* pull request (net): ipsec 2018-01-24
From: Steffen Klassert @ 2018-01-24  9:47 UTC
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

1) Only offloads SAs after they are fully initialized.
   Otherwise a NIC may receive packets on a SA we can
   not yet handle in the stack.
   From Yossi Kuperman.

2) Fix negative refcount in case of a failing offload.
   From Aviad Yehezkel.

3) Fix inner IP proto version when decapsulating
   from inter-address-family tunnels.
   From Yossi Kuperman.

4) Use true or false for boolean variables instead of an
   integer value in xfrm_get_type_offload.
   From Gustavo A. R. Silva.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit ad9294dbc227cbc8e173b3b963e7dd9af5314f77:

  bpf: fix cls_bpf on filter replace (2018-01-17 17:14:06 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master

for you to fetch changes up to 545d8ae7affff7fb4f8bfd327c7c7790056535c4:

  xfrm: fix boolean assignment in xfrm_get_type_offload (2018-01-23 10:56:36 +0100)

----------------------------------------------------------------
Aviad Yehezkel (1):
      xfrm: fix error flow in case of add state fails

Gustavo A. R. Silva (1):
      xfrm: fix boolean assignment in xfrm_get_type_offload

Yossi Kuperman (2):
      xfrm: Add SA to hardware at the end of xfrm_state_construct()
      xfrm: Fix eth_hdr(skb)->h_proto to reflect inner IP version

 net/ipv4/xfrm4_mode_tunnel.c |  1 +
 net/ipv6/xfrm6_mode_tunnel.c |  1 +
 net/xfrm/xfrm_device.c       |  1 +
 net/xfrm/xfrm_state.c        | 12 ++++++++----
 net/xfrm/xfrm_user.c         | 18 +++++++++++-------
 5 files changed, 22 insertions(+), 11 deletions(-)


* [PATCH 1/4] xfrm: Add SA to hardware at the end of xfrm_state_construct()
From: Steffen Klassert @ 2018-01-24  9:47 UTC
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

From: Yossi Kuperman <yossiku@mellanox.com>

Current code configures the hardware with a new SA before the state has been
fully initialized. During this time interval, an incoming ESP packet can cause
a crash due to a NULL dereference. More specifically, xfrm_input() considers
the packet valid, and yet the anti-replay mechanism is not initialized.

Move hardware configuration to the end of xfrm_state_construct(), and mark
the state as valid once the SA is fully initialized.

Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Aviad Yehezkel <aviadye@mellnaox.com>
Signed-off-by: Aviv Heller <avivh@mellanox.com>
Signed-off-by: Yossi Kuperman <yossiku@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_state.c | 10 +++++++---
 net/xfrm/xfrm_user.c  | 18 +++++++++++-------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 429957412633..2d486492acdb 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2272,8 +2272,6 @@ int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload)
 			goto error;
 	}
 
-	x->km.state = XFRM_STATE_VALID;
-
 error:
 	return err;
 }
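Review bot: with the XFRM_STATE_VALID assignment removed from __xfrm_init_state(), every caller of this function is now responsible for marking the state valid itself, and the hunk cannot show whether callers other than xfrm_init_state() and xfrm_state_construct() exist; worth grepping for direct callers so none is left with a permanently VOID state that xfrm_input() and the output lookups will reject.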
@@ -2282,7 +2280,13 @@ EXPORT_SYMBOL(__xfrm_init_state);
 
 int xfrm_init_state(struct xfrm_state *x)
 {
-	return __xfrm_init_state(x, true, false);
+	int err;
+
+	err = __xfrm_init_state(x, true, false);
+	if (!err)
+		x->km.state = XFRM_STATE_VALID;
+
+	return err;
 }
 
 EXPORT_SYMBOL(xfrm_init_state);
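Review bot: the error branch now leaves x->km.state at XFRM_STATE_VOID where it previously was set to VALID unconditionally, which is a behaviour change for any caller that ignored the return value of xfrm_init_state(); a short comment above the `if (!err)` saying that the VALID transition is deliberately deferred until the state is fully initialised would stop a future cleanup from moving it back into __xfrm_init_state().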
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index bdb48e5dba04..7f52b8eb177d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -598,13 +598,6 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 			goto error;
 	}
 
-	if (attrs[XFRMA_OFFLOAD_DEV]) {
-		err = xfrm_dev_state_add(net, x,
-					 nla_data(attrs[XFRMA_OFFLOAD_DEV]));
-		if (err)
-			goto error;
-	}
-
 	if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
 					       attrs[XFRMA_REPLAY_ESN_VAL])))
 		goto error;
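Review bot: removing the early xfrm_dev_state_add() call means a failure in the replay-ESN allocation right below no longer has to unwind a hardware SA, which simplifies the error label; confirm that nothing between this point and the new call site (the ESN setup, xfrm_update_ae_params()) depends on x->xso.dev being populated, since that field is now unset until the end of xfrm_state_construct().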
@@ -620,6 +613,14 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 	/* override default values from above */
 	xfrm_update_ae_params(x, attrs, 0);
 
+	/* configure the hardware if offload is requested */
+	if (attrs[XFRMA_OFFLOAD_DEV]) {
+		err = xfrm_dev_state_add(net, x,
+					 nla_data(attrs[XFRMA_OFFLOAD_DEV]));
+		if (err)
+			goto error;
+	}
+
 	return x;
 
 error:
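Review bot: xfrm_dev_state_add() now runs after the state is fully built but still before xfrm_add_sa() marks it VALID, so there remains a short window in which the NIC may hand up packets on this SA while km.state is XFRM_STATE_VOID; that is acceptable only because xfrm_input() drops non-VALID states (XfrmInStateInvalid) instead of touching the replay fields, and the comment on the new block should say so. Also, the `goto error` after a failed xfrm_dev_state_add() relies on the error path not dropping the netdev reference a second time; patch 2/4 in this series clears xso->dev for exactly that reason, so this hunk is only safe together with that patch.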
@@ -662,6 +663,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
 		goto out;
 	}
 
+	if (x->km.state == XFRM_STATE_VOID)
+		x->km.state = XFRM_STATE_VALID;
+
 	c.seq = nlh->nlmsg_seq;
 	c.portid = nlh->nlmsg_pid;
 	c.event = nlh->nlmsg_type;
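Review bot: the `x->km.state == XFRM_STATE_VOID` guard has no visible justification in this hunk; if there is a path by which xfrm_state_construct() or xfrm_state_add() can leave km.state at a value other than VOID that must be preserved, a comment should name it, otherwise an unconditional assignment is clearer. Note also the ordering: the state was already inserted into the hash tables by xfrm_state_add()/xfrm_state_update() above, so a concurrent lookup can observe it as VOID until this store lands; that is harmless only if every lookup path checks km.state before using the state, which is worth stating next to the assignment.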
-- 
2.14.1


* [PATCH 2/4] xfrm: fix error flow in case of add state fails
From: Steffen Klassert @ 2018-01-24  9:47 UTC
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

From: Aviad Yehezkel <aviadye@mellanox.com>

If adding a state fails in the case of device offload, the netdev refcount
will go negative, since the gc task attempts to dev_free this state.
This is fixed by putting NULL in the state's dev field.

Signed-off-by: Aviad Yehezkel <aviadye@mellanox.com>
Signed-off-by: Boris Pismeny <borisp@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_device.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 30e5746085b8..ac9477189d1c 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -102,6 +102,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
 
 	err = dev->xfrmdev_ops->xdo_dev_state_add(x);
 	if (err) {
+		xso->dev = NULL;
 		dev_put(dev);
 		return err;
 	}
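Review bot: clearing xso->dev before dev_put() fixes the double drop described in the commit message, but a one-line comment here would help: the NULL is what tells the later free/gc path that no netdev reference is held for this state. Worth checking that nothing else populated in this function before xdo_dev_state_add() (offload handle, flags) is read by that teardown path, since only dev is reset.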
-- 
2.14.1


* [PATCH 3/4] xfrm: Fix eth_hdr(skb)->h_proto to reflect inner IP version
From: Steffen Klassert @ 2018-01-24  9:47 UTC
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

From: Yossi Kuperman <yossiku@mellanox.com>

IPSec tunnel mode supports encapsulation of IPv4 over IPv6 and vice-versa.

The outer IP header is stripped and the inner IP packet inherits the original
Ethernet header. Tcpdump fails to properly decode the inner packet when
h_proto differs from the inner IP version.

Fix h_proto to reflect the inner IP version.

Signed-off-by: Yossi Kuperman <yossiku@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/ipv4/xfrm4_mode_tunnel.c | 1 +
 net/ipv6/xfrm6_mode_tunnel.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index e6265e2c274e..20ca486b3cad 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -92,6 +92,7 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
 
 	skb_reset_network_header(skb);
 	skb_mac_header_rebuild(skb);
+	eth_hdr(skb)->h_proto = skb->protocol;
 
 	err = 0;
 
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index 02556e356f87..dc93002ff9d1 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -92,6 +92,7 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
 
 	skb_reset_network_header(skb);
 	skb_mac_header_rebuild(skb);
+	eth_hdr(skb)->h_proto = skb->protocol;
 
 	err = 0;
 
-- 
2.14.1


* [PATCH 4/4] xfrm: fix boolean assignment in xfrm_get_type_offload
From: Steffen Klassert @ 2018-01-24  9:47 UTC
  To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>

Assign true or false to boolean variables instead of an integer value.

This issue was detected with the help of Coccinelle.

Fixes: ffdb5211da1c ("xfrm: Auto-load xfrm offload modules")
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_state.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 2d486492acdb..a3785f538018 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -317,7 +317,7 @@ xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load)
 
 	if (!type && try_load) {
 		request_module("xfrm-offload-%d-%d", family, proto);
-		try_load = 0;
+		try_load = false;
 		goto retry;
 	}
 
-- 
2.14.1


* Re: pull request (net): ipsec 2018-01-24
From: David Miller @ 2018-01-24 15:32 UTC
  To: steffen.klassert; +Cc: herbert, netdev

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Wed, 24 Jan 2018 10:47:09 +0100

> 1) Only offloads SAs after they are fully initialized.
>    Otherwise a NIC may receive packets on a SA we can
>    not yet handle in the stack.
>    From Yossi Kuperman.
> 
> 2) Fix negative refcount in case of a failing offload.
>    From Aviad Yehezkel.
> 
> 3) Fix inner IP proto version when decapsulating
>    from inter-address-family tunnels.
>    From Yossi Kuperman.
> 
> 4) Use true or false for boolean variables instead of an
>    integer value in xfrm_get_type_offload.
>    From Gustavo A. R. Silva.
> 
> Please pull or let me know if there are problems.

Pulled, thanks.
