo.
Clear the ingress xo by zeroizing secpath->olen just before
delivering the decapsulated packet to the network stack.
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Ilan Tayari <ilant@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_input.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 923205e..f07eec5 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -424,6 +424,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
nf_reset(skb);
if (decaps) {
+ skb->sp->olen = 0;
skb_dst_drop(skb);
gro_cells_receive(&gro_cells, skb);
return 0;
@@ -434,6 +435,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
if (xfrm_gro) {
+ skb->sp->olen = 0;
skb_dst_drop(skb);
gro_cells_receive(&gro_cells, skb);
return err;
--
2.7.4
next prev parent reply other threads:[~2017-08-21 5:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-21 5:49 pull request (net-next): ipsec-next 2017-08-21 Steffen Klassert
2017-08-21 5:49 ` [PATCH 1/8] esp4: Support RX checksum with crypto offload Steffen Klassert
2017-08-21 5:49 ` [PATCH 2/8] esp6: " Steffen Klassert
2017-08-21 5:49 ` [PATCH 3/8] xfrm6: Fix CHECKSUM_COMPLETE after IPv6 header push Steffen Klassert
2017-08-21 5:49 ` [PATCH 4/8] esp6: Fix RX checksum after header pull Steffen Klassert
2017-08-21 5:49 ` [PATCH 5/8] xfrm: Auto-load xfrm offload modules Steffen Klassert
2017-08-21 5:49 ` Steffen Klassert [this message]
2017-08-21 5:49 ` [PATCH 7/8] net: Allow IPsec GSO for local sockets Steffen Klassert
2017-08-21 5:49 ` [PATCH 8/8] net: xfrm: support setting an output mark Steffen Klassert
2017-08-21 16:30 ` pull request (net-next): ipsec-next 2017-08-21 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1503294573-10206-7-git-send-email-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.