On Mon, Nov 20, 2017 at 02:26:07PM -0800, Shannon Nelson wrote:
> Add a writeup on how to use the XFRM device offload API, and
> mention this new file in the index.
>
> Signed-off-by: Shannon Nelson
Applied to ipsec-next, thanks a lot for this documentation!
On Mon, Nov 20, 2017 at 07:26:02PM +0900, Lorenzo Colitti wrote:
> Currently it is possible to add or update socket policies, but
> not clear them. Therefore, once a socket policy has been applied,
> the socket cannot be used for unencrypted traffic.
>
> This patch allows (privileged) users to
On Mon, Nov 27, 2017 at 05:46:28PM +0100, Tomas Charvat wrote:
> Gentoo-sources has no change vs vanilla in ipsec. However here is result
> from Vanilla 4.14.2 with OFFLOAD=N
>
> [ 2338.440735] BUG: unable to handle kernel NULL pointer dereference at
> 0018
> [ 2338.440830] IP:
2
> does in xfrm_xfrmproto_getbyname().
>
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Cc: Steffen Klassert <steffen.klass...@secunet.com>
> Cc: Herbert Xu <herb...@gondor.apana.org.au>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Patch applied, thanks!
On Mon, Nov 27, 2017 at 04:00:38PM +0300, Alexey Kodanev wrote:
> On 11/27/2017 03:07 PM, Steffen Klassert wrote:
> > On Wed, Nov 22, 2017 at 07:06:13PM +0300, Alexey Kodanev wrote:
> >>
> >> Is there some flaw in setup or vti not designed to handle ipcomp alg
Cc netdev@vger.kernel.org, remove sta...@vger.kernel.org from Cc.
On Mon, Nov 27, 2017 at 01:36:50PM +0100, Tomas Charvat wrote:
> It was on gentoo-sources-4.14.2 (almost vanilla), config is attached.
Could you please test with a vanilla v4.14.2 from kernel.org with
the referred patch?
If the
On Wed, Nov 22, 2017 at 07:06:13PM +0300, Alexey Kodanev wrote:
> Hi Steffen,
>
> LTP has vti test-cases which fail on ipcomp alg, e.g.
> "tcp_ipsec_vti.sh -p comp -m tunnel -s 100"
>
> Basically, the setup consists of the following commands:
>
> ip li add ltp_vti0 type vti local 10.0.0.2 remote
On Tue, Nov 21, 2017 at 06:44:04PM -0800, Cong Wang wrote:
> On Tue, Nov 21, 2017 at 2:00 AM, syzbot
>
> wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > c8a0739b185d11d6e2ca7ad9f5835841d1cfc765
> >
On Mon, Nov 20, 2017 at 10:20:40AM -0800, John Fastabend wrote:
> On 11/20/2017 05:09 AM, David Miller wrote:
> > From: Steffen Klassert <steffen.klass...@secunet.com>
> > Date: Mon, 20 Nov 2017 08:37:47 +0100
> >
> >> This patchset implements asynchronous cr
We support asynchronous crypto on layer 2 ESP now.
So no need to force synchronous crypto fallback on
offloading anymore.
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv4/esp4.c | 12 ++--
net/ipv6/esp6.c | 12 ++--
2 files changed, 4 insertions(
the
packet in a backlog queue.
Joint work with: Aviv Heller <av...@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
include/linux/netdevice.h | 6 ++-
include/net/xfrm.h| 15 ++-
net/core/dev.c| 16 +---
net
With support of async crypto operations in the GSO codepath
we have everything in place to allow GSO for local sockets.
This patch enables the GSO codepath.
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
include/net/xfrm.h | 2 ++
1 file changed, 2 insertions(+)
diff
This patchset implements asynchronous crypto handling
in the layer 2 TX path. With this we can allow IPsec
ESP GSO for software crypto. This also merges the IPsec
GSO and non-GSO paths to both use validate_xmit_xfrm().
1) Separate ESP handling from segmentation for GRO packets.
This unifies
We change the ESP GSO handlers to only segment the packets.
The ESP handling and encryption is deferred to validate_xmit_xfrm()
where this is done for non GRO packets too. This makes the code
more robust and prepares for asynchronous crypto handling.
Signed-off-by: Steffen Klassert <steffen.kl
We now have support for asynchronous crypto operations in the layer 2 TX
path. This was the missing part to allow the GSO codepath for software
crypto, so allow this codepath now.
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_device.c | 4 ++--
1 file c
On Wed, Nov 15, 2017 at 09:46:19AM -0700, Kevin Locke wrote:
> Hi all,
>
> I am using an L2TP/IPsec (transport mode) VPN connection from a client
> behind a NAT running Debian with strongswan 5.6.0-2 and xl2tpd
> 1.3.10-1 to a Cisco Meraki MX60 with a public IP. The connection
> works with
1-15
06:42:28 +0100)
Herbert Xu (1):
xfrm: Copy policy family in clone_policy
Steffen Klassert (1):
Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find."
net/xfrm/xfrm_policy.c | 30 +++---
1 file changed, 19 insertions(+), 11 deletions(-)
field. This triggers a BUG_ON
check in the af_key code when the cloned policy is retrieved.
This patch fixes it by copying the family field over.
Reported-by: syzbot <syzkal...@googlegroups.com>
Signed-off-by: Herbert Xu <herb...@gondor.apana.org.au>
Signed-off-by: Steffen Klass
This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
This commit breaks transport mode when the policy template
has wildcard addresses configured, so revert it.
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_policy.
On Mon, Nov 06, 2017 at 11:16:46AM +0100, Steffen Klassert wrote:
>
> Subject: [PATCH ipsec] xfrm: Fix stack-out-of-bounds read in xfrm_state_find.
>
> When we do tunnel or beet mode, we pass saddr and daddr from the
> template to xfrm_state_find(), this is ok. On transport
On Fri, Nov 10, 2017 at 02:14:06PM +1100, Herbert Xu wrote:
> On Fri, Nov 10, 2017 at 01:30:38PM +1100, Herbert Xu wrote:
> >
> > I found the problem. This crap is coming from clone_policy. Now
> > let me where this code came from.
>
> ---8<---
> Subject: xfrm: Copy policy family in
On Tue, Nov 14, 2017 at 03:46:30PM -0500, Stephen Smalley wrote:
> Hi,
>
> 4.14 is failing the selinux-testsuite labeled IPSEC tests despite
> having just been fixed in commit cf37966751747727 ("xfrm: do
> unconditional template resolution before pcpu cache check"). The
> breaking commit is the
IPv6 case, packet
is IPv4 and template is IPv6. Fix this by using the addresses
from the template unconditionally.
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_policy.c | 29 +++--
1 file changed, 11 insertions(+), 18 deletions(-)
ported-by: syzbot <syzkal...@googlegroups.com>
Signed-off-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_input.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_input.c
assignment after spi parsing
xfrm: do unconditional template resolution before pcpu cache check
Steffen Klassert (1):
xfrm: Fix stack-out-of-bounds read in xfrm_state_find.
net/xfrm/xfrm_input.c | 4 +--
net/xfrm/xfrm_policy.c | 71 +-
2
phen Smalley <s...@tycho.nsa.gov>
Tested-by: Stephen Smalley <s...@tycho.nsa.gov>
Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Paul Moore <p...@paul-moore.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_policy.c | 42
On Fri, Nov 03, 2017 at 01:10:12PM +0100, Steffen Klassert wrote:
> On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote:
> > Steffen Klassert <steffen.klass...@secunet.com> wrote:
> >
> > > I'd propose to use the addresses from the template uncondition
On Thu, Nov 02, 2017 at 01:54:10PM +0100, Florian Westphal wrote:
> syzbot reported an issue where pointer to ip header content was not
> reloaded after xfrm_parse_spi().
>
> It's not intuitive that this function changes skb->head, so switch to
> skb_pointer_header.
I have to admit that this is
On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote:
> Steffen Klassert <steffen.klass...@secunet.com> wrote:
>
> > I'd propose to use the addresses from the template unconditionally,
> > like the (untested) patch below does.
> >
> > Unfort
On Thu, Nov 02, 2017 at 06:57:29PM -0400, Paul Moore wrote:
> On Thu, Nov 2, 2017 at 11:46 AM, Florian Westphal wrote:
> > Stephen Smalley says:
> > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic
> > failures during testing of labeled IPSEC. git bisect
On Wed, Nov 01, 2017 at 08:30:49PM +0100, Florian Westphal wrote:
> syzbot reports:
> BUG: KASAN: use-after-free in __xfrm_state_lookup+0x695/0x6b0
> Read of size 4 at addr 8801d434e538 by task syzkaller647520/2991
> [..]
> __xfrm_state_lookup+0x695/0x6b0 net/xfrm/xfrm_state.c:833
>
On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote:
> syzbot
>
> wrote:
>
> [ cc Thomas Egerer ]
>
> > syzkaller hit the following crash on
> > 36ef71cae353f88fd6e095e2aaa3e5953af1685d
> >
.
Fixes: f1bd7d659ef0 ("xfrm: Add encapsulation header offsets while SKB is not
encrypted")
Reported-by: Vicente De Luca <vdel...@zendesk.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_output.c | 4 +++-
1 file changed, 3 insertions(+
changes up to 73b9fc49b4c0116a04eda3979f64ed9b540b153c:
xfrm: Fix GSO for IPsec with GRE tunnel. (2017-10-31 09:20:35 +0100)
Jonathan Basseri (1):
xfrm: Clear sk_dst_cache when applying per-socket policy.
Steffen Klassert (2
for the
dummy bundle case. Fix the memleak by removing this refcount.
Fixes: 3ca28286ea80 ("xfrm_policy: bypass flow_cache_lookup")
Reported-by: Maxime Bizon <mbi...@freebox.fr>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_policy.c | 1 -
1 fi
https://android-review.googlesource.com/517555
Tested: https://android-review.googlesource.com/418659
Signed-off-by: Jonathan Basseri <misterik...@google.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/
On Tue, Oct 31, 2017 at 09:41:24AM +, Ilya Lesokhin wrote:
>
> Are you sure supporting ASYNC crypto for fallback is worth the trouble?
It is not just for fallback, I plan to support the IPsec GSO codepath
for software crypto too. In this case we should be able to handle all
algorithms,
On Tue, Oct 31, 2017 at 03:44:38PM +0800, Herbert Xu wrote:
> On Tue, Oct 31, 2017 at 07:39:08AM +, Ilya Lesokhin wrote:
> >
> > I think we should consider having a synchronous implementation that falls
> > back
> > to integer implementation when the FPU is not available.
> > This would
From: Alexey Dobriyan <adobri...@gmail.com>
Key lengths can't be negative.
Comparison with nla_len() is left signed just in case negative value
can sneak in there.
Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.co
mall numbers like 1500 or 65536.
Propagate unsignedness and flip some "int" to "unsigned int" as well.
This is preparation to switching nlmsg_new() to "unsigned int".
Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
Signed-off-by: Steffen Klassert <stef
From: "Gustavo A. R. Silva" <garsi...@embeddedor.com>
Use BUG_ON instead of if condition followed by BUG.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <garsi...@embeddedor.com>
Signed-off-by: Steffen Klassert <steffen.klass
rb...@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv6/esp6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 1696401..4000b71 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@
esp6.c:562:21: warning: Value stored to 'esph' during its
initialization is never read
Signed-off-by: Colin Ian King <colin.k...@canonical.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv6/esp6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
-6
xfrm_replay_notify_esn 349 337 -12
xfrm_replay_notify_bmp 345 333 -12
Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
include/net/xfrm.h
From: Alexey Dobriyan <adobri...@gmail.com>
Key lengths can't be negative.
Comparison with nla_len() is left signed just in case negative value
can sneak in there.
Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.co
1) Change some variables that can't be negative
from int to unsigned int. From Alexey Dobriyan.
2) Remove a redundant header initialization in esp6.
From Colin Ian King.
3) Some BUG to BUG_ON conversions.
From Gustavo A. R. Silva.
Please pull or let me know if there are problems.
From: Alexey Dobriyan <adobri...@gmail.com>
Key lengths can't be negative.
Comparison with nla_len() is left signed just in case negative value
can sneak in there.
Signed-off-by: Alexey Dobriyan <adobri...@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.co
On Fri, Oct 27, 2017 at 06:38:36AM +0800, Herbert Xu wrote:
> On Thu, Oct 26, 2017 at 07:51:06AM -0500, Gustavo A. R. Silva wrote:
> > Use BUG_ON instead of if condition followed by BUG in esp_remove_trailer.
> >
> > This issue was detected with the help of Coccinelle.
> >
> > Signed-off-by:
On Thu, Oct 26, 2017 at 06:31:35AM -0500, Gustavo A. R. Silva wrote:
> Use BUG_ON instead of if condition followed by BUG.
>
> This issue was detected with the help of Coccinelle.
>
> Signed-off-by: Gustavo A. R. Silva
Applied to ipsec-next, thanks Gustavo!
On Wed, Oct 25, 2017 at 09:52:27AM -0700, Jonathan Basseri wrote:
> If a socket has a valid dst cache, then xfrm_lookup_route will get
> skipped. However, the cache is not invalidated when applying policy to a
> socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
> sometimes
On Wed, Oct 25, 2017 at 11:03:59PM +0900, David Miller wrote:
>
> XFRM bundle child chains look like this:
>
> xdst1 --> xdst2 --> xdst3 --> path_dst
>
> All of xdstN are xfrm_dst objects and xdst->u.dst.xfrm is non-NULL.
> The final child pointer in the chain, here called 'path_dst', is
On Wed, Oct 25, 2017 at 01:09:44PM +, Aviv Heller wrote:
> -Original message-
> > From: Steffen Klassert
> > Sent: Wednesday, October 25 2017, 10:22 am
> > To: av...@mellanox.com
> > Cc: Herbert Xu; Boris Pismenny; Yossi Kuperman; Yevgeny Kliteynik;
On Wed, Oct 25, 2017 at 01:22:22PM +0900, David Miller wrote:
> From: Herbert Xu
> Date: Wed, 25 Oct 2017 12:05:41 +0800
>
> > On Tue, Oct 24, 2017 at 05:48:42PM +0900, David Miller wrote:
> >>
> >> This discussion has happened before.
> >>
> >> But I'll explain
On Tue, Oct 24, 2017 at 06:10:30PM +0300, av...@mellanox.com wrote:
> From: Aviv Heller
>
> Adding the state to the offload device prior to replay init in
> xfrm_state_construct() will result in NULL dereference if a matching
> ESP packet is received in between.
>
> Adding
On Tue, Oct 24, 2017 at 09:58:48AM -0700, Jonathan Basseri wrote:
> On Tue, Oct 24, 2017 at 12:04 AM, Steffen Klassert
> <steffen.klass...@secunet.com> wrote:
> >
> > On Mon, Oct 23, 2017 at 06:18:55PM -0700, Jonathan Basseri wrote:
> > > If a socket has a valid
On Tue, Oct 24, 2017 at 08:18:32PM +0900, David Miller wrote:
> From: Steffen Klassert <steffen.klass...@secunet.com>
> Date: Tue, 24 Oct 2017 12:37:38 +0200
>
> > 1) Fix a memleak when we don't find an inner_mode
> >during bundle creation. From David Miller.
> &g
1) Fix a memleak when we don't find an inner_mode
during bundle creation. From David Miller.
2) Fix an xfrm policy dump crash. We may crash
on error when dumping policies via netlink.
Fix this by initializing the policy walk
with the cb->start method. This fix is a
serious stable
From: David Miller <da...@davemloft.net>
If we cannot find a suitable inner_mode value, we will leak
the currently allocated 'xdst'.
The fix is to make sure it is linked into the chain before
erroring out.
Signed-off-by: David S. Miller <da...@davemloft.net>
Signed-off-by: Stef
the dump list")
Signed-off-by: Herbert Xu <herb...@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_user.c | 25 +++--
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net
On Mon, Oct 23, 2017 at 06:18:55PM -0700, Jonathan Basseri wrote:
> If a socket has a valid dst cache, then xfrm_lookup_route will get
> skipped. However, the cache is not invalidated when applying policy to a
> socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
> sometimes
On Thu, Oct 19, 2017 at 03:09:47PM +0200, Colin King wrote:
> From: Colin Ian King
>
> The pointer esph is being initialized with a value that is never
> read and then being updated. Remove the redundant initialization
> and move the declaration and initialization of
On Thu, Oct 19, 2017 at 08:51:10PM +0800, Herbert Xu wrote:
> On Thu, Oct 19, 2017 at 02:33:20PM +0300, Timo Teras wrote:
> >
> > > Fixes: 4c563f7669c1 ("[XFRM]: Speed up xfrm_policy and xfrm_state...")
> >
> > This is not correct. The original commit works just fine.
>
> OK, I'll change it.
>
On Tue, Oct 10, 2017 at 08:59:38PM -0700, David Miller wrote:
>
> If we cannot find a suitable inner_mode value, we will leak
> the currently allocated 'xdst'.
>
> The fix is to make sure it is linked into the chain before
> erroring out.
>
> Signed-off-by: David S. Miller
t;shannon.nel...@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2bfbd91..b997f13 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_u
Savkov (1):
xfrm: don't call xfrm_policy_cache_flush under xfrm_state_lock
Steffen Klassert (2):
xfrm: Fix deletion of offloaded SAs on failure.
xfrm: Fix negative device refcount on offload failure.
net/xfrm/xfrm_device.c | 1 +
net/xfrm/xfrm_input.c | 6 --
net/xfrm
cy detected" warnings on flush.
Fixes: ec30d78c14a8 ("xfrm: add xdst pcpu cache")
Signed-off-by: Artem Savkov <asav...@redhat.com>
Acked-by: Florian Westphal <f...@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_state.c | 4 ++--
1 file ch
t secpath.
Fix it by adding a check that skb->sp is not NULL.
Fixes: 7e9e9202bccc ("xfrm: Clear RX SKB secpath xfrm_offload")
Signed-off-by: Alexey Kodanev <alexey.koda...@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_inp
Reset the offload device at the xfrm_state if the device was
not able to offload the state. Otherwise we drop the device
refcount twice.
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Reported-by: Shannon Nelson <shannon.nel...@oracle.com>
Signed-off-by:
. This makes the
connection unusable.
Fix this by marking the dst_entry directly at allocation time
as 'dead', so it is used only once.
Fixes: b838d5e1c5b6 ("ipv4: mark DST_NOGC and remove the operation of
dst_free()")
Reported-by: Tobias Brunner <tob...@strongswan.org>
Signed-off-by:
.
This makes the connection unusable.
Fix this by marking the dst_entry directly at allocation time
as 'dead', so it is used only once.
Fixes: 587fea741134 ("ipv6: mark DST_NOGC and remove the operation of
dst_free()")
Reported-by: Tobias Brunner <tob...@strongswan.org>
Signed-off-by:
On Wed, Sep 27, 2017 at 02:31:03PM +0200, Florian Westphal wrote:
> Artem Savkov wrote:
> > I might be wrong but it doesn't look like xfrm_state_lock is required
> > for xfrm_policy_cache_flush and calling it under this lock triggers both
> > "sleeping function called from
On Thu, Sep 21, 2017 at 11:48:54PM +0300, Alexey Dobriyan wrote:
> All netlink message sizes are a) unsigned, b) can't be >= 4GB in size
> because netlink doesn't support >= 64KB messages in the first place.
>
> All those size_t across the code are a scam especially across networking
> which
On Tue, Sep 12, 2017 at 02:53:46PM +0300, Alexey Kodanev wrote:
> Can be reproduced with LTP tests:
> # icmp-uni-vti.sh -p ah -a sha256 -m tunnel -S fffe -k 1 -s 10
>
> IPv4:
> RIP: 0010:xfrm_input+0x7f9/0x870
> ...
> Call Trace:
>
> vti_input+0xaa/0x110 [ip_vti]
> ?
changes up to 8598112d04af21cf6c895670e72dcb8a9f58e74f:
xfrm: Fix return value check of copy_sec_ctx. (2017-08-31 10:37:00 +0200)
Steffen Klassert (1):
xfrm: Fix return value check of copy_sec_ctx.
Yossi Kuperman (1):
xfrm
A recent commit added an output_mark. When copying
this output_mark, the return value of copy_sec_ctx
is overwritten without a check. Fix this by copying
the output_mark before the security context.
Fixes: 077fbac405bf ("net: xfrm: support setting an output mark.")
Signed-off-by: Steffe
man <yoss...@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
include/net/xfrm.h| 1 +
net/ipv4/esp4.c | 70 ++-
net/ipv6/esp6.c | 51 ++---
net/xfrm/xfrm_input
On Wed, Aug 30, 2017 at 11:30:39AM +0300, yoss...@mellanox.com wrote:
> From: Yossi Kuperman
>
> In conjunction with crypto offload [1], removing the ESP trailer by
> hardware can potentially improve the performance by avoiding (1) a
> cache miss incurred by reading the
skb_tailroom instead.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv4/esp4.c | 2 +-
net/ipv6/esp6.c | 2 +-
2 f
<herb...@gondor.apana.org.au>
Fixes: 0603eac0d6b7 ("[IPSEC]: Add XFRMA_SA/XFRMA_POLICY for delete
notification")
Signed-off-by: Mathias Krause <mini...@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 i
never possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv4/esp4.c | 5 +++--
net/ipv6/esp6.c | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/esp4
isn't needed as copy_to_user_state()
already takes care of clearing the padding bytes within the 'state'
member.
Signed-off-by: Mathias Krause <mini...@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_user.c | 2 ++
1 file changed, 2 inserti
atatu.com>
Fixes: d51d081d6504 ("[IPSEC]: Sync series - user")
Signed-off-by: Mathias Krause <mini...@googlemail.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_user.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_u
From: Mathias Krause <mini...@googlemail.com>
The memory reserved to dump the xfrm offload state includes padding
bytes of struct xfrm_user_offload added by the compiler for alignment.
Add an explicit memset(0) before filling the buffer to avoid the heap
info leak.
Cc: Steffen Kl
76 passes on net-next
Signed-off-by: Lorenzo Colitti <lore...@google.com>
Acked-by: Wei Wang <wei...@google.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_policy.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net
in use.
Mathias Krause (4):
xfrm_user: fix info leak in copy_user_offload()
xfrm_user: fix info leak in xfrm_notify_sa()
xfrm_user: fix info leak in build_expire()
xfrm_user: fix info leak in build_aevent()
Steffen Klassert (2):
esp: Fix locking on page fragment
On Mon, Aug 28, 2017 at 03:52:32PM -0700, David Miller wrote:
> From: Mathias Krause
> Date: Sat, 26 Aug 2017 17:08:56 +0200
>
> > Hi David, Steffen,
> >
> > the following series fixes a few info leaks due to missing padding byte
> > initialization in the xfrm_user
On Fri, Aug 25, 2017 at 09:05:42AM +0200, Steffen Klassert wrote:
> rt_cookie might be used uninitialized, fix this by
> initializing it.
>
> Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
> Signed-off-by: Steffen Klassert <steffen.klass.
rt_cookie might be used uninitialized, fix this by
initializing it.
Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv6/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletio
On Wed, Aug 23, 2017 at 05:14:39PM +0900, Lorenzo Colitti wrote:
> While removing dst_entry garbage collection, commit 52df157f17e5
> ("xfrm: take refcnt of dst when creating struct xfrm_dst bundle")
> changed xfrm_resolve_and_create_bundle so it returns an xdst with
> a refcount of 1 instead of
On Thu, Aug 17, 2017 at 07:19:03PM +, Nick Huber wrote:
> I've been experiencing the following traceback since upgrading from the 4.9
> kernel to the 4.11 branch. I've only seen this in a few VMWare guests and I
> haven't been able to narrow down what exactly is causing it. I'm not familiar
>
failure using decrypted packet
vs. plaintext packet
Steffen Klassert:
Presentation: The IPsec status update.
Discussion: Redesigning the IPsec VTI interfaces.
ut")
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv4/esp4_offload.c | 2 +-
net/ipv6/esp6_offload.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index e066601..5011232 100644
--- a/net/ipv
g rule, which would fruitlessly affect
all but the aforementioned case.
Signed-off-by: Koichiro Den <d...@klaipeden.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_state.c | 8
1 file changed, 8 insertions(+)
diff --git a/net/xfrm/xfrm_
https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint
address(es)")
Cc: <sta...@vger.kernel.org> # v2.6.21-rc1
Reported-by: "bo Zhang" <zhangbo5891...@gmail.com>
Signed-off-by: Vladis Dronov <vdro...@re
We leak the temporary allocated resources in error paths,
fix this by freeing them.
Fixes: fca11ebde3f ("esp4: Reorganize esp_output")
Fixes: 383d0350f2c ("esp6: Reorganize esp_output")
Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always")
S
)
Koichiro Den (1):
xfrm: fix null pointer dereference on state and tmpl sort
Steffen Klassert (2):
esp: Fix memleaks on error paths.
esp: Fix error handling on layer 2 xmit.
Vladis Dronov (1):
xfrm: policy
xthdrs.c and rawv6_rcv() in raw.c
Signed-off-by: Yossi Kuperman <yoss...@mellanox.com>
Signed-off-by: Ilan Tayari <il...@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/ipv6/esp6.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv
esp.ko)
Signed-off-by: Ilan Tayari <il...@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
include/net/xfrm.h | 4 +++-
net/ipv4/esp4_offload.c | 1 +
net/ipv6/esp6_offload.c | 1 +
net/xfrm/xfrm_device.c | 2 +-
net/xfrm/xfrm_state.c | 16
by: Ilan Tayari <il...@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
---
net/xfrm/xfrm_input.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 923205e..f07eec5 100644
--- a/net/xfrm/xfrm_input.c
+++ b/
This patch allows local sockets to make use of XFRM GSO code path.
Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
Signed-off-by: Ilan Tayari <il...@mellanox.com>
---
include/net/xfrm.h | 19 +++
net/core/sock.c| 2 +-
2 files changed, 20 inse