[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180313070953.21317-1-steffen.klassert@secunet.com>
Date: Tue, 13 Mar 2018 08:09:44 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: David Miller <davem@...emloft.net>
CC: Herbert Xu <herbert@...dor.apana.org.au>,
Steffen Klassert <steffen.klassert@...unet.com>,
<netdev@...r.kernel.org>
Subject: pull request (net): ipsec 2018-03-13
1) Refuse to insert 32 bit userspace socket policies on 64
bit systems like we do it for standard policies. We don't
have a compat layer, so inserting socket policies from
32 bit userspace will lead to a broken configuration.
2) Make the policy hold queue work without the flowcache.
Dummy bundles are not chached anymore, so we need to
generate a new one on each lookup as long as the SAs
are not yet in place.
3) Fix the validation of the esn replay attribute. The
The sanity check in verify_replay() is bypassed if
the XFRM_STATE_ESN flag is not set. Fix this by doing
the sanity check uncoditionally.
From Florian Westphal.
4) After most of the dst_entry garbage collection code
is removed, we may leak xfrm_dst entries as they are
neither cached nor tracked somewhere. Fix this by
reusing the 'uncached_list' to track xfrm_dst entries
too. From Xin Long.
5) Fix a rcu_read_lock/rcu_read_unlock imbalance in
xfrm_get_tos() From Xin Long.
6) Fix an infinite loop in xfrm_get_dst_nexthop. On
transport mode we fetch the child dst_entry after
we continue, so this pointer is never updated.
Fix this by fetching it before we continue.
7) Fix ESN sequence number gap after IPsec GSO packets.
We accidentally increment the sequence number counter
on the xfrm_state by one packet too much in the ESN
case. Fix this by setting the sequence number to the
correct value.
8) Reset the ethernet protocol after decapsulation only if a
mac header was set. Otherwise it breaks configurations
with TUN devices. From Yossi Kuperman.
9) Fix __this_cpu_read() usage in preemptible code. Use
this_cpu_read() instead in ipcomp_alloc_tfms().
From Greg Hackmann.
Please pull or let me know if there are problems.
Thanks!
The following changes since commit 743ffffefac1c670c6618742c923f6275d819604:
net: pxa168_eth: add netconsole support (2018-02-01 14:58:37 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master
for you to fetch changes up to 0dcd7876029b58770f769cbb7b484e88e4a305e5:
net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() (2018-03-13 07:46:37 +0100)
----------------------------------------------------------------
Florian Westphal (1):
xfrm_user: uncoditionally validate esn replay attribute struct
Greg Hackmann (1):
net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
Steffen Klassert (4):
xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
xfrm: Fix policy hold queue after flowcache removal.
xfrm: Fix infinite loop in xfrm_get_dst_nexthop with transport mode.
xfrm: Fix ESN sequence number handling for IPsec GSO packets.
Xin Long (2):
xfrm: reuse uncached_list to track xdsts
xfrm: do not call rcu_read_unlock when afinfo is NULL in xfrm_get_tos
Yossi Kuperman (1):
xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto
include/net/ip6_route.h | 3 +++
include/net/route.h | 3 +++
net/ipv4/route.c | 21 +++++++++++++--------
net/ipv4/xfrm4_mode_tunnel.c | 3 ++-
net/ipv4/xfrm4_policy.c | 4 +++-
net/ipv6/route.c | 4 ++--
net/ipv6/xfrm6_mode_tunnel.c | 3 ++-
net/ipv6/xfrm6_policy.c | 5 +++++
net/xfrm/xfrm_ipcomp.c | 2 +-
net/xfrm/xfrm_policy.c | 13 ++++++++-----
net/xfrm/xfrm_replay.c | 2 +-
net/xfrm/xfrm_state.c | 5 +++++
net/xfrm/xfrm_user.c | 21 ++++++++-------------
13 files changed, 56 insertions(+), 33 deletions(-)
Powered by blists - more mailing lists