28 Jul, 2020
1 commit
-
commit 17175d1a27c6 ("xfrm: esp6: fix encapsulation header offset
computation") changed esp6_input_done2 to correctly find the size of
the IPv6 header that precedes the TCP/UDP encapsulation header, but
didn't adjust the final call to skb_set_transport_header, which I
assumed was correct in using skb_network_header_len.

Xiumei Mu reported that when we create xfrm states that include port
numbers in the selector, traffic from the user sockets is dropped. It
turns out that we get a state mismatch in __xfrm_policy_check, because
we end up trying to compare the encapsulation header's ports with the
selector that's based on user traffic ports.

Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
Fixes: 26333c37fc28 ("xfrm: add IPv6 support for espintcp")
Reported-by: Xiumei Mu
Signed-off-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
07 Jul, 2020
1 commit
-
In commit 0146dca70b87, I incorrectly adapted the code that computes
the location of the UDP or TCP encapsulation header from IPv4 to
IPv6. In esp6_input_done2, skb->transport_header points to the ESP
header, so by adding skb_network_header_len, uh and th will point to
the ESP header, not the encapsulation header that's in front of it.

Since the TCP header's size can change with options, we have to start
from the IPv6 header and walk past possible extensions.

Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
Fixes: 26333c37fc28 ("xfrm: add IPv6 support for espintcp")
Reported-by: Tobias Brunner
Tested-by: Tobias Brunner
Signed-off-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
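The header walk both esp6 commits above describe (start at the IPv6 header and skip extension headers, instead of adding the IPv6 header length to the ESP offset), as an added C example that is not kernel code: the function names are mine, the header type numbers are those of RFC 8200, and the packet is constructed here.

```c
#include <stddef.h>
#include <stdint.h>
/* Header type numbers (RFC 8200); the four extension headers may sit
 * between the IPv6 header and the UDP/TCP encapsulation header. */
enum { HOPOPTS = 0, TCP = 6, UDP = 17, ROUTING = 43, FRAGMENT = 44, DSTOPTS = 60 };
#define IPV6_HDRLEN 40

/* Walk from the IPv6 header past any extension headers and return the offset
 * of the UDP/TCP header carrying ESP, storing its protocol in *proto; -1 for a
 * truncated/malformed packet, a non-first fragment, or no UDP/TCP header.
 * Adding the IPv6 header length to the ESP offset (the fixed bug) cannot do this. */
int ipv6_transport_offset(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    size_t off = IPV6_HDRLEN;
    uint8_t nexthdr;
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    nexthdr = pkt[6];
    for (;;) {
        size_t ext_len;
        if (nexthdr == UDP || nexthdr == TCP) {
            *proto = nexthdr;
            return (int)off;
        }
        if (nexthdr != HOPOPTS && nexthdr != ROUTING &&
            nexthdr != FRAGMENT && nexthdr != DSTOPTS)
            return -1;
        if (off + 8 > len)
            return -1;
        /* fragment header is a fixed 8 bytes; the others are (hdrlen + 1) * 8 */
        ext_len = (nexthdr == FRAGMENT) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (off + ext_len > len)
            return -1;
        /* a non-first fragment carries no transport header at all */
        if (nexthdr == FRAGMENT && (pkt[off + 2] || (pkt[off + 3] & 0xf8)))
            return -1;
        nexthdr = pkt[off];
        off += ext_len;
    }
}

/* Read the ports of the encapsulation header found by the walk; these are
 * the values an xfrm selector with ports has to be compared against. */
int ipv6_encap_ports(const uint8_t *pkt, size_t len, uint16_t *sport, uint16_t *dport)
{
    uint8_t proto;
    int off = ipv6_transport_offset(pkt, len, &proto);
    if (off < 0 || (size_t)off + 4 > len)
        return -1;
    *sport = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
    *dport = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);
    return off;
}

/* Constructed sample packet: IPv6 header, one 8-byte Destination Options
 * header, then UDP 4500 -> 4500 carrying an ESP header (SPI, seq 1). */
const uint8_t sample_pkt[] = {
    0x60, 0, 0, 0, 0, 24, DSTOPTS, 64,                    /* ver 6, plen 24, nh 60 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, /* src fe80::1 */
    0xfe, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, /* dst fe80::2 */
    UDP, 0, 1, 4, 0, 0, 0, 0,                             /* dstopts: nh 17, PadN */
    0x11, 0x94, 0x11, 0x94, 0, 16, 0, 0,                  /* UDP 4500 -> 4500, len 16 */
    0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1,                   /* ESP SPI, sequence */
};
```

In the sample the UDP header sits at offset 48 and ESP at 56; taking the ESP offset plus the 40-byte IPv6 header would point at 96, beyond the 64-byte packet.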
28 Apr, 2020
2 commits
-
This extends espintcp to support IPv6, building on the existing code
and the new UDPv6 encapsulation support. Most of the code is either
reused directly (stream parser, ULP) or very similar to the IPv4
variant (net/ipv6/esp6.c changes).

The separation of config options for IPv4 and IPv6 espintcp requires a
bit of Kconfig gymnastics to enable the core code.

Signed-off-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
-
This patch adds support for encapsulation of ESP over UDPv6. The code
is very similar to the IPv4 encapsulation implementation, and allows
to easily add espintcp on IPv6 as a follow-up.

Signed-off-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
19 Feb, 2020
1 commit
-
The esp fill trailer method is identical for both
IPv6 and IPv4.

Share the implementation for esp6 and esp to avoid
code duplication; in addition, it could also be used
in various drivers' code.

Signed-off-by: Raed Salem
Reviewed-by: Boris Pismenny
Reviewed-by: Saeed Mahameed
Signed-off-by: Steffen Klassert
01 Jul, 2019
1 commit
-
esp4_get_mtu and esp6_get_mtu are exactly the same; the only difference
is a single sizeof() (ipv4 vs. ipv6 header).

Merge both into xfrm_state_mtu() and remove the indirection.
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
06 Jun, 2019
1 commit
-
Only a handful of xfrm_types exist; no need to have 512 pointers for them.
Reduces size of afinfo struct from 4k to 120 bytes on 64bit platforms.
Also, the unregister function doesn't need to return an error; no single
caller does anything useful with it.

Just place a WARN_ON() where needed instead.
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
21 May, 2019
1 commit
-
Based on 2 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version this program is distributed in the
  hope that it will be useful but without any warranty without even
  the implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details you
  should have received a copy of the gnu general public license along
  with this program if not see http www gnu org licenses

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version this program is distributed in the
  hope that it will be useful but without any warranty without even
  the implied warranty of merchantability or fitness for a particular
  purpose see the gnu general public license for more details [based]
  [from] [clk] [highbank] [c] you should have received a copy of the
  gnu general public license along with this program if not see http
  www gnu org licenses

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 355 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Kate Stewart
Reviewed-by: Jilayne Lovejoy
Reviewed-by: Steve Winslow
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190519154041.837383322@linutronix.de
Signed-off-by: Greg Kroah-Hartman
28 Jan, 2019
1 commit
-
On ESP output, sk_wmem_alloc is incremented for the added padding if a
socket is associated to the skb. When replying with TCP SYNACKs over
IPsec, the associated sk is a casted request socket, only. Increasing
sk_wmem_alloc on a request socket results in a write at an arbitrary
struct offset. In the best case, this produces the following WARNING:

WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
refcount_t: addition on 0; use-after-free.
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
Hardware name: Marvell Armada 380/385 (Device Tree)
[...]
[] (esp_output_head [esp4]) from [] (esp_output+0xb8/0x180 [esp4])
[] (esp_output [esp4]) from [] (xfrm_output_resume+0x558/0x664)
[] (xfrm_output_resume) from [] (xfrm4_output+0x44/0xc4)
[] (xfrm4_output) from [] (tcp_v4_send_synack+0xa8/0xe8)
[] (tcp_v4_send_synack) from [] (tcp_conn_request+0x7f4/0x948)
[] (tcp_conn_request) from [] (tcp_rcv_state_process+0x2a0/0xe64)
[] (tcp_rcv_state_process) from [] (tcp_v4_do_rcv+0xf0/0x1f4)
[] (tcp_v4_do_rcv) from [] (tcp_v4_rcv+0xdb8/0xe20)
[] (tcp_v4_rcv) from [] (ip_protocol_deliver_rcu+0x2c/0x2dc)
[] (ip_protocol_deliver_rcu) from [] (ip_local_deliver_finish+0x48/0x54)
[] (ip_local_deliver_finish) from [] (ip_local_deliver+0x54/0xec)
[] (ip_local_deliver) from [] (ip_rcv+0x48/0xb8)
[] (ip_rcv) from [] (__netif_receive_skb_one_core+0x50/0x6c)
[...]

The issue triggers only when not using TCP syncookies, as for syncookies
no socket is associated.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Martin Willi
Signed-off-by: Steffen Klassert
20 Dec, 2018
1 commit
-
skb_sec_path gains 'const' qualifier to avoid
xt_policy.c: 'skb_sec_path' discards 'const' qualifier from pointer target type

same reasoning as previous conversions: Won't need to touch these
spots anymore when skb->sp is removed.

Signed-off-by: Florian Westphal
Signed-off-by: David S. Miller
29 Aug, 2018
1 commit
-
The pointer 'esph' is defined but is never used hence it is redundant
and can be removed.

Signed-off-by: Haishuang Yan
Signed-off-by: Steffen Klassert
27 Jun, 2018
1 commit
-
This ought to be an omission in e6194923237 ("esp: Fix memleaks on error
paths."). The memleak on error path in esp6_input is similar to esp_input
of esp4.

Fixes: e6194923237 ("esp: Fix memleaks on error paths.")
Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always")
Signed-off-by: Zhen Lei
Signed-off-by: Steffen Klassert
17 Jan, 2018
1 commit
-
Overlapping changes all over.
The mini-qdisc bits were a little bit tricky, however.
Signed-off-by: David S. Miller
08 Jan, 2018
1 commit
-
Currently esp will happily create an xfrm state with an unknown
encap type for IPv4, without setting the necessary state parameters.
This patch fixes it by returning -EINVAL.

There is a similar problem in IPv6 where if the mode is unknown
we will skip initialisation while returning zero. However, this
is harmless as the mode has already been checked further up the
stack. This patch removes this anomaly by aligning the IPv6
behaviour with IPv4 and treating unknown modes (which cannot
actually happen) as transport mode.

Fixes: 38320c70d282 ("[IPSEC]: Use crypto_aead and authenc in ESP")
Signed-off-by: Herbert Xu
Signed-off-by: Steffen Klassert
20 Dec, 2017
2 commits
-
We support asynchronous crypto on layer 2 ESP now.
So no need to force synchronous crypto fallback on
offloading anymore.

Signed-off-by: Steffen Klassert
-
This patch implements asynchronous crypto callbacks
and a backlog handler that can be used when IPsec
is done at layer 2 in the TX path. It also extends
the skb validate functions so that we can update
the driver transmit return codes based on async
crypto operation or to indicate that we queued the
packet in a backlog queue.

Joint work with: Aviv Heller
Signed-off-by: Steffen Klassert
16 Nov, 2017
1 commit
-
Pull networking updates from David Miller:
"Highlights:

 1) Maintain the TCP retransmit queue using an rbtree, with 1GB
    windows at 100Gb this really has become necessary. From Eric
    Dumazet.

 2) Multi-program support for cgroup+bpf, from Alexei Starovoitov.

 3) Perform broadcast flooding in hardware in mv88e6xxx, from Andrew
    Lunn.

 4) Add meter action support to openvswitch, from Andy Zhou.

 5) Add a data meta pointer for BPF accessible packets, from Daniel
    Borkmann.

 6) Namespace-ify almost all TCP sysctl knobs, from Eric Dumazet.

 7) Turn on Broadcom Tags in b53 driver, from Florian Fainelli.

 8) More work to move the RTNL mutex down, from Florian Westphal.

 9) Add 'bpftool' utility, to help with bpf program introspection.
    From Jakub Kicinski.

10) Add new 'cpumap' type for XDP_REDIRECT action, from Jesper
    Dangaard Brouer.

11) Support 'blocks' of transformations in the packet scheduler which
    can span multiple network devices, from Jiri Pirko.

12) TC flower offload support in cxgb4, from Kumar Sanghvi.

13) Priority based stream scheduler for SCTP, from Marcelo Ricardo
    Leitner.

14) Thunderbolt networking driver, from Amir Levy and Mika Westerberg.

15) Add RED qdisc offloadability, and use it in mlxsw driver. From
    Nogah Frankel.

16) eBPF based device controller for cgroup v2, from Roman Gushchin.

17) Add some fundamental tracepoints for TCP, from Song Liu.

18) Remove garbage collection from ipv6 route layer, this is a
    significant accomplishment. From Wei Wang.

19) Add multicast route offload support to mlxsw, from Yotam Gigi"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (2177 commits)
tcp: highest_sack fix
geneve: fix fill_info when link down
bpf: fix lockdep splat
net: cdc_ncm: GetNtbFormat endian fix
openvswitch: meter: fix NULL pointer dereference in ovs_meter_cmd_reply_start
netem: remove unnecessary 64 bit modulus
netem: use 64 bit divide by rate
tcp: Namespace-ify sysctl_tcp_default_congestion_control
net: Protect iterations over net::fib_notifier_ops in fib_seq_sum()
ipv6: set all.accept_dad to 0 by default
uapi: fix linux/tls.h userspace compilation error
usbnet: ipheth: prevent TX queue timeouts when device not ready
vhost_net: conditionally enable tx polling
uapi: fix linux/rxrpc.h userspace compilation errors
net: stmmac: fix LPI transitioning for dwmac4
atm: horizon: Fix irq release error
net-sysfs: trigger netlink notification on ifalias change via sysfs
openvswitch: Using kfree_rcu() to simplify the code
openvswitch: Make local function ovs_nsh_key_attr_size() static
openvswitch: Fix return value check in ovs_meter_cmd_features()
...
03 Nov, 2017
1 commit
-
Replace -EBUSY with -ENOSPC when handling transient busy
indication in the absence of backlog.

Signed-off-by: Gilad Ben-Yossef
Signed-off-by: Herbert Xu
27 Oct, 2017
1 commit
-
Use BUG_ON instead of if condition followed by BUG in esp_remove_trailer.
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva
Acked-by: Herbert Xu
Signed-off-by: Steffen Klassert
23 Oct, 2017
1 commit
-
The pointer esph is being initialized with a value that is never
read and then being updated. Remove the redundant initialization
and move the declaration and initialization of esph to the local
code block.

Cleans up clang warning:
net/ipv6/esp6.c:562:21: warning: Value stored to 'esph' during its
initialization is never read

Signed-off-by: Colin Ian King
Signed-off-by: Steffen Klassert
02 Sep, 2017
1 commit
-
Three cases of simple overlapping changes.
Signed-off-by: David S. Miller
31 Aug, 2017
1 commit
-
In conjunction with crypto offload [1], removing the ESP trailer by
hardware can potentially improve the performance by avoiding (1) a
cache miss incurred by reading the nexthdr field and (2) the necessity
to calculate the csum value of the trailer in order to keep skb->csum
valid.

This patch introduces the changes to the xfrm stack and merely serves
as an infrastructure. Subsequent patch to mlx5 driver will put this to
a good use.

[1] https://www.mail-archive.com/netdev@vger.kernel.org/msg175733.html
Signed-off-by: Yossi Kuperman
Signed-off-by: Steffen Klassert
25 Aug, 2017
2 commits
-
We use skb_availroom to calculate the skb tailroom for the
ESP trailer. skb_availroom calculates the tailroom and
subtracts this value by reserved_tailroom. However
reserved_tailroom is a union with the skb mark. This means
that we subtract the tailroom by the skb mark if set.
Fix this by using skb_tailroom instead.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Steffen Klassert
-
We allocate the page fragment for the ESP trailer inside
a spinlock, but consume it outside of the lock. This
is racy as some other CPU could get the same page fragment
then. Fix this by consuming the page fragment inside the
lock too.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Steffen Klassert
02 Aug, 2017
2 commits
-
Both ip6_input_finish (non-GRO) and esp6_gro_receive (GRO) strip
the IPv6 header without adjusting skb->csum accordingly. As a
result CHECKSUM_COMPLETE breaks and "hw csum failure" is written
to the kernel log by netdev_rx_csum_fault (dev.c).

Fix skb->csum by subtracting the checksum value of the pulled IPv6
header using a call to skb_postpull_rcsum.

This affects both transport and tunnel modes.
Note that the fix occurs far from the place that the header was
pulled. This is based on existing code, see:
ipv6_srh_rcv() in exthdrs.c and rawv6_rcv() in raw.c

Signed-off-by: Yossi Kuperman
Signed-off-by: Ilan Tayari
Signed-off-by: Steffen Klassert
-
Keep the device's reported ip_summed indication in case crypto
was offloaded by the device. Subtract the csum values of the
stripped parts (esp header+iv, esp trailer+auth_data) to keep
value correct.

Note: CHECKSUM_COMPLETE should be indicated only if skb->csum
has the post-decryption offload csum value.

Signed-off-by: Ariel Levkovich
Signed-off-by: Ilan Tayari
Signed-off-by: Steffen Klassert
13 Jul, 2017
1 commit
-
We leak the temporary allocated resources in error paths,
fix this by freeing them.

Fixes: fca11ebde3f ("esp4: Reorganize esp_output")
Fixes: 383d0350f2c ("esp6: Reorganize esp_output")
Fixes: 3f29770723f ("ipsec: check return value of skb_to_sgvec always")
Signed-off-by: Steffen Klassert
01 Jul, 2017
1 commit
-
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova
Signed-off-by: Hans Liljestrand
Signed-off-by: Kees Cook
Signed-off-by: David Windsor
Signed-off-by: David S. Miller
24 Jun, 2017
1 commit
-
Steffen Klassert says:
====================
pull request (net-next): ipsec-next 2017-06-23

1) Use memdup_user to simplify xfrm_user_policy.
   From Geliang Tang.

2) Make xfrm_dev_register static to silence a sparse warning.
   From Wei Yongjun.

3) Use crypto_memneq to check the ICV in the AH protocol.
   From Sabrina Dubroca.

4) Remove some unused variables in esp6.
   From Stephen Hemminger.

5) Extend XFRM MIGRATE to allow to change the UDP encapsulation port.
   From Antony Antony.

6) Include the UDP encapsulation port to km_migrate announcements.
   From Antony Antony.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller
16 Jun, 2017
1 commit
-
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.

Make these functions return void * and remove all the casts across
the tree, adding a (u8 *) cast only where the unsigned char pointer
was used directly, all done with the following spatch:

    @@
    expression SKB, LEN;
    typedef u8;
    identifier fn = { skb_push, __skb_push, skb_push_rcsum };
    @@
    - *(fn(SKB, LEN))
    + *(u8 *)fn(SKB, LEN)

    @@
    expression E, SKB, LEN;
    identifier fn = { skb_push, __skb_push, skb_push_rcsum };
    type T;
    @@
    - E = ((T *)(fn(SKB, LEN)))
    + E = fn(SKB, LEN)

    @@
    expression SKB, LEN;
    identifier fn = { skb_push, __skb_push, skb_push_rcsum };
    @@
    - fn(SKB, LEN)[0]
    + *(u8 *)fn(SKB, LEN)

Note that the last part there converts from push(...)[0] to the
more idiomatic *(u8 *)push(...).

Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
05 Jun, 2017
1 commit
-
Signed-off-by: Jason A. Donenfeld
Cc: Steffen Klassert
Cc: Herbert Xu
Cc: "David S. Miller"
Signed-off-by: David S. Miller
22 May, 2017
1 commit
-
Resolves warnings:
net/ipv6/esp6.c: In function ‘esp_ssg_unref’:
net/ipv6/esp6.c:121:10: warning: variable ‘seqhi’ set but not used [-Wunused-but-set-variable]
net/ipv6/esp6.c: In function ‘esp6_output_head’:
net/ipv6/esp6.c:227:21: warning: variable ‘esph’ set but not used [-Wunused-but-set-variable]

Signed-off-by: Stephen Hemminger
Signed-off-by: Steffen Klassert
24 Apr, 2017
1 commit
-
A recent commit moved esp_alloc_tmp() out of a lock
protected region, but forgot to remove the unlock from
the error path. This patch removes the forgotten unlock.
While at it, remove some unneeded error assignments too.

Fixes: fca11ebde3f0 ("esp4: Reorganize esp_output")
Fixes: 383d0350f2cc ("esp6: Reorganize esp_output")
Reported-by: Dan Carpenter
Signed-off-by: Steffen Klassert
14 Apr, 2017
5 commits
-
We need a fallback algorithm for crypto offloading to a NIC.
This is because packets can be rerouted to other NICs that
don't support crypto offloading. The fallback is going to be
implemented at layer2 where we know the final output device
but can't handle asynchronous returns from the crypto layer.

Signed-off-by: Steffen Klassert
-
This patch extends the xfrm_type by an encap function pointer
and implements esp4_gso_encap and esp6_gso_encap. These functions
do the basic esp encapsulation for a GSO packet. In case the
GSO packet needs to be segmented in software, we add gso_segment
functions. This codepath is going to be used on esp hardware
offloads.

Signed-off-by: Steffen Klassert
-
We need a fallback for ESP at layer 2, so split esp6_output
into generic functions that can be used at layer 3 and layer 2
and use them in esp_output. We also add esp6_xmit which is
used for the layer 2 fallback.

Signed-off-by: Steffen Klassert
-
We are going to export the ipv4 and the ipv6
version of esp_input_done2. They are not static
anymore and can't have the same name. So rename
the ipv6 version to esp6_input_done2.

Signed-off-by: Steffen Klassert
-
This patch adds all the bits that are needed to do
IPsec hardware offload for IPsec states and ESP packets.
We add xfrmdev_ops to the net_device. xfrmdev_ops has
function pointers that are needed to manage the xfrm
states in the hardware and to do a per packet
offloading decision.

Joint work with:
Ilan Tayari
Guy Shapiro
Yossi Kuperman

Signed-off-by: Guy Shapiro
Signed-off-by: Ilan Tayari
Signed-off-by: Yossi Kuperman
Signed-off-by: Steffen Klassert
17 Jan, 2017
2 commits
-
We need to setup the trailer in two different cases,
so add a helper to avoid code duplication.

Signed-off-by: Steffen Klassert
-
This patch tries to avoid skb_cow_data on esp6.
On the encrypt side we add the IPsec tailbits
to the linear part of the buffer if there is
space on it. If there is no space on the linear
part, we add a page fragment with the tailbits to
the buffer and use separate src and dst scatterlists.

On the decrypt side, we leave the buffer as it is
if it is not cloned.

With this, we can avoid a linearization of the buffer
in most of the cases.

Joint work with:
Sowmini Varadhan
Ilan Tayari

Signed-off-by: Sowmini Varadhan
Signed-off-by: Ilan Tayari
Signed-off-by: Steffen Klassert