Re: [PATCH ipsec] xfrm: add documentation for xfrm device offload api

2017-11-30 Thread Steffen Klassert
On Mon, Nov 20, 2017 at 02:26:07PM -0800, Shannon Nelson wrote:
> Add a writeup on how to use the XFRM device offload API, and
> mention this new file in the index.
>
> Signed-off-by: Shannon Nelson

Applied to ipsec-next, thanks a lot for this documentation!

Re: [PATCH ipsec-next] net: xfrm: allow clearing socket xfrm policies.

2017-11-30 Thread Steffen Klassert
On Mon, Nov 20, 2017 at 07:26:02PM +0900, Lorenzo Colitti wrote: > Currently it is possible to add or update socket policies, but > not clear them. Therefore, once a socket policy has been applied, > the socket cannot be used for unencrypted traffic. > > This patch allows (privileged) users to

Re: flow cache removed = xfrm doesnt work

2017-11-30 Thread Steffen Klassert
On Mon, Nov 27, 2017 at 05:46:28PM +0100, Tomas Charvat wrote: > Gentoo-sources has no change vs vanilla in ipsec. However here is result > from Vanilla 4.14.2 with OFFLOAD=N > > [ 2338.440735] BUG: unable to handle kernel NULL pointer dereference at > 0018 > [ 2338.440830] IP:

Re: [Patch net] xfrm: check id proto in validate_tmpl()

2017-11-29 Thread Steffen Klassert
2 > does in xfrm_xfrmproto_getbyname(). > > Reported-by: syzbot <syzkal...@googlegroups.com> > Cc: Steffen Klassert <steffen.klass...@secunet.com> > Cc: Herbert Xu <herb...@gondor.apana.org.au> > Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com> Patch applied, thanks!

Re: ipsec: ipcomp alg problem on vti interface

2017-11-27 Thread Steffen Klassert
On Mon, Nov 27, 2017 at 04:00:38PM +0300, Alexey Kodanev wrote: > On 11/27/2017 03:07 PM, Steffen Klassert wrote: > > On Wed, Nov 22, 2017 at 07:06:13PM +0300, Alexey Kodanev wrote: > >> > >> Is there some flaw in setup or vti not designed to handle ipcomp alg

Re: flow cache removed = xfrm doesnt work

2017-11-27 Thread Steffen Klassert
Cc netdev@vger.kernel.org, remove sta...@vger.kernel.org from Cc. On Mon, Nov 27, 2017 at 01:36:50PM +0100, Tomas Charvat wrote: > It was on gentoo-sources-4.14.2 (almost vanilla), config is attached. Could you please test with a vanilla v4.14.2 from kernel.org with the referred patch? If the

Re: ipsec: ipcomp alg problem on vti interface

2017-11-27 Thread Steffen Klassert
On Wed, Nov 22, 2017 at 07:06:13PM +0300, Alexey Kodanev wrote: > Hi Steffen, > > LTP has vti test-cases which fail on ipcomp alg, e.g. > "tcp_ipsec_vti.sh -p comp -m tunnel -s 100" > > Basically, the setup consists of the following commands: > > ip li add ltp_vti0 type vti local 10.0.0.2 remote

Re: WARNING in xfrm_state_fini

2017-11-27 Thread Steffen Klassert
On Tue, Nov 21, 2017 at 06:44:04PM -0800, Cong Wang wrote: > On Tue, Nov 21, 2017 at 2:00 AM, syzbot > > wrote: > > Hello, > > > > syzkaller hit the following crash on > > c8a0739b185d11d6e2ca7ad9f5835841d1cfc765 > >

Re: [PATCH RFC 0/5] Support asynchronous crypto for IPsec GSO.

2017-11-21 Thread Steffen Klassert
On Mon, Nov 20, 2017 at 10:20:40AM -0800, John Fastabend wrote: > On 11/20/2017 05:09 AM, David Miller wrote: > > From: Steffen Klassert <steffen.klass...@secunet.com> > > Date: Mon, 20 Nov 2017 08:37:47 +0100 > > > >> This patchset implements asynchronous cr

[PATCH RFC 5/5] esp: Don't require synchronous crypto fallback on offloading anymore.

2017-11-19 Thread Steffen Klassert
We support asynchronous crypto on layer 2 ESP now. So no need to force synchronous crypto fallback on offloading anymore. Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv4/esp4.c | 12 ++-- net/ipv6/esp6.c | 12 ++-- 2 files changed, 4 insertions(

[PATCH RFC 2/5] net: Add asynchronous callbacks for xfrm on layer 2.

2017-11-19 Thread Steffen Klassert
the packet in a backlog queue. Joint work with: Aviv Heller <av...@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- include/linux/netdevice.h | 6 ++- include/net/xfrm.h| 15 ++- net/core/dev.c| 16 +--- net

[PATCH RFC 4/5] xfrm: Allow IPsec GSO with software crypto for local sockets.

2017-11-19 Thread Steffen Klassert
With support of async crypto operations in the GSO codepath we have everything in place to allow GSO for local sockets. This patch enables the GSO codepath. Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- include/net/xfrm.h | 2 ++ 1 file changed, 2 insertions(+) diff

[PATCH RFC 0/5] Support asynchronous crypto for IPsec GSO.

2017-11-19 Thread Steffen Klassert
This patchset implements asynchronous crypto handling in the layer 2 TX path. With this we can allow IPsec ESP GSO for software crypto. This also merges the IPsec GSO and non-GSO paths to both use validate_xmit_xfrm(). 1) Separate ESP handling from segmentation for GRO packets. This unifies

[PATCH RFC 1/5] xfrm: Separate ESP handling from segmentation for GRO packets.

2017-11-19 Thread Steffen Klassert
We change the ESP GSO handlers to only segment the packets. The ESP handling and encryption is deferred to validate_xmit_xfrm() where this is done for non GRO packets too. This makes the code more robust and prepares for asynchronous crypto handling. Signed-off-by: Steffen Klassert <steffen.kl

[PATCH RFC 3/5] xfrm: Allow to use the layer2 IPsec GSO codepath for software crypto.

2017-11-19 Thread Steffen Klassert
We now have support for asynchronous crypto operations in the layer 2 TX path. This was the missing part to allow the GSO codepath for software crypto, so allow this codepath now. Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_device.c | 4 ++-- 1 file c

Re: Bisected 4.14 Regression: IPsec transport mode breakage

2017-11-17 Thread Steffen Klassert
On Wed, Nov 15, 2017 at 09:46:19AM -0700, Kevin Locke wrote: > Hi all, > > I am using an L2TP/IPsec (transport mode) VPN connection from a client > behind a NAT running Debian with strongswan 5.6.0-2 and xl2tpd > 1.3.10-1 to a Cisco Meraki MX60 with a public IP. The connection > works with

pull request (net): ipsec 2017-11-16

2017-11-16 Thread Steffen Klassert
1-15 06:42:28 +0100) Herbert Xu (1): xfrm: Copy policy family in clone_policy Steffen Klassert (1): Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find." net/xfrm/xfrm_policy.c | 30 +++--- 1 file changed, 19 insertions(+), 11 deletions(-)

[PATCH 1/2] xfrm: Copy policy family in clone_policy

2017-11-16 Thread Steffen Klassert
field. This triggers a BUG_ON check in the af_key code when the cloned policy is retrieved. This patch fixes it by copying the family field over. Reported-by: syzbot <syzkal...@googlegroups.com> Signed-off-by: Herbert Xu <herb...@gondor.apana.org.au> Signed-off-by: Steffen Klass

[PATCH 2/2] Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find."

2017-11-16 Thread Steffen Klassert
This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e. This commit breaks transport mode when the policy template has wildcard addresses configured, so revert it. Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_policy.

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-15 Thread Steffen Klassert
On Mon, Nov 06, 2017 at 11:16:46AM +0100, Steffen Klassert wrote: > > Subject: [PATCH ipsec] xfrm: Fix stack-out-of-bounds read in xfrm_state_find. > > When we do tunnel or beet mode, we pass saddr and daddr from the > template to xfrm_state_find(), this is ok. On transport

Re: kernel BUG at net/key/af_key.c:LINE!

2017-11-15 Thread Steffen Klassert
On Fri, Nov 10, 2017 at 02:14:06PM +1100, Herbert Xu wrote: > On Fri, Nov 10, 2017 at 01:30:38PM +1100, Herbert Xu wrote: > > > > I found the problem. This crap is coming from clone_policy. Now > > let me where this code came from. > > ---8<--- > Subject: xfrm: Copy policy family in

Re: [regression, 4.14] xfrm: Fix stack-out-of-bounds read in xfrm_state_find breaks selinux-testsuite

2017-11-14 Thread Steffen Klassert
On Tue, Nov 14, 2017 at 03:46:30PM -0500, Stephen Smalley wrote: > Hi, > > 4.14 is failing the selinux-testsuite labeled IPSEC tests despite > having just been fixed in commit cf37966751747727 ("xfrm: do > unconditional template resolution before pcpu cache check"). The > breaking commit is the

[PATCH 3/3] xfrm: Fix stack-out-of-bounds read in xfrm_state_find.

2017-11-08 Thread Steffen Klassert
IPv6 case, packet is IPv4 and template is IPv6. Fix this by using the addresses from the template unconditionally. Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_policy.c | 29 +++-- 1 file changed, 11 insertions(+), 18 deletions(-)

[PATCH 1/3] xfrm: defer daddr pointer assignment after spi parsing

2017-11-08 Thread Steffen Klassert
ported-by: syzbot <syzkal...@googlegroups.com> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_input.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_input.c

pull request (net): ipsec 2017-11-09

2017-11-08 Thread Steffen Klassert
assignment after spi parsing xfrm: do unconditional template resolution before pcpu cache check Steffen Klassert (1): xfrm: Fix stack-out-of-bounds read in xfrm_state_find. net/xfrm/xfrm_input.c | 4 +-- net/xfrm/xfrm_policy.c | 71 +- 2

[PATCH 2/3] xfrm: do unconditional template resolution before pcpu cache check

2017-11-08 Thread Steffen Klassert
phen Smalley <s...@tycho.nsa.gov> Tested-by: Stephen Smalley <s...@tycho.nsa.gov> Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Paul Moore <p...@paul-moore.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_policy.c | 42

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-06 Thread Steffen Klassert
On Fri, Nov 03, 2017 at 01:10:12PM +0100, Steffen Klassert wrote: > On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote: > > Steffen Klassert <steffen.klass...@secunet.com> wrote: > > > > > I'd propose to use the addresses from the template uncondition

Re: [PATCH ipsec-next] xfrm: don't pull esp/auth header in xfrm_parse_spi

2017-11-06 Thread Steffen Klassert
On Thu, Nov 02, 2017 at 01:54:10PM +0100, Florian Westphal wrote: > syzbot reported an issue where pointer to ip header content was not > reloaded after xfrm_parse_spi(). > > It's not intuitive that this function changes skb->head, so switch to > skb_pointer_header. I have to admit that this is

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-03 Thread Steffen Klassert
On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote: > Steffen Klassert <steffen.klass...@secunet.com> wrote: > > > I'd propose to use the addresses from the template unconditionally, > > like the (untested) patch below does. > > > > Unfort

Re: [PATCH ipsec] xfrm: do unconditional template resolution before pcpu cache check

2017-11-03 Thread Steffen Klassert
On Thu, Nov 02, 2017 at 06:57:29PM -0400, Paul Moore wrote: > On Thu, Nov 2, 2017 at 11:46 AM, Florian Westphal wrote: > > Stephen Smalley says: > > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic > > failures during testing of labeled IPSEC. git bisect

Re: [PATCH net] xfrm: defer daddr pointer assignment after spi parsing

2017-11-03 Thread Steffen Klassert
On Wed, Nov 01, 2017 at 08:30:49PM +0100, Florian Westphal wrote: > syzbot reports: > BUG: KASAN: use-after-free in __xfrm_state_lookup+0x695/0x6b0 > Read of size 4 at addr 8801d434e538 by task syzkaller647520/2991 > [..] > __xfrm_state_lookup+0x695/0x6b0 net/xfrm/xfrm_state.c:833 >

Re: KASAN: stack-out-of-bounds Read in xfrm_state_find (2)

2017-11-02 Thread Steffen Klassert
On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote: > syzbot > > wrote: > > [ cc Thomas Egerer ] > > > syzkaller hit the following crash on > > 36ef71cae353f88fd6e095e2aaa3e5953af1685d > >

[PATCH 3/3] xfrm: Fix GSO for IPsec with GRE tunnel.

2017-11-01 Thread Steffen Klassert
. Fixes: f1bd7d659ef0 ("xfrm: Add encapsulation header offsets while SKB is not encrypted") Reported-by: Vicente De Luca <vdel...@zendesk.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_output.c | 4 +++- 1 file changed, 3 insertions(+

pull request (net): ipsec 2017-11-01

2017-11-01 Thread Steffen Klassert
changes up to 73b9fc49b4c0116a04eda3979f64ed9b540b153c: xfrm: Fix GSO for IPsec with GRE tunnel. (2017-10-31 09:20:35 +0100) Jonathan Basseri (1): xfrm: Clear sk_dst_cache when applying per-socket policy. Steffen Klassert (2

[PATCH 1/3] xfrm: Fix xfrm_dst_cache memleak

2017-11-01 Thread Steffen Klassert
for the dummy bundle case. Fix the memleak by removing this refcount. Fixes: 3ca28286ea80 ("xfrm_policy: bypass flow_cache_lookup") Reported-by: Maxime Bizon <mbi...@freebox.fr> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_policy.c | 1 - 1 fi

[PATCH 2/3] xfrm: Clear sk_dst_cache when applying per-socket policy.

2017-11-01 Thread Steffen Klassert
https://android-review.googlesource.com/517555 Tested: https://android-review.googlesource.com/418659 Signed-off-by: Jonathan Basseri <misterik...@google.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_state.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/

Re: Using the aesni generic gcm(aes) aead in atomic context

2017-11-01 Thread Steffen Klassert
On Tue, Oct 31, 2017 at 09:41:24AM +, Ilya Lesokhin wrote: > > Are you sure supporting ASYNC crypto for fallback is worth the trouble? It is not just for fallback, I plan to support the IPsec GSO codepath for software crypto too. In this case we should be able to handle all algorithms,

Re: Using the aesni generic gcm(aes) aead in atomic context

2017-10-31 Thread Steffen Klassert
On Tue, Oct 31, 2017 at 03:44:38PM +0800, Herbert Xu wrote: > On Tue, Oct 31, 2017 at 07:39:08AM +, Ilya Lesokhin wrote: > > > > I think we should consider having a synchronous implementation that falls > > back > > to integer implementation when the FPU is not available. > > This would

[PATCH 2/8] xfrm: make xfrm_alg_len() return unsigned int

2017-10-30 Thread Steffen Klassert
From: Alexey Dobriyan <adobri...@gmail.com> Key lengths can't be negative. Comparison with nla_len() is left signed just in case negative value can sneak in there. Signed-off-by: Alexey Dobriyan <adobri...@gmail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.co

[PATCH 5/8] xfrm: eradicate size_t

2017-10-30 Thread Steffen Klassert
mall numbers like 1500 or 65536. Propagate unsignedness and flip some "int" to "unsigned int" as well. This is preparation to switching nlmsg_new() to "unsigned int". Signed-off-by: Alexey Dobriyan <adobri...@gmail.com> Signed-off-by: Steffen Klassert <stef

[PATCH 7/8] net: xfrm_user: use BUG_ON instead of if condition followed by BUG

2017-10-30 Thread Steffen Klassert
From: "Gustavo A. R. Silva" <garsi...@embeddedor.com> Use BUG_ON instead of if condition followed by BUG. This issue was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <garsi...@embeddedor.com> Signed-off-by: Steffen Klassert <steffen.klass

[PATCH 8/8] ipv6: esp6: use BUG_ON instead of if condition followed by BUG

2017-10-30 Thread Steffen Klassert
rb...@gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv6/esp6.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 1696401..4000b71 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@

[PATCH 6/8] esp6: remove redundant initialization of esph

2017-10-30 Thread Steffen Klassert
esp6.c:562:21: warning: Value stored to 'esph' during its initialization is never read Signed-off-by: Colin Ian King <colin.k...@canonical.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv6/esp6.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

[PATCH 4/8] xfrm: make xfrm_replay_state_esn_len() return unsigned int

2017-10-30 Thread Steffen Klassert
-6 xfrm_replay_notify_esn 349 337 -12 xfrm_replay_notify_bmp 345 333 -12 Signed-off-by: Alexey Dobriyan <adobri...@gmail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- include/net/xfrm.h

[PATCH 1/8] xfrm: make aead_len() return unsigned int

2017-10-30 Thread Steffen Klassert
From: Alexey Dobriyan <adobri...@gmail.com> Key lengths can't be negative. Comparison with nla_len() is left signed just in case negative value can sneak in there. Signed-off-by: Alexey Dobriyan <adobri...@gmail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.co

pull request (net-next): ipsec-next 2017-10-30

2017-10-30 Thread Steffen Klassert
1) Change some variables that can't be negative from int to unsigned int. From Alexey Dobriyan. 2) Remove a redundant header initialization in esp6. From Colin Ian King. 3) Some BUG to BUG_ON conversions. From Gustavo A. R. Silva. Please pull or let me know if there are problems.

[PATCH 3/8] xfrm: make xfrm_alg_auth_len() return unsigned int

2017-10-30 Thread Steffen Klassert
From: Alexey Dobriyan <adobri...@gmail.com> Key lengths can't be negative. Comparison with nla_len() is left signed just in case negative value can sneak in there. Signed-off-by: Alexey Dobriyan <adobri...@gmail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.co

Re: [PATCH v2] ipv6: esp6: use BUG_ON instead of if condition followed by BUG

2017-10-27 Thread Steffen Klassert
On Fri, Oct 27, 2017 at 06:38:36AM +0800, Herbert Xu wrote: > On Thu, Oct 26, 2017 at 07:51:06AM -0500, Gustavo A. R. Silva wrote: > > Use BUG_ON instead of if condition followed by BUG in esp_remove_trailer. > > > > This issue was detected with the help of Coccinelle. > > > > Signed-off-by:

Re: [PATCH v2] net: xfrm_user: use BUG_ON instead of if condition followed by BUG

2017-10-27 Thread Steffen Klassert
On Thu, Oct 26, 2017 at 06:31:35AM -0500, Gustavo A. R. Silva wrote:
> Use BUG_ON instead of if condition followed by BUG.
>
> This issue was detected with the help of Coccinelle.
>
> Signed-off-by: Gustavo A. R. Silva

Applied to ipsec-next, thanks Gustavo!

Re: [PATCH net v2] xfrm: Clear sk_dst_cache when applying per-socket policy.

2017-10-26 Thread Steffen Klassert
On Wed, Oct 25, 2017 at 09:52:27AM -0700, Jonathan Basseri wrote: > If a socket has a valid dst cache, then xfrm_lookup_route will get > skipped. However, the cache is not invalidated when applying policy to a > socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are > sometimes

Re: [RFC PATCH 07/12] xfrm: Move child route linkage into xfrm_dst.

2017-10-26 Thread Steffen Klassert
On Wed, Oct 25, 2017 at 11:03:59PM +0900, David Miller wrote: > > XFRM bundle child chains look like this: > > xdst1 --> xdst2 --> xdst3 --> path_dst > > All of xdstN are xfrm_dst objects and xdst->u.dst.xfrm is non-NULL. > The final child pointer in the chain, here called 'path_dst', is

Re: [PATCH net-next 2/3] xfrm: Fix offload dev state addition to occur after insertion

2017-10-26 Thread Steffen Klassert
On Wed, Oct 25, 2017 at 01:09:44PM +, Aviv Heller wrote: > -Original message- > > From: Steffen Klassert > > Sent: Wednesday, October 25 2017, 10:22 am > > To: av...@mellanox.com > > Cc: Herbert Xu; Boris Pismenny; Yossi Kuperman; Yevgeny Kliteynik;

Re: [PATCH] net: xfrm_user: use BUG_ON instead of if condition followed by BUG

2017-10-25 Thread Steffen Klassert
On Wed, Oct 25, 2017 at 01:22:22PM +0900, David Miller wrote: > From: Herbert Xu > Date: Wed, 25 Oct 2017 12:05:41 +0800 > > > On Tue, Oct 24, 2017 at 05:48:42PM +0900, David Miller wrote: > >> > >> This discussion has happened before. > >> > >> But I'll explain

Re: [PATCH net-next 2/3] xfrm: Fix offload dev state addition to occur after insertion

2017-10-25 Thread Steffen Klassert
On Tue, Oct 24, 2017 at 06:10:30PM +0300, av...@mellanox.com wrote: > From: Aviv Heller > > Adding the state to the offload device prior to replay init in > xfrm_state_construct() will result in NULL dereference if a matching > ESP packet is received in between. > > Adding

Re: [PATCH net] xfrm: Clear sk_dst_cache when applying per-socket policy.

2017-10-24 Thread Steffen Klassert
On Tue, Oct 24, 2017 at 09:58:48AM -0700, Jonathan Basseri wrote: > On Tue, Oct 24, 2017 at 12:04 AM, Steffen Klassert > <steffen.klass...@secunet.com> wrote: > > > > On Mon, Oct 23, 2017 at 06:18:55PM -0700, Jonathan Basseri wrote: > > > If a socket has a valid

Re: pull request (net): ipsec 2017-10-24

2017-10-24 Thread Steffen Klassert
On Tue, Oct 24, 2017 at 08:18:32PM +0900, David Miller wrote: > From: Steffen Klassert <steffen.klass...@secunet.com> > Date: Tue, 24 Oct 2017 12:37:38 +0200 > > > 1) Fix a memleak when we don't find a inner_mode > >during bundle creation. From David Miller. > &g

pull request (net): ipsec 2017-10-24

2017-10-24 Thread Steffen Klassert
1) Fix a memleak when we don't find a inner_mode during bundle creation. From David Miller. 2) Fix a xfrm policy dump crash. We may crash on error when dumping policies via netlink. Fix this by initializing the policy walk with the cb->start method. This fix is a serious stable

[PATCH 1/2] ipsec: Fix dst leak in xfrm_bundle_create().

2017-10-24 Thread Steffen Klassert
From: David Miller <da...@davemloft.net> If we cannot find a suitable inner_mode value, we will leak the currently allocated 'xdst'. The fix is to make sure it is linked into the chain before erroring out. Signed-off-by: David S. Miller <da...@davemloft.net> Signed-off-by: Stef

[PATCH 2/2] ipsec: Fix aborted xfrm policy dump crash

2017-10-24 Thread Steffen Klassert
the dump list") Signed-off-by: Herbert Xu <herb...@gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_user.c | 25 +++-- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/net/xfrm/xfrm_user.c b/net

Re: [PATCH net] xfrm: Clear sk_dst_cache when applying per-socket policy.

2017-10-24 Thread Steffen Klassert
On Mon, Oct 23, 2017 at 06:18:55PM -0700, Jonathan Basseri wrote: > If a socket has a valid dst cache, then xfrm_lookup_route will get > skipped. However, the cache is not invalidated when applying policy to a > socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are > sometimes

Re: [PATCH] esp6: remove redundant initialization of esph

2017-10-23 Thread Steffen Klassert
On Thu, Oct 19, 2017 at 03:09:47PM +0200, Colin King wrote: > From: Colin Ian King > > The pointer esph is being initialized with a value that is never > read and then being updated. Remove the redundant initialization > and move the declaration and initialization of

Re: [PATCH v2] ipsec: Fix aborted xfrm policy dump crash

2017-10-23 Thread Steffen Klassert
On Thu, Oct 19, 2017 at 08:51:10PM +0800, Herbert Xu wrote: > On Thu, Oct 19, 2017 at 02:33:20PM +0300, Timo Teras wrote: > > > > > Fixes: 4c563f7669c1 ("[XFRM]: Speed up xfrm_policy and xfrm_state...") > > > > This is not correct. The original commit works just fine. > > OK, I'll change it. >

Re: ipsec: Fix dst leak in xfrm_bundle_create().

2017-10-11 Thread Steffen Klassert
On Tue, Oct 10, 2017 at 08:59:38PM -0700, David Miller wrote: > > If we cannot find a suitable inner_mode value, we will leak > the currently allocated 'xdst'. > > The fix is to make sure it is linked into the chain before > erroring out. > > Signed-off-by: David S. Miller

[PATCH 1/4] xfrm: Fix deletion of offloaded SAs on failure.

2017-10-09 Thread Steffen Klassert
t;shannon.nel...@oracle.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 2bfbd91..b997f13 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_u

pull request (net): ipsec 2017-10-09

2017-10-09 Thread Steffen Klassert
Savkov (1): xfrm: don't call xfrm_policy_cache_flush under xfrm_state_lock Steffen Klassert (2): xfrm: Fix deletion of offloaded SAs on failure. xfrm: Fix negative device refcount on offload failure. net/xfrm/xfrm_device.c | 1 + net/xfrm/xfrm_input.c | 6 -- net/xfrm

[PATCH 4/4] xfrm: don't call xfrm_policy_cache_flush under xfrm_state_lock

2017-10-09 Thread Steffen Klassert
cy detected" warnings on flush. Fixes: ec30d78c14a8 xfrm: add xdst pcpu cache Signed-off-by: Artem Savkov <asav...@redhat.com> Acked-by: Florian Westphal <f...@strlen.de> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_state.c | 4 ++-- 1 file ch

[PATCH 3/4] vti: fix NULL dereference in xfrm_input()

2017-10-09 Thread Steffen Klassert
t secpath. Fix it by adding a check that skb->sp is not NULL. Fixes: 7e9e9202bccc ("xfrm: Clear RX SKB secpath xfrm_offload") Signed-off-by: Alexey Kodanev <alexey.koda...@oracle.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_inp

[PATCH 2/4] xfrm: Fix negative device refcount on offload failure.

2017-10-09 Thread Steffen Klassert
Reset the offload device at the xfrm_state if the device was not able to offload the state. Otherwise we drop the device refcount twice. Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") Reported-by: Shannon Nelson <shannon.nel...@oracle.com> Signed-off-by:

[PATCH net] ipv4: Fix traffic triggered IPsec connections.

2017-10-09 Thread Steffen Klassert
. This makes the connection unusable. Fix this by marking the dst_entry directly at allocation time as 'dead', so it is used only once. Fixes: b838d5e1c5b6 ("ipv4: mark DST_NOGC and remove the operation of dst_free()") Reported-by: Tobias Brunner <tob...@strongswan.org> Signed-off-by:

[PATCH net] ipv6: Fix traffic triggered IPsec connections.

2017-10-09 Thread Steffen Klassert
. This makes the connection unusable. Fix this by marking the dst_entry directly at allocation time as 'dead', so it is used only once. Fixes: 587fea741134 ("ipv6: mark DST_NOGC and remove the operation of dst_free()") Reported-by: Tobias Brunner <tob...@strongswan.org> Signed-off-by:

Re: [PATCH] xfrm: don't call xfrm_policy_cache_flush under xfrm_state_lock

2017-09-28 Thread Steffen Klassert
On Wed, Sep 27, 2017 at 02:31:03PM +0200, Florian Westphal wrote: > Artem Savkov wrote: > > I might be wrong but it doesn't look like xfrm_state_lock is required > > for xfrm_policy_cache_flush and calling it under this lock triggers both > > "sleeping function called from

Re: [PATCH 5/5] xfrm: eradicate size_t

2017-09-25 Thread Steffen Klassert
On Thu, Sep 21, 2017 at 11:48:54PM +0300, Alexey Dobriyan wrote: > All netlink message sizes are a) unsigned, b) can't be >= 4GB in size > because netlink doesn't support >= 64KB messages in the first place. > > All those size_t across the code are a scam especially across networking > which

Re: [PATCH] vti: fix NULL dereference in xfrm_input()

2017-09-13 Thread Steffen Klassert
On Tue, Sep 12, 2017 at 02:53:46PM +0300, Alexey Kodanev wrote: > Can be reproduced with LTP tests: > # icmp-uni-vti.sh -p ah -a sha256 -m tunnel -S fffe -k 1 -s 10 > > IPv4: > RIP: 0010:xfrm_input+0x7f9/0x870 > ... > Call Trace: > > vti_input+0xaa/0x110 [ip_vti] > ?

pull request (net-next): ipsec-next 2017-09-01

2017-09-01 Thread Steffen Klassert
changes up to 8598112d04af21cf6c895670e72dcb8a9f58e74f: xfrm: Fix return value check of copy_sec_ctx. (2017-08-31 10:37:00 +0200) Steffen Klassert (1): xfrm: Fix return value check of copy_sec_ctx. Yossi Kuperman (1): xfrm

[PATCH 2/2] xfrm: Fix return value check of copy_sec_ctx.

2017-09-01 Thread Steffen Klassert
A recent commit added an output_mark. When copying this output_mark, the return value of copy_sec_ctx is overwritten without a check. Fix this by copying the output_mark before the security context. Fixes: 077fbac405bf ("net: xfrm: support setting an output mark.") Signed-off-by: Steffe

[PATCH 1/2] xfrm: Add support for network devices capable of removing the ESP trailer

2017-09-01 Thread Steffen Klassert
man <yoss...@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- include/net/xfrm.h| 1 + net/ipv4/esp4.c | 70 ++- net/ipv6/esp6.c | 51 ++--- net/xfrm/xfrm_input

Re: [PATCH net-next] xfrm: Add support for network devices capable of removing the ESP trailer

2017-08-31 Thread Steffen Klassert
On Wed, Aug 30, 2017 at 11:30:39AM +0300, yoss...@mellanox.com wrote: > From: Yossi Kuperman > > In conjunction with crypto offload [1], removing the ESP trailer by > hardware can potentially improve the performance by avoiding (1) a > cache miss incurred by reading the

[PATCH 3/7] esp: Fix skb tailroom calculation

2017-08-29 Thread Steffen Klassert
skb_tailroom instead. Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv4/esp4.c | 2 +- net/ipv6/esp6.c | 2 +- 2 f

[PATCH 5/7] xfrm_user: fix info leak in xfrm_notify_sa()

2017-08-29 Thread Steffen Klassert
<herb...@gondor.apana.org.au> Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete notification") Signed-off-by: Mathias Krause <mini...@googlemail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 i

[PATCH 2/7] esp: Fix locking on page fragment allocation

2017-08-29 Thread Steffen Klassert
never possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv4/esp4.c | 5 +++-- net/ipv6/esp6.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/net/ipv4/esp4

[PATCH 6/7] xfrm_user: fix info leak in build_expire()

2017-08-29 Thread Steffen Klassert
isn't needed as copy_to_user_state() already takes care of clearing the padding bytes within the 'state' member. Signed-off-by: Mathias Krause <mini...@googlemail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_user.c | 2 ++ 1 file changed, 2 inserti

[PATCH 7/7] xfrm_user: fix info leak in build_aevent()

2017-08-29 Thread Steffen Klassert
atatu.com> Fixes: d51d081d6504 ("[IPSEC]: Sync series - user") Signed-off-by: Mathias Krause <mini...@googlemail.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_u

[PATCH 4/7] xfrm_user: fix info leak in copy_user_offload()

2017-08-29 Thread Steffen Klassert
From: Mathias Krause <mini...@googlemail.com> The memory reserved to dump the xfrm offload state includes padding bytes of struct xfrm_user_offload added by the compiler for alignment. Add an explicit memset(0) before filling the buffer to avoid the heap info leak. Cc: Steffen Kl

[PATCH 1/7] net: xfrm: don't double-hold dst when sk_policy in use.

2017-08-29 Thread Steffen Klassert
76 passes on net-next Signed-off-by: Lorenzo Colitti <lore...@google.com> Acked-by: Wei Wang <wei...@google.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_policy.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/xfrm/xfrm_policy.c b/net

pull request (net): ipsec 2017-08-29

2017-08-29 Thread Steffen Klassert
in use. Mathias Krause (4): xfrm_user: fix info leak in copy_user_offload() xfrm_user: fix info leak in xfrm_notify_sa() xfrm_user: fix info leak in build_expire() xfrm_user: fix info leak in build_aevent() Steffen Klassert (2): esp: Fix locking on page fragment

Re: [PATCH net 0/4] xfrm_user info leaks

2017-08-28 Thread Steffen Klassert
On Mon, Aug 28, 2017 at 03:52:32PM -0700, David Miller wrote: > From: Mathias Krause > Date: Sat, 26 Aug 2017 17:08:56 +0200 > > > Hi David, Steffen, > > > > the following series fixes a few info leaks due to missing padding byte > > initialization in the xfrm_user

Re: [PATCH net] ipv6: Fix may be used uninitialized warning in rt6_check

2017-08-25 Thread Steffen Klassert
On Fri, Aug 25, 2017 at 09:05:42AM +0200, Steffen Klassert wrote: > rt_cookie might be used uninitialized, fix this by > initializing it. > > Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node") > Signed-off-by: Steffen Klassert <steffen.klass.

[PATCH net] ipv6: Fix may be used uninitialized warning in rt6_check

2017-08-25 Thread Steffen Klassert
rt_cookie might be used uninitialized, fix this by initializing it. Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node") Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv6/route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletio

Re: [PATCH net] net: xfrm: don't double-hold dst when sk_policy in use.

2017-08-24 Thread Steffen Klassert
On Wed, Aug 23, 2017 at 05:14:39PM +0900, Lorenzo Colitti wrote: > While removing dst_entry garbage collection, commit 52df157f17e5 > ("xfrm: take refcnt of dst when creating struct xfrm_dst bundle") > changed xfrm_resolve_and_create_bundle so it returns an xdst with > a refcount of 1 instead of

Re: skb_over_panic when sending esp traffic from a vmware guest

2017-08-21 Thread Steffen Klassert
On Thu, Aug 17, 2017 at 07:19:03PM +, Nick Huber wrote: > I've been experiencing the following traceback since upgrading from the 4.9 > kernel to the 4.11 branch. I've only seen this in a few VMWare guests and I > haven't been able to narrow down what exactly is causing it. I'm not familiar >

IPsec workshop at netdevconf

2017-08-21 Thread Steffen Klassert
failure using decrypted packet vs. plaintext packet Steffen Klassert: Presentation: The IPsec status update. Discussion: Redesigning the IPsec VTI interfaces.

[PATCH 4/4] esp: Fix error handling on layer 2 xmit.

2017-08-21 Thread Steffen Klassert
ut") Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv4/esp4_offload.c | 2 +- net/ipv6/esp6_offload.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index e066601..5011232 100644 --- a/net/ipv

[PATCH 2/4] xfrm: fix null pointer dereference on state and tmpl sort

2017-08-21 Thread Steffen Klassert
g rule, which would fruitlessly affect all but the aforementioned case. Signed-off-by: Koichiro Den <d...@klaipeden.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_state.c | 8 1 file changed, 8 insertions(+) diff --git a/net/xfrm/xfrm_

[PATCH 3/4] xfrm: policy: check policy direction value

2017-08-21 Thread Steffen Klassert
https://bugzilla.redhat.com/show_bug.cgi?id=1474928 Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") Cc: <sta...@vger.kernel.org> # v2.6.21-rc1 Reported-by: "bo Zhang" <zhangbo5891...@gmail.com> Signed-off-by: Vladis Dronov <vdro...@re

[PATCH 1/4] esp: Fix memleaks on error paths.

2017-08-21 Thread Steffen Klassert
We leak the temporary allocated resources in error paths, fix this by freeing them. Fixes: fca11ebde3f ("esp4: Reorganize esp_output") Fixes: 383d0350f2c ("esp6: Reorganize esp_output") Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always") S

pull request (net): ipsec 2017-08-21

2017-08-21 Thread Steffen Klassert
) Koichiro Den (1): xfrm: fix null pointer dereference on state and tmpl sort Steffen Klassert (2): esp: Fix memleaks on error paths. esp: Fix error handling on layer 2 xmit. Vladis Dronov (1): xfrm: policy

[PATCH 4/8] esp6: Fix RX checksum after header pull

2017-08-20 Thread Steffen Klassert
xthdrs.c and rawv6_rcv() in raw.c Signed-off-by: Yossi Kuperman <yoss...@mellanox.com> Signed-off-by: Ilan Tayari <il...@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/ipv6/esp6.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv

[PATCH 5/8] xfrm: Auto-load xfrm offload modules

2017-08-20 Thread Steffen Klassert
esp.ko) Signed-off-by: Ilan Tayari <il...@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- include/net/xfrm.h | 4 +++- net/ipv4/esp4_offload.c | 1 + net/ipv6/esp6_offload.c | 1 + net/xfrm/xfrm_device.c | 2 +- net/xfrm/xfrm_state.c | 16

[PATCH 6/8] xfrm: Clear RX SKB secpath xfrm_offload

2017-08-20 Thread Steffen Klassert
by: Ilan Tayari <il...@mellanox.com> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> --- net/xfrm/xfrm_input.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 923205e..f07eec5 100644 --- a/net/xfrm/xfrm_input.c +++ b/

[PATCH 7/8] net: Allow IPsec GSO for local sockets

2017-08-20 Thread Steffen Klassert
This patch allows local sockets to make use of XFRM GSO code path. Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com> Signed-off-by: Ilan Tayari <il...@mellanox.com> --- include/net/xfrm.h | 19 +++ net/core/sock.c| 2 +- 2 files changed, 20 inse
