On Fri, Dec 29, 2017 at 06:15:23PM -0600, Eric Biggers wrote:
> From: Eric Biggers
>
> If a message sent to a PF_KEY socket ended with an incomplete extension
> header (fewer than 4 bytes remaining), then parse_exthdrs() read past
> the end of the message, into uninitialized memory. Fix it by re
On Fri, Dec 29, 2017 at 06:13:05PM -0600, Eric Biggers wrote:
> From: Eric Biggers
>
> If a message sent to a PF_KEY socket ended with one of the extensions
> that takes a 'struct sadb_address' but there were not enough bytes
> remaining in the message for the ->sa_family member of the 'struct
>
On Wed, Dec 27, 2017 at 11:25:45PM +0100, Florian Westphal wrote:
> syzkaller triggered following KASAN splat:
>
> BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xdbe/0xf00
> net/xfrm/xfrm_policy.c:618
> read of size 2 at addr 8801c8e92fe4 by task kworker/1:1/23 [..]
> Workqueue: events
On Tue, Dec 26, 2017 at 05:34:44PM +1100, Herbert Xu wrote:
> Currently we allow state updates to competely replace the contents
> of x->encap. This is bad because on the user side ESP only sets up
> header lengths depending on encap_type once when the state is first
> created. This could result
On Sat, Dec 23, 2017 at 10:56:12AM -0500, David Miller wrote:
> From: Steffen Klassert
> Date: Sat, 23 Dec 2017 10:22:17 +0100
>
> > On Thu, Nov 16, 2017 at 11:00:40AM +0100, Steffen Klassert wrote:
> >> This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
>
On Thu, Nov 16, 2017 at 11:00:40AM +0100, Steffen Klassert wrote:
> This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
>
> This commit breaks transport mode when the policy template
> has widlcard addresses configured, so revert it.
>
> Signed-off-by: Steffen Klasser
We support asynchronous crypto on layer 2 ESP now.
So no need to force synchronous crypto fallback on
offloading anymore.
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4.c | 12 ++--
net/ipv6/esp6.c | 12 ++--
2 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/net
the
packet in a backlog queue.
Joint work with: Aviv Heller
Signed-off-by: Steffen Klassert
---
include/linux/netdevice.h | 6 ++-
include/net/xfrm.h| 22 --
net/core/dev.c| 16 +---
net/ipv4/esp4.c | 24 +--
net/ipv6/esp6.c | 24
add and delete
xfrm: wrap xfrmdev_ops with offload config
xfrm: update the stats documentation
Steffen Klassert (5):
xfrm: Separate ESP handling from segmentation for GRO packets.
net: Add asynchronous callbacks for xfrm on layer 2.
xfrm: Allow to use the layer2 IPsec G
We change the ESP GSO handlers to only segment the packets.
The ESP handling and encryption is defered to validate_xmit_xfrm()
where this is done for non GRO packets too. This makes the code
more robust and prepares for asynchronous crypto handling.
Signed-off-by: Steffen Klassert
---
include
annon Nelson
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 357764a2bb4e..079ea9455bcd 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1933,7 +1933,8 @@ static i
From: Shannon Nelson
Add a couple of stats that aren't in the documentation file
and rework the top description to be a little more readable.
Signed-off-by: Shannon Nelson
Signed-off-by: Steffen Klassert
---
Documentation/networking/xfrm_proc.txt | 20 ++--
1 file change
ned-off-by: Shannon Nelson
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_device.c | 31 ++-
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 20a96181867a..75982506617b 100644
--- a/net/xfrm/xfrm_devi
From: Shannon Nelson
There's no reason to define netdev->xfrmdev_ops if
the offload facility is not CONFIG'd in.
Signed-off-by: Shannon Nelson
Signed-off-by: Steffen Klassert
---
include/linux/netdevice.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/
We now have support for asynchronous crypto operations in the layer 2 TX
path. This was the missing part to allow the GSO codepath for software
crypto, so allow this codepath now.
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions
With support of async crypto operations in the GSO codepath
we have everything in place to allow GSO for local sockets.
This patch enables the GSO codepath.
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/net/xfrm.h b/include
6 got NAT support.
Acked-by: Steffen Klassert
Thanks!
On Thu, Dec 21, 2017 at 02:26:18PM -0800, Shannon Nelson wrote:
> Add a couple of stats that aren't in the documentation file
> and rework the top description to be a little more readable.
>
> Signed-off-by: Shannon Nelson
Applied to ipsec-next, thanks Shannon!
ably not a valid value, at least
verify_newsa_info() doesn't consider it valid either.
This patch fixes it by checking the proto value in
validate_tmpl() and rejecting invalid ones, like what iproute2
does in xfrm_xfrmproto_getbyname().
Reported-by: syzbot
Cc: Steffen Klassert
Cc: Herbert X
apped IPv6 case, packet
is IPv4 and template is IPv6.
Fix this by catching address family missmatches of the policy
and the flow already before we do the lookup.
Reported-by: syzbot
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 8 +++-
1 file changed, 7 insertions(+), 1 del
-off-by: Yevgeny Kliteynik
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_input.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 347ab31574d5..da6447389ffb 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_i
e use the assumption that, on transport mode, the first templates
address family must match the address family of the policy selector.
Subsequent transport mode templates must mach the address family of
the previous template.
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 9 +++
led
Signed-off-by: Antony Antony
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 1f5cee2269af..88d0a563e141 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -134
From: Michal Kubecek
This seems to be an obvious typo, NLA_U32 is type of the attribute, not its
(minimal) length.
Fixes: 077fbac405bf ("net: xfrm: support setting an output mark.")
Signed-off-by: Michal Kubecek
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 2 +-
1 fi
Florian Westphal (1):
xfrm: put policies when reusing pcpu xdst entry
Herbert Xu (1):
xfrm: Reinject transport-mode packets through tasklet
Michal Kubecek (1):
xfrm: fix XFRMA_OUTPUT_MARK policy entry
Steffen Klassert (2):
xfrm: Fix stack-out-of-bounds read on socket poli
PV4/6]: Netfilter IPsec input hooks")
Signed-off-by: Herbert Xu
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 3 +++
net/ipv4/xfrm4_input.c | 12 ++-
net/ipv6/xfrm6_input.c | 10 -
net/xfrm/xfrm_input.c | 57 ++
4 fil
From: Florian Westphal
We need to put the policies when re-using the pcpu xdst entry, else
this leaks the reference.
Fixes: ec30d78c14a813db39a647b6a348b428 ("xfrm: add xdst pcpu cache")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 1
On Tue, Dec 19, 2017 at 03:35:46PM -0800, Shannon Nelson wrote:
> These are a couple of little fixes to the xfrm_offload API to make
> life just a little easier for the poor driver developer.
>
> Changes from v2:
> - fix up another kbuild robot complaint when CONFIG_XFRM_OFFLOAD is off
> - split
On Fri, Dec 15, 2017 at 10:13:03AM +0100, Steffen Klassert wrote:
> This patchset implements asynchronous crypto handling
> in the layer 2 TX path. With this we can allow IPsec
> ESP GSO for software crypto. This also merges the IPsec
> GSO and non-GSO paths to both use valida
On Fri, Dec 15, 2017 at 04:40:44PM +1100, Herbert Xu wrote:
> This is an old bugbear of mine:
>
> https://www.mail-archive.com/netdev@vger.kernel.org/msg03894.html
>
> By crafting special packets, it is possible to cause recursion
> in our kernel when processing transport-mode packets at levels
>
On Mon, Dec 18, 2017 at 01:50:10PM +0200, Darius Ski wrote:
> Hi,
>
> running 4.14.6 with 3 IPSec tunnels via Racoon/setkey and today woke up to
> this:
>
> [Mon Dec 18 07:26:15 2017] [ cut here ]
> [Mon Dec 18 07:26:15 2017] WARNING: CPU: 0 PID: 10555 at
> ./include/net/
1) Currently we can add or update socket policies, but
not clear them. Support clearing of socket policies
too. From Lorenzo Colitti.
2) Add documentation for the xfrm device offload api.
From Shannon Nelson.
3) Fix IPsec extended sequence numbers (ESN) for
IPsec offloading. From Yoss
From: Aviv Heller
x is already initialized to the same value, above.
Signed-off-by: Aviv Heller
Signed-off-by: Yevgeny Kliteynik
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_input.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index
HW SA options.
Signed-off-by: Yossef Efraim
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 30e5746085b8..dc68d9c1fc8f 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net
("xfrm: Add xfrm_replay_overflow functions for offloading")
Signed-off-by: Yossef Efraim
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_replay.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 8b23c5bcf8e8..0250
., 0) to clear the
input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output
policy.
Tested: https://android-review.googlesource.com/539816
Signed-off-by: Lorenzo Colitti
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 2 +-
net/xfrm/xfrm_state.c | 7 +++
2 files changed
From: Shannon Nelson
Add a writeup on how to use the XFRM device offload API, and
mention this new file in the index.
Signed-off-by: Shannon Nelson
Signed-off-by: Steffen Klassert
---
Documentation/networking/00-INDEX| 2 +
Documentation/networking/xfrm_device.txt | 132
We change the ESP GSO handlers to only segment the packets.
The ESP handling and encryption is defered to validate_xmit_xfrm()
where this is done for non GRO packets too. This makes the code
more robust and prepares for asynchronous crypto handling.
Signed-off-by: Steffen Klassert
---
include
With support of async crypto operations in the GSO codepath
we have everything in place to allow GSO for local sockets.
This patch enables the GSO codepath.
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/net/xfrm.h b/include
We now have support for asynchronous crypto operations in the layer 2 TX
path. This was the missing part to allow the GSO codepath for software
crypto, so allow this codepath now.
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions
We support asynchronous crypto on layer 2 ESP now.
So no need to force synchronous crypto fallback on
offloading anymore.
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4.c | 12 ++--
net/ipv6/esp6.c | 12 ++--
2 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/net
the
packet in a backlog queue.
Joint work with: Aviv Heller
Signed-off-by: Steffen Klassert
---
include/linux/netdevice.h | 6 ++-
include/net/xfrm.h| 22 --
net/core/dev.c| 16 +---
net/ipv4/esp4.c | 24 +--
net/ipv6/esp6.c | 24
This patchset implements asynchronous crypto handling
in the layer 2 TX path. With this we can allow IPsec
ESP GSO for software crypto. This also merges the IPsec
GSO and non-GSO paths to both use validate_xmit_xfrm().
1) Separate ESP handling from segmentation for GRO packets.
This unifies the
On Mon, Dec 11, 2017 at 12:57:22PM -0800, Shannon Nelson wrote:
> The current XFRM code assumes that we've implemented the
> xdo_dev_state_free() callback, even if it is meaningless to the driver.
> This patch adds a check for it before calling, as done in other APIs,
> and is done for the xdo_stat
On Mon, Dec 11, 2017 at 06:23:09PM +0100, Florian Westphal wrote:
> We need to put the policies when re-using the pcpu xdst entry, else
> this leaks the reference.
>
> Fixes: ec30d78c14a813db39a647b6a348b428 ("xfrm: add xdst pcpu cache")
> Signed-off-by: Florian Westphal
Applied, thanks Florian!
On Tue, Dec 12, 2017 at 01:00:31PM -0800, Eric Biggers wrote:
> Hi Steffen,
>
> On Fri, Dec 01, 2017 at 08:27:43AM +0100, Steffen Klassert wrote:
> > On Wed, Nov 22, 2017 at 08:05:00AM -0800, syzbot wrote:
> > > syzkaller has found reproducer fo
On Wed, Dec 06, 2017 at 07:38:19PM +0300, Alexey Kodanev wrote:
> LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams
> that require fragmentation and underlying device MTU <= 1500.
> This happens because ip6_vti sets mtu to ETH_DATA_LEN and not
> updating it depending on a destiantion a
On Thu, Dec 07, 2017 at 09:54:27PM +0100, Antony Antony wrote:
> copy geniv when cloning the xfrm state.
>
> x->geniv was not copied to the new state and migration would fail.
>
> xfrm_do_migrate
> ..
> xfrm_state_clone()
>..
>..
>esp_init_aead()
>crypto_alloc_aead()
> cry
on transport mode, the first templates
address family must match the address family of the policy selector.
Subsequent transport mode templates must mach the address family of
the previous template.
Reported-by: syzbot
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 9 +
1
On Tue, Nov 28, 2017 at 07:55:41PM +0200, av...@mellanox.com wrote:
> From: Aviv Heller
>
> Adding the state to the offload device prior to replay init in
> xfrm_state_construct() will result in NULL dereference if a matching
> ESP packet is received in between.
>
> In order to inhibit driver of
On Tue, Nov 28, 2017 at 07:55:42PM +0200, av...@mellanox.com wrote:
> From: Aviv Heller
>
> x is already initialized to the same value, above.
>
> Signed-off-by: Aviv Heller
> Signed-off-by: Yevgeny Kliteynik
Applied to ipsec-next, thanks!
On Tue, Nov 28, 2017 at 07:55:40PM +0200, av...@mellanox.com wrote:
> From: Aviv Heller
>
> Code path when (encap_type < 0) does not verify the state is valid
> before progressing.
>
> This will result in a crash if, for instance, x->km.state ==
> XFRM_STATE_ACQ.
>
> Fixes: 7785bba299a8 ("esp:
On Tue, Nov 28, 2017 at 11:49:30AM +0200, yoss...@mellanox.com wrote:
> From: Yossef Efraim
>
> This patch adds ESN support to IPsec device offload.
> Adding new xfrm device operation to synchronize device ESN.
>
> Signed-off-by: Yossef Efraim
> ---
> include/linux/netdevice.h | 1 +
> includ
On Tue, Nov 28, 2017 at 11:49:29AM +0200, yoss...@mellanox.com wrote:
> From: Yossef Efraim
>
> xfrm_dev_state_add function returns success for unsupported HW SA options.
> Resulting the calling function to create SW SA without corrlating HW SA.
> Desipte IPSec device offloading option was chosen
On Tue, Nov 28, 2017 at 11:49:28AM +0200, yoss...@mellanox.com wrote:
> From: Yossef Efraim
>
> In case of wrap around, replay_esn->oseq_hi is not updated
> before it is tested for it's actual value, leading function
> to fail with overflow indication and packets being dropped.
>
> This patch up
On Wed, Nov 29, 2017 at 06:23:56PM +0100, Michal Kubecek wrote:
> This seems to be an obvious typo, NLA_U32 is type of the attribute, not its
> (minimal) length.
>
> Fixes: 077fbac405bf ("net: xfrm: support setting an output mark.")
> Signed-off-by: Michal Kubecek
Patch applied, thanks Michal!
On Mon, Nov 20, 2017 at 02:26:07PM -0800, Shannon Nelson wrote:
> Add a writeup on how to use the XFRM device offload API, and
> mention this new file in the index.
>
> Signed-off-by: Shannon Nelson
Applied to ipsec-next, thanks a lot for this documentation!
On Mon, Nov 20, 2017 at 07:26:02PM +0900, Lorenzo Colitti wrote:
> Currently it is possible to add or update socket policies, but
> not clear them. Therefore, once a socket policy has been applied,
> the socket cannot be used for unencrypted traffic.
>
> This patch allows (privileged) users to cle
On Mon, Nov 27, 2017 at 05:46:28PM +0100, Tomas Charvat wrote:
> Gentoo-sources has no change vs vanilla in ipsec. However here is result
> from Vanila 4.14.2 with OFFLOAD=N
>
> [ 2338.440735] BUG: unable to handle kernel NULL pointer dereference at
> 0018
> [ 2338.440830] IP: xfrm_out
at iproute2
> does in xfrm_xfrmproto_getbyname().
>
> Reported-by: syzbot
> Cc: Steffen Klassert
> Cc: Herbert Xu
> Signed-off-by: Cong Wang
Patch applied, thanks!
On Mon, Nov 27, 2017 at 04:00:38PM +0300, Alexey Kodanev wrote:
> On 11/27/2017 03:07 PM, Steffen Klassert wrote:
> > On Wed, Nov 22, 2017 at 07:06:13PM +0300, Alexey Kodanev wrote:
> >>
> >> Is there some flaw in setup or vti not designed to handle ipcomp alg that
Cc netdev@vger.kernel.org, remove sta...@vger.kernel.org from Cc.
On Mon, Nov 27, 2017 at 01:36:50PM +0100, Tomas Charvat wrote:
> It was on gentoo-sources-4.14.2 (almost vanila), config is attached.
Could you please test with a vanilla v4.14.2 from kernel.org with
the referred patch?
If the pro
On Wed, Nov 22, 2017 at 07:06:13PM +0300, Alexey Kodanev wrote:
> Hi Steffen,
>
> LTP has vti test-cases which fail on ipcomp alg, e.g.
> "tcp_ipsec_vti.sh -p comp -m tunnel -s 100"
>
> Basically, the setupconsists of the following commands:
>
> ip li add ltp_vti0 type vti local 10.0.0.2 remote
On Tue, Nov 21, 2017 at 06:44:04PM -0800, Cong Wang wrote:
> On Tue, Nov 21, 2017 at 2:00 AM, syzbot
>
> wrote:
> > Hello,
> >
> > syzkaller hit the following crash on
> > c8a0739b185d11d6e2ca7ad9f5835841d1cfc765
> > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> > compi
On Mon, Nov 20, 2017 at 10:20:40AM -0800, John Fastabend wrote:
> On 11/20/2017 05:09 AM, David Miller wrote:
> > From: Steffen Klassert
> > Date: Mon, 20 Nov 2017 08:37:47 +0100
> >
> >> This patchset implements asynchronous crypto handling
> >> in the
We support asynchronous crypto on layer 2 ESP now.
So no need to force synchronous crypto fallback on
offloading anymore.
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4.c | 12 ++--
net/ipv6/esp6.c | 12 ++--
2 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/net
the
packet in a backlog queue.
Joint work with: Aviv Heller
Signed-off-by: Steffen Klassert
---
include/linux/netdevice.h | 6 ++-
include/net/xfrm.h| 15 ++-
net/core/dev.c| 16 +---
net/ipv4/esp4.c | 24 +--
net/ipv6/esp6.c | 24
With support of async crypto operations in the GSO codepath
we have everything in place to allow GSO for local sockets.
This patch enables the GSO codepath.
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/net/xfrm.h b/include
This patchset implements asynchronous crypto handling
in the layer 2 TX path. With this we can allow IPsec
ESP GSO for software crypto. This also merges the IPsec
GSO and non-GSO paths to both use validate_xmit_xfrm().
1) Separate ESP handling from segmentation for GRO packets.
This unifies the
We change the ESP GSO handlers to only segment the packets.
The ESP handling and encryption is defered to validate_xmit_xfrm()
where this is done for non GRO packets too. This makes the code
more robust and prepares for asynchronous crypto handling.
Signed-off-by: Steffen Klassert
---
include
We now have support for asynchronous crypto operations in the layer 2 TX
path. This was the missing part to allow the GSO codepath for software
crypto, so allow this codepath now.
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_device.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions
On Wed, Nov 15, 2017 at 09:46:19AM -0700, Kevin Locke wrote:
> Hi all,
>
> I am using an L2TP/IPsec (transport mode) VPN connection from a client
> behind a NAT running Debian with strongswan 5.6.0-2 and xl2tpd
> 1.3.10-1 to a Cisco Meraki MX60 with a public IP. The connection
> works with kernel
1-15
06:42:28 +0100)
Herbert Xu (1):
xfrm: Copy policy family in clone_policy
Steffen Klassert (1):
Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find."
net/xfrm/xfrm_policy.c | 30 +++---
1 file changed, 19 insertions(+), 11 deletions(-)
the af_key code when the cloned policy is retrieved.
This patch fixes it by copying the family field over.
Reported-by: syzbot
Signed-off-by: Herbert Xu
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_policy.c b/net
This reverts commit c9f3f813d462c72dbe412cee6a5cbacf13c4ad5e.
This commit breaks transport mode when the policy template
has widlcard addresses configured, so revert it.
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 29 ++---
1 file changed, 18 insertions
On Mon, Nov 06, 2017 at 11:16:46AM +0100, Steffen Klassert wrote:
>
> Subject: [PATCH ipsec] xfrm: Fix stack-out-of-bounds read in xfrm_state_find.
>
> When we do tunnel or beet mode, we pass saddr and daddr from the
> template to xfrm_state_find(), this is ok. On transport mode
On Fri, Nov 10, 2017 at 02:14:06PM +1100, Herbert Xu wrote:
> On Fri, Nov 10, 2017 at 01:30:38PM +1100, Herbert Xu wrote:
> >
> > I found the problem. This crap is coming from clone_policy. Now
> > let me where this code came from.
>
> ---8<---
> Subject: xfrm: Copy policy family in clone_polic
On Tue, Nov 14, 2017 at 03:46:30PM -0500, Stephen Smalley wrote:
> Hi,
>
> 4.14 is failing the selinux-testsuite labeled IPSEC tests despite
> having just been fixed in commit cf37966751747727 ("xfrm: do
> unconditional template resolution before pcpu cache check"). The
> breaking commit is the v
apped IPv6 case, packet
is IPv4 and template is IPv6. Fix this by using the addresses
from the template unconditionally.
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 29 +++--
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/net/xfrm/xfrm_polic
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_input.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 8ac9d32..1c6051c 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
assignment after spi parsing
xfrm: do unconditional template resolution before pcpu cache check
Steffen Klassert (1):
xfrm: Fix stack-out-of-bounds read in xfrm_state_find.
net/xfrm/xfrm_input.c | 4 +--
net/xfrm/xfrm_policy.c | 71 +-
2
igned-off-by: Florian Westphal
Acked-by: Paul Moore
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 42 --
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 8cafb3c.
On Fri, Nov 03, 2017 at 01:10:12PM +0100, Steffen Klassert wrote:
> On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote:
> > Steffen Klassert wrote:
> >
> > > I'd propose to use the addresses from the template unconditionally,
> > >
On Thu, Nov 02, 2017 at 01:54:10PM +0100, Florian Westphal wrote:
> syzbot reported an issue where pointer to ip header content was not
> reloaded after xfrm_parse_spi().
>
> Its not intuitive that this function changes skb->head, so switch to
> skb_pointer_header.
I have to admit that this is no
On Thu, Nov 02, 2017 at 01:25:28PM +0100, Florian Westphal wrote:
> Steffen Klassert wrote:
>
> > I'd propose to use the addresses from the template unconditionally,
> > like the (untested) patch below does.
> >
> > Unfortunalely the reproducer does not work
On Thu, Nov 02, 2017 at 06:57:29PM -0400, Paul Moore wrote:
> On Thu, Nov 2, 2017 at 11:46 AM, Florian Westphal wrote:
> > Stephen Smalley says:
> > Since 4.14-rc1, the selinux-testsuite has been encountering sporadic
> > failures during testing of labeled IPSEC. git bisect pointed to
> > commi
On Wed, Nov 01, 2017 at 08:30:49PM +0100, Florian Westphal wrote:
> syzbot reports:
> BUG: KASAN: use-after-free in __xfrm_state_lookup+0x695/0x6b0
> Read of size 4 at addr 8801d434e538 by task syzkaller647520/2991
> [..]
> __xfrm_state_lookup+0x695/0x6b0 net/xfrm/xfrm_state.c:833
> xfrm_state_
On Wed, Nov 01, 2017 at 11:06:08PM +0100, Florian Westphal wrote:
> syzbot
>
> wrote:
>
> [ cc Thomas Egerer ]
>
> > syzkaller hit the following crash on
> > 36ef71cae353f88fd6e095e2aaa3e5953af1685d
> > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
> > compiler: gcc
.
Fixes: f1bd7d659ef0 ("xfrm: Add encapsulation header offsets while SKB is not
encrypted")
Reported-by: Vicente De Luca
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_output.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_output.c
u to fetch changes up to 73b9fc49b4c0116a04eda3979f64ed9b540b153c:
xfrm: Fix GSO for IPsec with GRE tunnel. (2017-10-31 09:20:35 +0100)
Jonathan Basseri (1):
xfrm: Clear sk_dst_cache when applying per-socket policy.
Steffen K
555
Tested: https://android-review.googlesource.com/418659
Signed-off-by: Jonathan Basseri
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 1221347..1f5cee2 100644
--- a/net/xfrm/xfrm_sta
the
dummy bundle case. Fix the memleak by removing this refcount.
Fixes: 3ca28286ea80 ("xfrm_policy: bypass flow_cache_lookup")
Reported-by: Maxime Bizon
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c
On Tue, Oct 31, 2017 at 09:41:24AM +, Ilya Lesokhin wrote:
>
> Are you sure supporting ASYNC crypto for fallback is worth the trouble?
It is not just for fallback, I plan to support the IPsec GSO codepath
for software crypto too. In this case we should be able to handle all
algorithms, includ
On Tue, Oct 31, 2017 at 03:44:38PM +0800, Herbert Xu wrote:
> On Tue, Oct 31, 2017 at 07:39:08AM +, Ilya Lesokhin wrote:
> >
> > I think we should consider having a synchronous implementation that falls
> > back
> > to integer implementation when the FPU is not available.
> > This would spare
From: Alexey Dobriyan
Key lengths can't be negative.
Comparison with nla_len() is left signed just in case negative value
can sneak in there.
Signed-off-by: Alexey Dobriyan
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 +-
net/xfrm/xfrm_user.c | 2 +-
2 files chang
From: "Gustavo A. R. Silva"
Use BUG_ON instead of if condition followed by BUG.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 45 +++--
1 fi
From: "Gustavo A. R. Silva"
Use BUG_ON instead of if condition followed by BUG in esp_remove_trailer.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Acked-by: Herbert Xu
Signed-off-by: Steffen Klassert
---
net/ipv6/esp6.c | 4 ++--
1 file
stored to 'esph' during its
initialization is never read
Signed-off-by: Colin Ian King
Signed-off-by: Steffen Klassert
---
net/ipv6/esp6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 89910e2..1696401 100644
--- a/net/i
ke 1500 or 65536.
Propagate unsignedness and flip some "int" to "unsigned int" as well.
This is preparation to switching nlmsg_new() to "unsigned int".
Signed-off-by: Alexey Dobriyan
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 44 ++
-6
xfrm_replay_notify_esn 349 337 -12
xfrm_replay_notify_bmp 345 333 -12
Signed-off-by: Alexey Dobriyan
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 +-
net/xfrm/xfrm_user.c | 10 +-
2 files changed, 6 insertions(
701 - 800 of 1351 matches
Mail list logo