* [PATCH V2 ipsec-next 0/2] xfrm: bug fixes when processing multiple transforms
From: Sowmini Varadhan @ 2018-09-03 11:36 UTC (permalink / raw)
  To: netdev, steffen.klassert; +Cc: davem, sowmini.varadhan

This series contains bug fixes that were encountered when I set
up a libreswan tunnel using the config below, which will set up
an IPsec policy involving 2 tmpls.

    type=transport
    compress=yes
    esp=aes_gcm_c-128-null # offloaded to Niantic
    auto=start

The non-offload test case uses esp=aes_gcm_c-256-null.

Each patch has a technical description of the contents of the fix.

V2: added Fixes tag so that it can be backported to the stable trees.

Sowmini Varadhan (2):
  xfrm: reset transport header back to network header after all input
    transforms have been applied
  xfrm: reset crypto_done when iterating over multiple input xfrms

 net/ipv4/xfrm4_input.c          |    1 +
 net/ipv4/xfrm4_mode_transport.c |    4 +---
 net/ipv6/xfrm6_input.c          |    1 +
 net/ipv6/xfrm6_mode_transport.c |    4 +---
 net/xfrm/xfrm_input.c           |    1 +
 5 files changed, 5 insertions(+), 6 deletions(-)


* [PATCH V2 ipsec-next 1/2] xfrm: reset transport header back to network header after all input transforms have been applied
From: Sowmini Varadhan @ 2018-09-03 11:36 UTC (permalink / raw)
  To: netdev, steffen.klassert; +Cc: davem, sowmini.varadhan

A policy may have been set up with multiple transforms (e.g., ESP
and ipcomp). In this situation, the ingress IPsec processing
iterates in xfrm_input() and applies each transform in turn,
processing the nexthdr to find any additional xfrm that may apply.

This patch resets the transport header back to network header
only after the last transformation so that subsequent xfrms
can find the correct transport header.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Suggested-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
v2: added "Fixes" tag

 net/ipv4/xfrm4_input.c          |    1 +
 net/ipv4/xfrm4_mode_transport.c |    4 +---
 net/ipv6/xfrm6_input.c          |    1 +
 net/ipv6/xfrm6_mode_transport.c |    4 +---
 4 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index bcfc00e..f8de248 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
 
 	if (xo && (xo->flags & XFRM_GRO)) {
 		skb_mac_header_rebuild(skb);
+		skb_reset_transport_header(skb);
 		return 0;
 	}
 
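Review bot: The added skb_reset_transport_header(skb) in the XFRM_GRO branch of xfrm4_transport_finish() carries no comment, and its effect depends on where skb->data points when the branch is reached, which is set outside this hunk. skb_reset_transport_header() records the current skb->data offset as the transport header, so a one-line comment stating that skb->data is at the network header here, and that this puts the header back for the GRO path after the now unconditional reset in xfrm4_transport_input(), would make the intent checkable from this function alone.
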
diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c
index 3d36644..1ad2c2c 100644
--- a/net/ipv4/xfrm4_mode_transport.c
+++ b/net/ipv4/xfrm4_mode_transport.c
@@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb)
 static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 {
 	int ihl = skb->data - skb_transport_header(skb);
-	struct xfrm_offload *xo = xfrm_offload(skb);
 
 	if (skb->transport_header != skb->network_header) {
 		memmove(skb_transport_header(skb),
@@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 		skb->network_header = skb->transport_header;
 	}
 	ip_hdr(skb)->tot_len = htons(skb->len + ihl);
-	if (!xo || !(xo->flags & XFRM_GRO))
-		skb_reset_transport_header(skb);
+	skb_reset_transport_header(skb);
 	return 0;
 }
 
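Review bot: Dropping the `!xo || !(xo->flags & XFRM_GRO)` guard at the end of xfrm4_transport_input() is only correct for GRO packets because xfrm4_transport_finish() now resets the transport header again in its XFRM_GRO branch. That pairing is implicit across two files; please add a short comment above skb_reset_transport_header(skb) here saying the transport header is set to skb->data so that a following transform can find it, and that the GRO case is fixed up in xfrm4_transport_finish(). The commit message describes the final reset but not this unconditional one.
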
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 841f4a0..9ef490d 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
 
 	if (xo && (xo->flags & XFRM_GRO)) {
 		skb_mac_header_rebuild(skb);
+		skb_reset_transport_header(skb);
 		return -1;
 	}
 
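Review bot: The XFRM_GRO branch of xfrm6_transport_finish() returns -1 where the IPv4 counterpart returns 0, so the two branches are not line-for-line equivalent, and neither the commit message nor the libreswan config in the cover letter says whether the IPv6 path was exercised. Please state in the commit message whether the two-transform case (ESP plus ipcomp) was tested over IPv6, with and without offload, or mark the IPv6 half as compile-tested only.
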
diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
index 9ad07a9..3c29da5 100644
--- a/net/ipv6/xfrm6_mode_transport.c
+++ b/net/ipv6/xfrm6_mode_transport.c
@@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
 static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 {
 	int ihl = skb->data - skb_transport_header(skb);
-	struct xfrm_offload *xo = xfrm_offload(skb);
 
 	if (skb->transport_header != skb->network_header) {
 		memmove(skb_transport_header(skb),
@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
 	}
 	ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
 					   sizeof(struct ipv6hdr));
-	if (!xo || !(xo->flags & XFRM_GRO))
-		skb_reset_transport_header(skb);
+	skb_reset_transport_header(skb);
 	return 0;
 }
 
-- 
1.7.1


* [PATCH V2 ipsec-next 2/2] xfrm: reset crypto_done when iterating over multiple input xfrms
From: Sowmini Varadhan @ 2018-09-03 11:36 UTC (permalink / raw)
  To: netdev, steffen.klassert; +Cc: davem, sowmini.varadhan

We only support one offloaded xfrm (we do not have devices that
can handle more than one offload), so reset crypto_done in
xfrm_input() when iterating over multiple transforms in xfrm_input,
so that we can invoke the appropriate x->type->input for the
non-offloaded transforms.

Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
---
v2: added "Fixes" tag

 net/xfrm/xfrm_input.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index b89c9c7..be3520e 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -458,6 +458,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 			XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
 			goto drop;
 		}
+		crypto_done = false;
 	} while (!err);
 
 	err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
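
Review bot: `crypto_done = false;` at the bottom of the do/while loop in xfrm_input() is unconditional, which hard-codes the assumption from the commit message that only one transform can be offloaded. Please put that assumption in a comment directly above the assignment (for example, that only the first xfrm may have been handled by the device, so later ones must go through x->type->input), so the line gets revisited if hardware that offloads more than one transform appears. The Fixes: tag in the message is also separated from Signed-off-by: by a blank line; the tags normally form one contiguous block.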
-- 
1.7.1


* Re: [PATCH V2 ipsec-next 0/2] xfrm: bug fixes when processing multiple transforms
From: Steffen Klassert @ 2018-09-05  7:40 UTC (permalink / raw)
  To: Sowmini Varadhan; +Cc: netdev, davem

On Mon, Sep 03, 2018 at 04:36:51AM -0700, Sowmini Varadhan wrote:
> This series contains bug fixes that were encountered when I set
> up a libreswan tunnel using the config below, which will set up
> an IPsec policy involving 2 tmpls.
> 
>     type=transport
>     compress=yes
>     esp=aes_gcm_c-128-null # offloaded to Niantic
>     auto=start
> 
> The non-offload test case uses esp=aes_gcm_c-256-null.
> 
> Each patch has a technical description of the contents of the fix.
> 
> V2: added Fixes tag so that it can be backported to the stable trees.
> 
> Sowmini Varadhan (2):
>   xfrm: reset transport header back to network header after all input
>     transforms have been applied
>   xfrm: reset crypto_done when iterating over multiple input xfrms

All applied to the ipsec tree, thanks a lot Sowmini!
