On Fri, Apr 16, 2021 at 11:27:59AM +0200, Sabrina Dubroca wrote:
> Jianwen reported that IPv6 Interoperability tests are failing in an
> IPsec case where one of the links between the IPsec peers has an MTU
> of 1280. The peer generates a packet larger than this MTU, the router
> replies with a "Pac
On Fri, Apr 16, 2021 at 05:11:46PM +0200, Sabrina Dubroca wrote:
> While testing ipcomp on a realtime kernel, Xiumei reported a "sleeping
> in atomic" bug, caused by a memory allocation while preemption is
> disabled (ipcomp_decompress -> alloc_page -> ... get_page_from_freelist).
>
> As Sebastian
On Wed, Apr 14, 2021 at 06:12:50PM +0200, Florian Westphal wrote:
> First patch gets rid of SPI key from flowi struct.
> xfrm_policy populates this but there are no consumers.
>
> This is part of a different patch (not part of this) to replace
> xfrm_decode_session internals with the flow dissecto
dware at
> ndo_start_xmit.
>
> For example, ConnectX6-DX IPsec device needs the plaintext's
> IP protocol to support partial checksum offload on
> VXLAN/GENEVE packet over IPsec transport mode tunnel.
>
> Signed-off-by: Raed Salem
> Signed-off-by: Huy Nguyen
> C
u Mar 11 10:07:56 2021 +0800
esp6: remove a duplicative condition
Fixes coccicheck warnings:
./net/ipv6/esp6_offload.c:319:32-34:
WARNING !A || A && B is equivalent to !A || B
Signed-off-by: Junlin Yang
Signed-off-by: Steffen Klassert
From: Jiapeng Chong
Fix the following coccicheck warnings:
./net/ipv4/esp4.c:757:16-18: WARNING !A || A && B is equivalent to !A || B.
Reported-by: Abaci Robot
Signed-off-by: Jiapeng Chong
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4.c | 2 +-
1 file changed, 1 inserti
From: Junlin Yang
Fixes coccicheck warnings:
./net/ipv6/esp6_offload.c:319:32-34:
WARNING !A || A && B is equivalent to !A || B
Signed-off-by: Junlin Yang
Signed-off-by: Steffen Klassert
---
net/ipv6/esp6_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/
l %u, which has the same effect
but avoids the warning.
Signed-off-by: Arnd Bergmann
Signed-off-by: Steffen Klassert
---
net/ipv6/ah6.c | 2 +-
net/ipv6/esp6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 440080da805b..01c638f5d8b8 100
Not much this time:
1) Simplification of some variable calculations in esp4 and esp6.
From Jiapeng Chong and Junlin Yang.
2) Fix a clang Wformat warning in esp6 and ah6.
From Arnd Bergmann.
Please pull or let me know if there are problems.
Thanks!
The following changes since commit 34bb9
Hi netdev,
I want to announce a new public mailinglist for technical discussion
about IPsec implementation and specification.
Discussion topics are development on IPsec implementation (ESP, IKEv2 etc.)
and specification. Patches for an early review are welcome too.
If you are interested, please
so handlers for esp4 and esp6")
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4_offload.c | 6 --
net/ipv6/esp6_offload.c | 6 --
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 601f5f
d-by: Xiumei Mu
Signed-off-by: Xin Long
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_output.c | 13 +
1 file changed, 13 insertions(+)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index b81ca117dac7..e4cb0ff4dcf4 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfr
eea6b7e8f ("xfrm/compat: Attach xfrm dumps to 64=>32 bit translator")
Cc: "David S. Miller"
Cc: Eric Dumazet
Cc: Herbert Xu
Cc: Jakub Kicinski
Cc: Steffen Klassert
Cc: netdev@vger.kernel.org
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Safonov
Signed-off-by: Steffen Kla
this lock association is compiled out and has
neither storage size nor runtime overhead.
Signed-off-by: Ahmed S. Darwish
Signed-off-by: Steffen Klassert
---
include/net/netns/xfrm.h | 2 +-
net/xfrm/xfrm_state.c| 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/net/netn
"xfrm_state_hash_generation"
data type from seqcount_t to seqcount_LOCKNAME_t in further commits.
Fixes: b65e3d7be06f ("xfrm: state: add sequence count to detect hash resizes")
Signed-off-by: Ahmed S. Darwish
Signed-off-by: Steffen Klassert
---
include/net/netns/xfrm.h | 4 +++-
ck to honor ip header df
vti: fix ipv4 pmtu check to honor ip header df
vti6: fix ipv4 pmtu check to honor ip header df
Steffen Klassert (2):
xfrm: Fix NULL pointer dereference on policy lookup
xfrm: Provide private skb extensions for segmented and hw offloaded ESP
packets
fixed some of these issues however a similar
problem existed in the xfrm code.
Fixes: 31c70d5956fc ("l2tp: keep original skb ownership")
Signed-off-by: Evan Nimmo
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 +-
net/ipv4/ah4.c | 2 +-
net/ipv4/esp4.c
ned-off-by: Eyal Birger
Reviewed-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
---
net/ipv4/ip_vti.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index abc171e79d3e..613741384490 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv
Signed-off-by: Eyal Birger
Reviewed-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_interface.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 495b1f5c979b..8831f5a9e992 100644
--- a/net/xfrm/xfrm_interfa
ransformed correctly when segmentation happens at layer 3.
Fix this by using private skb extensions for segmented and hw offloaded
ESP packets.
Fixes: 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto
offload.")
Signed-off-by: Steffen Klassert
---
net/ipv4
cking of skb_dst(skb) before accessing it.
Fixes: f203b76d78092 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index bfbc7810df9
")
Signed-off-by: Eyal Birger
Reviewed-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
---
net/ipv6/ip6_vti.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 0225fd694192..2f0be5ac021c 100644
--- a/net/ipv6/ip6_vti.c
> (for every type)
>
> Reported-by: syzbot+834ffd1afc7212eb8...@syzkaller.appspotmail.com
> Fixes: 5f3eea6b7e8f ("xfrm/compat: Attach xfrm dumps to 64=>32 bit
> translator")
> Cc: "David S. Miller"
> Cc: Eric Dumazet
> Cc: Herbert Xu
> Cc: Jakub Kicinski
>
On Fri, Mar 26, 2021 at 09:44:48AM +0100, Steffen Klassert wrote:
> Commit 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec
> crypto offload.") added a XFRM_XMIT flag to avoid duplicate ESP trailer
> insertion on HW offload. This flag is set on the secpath that
On Mon, Mar 22, 2021 at 12:56:49PM +0100, Arnd Bergmann wrote:
> From: Arnd Bergmann
>
> When building with 'make W=1', clang warns about a mismatched
> format string:
>
> net/ipv6/ah6.c:710:4: error: format specifies type 'unsigned short' but the
> argument has type 'int' [-Werror,-Wformat]
>
ransformed correctly when segmentation happens at layer 3.
Fix this by using private skb extensions for segmented and hw offloaded
ESP packets.
Fixes: 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto
offload.")
Signed-off-by: Steffen Klassert
---
net/ipv4
On Tue, Mar 23, 2021 at 01:02:35PM +0100, Florian Westphal wrote:
> Steffen Klassert wrote:
> > Commit 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec
> > crypto offload.") added a XFRM_XMIT flag to avoid duplicate ESP trailer
> > insertion on HW o
On Tue, Mar 23, 2021 at 09:26:44AM +0100, Steffen Klassert wrote:
> When xfrm interfaces are used in combination with namespaces
> and ESP offload, we get a dst_entry NULL pointer dereference.
> This is because we don't have a dst_entry attached in the ESP
> offloading case an
On Fri, Mar 19, 2021 at 06:27:58PM +0800, Xin Long wrote:
> BEET mode replaces the IP(6) Headers with new IP(6) Headers when sending
> packets. However, when it's a fragment before the replacement, currently
> kernel keeps the fragment flag and replace the address field then encaps
> it with ESP. I
cking of skb_dst(skb) before accessing it.
Fixes: f203b76d78092 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index b2a06f10b62
ransformed correctly when segmentation happens at layer 3.
Fix this by using private skb extensions for segmented and hw offloaded
ESP packets.
Fixes: 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto
offload.")
Signed-off-by: Steffen Klassert
---
include/linux/s
On Fri, Mar 19, 2021 at 03:35:07PM +0800, Xin Long wrote:
> Now in esp4/6_gso_segment(), before calling inner proto .gso_segment,
> NETIF_F_CSUM_MASK bits are deleted, as HW won't be able to do the
> csum for inner proto due to the packet encrypted already.
>
> So the UDP/TCP packet has to do the
On Tue, Mar 16, 2021 at 11:56:28AM +0100, Ahmed S. Darwish wrote:
> Hi,
>
> This is a small series to transform xfrm_state_hash_generation sequence
> counter to seqcount_spinlock_t, instead of plain seqcount_t.
>
> In general, seqcount_LOCKNAME_t sequence counters allows to associate
> the lock us
On Wed, Mar 10, 2021 at 10:36:11AM +0100, Antony Antony wrote:
> When ESP offload is not supported by the device return an error,
> -EINVAL, instead of silently ignoring it, creating a SA without offload,
> and returning success.
>
> with this fix ip x s a would return
> RTNETLINK answers: Invalid
On Thu, Mar 11, 2021 at 10:07:56AM +0800, angkery wrote:
> From: Junlin Yang
>
> Fixes coccicheck warnings:
> ./net/ipv6/esp6_offload.c:319:32-34:
> WARNING !A || A && B is equivalent to !A || B
>
> Signed-off-by: Junlin Yang
Applied to ipsec-next, thanks!
On Mon, Mar 01, 2021 at 06:46:02PM +0800, Jiapeng Chong wrote:
> Fix the following coccicheck warnings:
>
> ./net/ipv4/esp4.c:757:16-18: WARNING !A || A && B is equivalent to !A || B.
>
> Reported-by: Abaci Robot
> Signed-off-by: Jiapeng Chong
Now applied to ipsec-next, thanks!
On Tue, Mar 02, 2021 at 08:00:04AM +1300, Evan Nimmo wrote:
> A situation can occur where the interface bound to the sk is different
> to the interface bound to the sk attached to the skb. The interface
> bound to the sk is the correct one however this information is lost inside
> xfrm_output2 and
On Tue, Mar 02, 2021 at 10:32:13AM +0100, Sabrina Dubroca wrote:
> 2021-02-26, 23:35:04 +0200, Eyal Birger wrote:
> > This series aligns vti(6) handling of non-df IPv4 packets exceeding
> > the size of the tunnel MTU to avoid sending "Frag needed" and instead
> > fragment the packets after encapsul
On Sat, Feb 20, 2021 at 11:18:23AM +0800, Yang Li wrote:
> Fix the following sparse warnings:
> net/xfrm/xfrm_policy.c:1303:22: warning: incorrect type in assignment
> (different address spaces)
>
> Reported-by: Abaci Robot
> Signed-off-by: Yang Li
Please add a proper 'Fixes' tag so that it can
On Mon, Mar 01, 2021 at 05:02:08PM +1300, Evan Nimmo wrote:
> A situation can occur where the interface bound to the sk is different
> to the interface bound to the sk attached to the skb. The interface
> bound to the sk is the correct one however this information is lost inside
> xfrm_output2 and
On Tue, Feb 23, 2021 at 04:12:34PM +0100, Sabrina Dubroca wrote:
> 2021-02-20, 15:01:15 +0200, Eyal Birger wrote:
> > Frag needed should only be sent if the header enables DF.
> >
> > This fix allows packets larger than MTU to pass the xfrm interface
> > and be fragmented after encapsulation, alig
From: Zheng Yongjun
When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
1) Support TSO on xfrm interfaces.
From Eyal Birger.
2) Variable calculation simplifications in esp4/esp6.
From Jiapeng Chong / Jiapeng Zhong.
3) Fix a return code in xfrm_do_migrate.
From Zheng Yongjun.
Please pull or let me know if there are problems.
Thanks!
The following changes s
From: Jiapeng Chong
Fix the following coccicheck warnings:
./net/ipv6/esp6.c:791:16-18: WARNING !A || A && B is equivalent
to !A || B.
Reported-by: Abaci Robot
Signed-off-by: Jiapeng Chong
Signed-off-by: Steffen Klassert
---
net/ipv6/esp6.c | 2 +-
1 file changed, 1 inserti
From: Jiapeng Zhong
Fix the following coccicheck warnings:
./net/ipv4/esp4_offload.c:288:32-34: WARNING !A || A && B is
equivalent to !A || B.
Reported-by: Abaci Robot
Signed-off-by: Jiapeng Zhong
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4_offload.c | 2 +-
1 file ch
From: Eyal Birger
Underlying xfrm output supports gso packets.
Declare support in hw_features and adapt the xmit MTU check to pass GSO
packets.
Signed-off-by: Eyal Birger
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_interface.c | 10 +-
1 file changed, 9 insertions(+), 1
On Thu, Feb 04, 2021 at 03:42:54PM +0800, Zheng Yongjun wrote:
> When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
>
> Signed-off-by: Zheng Yongjun
Applied to ipsec-next, thanks!
On Wed, Feb 03, 2021 at 10:44:30AM +0800, Jiapeng Chong wrote:
> Fix the following coccicheck warnings:
>
> ./net/ipv6/esp6.c:791:16-18: WARNING !A || A && B is equivalent
> to !A || B.
>
> Reported-by: Abaci Robot
> Signed-off-by: Jiapeng Chong
Applied to ipsec-next, thanks!
On Mon, Jan 25, 2021 at 02:41:46PM +0800, Jiapeng Zhong wrote:
> Fix the following coccicheck warnings:
>
> ./net/ipv4/esp4_offload.c:288:32-34: WARNING !A || A && B is
> equivalent to !A || B.
>
> Reported-by: Abaci Robot
> Signed-off-by: Jiapeng Zhong
Patch applied, thanks!
t in
> __udp_gso_segment_list. It covers both SNAT and DNAT.
>
> Fixes: 9fd1ff5d2ac7 (udp: Support UDP fraglist GRO/GSO.)
> Signed-off-by: Dongseok Yi
> ---
> v1:
> Steffen Klassert said, there could be 2 options.
> https://lore.kernel.org/patchwork/patch/1362257
On Tue, Jan 26, 2021 at 09:31:29AM +0900, Dongseok Yi wrote:
> On 1/25/21 9:45 PM, Steffen Klassert wrote:
> > On Thu, Jan 21, 2021 at 10:24:39PM +0900, Dongseok Yi wrote:
> > >
> > > +static void __udpv4_gso_segment_csum(struct sk_buff *seg,
> > > +
On Wed, Jan 20, 2021 at 03:55:42PM +0900, Dongseok Yi wrote:
> On 2021-01-18 22:27, Steffen Klassert wrote:
> > On Fri, Jan 15, 2021 at 10:20:35PM +0900, Dongseok Yi wrote:
> > > UDP/IP header of UDP GROed frag_skbs are not updated even after NAT
> > > forwarding. Only
er than a panic.
Reported-by: syzbot+b2bf2652983d23734...@syzkaller.appspotmail.com
Cc: Steffen Klassert
Cc: Herbert Xu
Signed-off-by: Cong Wang
Signed-off-by: Steffen Klassert
---
net/key/af_key.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/key/af_key.c
ned-off-by: Steffen Klassert
---
tools/testing/selftests/net/xfrm_policy.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/xfrm_policy.sh
b/tools/testing/selftests/net/xfrm_policy.sh
index 7a1bf94c5bd3..5922941e70c6 100755
--- a/tools/testing/sel
one equivalence class.
Fixes: 9cf545ebd591d ("xfrm: policy: store inexact policies in a tree ordered
by destination address")
Signed-off-by: Visa Hankala
Acked-by: Florian Westphal
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 26 +
too
thms.
Augment the fix, by *always* calling 'recheck()' - irrespective if we're
using async crypto.
Fixes: 0ebea8ef3559 ("[IPSEC]: Move state lock into x->type->input")
Signed-off-by: Shmulik Ladkani
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_inp
1) Fix a rare panic on SMP systems when packet reordering
happens between anti replay check and update.
From Shmulik Ladkani.
2) Fix disable_xfrm sysctl when used on xfrm interfaces.
From Eyal Birger.
3) Fix a race in PF_KEY when the availability of crypto
algorithms is set. From Cong
when invoked by xfrmi as if_id != 0.
Similarly it's unlikely for the 'no policy exists on net' check to yield
any performance benefits when invoked from xfrmi.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Eyal Birger
Signed-off-by: Steffe
segment list
> in __udp_gso_segment_list. It covers both SNAT and DNAT.
>
> Fixes: 9fd1ff5d2ac7 (udp: Support UDP fraglist GRO/GSO.)
> Signed-off-by: Dongseok Yi
> ---
> v1:
> Steffen Klassert said, there could be 2 options.
> https://lore.kernel.org/patchwork/patch/1362257
On Mon, Jan 18, 2021 at 12:17:34PM +, Alexander Lobakin wrote:
> > From: Steffen Klassert
> > Date: Mon, 18 Jan 2021 07:37:59 +0100
> > On Fri, Jan 15, 2021 at 05:12:33PM +, Alexander Lobakin wrote:
> >>
> >> I used another approach, tried to make
gment list but copy
> > only the MAC header.
> >
> > Update dport, daddr and checksums of each skb of the segment list
> > in __udp_gso_segment_list. It covers both SNAT and DNAT.
> >
> > Fixes: 9fd1ff5d2ac7 (udp: Support UDP fraglist GRO/GSO.)
> >
On Fri, Jan 15, 2021 at 05:55:22PM +0900, Dongseok Yi wrote:
> On 2021-01-15 17:12, Steffen Klassert wrote:
> > On Fri, Jan 15, 2021 at 02:58:24PM +0900, Dongseok Yi wrote:
> > > UDP/IP header of UDP GROed frag_skbs are not updated even after NAT
> > > forwarding. Only
ses?
We copy only the MAC header in skb_segment_list(), so I think
this is a valid bug when NAT changed the UDP header.
>
> Update dport, daddr and checksums of each skb of the segment list
> after __udp_gso_segment.
>
> Fixes: 9fd1ff5d2ac7 (udp: Support UDP fraglist GRO/GSO.)
> Signed-off
On Mon, Jan 11, 2021 at 11:02:42AM +0900, Dongseok Yi wrote:
> On 2021-01-08 22:35, Steffen Klassert wrote:
> > On Fri, Jan 08, 2021 at 09:52:28PM +0900, Dongseok Yi wrote:
> > > It is a workaround patch.
> > >
> > > UDP/IP header of UDP GROed frag
6a27 ("esp6: Avoid skb_cow_data whenever possible")
> Signed-off-by: Willem de Bruijn
> Cc: Steffen Klassert
As this patchset goes through the net tree:
Acked-by: Steffen Klassert
Thanks!
On Wed, Jan 06, 2021 at 08:10:46AM +0200, Eyal Birger wrote:
> Underlying xfrm output supports gso packets.
> Declare support in hw_features and adapt the xmit MTU check to pass GSO
> packets.
>
> Signed-off-by: Eyal Birger
Applied, thanks a lot Eyal!
On Fri, Jan 08, 2021 at 09:52:28PM +0900, Dongseok Yi wrote:
> It is a workaround patch.
>
> UDP/IP header of UDP GROed frag_skbs are not updated even after NAT
> forwarding. Only the header of head_skb from ip_finish_output_gso ->
> skb_gso_segment is updated but following frag_skbs are not updat
On Mon, Dec 28, 2020 at 09:03:28AM +0200, Eyal Birger wrote:
> Hi Steffen,
>
> On Mon, Dec 7, 2020 at 11:55 AM Steffen Klassert
> wrote:
> >
> > On Fri, Nov 27, 2020 at 02:32:44PM +0200, Eyal Birger wrote:
> > > Hi Steffen,
> > >
> > >
On Mon, Jan 04, 2021 at 07:50:49PM +0200, Eyal Birger wrote:
> Hi Steffen,
>
> On Mon, Jan 4, 2021 at 10:44 AM Steffen Klassert
> wrote:
> >
> > On Wed, Dec 23, 2020 at 09:15:38AM +0200, Eyal Birger wrote:
> > > Underlying xfrm output supports gso packets.
>
On Wed, Dec 30, 2020 at 04:15:53PM +, Visa Hankala wrote:
> Use three-way comparison for address components to avoid integer
> wraparound in the result of xfrm_policy_addr_delta(). This ensures
> that the search trees are built and traversed correctly.
>
> Treat IPv4 and IPv6 similarly by retu
On Wed, Dec 30, 2020 at 05:52:04PM +0800, Po-Hsu Lin wrote:
> When running this xfrm_policy.sh test script, even with some cases
> marked as FAIL, the overall test result will still be PASS:
>
> $ sudo ./xfrm_policy.sh
> PASS: policy before exception matches
> FAIL: expected ping to .254 to fail (
test of ->available. We may waste some memory for a few
> of sizeof(struct sadb_comb), but it is still much better than a panic.
>
> Reported-by: syzbot+b2bf2652983d23734...@syzkaller.appspotmail.com
> Cc: Steffen Klassert
> Cc: Herbert Xu
> Signed-off-by: Cong Wang
Patch applied, thanks!
On Wed, Dec 23, 2020 at 05:00:46PM +0200, Eyal Birger wrote:
> The disable_xfrm flag signals that xfrm should not be performed during
> routing towards a device before reaching device xmit.
>
> For xfrm interfaces this is usually desired as they perform the outbound
> policy lookup as part of thei
On Wed, Dec 23, 2020 at 09:15:38AM +0200, Eyal Birger wrote:
> Underlying xfrm output supports gso packets.
> Declare support in hw_features and adapt the xmit MTU check to pass GSO
> packets.
>
> Signed-off-by: Eyal Birger
Looks ok to me.
On Mon, Dec 14, 2020 at 03:38:32PM +0200, Shmulik Ladkani wrote:
> When setting xfrm replay_window to values higher than 32, a rare
> page-fault occurs in xfrm_replay_advance_bmp:
>
> BUG: unable to handle page fault for address: 8af350ad7920
> #PF: supervisor write access in kernel mode
>
On Thu, Nov 26, 2020 at 09:21:39AM +, Marler, Jonathan wrote:
> We've found an issue while running the following USGv6 tests where the kernel
> drops outgoing packets:
>
> 5.3.11 Tunnel Mode: Fragmentation
> 5.4.11 Tunnel Mode: Fragmentation
>
> During the test, an esp PING request is sent t
Just one patch this time:
1) Redact the SA keys with kernel lockdown confidentiality.
If enabled, no secret keys are sent to userspace.
From Antony Antony.
Please pull or let me know if there are problems.
Thanks!
The following changes since commit 8be33ecfc1ffd2da20cc29e957e4cb6eb99310c
>v3
- replace spaces with tabs for consistency
v3->v4
- use kernel lockdown instead of a /proc setting
v4->v5
- remove kconfig option
Reviewed-by: Stephan Mueller
Signed-off-by: Antony Antony
Signed-off-by: Steffen Klassert
---
include/linux/security.h | 1 +
net/xfrm/xfrm_use
From: Yu Kuai
if xfrm_get_translator() failed, xfrm_user_policy() return without
freeing 'data', which is allocated in memdup_sockptr().
Fixes: 96392ee5a13b ("xfrm/compat: Translate 32-bit user_policy from sockptr")
Reported-by: Hulk Robot
Signed-off-by: Yu Kuai
Si
+c43831072e7df506a...@syzkaller.appspotmail.com
Signed-off-by: Dmitry Safonov
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
index 17edbf935e35..556e9f33b815 100644
--- a/net/
On Fri, Nov 27, 2020 at 02:32:44PM +0200, Eyal Birger wrote:
> Hi Steffen,
>
> On Fri, Nov 27, 2020 at 11:44 AM Steffen Klassert
> wrote:
> >
> > On Sat, Nov 21, 2020 at 04:28:23PM +0200, Eyal Birger wrote:
> > > This commit adds support for 'collect_md'
case a new xfrm attribute
will be added.
Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
Reported-by: syzbot+a7e701c8385bd8543...@syzkaller.appspotmail.com
Signed-off-by: Dmitry Safonov
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_compat.c | 1 +
right place
xfrm/compat: Don't allocate memory with __GFP_ZERO
Steffen Klassert (1):
Merge branch 'xfrm/compat: syzbot-found fixes'
Yu Kuai (1):
net: xfrm: fix memory leak in xfrm_user_policy()
net/xfrm/xfrm_compat.c | 5 +++--
net/xfrm/xfrm_state.c | 4 +++-
ry Safonov
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
index 556e9f33b815..d8e8a11ca845 100644
--- a/net/xfrm/xfrm_compat.c
+++ b/net/xfrm/xfrm_compat.c
@@ -564,
On Sat, Nov 21, 2020 at 04:28:23PM +0200, Eyal Birger wrote:
> This commit adds support for 'collect_md' mode on xfrm interfaces.
>
> Each net can have one collect_md device, created by providing the
> IFLA_XFRM_COLLECT_METADATA flag at creation. This device cannot be
> altered and has no if_id or
Hi,
I've Cced netdev, maybe other people have an opinion on this too.
On Thu, Nov 19, 2020 at 01:39:29PM -0800, Nic Dade wrote:
> I've been investigating a problem which happens when I use IPsec
> (strongswan in userspace), ESN, the default anti-replay window (32
> seqnums), on a multi-core CPU.
On Tue, Nov 17, 2020 at 05:47:23PM +0100, Antony Antony wrote:
> redact XFRM SA secret in the netlink response to xfrm_get_sa()
> or dumpall sa.
> Enable lockdown, confidentiality mode, at boot or at run time.
>
> e.g. when enabled:
> cat /sys/kernel/security/lockdown
> none integrity [confidentia
On Tue, Nov 10, 2020 at 09:14:43AM +0800, Yu Kuai wrote:
> if xfrm_get_translator() failed, xfrm_user_policy() return without
> freeing 'data', which is allocated in memdup_sockptr().
>
> Fixes: 96392ee5a13b ("xfrm/compat: Translate 32-bit user_policy from sockptr")
> Reported-by: Hulk Robot
> Si
O as the memory is initialized during translation.
>
> Cc: Steffen Klassert
> Cc: "David S. Miller"
> Cc: Jakub Kicinski
> Cc: Herbert Xu
> Cc: Hillf Danton
> Cc: netdev@vger.kernel.org
>
> Thanks,
> Dmitry
>
> Dmitry Safonov (3):
> x
On Thu, Nov 05, 2020 at 01:52:01PM +0900, Lorenzo Colitti wrote:
> On Tue, Sep 15, 2020 at 4:30 PM Steffen Klassert
> wrote:
> > > In esp's tunnel mode,if inner interface is ipv4,outer is ipv4,one big
> > > packet which travels through tunnel will be fragmented wit
ch to using the new tasklet_setup()
> > and from_tasklet() to pass the tasklet pointer explicitly.
> >
> > Signed-off-by: Romain Perier
> > Signed-off-by: Allen Pais
>
> Steffen - ack for applying this to net-next?
Acked-by: Steffen Klassert
ate hash table sizing.")
Signed-off-by: zhuoliang zhang
Acked-by: Herbert Xu
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_state.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index efc89a92961d..ee6ac32bb06d 10
the future.
Reported-by: Nicolas Dichtel
Tested-by: Nicolas Dichtel
Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels
processing with .cb_handler")
FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels
processing with .cb_handler")
Si
1) Fix packet receiving of standard IP tunnels when the xfrm_interface
module is installed. From Xin Long.
2) Fix a race condition between spi allocating and hash list
resizing. From zhuoliang zhang.
Please pull or let me know if there are problems.
Thanks!
The following changes since com
On Fri, Oct 30, 2020 at 02:25:57AM +, Dmitry Safonov wrote:
> WARN_ON() for XFRMA_UNSPEC translation which likely no-one except
> syzkaller uses; properly zerofy tail-padding for 64-bit attribute;
> don't use __GFP_ZERO as the memory is initialized during translation.
>
>
On Fri, Oct 16, 2020 at 03:36:12PM +0200, Antony Antony wrote:
> redact XFRM SA secret in the netlink response to xfrm_get_sa()
> or dumpall sa.
> Enable this at build time and set kernel lockdown to confidentiality.
Wouldn't it be better to enable it at boot or runtime? This defaults
to 'No' at b
Same here, Dmitry please look into it.
I guess we can just remove the WARN_ON() that
triggers here.
On Mon, Oct 26, 2020 at 06:58:28AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: f11901ed Merge tag 'xfs-5.10-merge-7' of git://git.kernel...
> git t
Dmitry, you added this code, can you please look into
that?
Thanks!
On Wed, Oct 28, 2020 at 05:00:22PM +0800, Hillf Danton wrote:
> On Fri, 23 Oct 2020 01:38:23 -0700
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: c4d6fe73 Merge tag 'xarray-5.9' of git://git.
On Thu, Oct 22, 2020 at 06:01:27PM +0800, Zhuoliang Zhang wrote:
> From: zhuoliang zhang
>
> we found that the following race condition exists in
> xfrm_alloc_userspi flow:
>
> user thread                    state_hash_work thread
>
On Tue, Oct 13, 2020 at 02:41:18PM +0200, Nicolas Dichtel wrote:
> Le 13/10/2020 à 11:28, Steffen Klassert a écrit :
> > On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote:
> >> As Nicolas noticed in his case, when xfrm_interface module is installed
> >> the standa