On Tue, Nov 27, 2018 at 01:28:54PM +0100, Florian Westphal wrote:
> Dan Carpenter reports following static checker warning:
> net/xfrm/xfrm_policy.c:1316 xfrm_hash_rebuild()
> warn: 'dir' is out of bounds '3' vs '2'
>
> | 1280 /* reset the bydst and inexact table in all directions */
On Mon, Nov 12, 2018 at 05:28:22PM +0800, Li RongQing wrote:
> if loopback_idev is NULL pointer, and the following access of
> loopback_idev will trigger panic, which is same as BUG_ON
>
> Signed-off-by: Li RongQing
Patch applied, thanks!
On Fri, Nov 16, 2018 at 08:12:46PM +0100, Steffen Klassert wrote:
> On Fri, Nov 16, 2018 at 08:48:00PM +0200, Lennert Buytenhek wrote:
> > On Sat, Nov 10, 2018 at 08:34:34PM +0100, Jean-Philippe Menil wrote:
> >
> > > we're seeing unexpected crashes from kernel 4.15 to 4.
On Thu, Nov 15, 2018 at 02:51:57AM +0100, Florian Westphal wrote:
> Colin Ian King says:
> Static analysis with CoverityScan found a potential issue [..]
> It seems that pointer pol is set to NULL and then a check to see if it
> is non-null is used to set pol to tmp; however this check is
On Fri, Nov 16, 2018 at 08:48:00PM +0200, Lennert Buytenhek wrote:
> On Sat, Nov 10, 2018 at 08:34:34PM +0100, Jean-Philippe Menil wrote:
>
> > we're seeing unexpected crashes from kernel 4.15 to 4.18.17, using
> > IPsec VTI interfaces, on several vpn hosts, since upgrade from 4.4.
>
> I looked
On Thu, Nov 08, 2018 at 07:00:14PM -0800, David Miller wrote:
> From: Florian Westphal
> Date: Wed, 7 Nov 2018 23:00:30 +0100
>
> > This series attempts to improve xfrm policy lookup performance when
> > a lot of (several hundred or even thousands) inexact policies exist
> > on a system.
> >
>
On Mon, Nov 05, 2018 at 05:00:53PM +0900, Benjamin Poirier wrote:
> sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
> hash mask.
>
> Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
> Signed-off-by: Benjamin Poirier
Patch applied, thanks!
On Sat, Oct 27, 2018 at 06:12:06AM +, Wei Yongjun wrote:
> xfrm_output_one() does not return an error code when there is
> no dst_entry attached to the skb, it is still possible crash
> with a NULL pointer dereference in xfrm_output_resume(). Fix
> it by return error code -EHOSTUNREACH.
>
>
On Tue, Oct 23, 2018 at 02:22:12PM +0200, Paolo Abeni wrote:
> On Tue, 2018-10-23 at 14:10 +0200, Steffen Klassert wrote:
>
> > Some quick benchmark numbers with UDP packet forwarding
> > (1460 byte packets) through two gateways:
> >
> > net-next: 16.4 Gbps
> >
[PATCH RFC] udp: Allow gro for the forwarding path.
This patch adds an early route lookup to inet_gro_receive()
in case forwarding is enabled on the receiving device.
To be forwarded packets are allowed to enter the UDP
GRO handlers then.
Signed-off-by: Steffen Klassert
---
include
On Mon, Oct 22, 2018 at 02:51:56PM +0200, Paolo Abeni wrote:
> > > +
> > > +static int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> > > +{
> > > + struct sk_buff *next, *segs;
> > > + int ret;
> > > +
> > > + if (likely(!udp_unexpected_gso(sk, skb)))
> > > + return
On Fri, Oct 19, 2018 at 04:25:16PM +0200, Paolo Abeni wrote:
> +
> +static inline struct sk_buff *udp_rcv_segment(struct sock *sk,
> + struct sk_buff *skb)
> +{
> + struct sk_buff *segs;
> +
> + /* the GSO CB lays after the UDP one, no need to save
On Fri, Oct 19, 2018 at 04:25:12PM +0200, Paolo Abeni wrote:
>
> +#define UDO_GRO_CNT_MAX 64
Maybe better UDP_GRO_CNT_MAX?
Btw. do we really need this explicit limit?
We should not get more than 64 packets during
one napi poll cycle.
> +static struct sk_buff *udp_gro_receive_segment(struct
From: Li RongQing
if tstats of a device is not allocated, this device is not
registered correctly and can not be used.
Signed-off-by: Li RongQing
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_interface.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/xfrm/xfrm_interface.c b
1) Remove an unnecessary dev->tstats check in xfrmi_get_stats64.
From Li RongQing.
2) We currently do a sizeof(element) instead of a sizeof(array)
check when initializing the ovec array of the secpath.
Currently this array can have only one element, so code is
OK but error-prone.
From: Li RongQing
This place should want to initialize array, not an element,
so it should be sizeof(array) instead of sizeof(element)
but now this array only has one element, so no error in
this condition that XFRM_MAX_OFFLOAD_DEPTH is 1
Signed-off-by: Li RongQing
Signed-off-by: Steffen
chain which harms the
performance.
Use complete IPv6 addresses when calculating the hashes. Rather than just
adding two more words to the xor, use jhash2() for consistency with
__xfrm6_pref_hash() and __xfrm6_dpref_spref_hash().
Signed-off-by: Michal Kubecek
Signed-off-by: Steffen Klassert
Signed-off-by: Steffen Klassert
---
net/ipv6/xfrm6_policy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index ef3defaf43b9..d35bcf92969c 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -146,8 +146,8
From: Li RongQing
The device gro_cells has been initialized, it should be freed,
otherwise it will be leaked
Fixes: f203b76d78092faf2 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Zhang Yu
Signed-off-by: Li RongQing
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_inter
From: Florian Westphal
bydst table/list lookups use rcu, so insertions must use rcu versions.
Fixes: a7c44247f704e ("xfrm: policy: make xfrm_policy_lookup_bytype lockless")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 8
1 fi
net/core/flow.c does not exist anymore, so remove it
from the IPSEC NETWORKING section of the MAINTAINERS
file.
Signed-off-by: Steffen Klassert
---
MAINTAINERS | 1 -
1 file changed, 1 deletion(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index dcb0191c4f54..4ff21dac9b45 100644
--- a/MAINTAINERS
interfaces
Steffen Klassert (1):
MAINTAINERS: Remove net/core/flow.c
MAINTAINERS | 1 -
net/ipv6/xfrm6_policy.c | 4 ++--
net/xfrm/xfrm_interface.c | 3 +++
net/xfrm/xfrm_policy.c| 8
4 files changed, 9 insertions(+), 7 deletions(-)
On Wed, Oct 10, 2018 at 06:02:21PM +0200, Florian Westphal wrote:
> bydst table/list lookups use rcu, so insertions must use rcu versions.
>
> Fixes: a7c44247f704e ("xfrm: policy: make xfrm_policy_lookup_bytype lockless")
> Signed-off-by: Florian Westphal
Applied, thanks Florian!
On Tue, Oct 09, 2018 at 09:59:36AM -0700, Alexei Starovoitov wrote:
> BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
> net/ipv6/xfrm6_policy.c:161
> Read of size 1 at addr 8801d882eec7 by task syz-executor1/6667
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
>
On Sun, Oct 07, 2018 at 10:22:42AM +0800, Li RongQing wrote:
> This place should want to initialize array, not an element,
> so it should be sizeof(array) instead of sizeof(element)
>
> but now this array only has one element, so no error in
> this condition that XFRM_MAX_OFFLOAD_DEPTH is 1
>
>
On Sun, Oct 07, 2018 at 09:56:15AM +0800, Li RongQing wrote:
> if tstats of a device is not allocated, this device is not
> registered correctly and can not be used.
>
> Signed-off-by: Li RongQing
Applied to ipsec-next, thanks!
On Mon, Oct 08, 2018 at 11:13:36AM -0700, Benedict Wong wrote:
> This patch clears the skb->sp when transmitted over loopback. This
> ensures that the loopback-ed packet does not have any secpath
> information from the outbound transforms.
>
> At present, this causes XFRM tunnel mode packets to
On Fri, Oct 05, 2018 at 10:41:47AM -0400, Willem de Bruijn wrote:
> On Fri, Oct 5, 2018 at 9:53 AM Paolo Abeni wrote:
> >
> > Hi all,
> >
> > On Fri, 2018-09-14 at 13:59 -0400, Willem de Bruijn wrote:
> > > This is a *very rough* draft. Mainly for discussion while we also
> > > look at another
On Fri, Oct 05, 2018 at 11:23:28AM -0700, Benedict Wong wrote:
> This patch clears the skb->sp when transmitted over loopback. This
> ensures that the loopback-ed packet does not have any secpath
> information from the outbound transforms.
>
> At present, this causes XFRM tunnel mode packets to
On Sun, Sep 30, 2018 at 03:06:06PM +0800, Li RongQing wrote:
> The device gro_cells has been initialized, it should be freed,
> otherwise it will be leaked
>
> Fixes: f203b76d78092faf2 ("xfrm: Add virtual xfrm interfaces")
> Signed-off-by: Zhang Yu
> Signed-off-by: Li RongQing
Applied, thanks
t can't be offloaded.
This allows the user a little more flexibility in requesting
offloads and not needing to know every detail at all times about
each specific NIC when trying to create SAs.
Signed-off-by: Shannon Nelson
Signed-off-by: Steffen Klassert
---
Documentation/networking/xfrm_device.tx
1) Make xfrmi_get_link_net() static to silence a sparse warning.
From Wei Yongjun.
2) Remove a unused esph pointer definition in esp_input().
From Haishuang Yan.
3) Allow the NIC driver to quietly refuse xfrm offload
in case it does not support it, the SA is created
without offload
From: Haishuang Yan
The pointer 'esph' is defined but is never used hence it is redundant
and can be removed.
Signed-off-by: Haishuang Yan
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4.c | 7 +++
net/ipv6/esp6.c | 7 +++
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git
From: Wei Yongjun
Fixes the following sparse warning:
net/xfrm/xfrm_interface.c:745:12: warning:
symbol 'xfrmi_get_link_net' was not declared. Should it be static?
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Wei Yongjun
Signed-off-by: Steffen Klassert
is invalid.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Air Icy
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 33878e6e0d0a..5151b3ebf068 100644
---
-by: Sean Tranchetti
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5151b3ebf068..d0672c400c2f 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1455,6 +1455,9 @@ static
)
Sean Tranchetti (1):
xfrm: validate template mode
Sowmini Varadhan (2):
xfrm: reset transport header back to network header after all input
transforms ahave been applied
xfrm: reset crypto_done when iterating over multiple input xfrms
Steffen Klassert (2):
xfrm: Validate
loaded transforms
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Sowmini Varadhan
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_input.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 352abca260
) and drop the packet
in case the dst_entry was cleared.
Fixes: 222d7dbd258d ("net: prevent dst uses after free")
Reported-by: Tobias Hommel
Reported-by: Kristian Evensen
Reported-by: Wolfgang Walter
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_output.c | 4
net/xfrm/xfrm_
the transport header back to network header
only after the last transformation so that subsequent xfrms
can find the correct transport header.
Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Suggested-by: Steffen Klassert
Signed-off-by: Sowmini Varadhan
Signed-off-by: Steffe
6e ("xfrm6: Don't call icmpv6_send on local error")
Signed-off-by: Thadeu Lima de Souza Cascardo
Reviewed-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
---
net/ipv6/xfrm6_output.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/
On Wed, Sep 19, 2018 at 01:54:56PM -0600, Sean Tranchetti wrote:
> XFRM mode parameters passed as part of the user templates
> in the IP_XFRM_POLICY are never properly validated. Passing
> values other than valid XFRM modes can cause stack-out-of-bounds
> reads to occur later in the XFRM
On Mon, Sep 17, 2018 at 10:19:22AM -0400, Willem de Bruijn wrote:
> On Mon, Sep 17, 2018 at 6:37 AM Steffen Klassert
> wrote:
> >
> > Maybe in case that forwarding is enabled on the receiving device,
> > inet_gro_receive() could do a route lookup and allow GRO if the
On Fri, Sep 14, 2018 at 01:59:40PM -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Avoid the socket lookup cost in udp_gro_receive if no socket has a
> gro callback configured.
It would be nice if we could do GRO not just for GRO configured
sockets, but also for flows that are going
On Fri, Sep 14, 2018 at 01:59:40PM -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn
>
> Avoid the socket lookup cost in udp_gro_receive if no socket has a
> gro callback configured.
>
> Signed-off-by: Willem de Bruijn
...
> diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
y meaningful.
- This is early stage work, so the functional tests are only
done on a basic level, it might be still buggy.
- This still uses the skb->next, skb->prev pointers to build
skb lists. So needs to be converted to standard list handling
at some point.
Signed-off-by: Steffen K
This patchset consists of two patches. Patch 1 adds support for flow
sorted rx skb lists for IPv4. This means that it sorts the skb list so
that packets from the same flow can travel together through the stack.
The second patch of this patchset is just a hack that disables GRO and does
skb list
This patch was used to test patch ("net: Support flow sorted skb lists
for IPv4.") It is just a hack that disables GRO and does skb list
receive instead. Not for merging!
Signed-off-by: Steffen Klassert
---
include/linux/netdevice.h | 5 -
net/core/dev.c
et
> > > in case the dst_entry was cleared.
> > >
> > > Fixes: 222d7dbd258d ("net: prevent dst uses after free")
> > > Reported-by: Tobias Hommel
> > > Reported-by: Kristian Evensen
> > > Reported-by: Wolfgang Walter
> >
On Mon, Sep 10, 2018 at 10:18:47AM +0200, Kristian Evensen wrote:
> Hi,
>
> Thanks everyone for all the effort in debugging this issue.
>
> On Mon, Sep 10, 2018 at 8:39 AM Steffen Klassert
> wrote:
> > The easy fix that could be backported to stable would be
>
On Fri, Sep 07, 2018 at 11:10:55PM +0200, Wolfgang Walter wrote:
> Hello Steffen,
>
> in one of your emails to Thomas you wrote:
> > xfrm_lookup+0x2a is at the very beginning of xfrm_lookup(), here we
> > find:
> >
> > u16 family = dst_orig->ops->family;
> >
> > ops has an offset of 32 bytes
On Mon, Sep 03, 2018 at 04:36:51AM -0700, Sowmini Varadhan wrote:
> This series contains bug fixes that were encountered when I set
> up a libreswan tunnel using the config below, which will set up
> an IPsec policy involving 2 tmpls.
>
> type=transport
> compress=yes
>
On Fri, Aug 31, 2018 at 08:38:49AM -0300, Thadeu Lima de Souza Cascardo wrote:
> After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU caching
> and reporting on xmit"), some too big skbs might be potentially passed down to
> __xfrm6_output, causing it to fail to transmit but not
to find any additional xfrm that may apply.
>
> This patch resets the transport header back to network header
> only after the last transformation so that subsequent xfrms
> can find the correct transport header.
>
> Suggested-by: Steffen Klassert
> Signed-off-by: Sowmini V
On Fri, Aug 31, 2018 at 09:08:59AM -0400, Willem de Bruijn wrote:
> On Fri, Aug 31, 2018 at 5:09 AM Paolo Abeni wrote:
> >
> > Hi,
> >
> > On Tue, 2018-04-17 at 17:07 -0400, Willem de Bruijn wrote:
> > > That said, for negotiated flows an inverse GRO feature could
> > > conceivably be implemented
On Thu, Aug 30, 2018 at 08:53:50PM +0200, Wolfgang Walter wrote:
> Hello,
>
> kernels > 4.12 do not work on one of our main routers. They crash as soon
> as ipsec-tunnels are configured and ipsec-traffic actually flows.
Can you please send the backtrace of this crash?
Thanks!
On Thu, Aug 30, 2018 at 03:23:11PM +0200, Sabrina Dubroca wrote:
> 2018-08-30, 09:58:16 -0300, Thadeu Lima de Souza Cascardo wrote:
> > After commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU
> > caching
> > and reporting on xmit"), some too big skbs might be potentially passed
On Thu, Aug 30, 2018 at 09:58:17AM -0300, Thadeu Lima de Souza Cascardo wrote:
> Before commit d6990976af7c5d8f55903bfb4289b6fb030bf754 ("vti6: fix PMTU
> caching
> and reporting on xmit"), skb was scrubbed before checking for ignore_df. The
> scrubbing meant ignore_df was false, making the check
On Wed, Aug 22, 2018 at 02:38:10PM -0700, Shannon Nelson wrote:
> If the "offload" attribute is used to create an IPsec SA
> and the .xdo_dev_state_add() fails, the SA creation fails.
> However, if the "offload" attribute is used on a device that
> doesn't offer it, the attribute is quietly
skb_dst_update_pmtu(skb, mtu);
This looks OK to me. If I remember correctly, the !skb->ignore_df
check was taken from the native xfrm6 PMTU handling. There this
check makes sense because the packet can be still fragmented
along the way through the stack. In this case here it is too late
as we
On Sat, Jul 28, 2018 at 06:49:48AM +, Wei Yongjun wrote:
> Fixes the following sparse warning:
>
> net/xfrm/xfrm_interface.c:745:12: warning:
> symbol 'xfrmi_get_link_net' was not declared. Should it be static?
>
> Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
> Signed-off-by:
On Wed, Jul 25, 2018 at 03:36:47PM -0700, Nathan Harold wrote:
>
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index b669262682c9..ee212a7c91a9 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -815,10 +815,10 @@ xfrm_init_tempstate(struct xfrm_state *x,
the time
stamps are part of the user API, there is nothing we can do to prevent
that.
Signed-off-by: Arnd Bergmann
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 24
net/xfrm/xfrm_state.c | 10 +-
2 files changed, 17 insertions(+), 17 deletions(-)
diff
Brunner
Co-developed-by: Eyal Birger
Co-developed-by: Lorenzo Colitti
Signed-off-by: Steffen Klassert
Signed-off-by: Tobias Brunner
Signed-off-by: Eyal Birger
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 9 -
include/uapi/linux/xfrm.h | 4 +++-
net/xfrm
ssume that template resolving always
returns xfrms")
Signed-off-by: YueHaibing
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 2f70fe68b9b0..69f06f879
rnd Bergmann
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 2 +-
net/ipv6/xfrm6_mode_ro.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index a5378613a49c..1350e2cf0749 100644
--- a/include/net/xfrm.h
+++ b/include/
This patch adds the xfrm interface id as a lookup key
for xfrm states and policies. With this we can assign
states and policies to virtual xfrm interfaces.
Signed-off-by: Steffen Klassert
Acked-by: Shannon Nelson
Acked-by: Benedict Wong
Tested-by: Benedict Wong
Tested-by: Antony Antony
see that the overall throughput is independent of the
number of tunnels, while before the throughput was reduced as the number
of tunnels increased.
Reported-by: Kristian Evensen
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
---
include/net/xfrm.h | 1 -
net/xfrm
, or some other zero but meaningful value.
We can remove the checks for non-zero because there are plenty
other attributes also being checked to see if there is an offload
in place for the SA in question.
Signed-off-by: Shannon Nelson
Signed-off-by: Steffen Klassert
---
net/ipv4/esp4_offload.c | 6
):
xfrm: policy: remove pcpu policy cache
Nathan Harold (2):
xfrm: Allow Set Mark to be Updated Using UPDSA
xfrm: Allow xfrmi if_id to be updated by UPDSA
Shannon Nelson (1):
xfrm: don't check offload_handle for nonzero
Steffen Klassert (4):
xfrm: Extend the output_mark
separate steps:
1) allocation of a SPI
2) algorithm and key negotiation
3) insertion into the data path
Signed-off-by: Nathan Harold
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_state.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_state.c b/net
tunnel IPv4 and
IPv6 through the same interface and support all xfrm
modes (tunnel, transport and beet) on it.
Co-developed-by: Lorenzo Colitti
Co-developed-by: Benedict Wong
Signed-off-by: Lorenzo Colitti
Signed-off-by: Benedict Wong
Signed-off-by: Steffen Klassert
Acked-by: Shannon Nelson
the locks in
that order.
Signed-off-by: Nathan Harold
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_state.c | 9 +
1 file changed, 9 insertions(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index e04a510ec992..c9ffcdfa89f6 100644
--- a/net/xfrm/xfrm_state.c
+++
is
already part of the xfrm selector and used as a key to
enforce the output device after the transformation in the
policy/state lookup.
Signed-off-by: Steffen Klassert
Acked-by: Shannon Nelson
Acked-by: Benedict Wong
Tested-by: Benedict Wong
Tested-by: Antony Antony
Reviewed-by: Eyal Birger
has been tested against the Android Kernel Networking Tests,
with additional xfrmi_newlink tests here:
https://android-review.googlesource.com/c/kernel/tests/+/715755
Signed-off-by: Benedict Wong
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_interface.c | 32
: Benedict Wong
Signed-off-by: kbuild test robot
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_interface.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 481d7307ab51..31acc6f33d98 100644
--- a/net/xfrm/xfrm_i
the Android Kernel Networking Tests:
https://android.googlesource.com/kernel/tests/+/master/net/test
Signed-off-by: Benedict Wong
Signed-off-by: Steffen Klassert
---
include/net/dst.h | 14 +++
include/net/flow.h| 9 -
include/net/xfrm.h| 2 +-
net/xfrm
urn value of skb_to_sgvec always")
Signed-off-by: Zhen Lei
Signed-off-by: Steffen Klassert
---
net/ipv6/esp6.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 97513f35bcc5..88a7579c23bd 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6
xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
Byte 130 of 137 is uninitialized
Memory access starts at 88019550407f
Fixes: c0144beaeca42 ("[XFRM] netlink: Use nla_put()/NLA_PUT() variantes")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: Steffen Klassert
Cc: Herbert Xu
1) Fix PMTU handling of vti6. We update the PMTU on
the xfrm dst_entry which is not cached anymore
after the flowcache removal. So update the
PMTU of the original dst_entry instead.
From Eyal Birger.
2) Fix a leak of kernel memory to userspace.
From Eric Dumazet.
3) Fix a
From: Florian Westphal
nlmsg_multicast() always frees the skb, so in case we cannot call
it we must do that ourselves.
Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire
notification")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
---
"xfrm: release dst_orig in case of error in xfrm_lookup()")
Signed-off-by: Tommi Rantala
Signed-off-by: Steffen Klassert
---
net/xfrm/xfrm_policy.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 5f48251c1319..7c5e8978aeaa
Add pmtu handling to vti6_xmit.")
Signed-off-by: Eyal Birger
Signed-off-by: Steffen Klassert
---
net/ipv6/ip6_vti.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index b7f28deddaea..c72ae3a4fe09 100644
--- a/net/ipv6/ip
On Thu, Jul 26, 2018 at 03:09:52PM +0800, kbuild test robot wrote:
> From: kbuild test robot
>
> net/xfrm/xfrm_interface.c:692:1-3: WARNING: PTR_ERR_OR_ZERO can be used
>
>
> Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
>
> Generated by: scripts/coccinelle/api/ptr_ret.cocci
>
>
On Wed, Jul 25, 2018 at 01:45:29PM -0700, Benedict Wong wrote:
> Currently all failure modes of xfrm interface creation return EEXIST.
> This change improves the granularity of errnos provided by also
> returning ENODEV or EINVAL if failures happen in looking up the
> underlying interface, or a
On Wed, Jul 25, 2018 at 11:53:45AM +0200, Gauvain Roussel-Tarbouriech wrote:
> Subject:
>
> Hello Netdev,
>
> I am working on WireGuard as part of Google Summer of Code and Jason and
> I are working on adding GRO to WireGuard, on the udp_tunnel side of
> things. The goal is to inform
On Thu, Jul 19, 2018 at 07:07:47PM -0700, Nathan Harold wrote:
> Allow attaching an SA to an xfrm interface id after
> the creation of the SA, so that tasks such as keying
> which must be done as the SA is created, can remain
> separate from the decision on how to route traffic
> from an SA. This
On Thu, Jul 19, 2018 at 10:50:44AM -0700, Benedict Wong wrote:
> In order to remove performance impact of having the extra u32 in every
> single flowi, this change removes the flowi_xfrm struct, preferring to
> take the if_id as a method parameter where needed.
>
> In the inbound direction, if_id
On Tue, Jun 26, 2018 at 02:19:10PM -0700, Shannon Nelson wrote:
> The offload_handle should be an opaque data cookie for the driver
> to use, much like the data cookie for a timer or alarm callback.
> Thus, the XFRM stack should not be checking for non-zero, because
> the driver might use that to
On Tue, Jul 17, 2018 at 02:40:04PM -0700, Benedict Wong wrote:
> @@ -2301,6 +2322,13 @@ int __xfrm_policy_check(struct sock *sk, int dir,
> struct sk_buff *skb,
> int reverse;
> struct flowi fl;
> int xerr_idx = -1;
> + const struct xfrm_if_cb *ifcb;
> + struct xfrm_if
On Tue, Jun 26, 2018 at 02:19:10PM -0700, Shannon Nelson wrote:
> The offload_handle should be an opaque data cookie for the driver
> to use, much like the data cookie for a timer or alarm callback.
> Thus, the XFRM stack should not be checking for non-zero, because
> the driver might use that to
On Mon, Jun 25, 2018 at 05:26:02PM +0200, Florian Westphal wrote:
> Kristian Evensen says:
> In a project I am involved in, we are running ipsec (Strongswan) on
> different mt7621-based routers. Each router is configured as an
> initiator and has around ~30 tunnels to different responders
On Mon, Jun 25, 2018 at 02:00:07PM +0200, Florian Westphal wrote:
> nlmsg_multicast() always frees the skb, so in case we cannot call
> it we must do that ourselves.
>
> Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire
> notification")
> Signed-off-by: Florian
On Mon, Jun 25, 2018 at 01:57:53PM +0200, Florian Westphal wrote:
> Kristian Evensen says:
> In a project I am involved in, we are running ipsec (Strongswan) on
> different mt7621-based routers. Each router is configured as an
> initiator and has around ~30 tunnels to different responders
On Tue, Jun 12, 2018 at 09:56:07AM +0200, Steffen Klassert wrote:
> This patchset introduces new virtual xfrm interfaces.
> The design of virtual xfrm interfaces was
> discussed at the Linux IPsec workshop 2018. This patchset
> implements these interfaces as the IPs
On Fri, Jun 15, 2018 at 08:55:14AM +0200, Steffen Klassert wrote:
> We already support setting an output mark at the xfrm_state,
> unfortunately this does not support the input direction and
> masking the marks that will be applied to the skb. This change
> adds support applying a
e_policy
> Variable was created at:
> dump_one_policy+0x78/0x1090 net/xfrm/xfrm_user.c:1689
> xfrm_policy_walk+0x45a/0xd00 net/xfrm/xfrm_policy.c:1013
>
> Byte 130 of 137 is uninitialized
> Memory access starts at 88019550407f
>
> Fixes: c0144beaeca42 ("[XFRM] netlink
On Tue, Jun 19, 2018 at 09:53:49AM +0200, Florian Westphal wrote:
> Li RongQing wrote:
> > The default NR_CPUS can be very large, but actual possible nr_cpu_ids
> > usually is very small. For some x86 distribution, the NR_CPUS is 8192
> > and nr_cpu_ids is 4, so replace NR_CPU to save some memory
Brunner
Co-developed-by: Eyal Birger
Co-developed-by: Lorenzo Colitti
Signed-off-by: Steffen Klassert
Signed-off-by: Tobias Brunner
Signed-off-by: Eyal Birger
Signed-off-by: Lorenzo Colitti
---
include/net/xfrm.h| 9 -
include/uapi/linux/xfrm.h | 4 +++-
net/xfrm
On Tue, Jun 12, 2018 at 11:33:41AM +0900, Lorenzo Colitti wrote:
> On Tue, Jun 12, 2018 at 11:12 AM Subash Abhinov Kasiviswanathan
> wrote:
> >
> > This patch adds support for OUTPUT_MARK in xfrm state to exercise the
> > functionality added by kernel commit 077fbac405bf
> > ("net: xfrm: support