tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'ipsec-2024-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2024-07-11
1) Fix esp_output_tail_tcp() on unsupported ESPINTCP.
From Hagar Hemdan.
2) Fix two bugs in the recently introduced SA direction separation.
From Antony Antony.
3) Fix unregister netdevice hang on hardware offload. We had to add another
list where skbs linked to that are unlinked from the lists (deleted)
but not yet freed.
4) Fix netdev reference count imbalance in xfrm_state_find.
From Jianbo Liu.
5) Call xfrm_dev_policy_delete when killingi them on offloaded policies.
Jianbo Liu.
* tag 'ipsec-2024-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
xfrm: call xfrm_dev_policy_delete when kill policy
xfrm: fix netdev reference count imbalance
xfrm: Export symbol xfrm_dev_state_delete.
xfrm: Fix unregister netdevice hang on hardware offload.
xfrm: Log input direction mismatch error in one place
xfrm: Fix input error path memory access
net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
====================
Link: https://patch.msgid.link/20240711100025.1949454-1-steffen.klassert@secunet.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+92
-43
+10
-26
include/net/xfrm.h
+10
-26
include/net/xfrm.h
···
178
178
struct hlist_node gclist;
179
179
struct hlist_node bydst;
180
180
};
181
-
struct hlist_node bysrc;
181
+
union {
182
+
struct hlist_node dev_gclist;
183
+
struct hlist_node bysrc;
184
+
};
182
185
struct hlist_node byspi;
183
186
struct hlist_node byseq;
184
187
···
1591
1588
static inline void xfrm_dev_state_update_stats(struct xfrm_state *x)
1592
1589
{
1593
1590
struct xfrm_dev_offload *xdo = &x->xso;
1594
-
struct net_device *dev = xdo->dev;
1591
+
struct net_device *dev = READ_ONCE(xdo->dev);
1595
1592
1596
1593
if (dev && dev->xfrmdev_ops &&
1597
1594
dev->xfrmdev_ops->xdo_dev_state_update_stats)
···
1949
1946
struct xfrm_user_offload *xuo, u8 dir,
1950
1947
struct netlink_ext_ack *extack);
1951
1948
bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x);
1949
+
void xfrm_dev_state_delete(struct xfrm_state *x);
1950
+
void xfrm_dev_state_free(struct xfrm_state *x);
1952
1951
1953
1952
static inline void xfrm_dev_state_advance_esn(struct xfrm_state *x)
1954
1953
{
1955
1954
struct xfrm_dev_offload *xso = &x->xso;
1955
+
struct net_device *dev = READ_ONCE(xso->dev);
1956
1956
1957
-
if (xso->dev && xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1958
-
xso->dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1957
+
if (dev && dev->xfrmdev_ops->xdo_dev_state_advance_esn)
1958
+
dev->xfrmdev_ops->xdo_dev_state_advance_esn(x);
1959
1959
}
1960
1960
1961
1961
static inline bool xfrm_dst_offload_ok(struct dst_entry *dst)
···
1977
1971
return true;
1978
1972
1979
1973
return false;
1980
-
}
1981
-
1982
-
static inline void xfrm_dev_state_delete(struct xfrm_state *x)
1983
-
{
1984
-
struct xfrm_dev_offload *xso = &x->xso;
1985
-
1986
-
if (xso->dev)
1987
-
xso->dev->xfrmdev_ops->xdo_dev_state_delete(x);
1988
-
}
1989
-
1990
-
static inline void xfrm_dev_state_free(struct xfrm_state *x)
1991
-
{
1992
-
struct xfrm_dev_offload *xso = &x->xso;
1993
-
struct net_device *dev = xso->dev;
1994
-
1995
-
if (dev && dev->xfrmdev_ops) {
1996
-
if (dev->xfrmdev_ops->xdo_dev_state_free)
1997
-
dev->xfrmdev_ops->xdo_dev_state_free(x);
1998
-
xso->dev = NULL;
1999
-
xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
2000
-
netdev_put(dev, &xso->dev_tracker);
2001
-
}
2002
1974
}
2003
1975
2004
1976
static inline void xfrm_dev_policy_delete(struct xfrm_policy *x)
+1
-2
net/ipv4/esp4.c
+1
-2
net/ipv4/esp4.c
+7
net/ipv4/esp4_offload.c
+7
net/ipv4/esp4_offload.c
···
56
56
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
57
57
(xfrm_address_t *)&ip_hdr(skb)->daddr,
58
58
spi, IPPROTO_ESP, AF_INET);
59
+
60
+
if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
61
+
/* non-offload path will record the error and audit log */
62
+
xfrm_state_put(x);
63
+
x = NULL;
64
+
}
65
+
59
66
if (!x)
60
67
goto out_reset;
61
68
+1
-2
net/ipv6/esp6.c
+1
-2
net/ipv6/esp6.c
+7
net/ipv6/esp6_offload.c
+7
net/ipv6/esp6_offload.c
···
83
83
x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
84
84
(xfrm_address_t *)&ipv6_hdr(skb)->daddr,
85
85
spi, IPPROTO_ESP, AF_INET6);
86
+
87
+
if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
88
+
/* non-offload path will record the error and audit log */
89
+
xfrm_state_put(x);
90
+
x = NULL;
91
+
}
92
+
86
93
if (!x)
87
94
goto out_reset;
88
95
+3
-5
net/xfrm/xfrm_input.c
+3
-5
net/xfrm/xfrm_input.c
···
474
474
if (encap_type < 0 || (xo && xo->flags & XFRM_GRO)) {
475
475
x = xfrm_input_state(skb);
476
476
477
-
if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
478
-
XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEDIRERROR);
479
-
goto drop;
480
-
}
481
-
482
477
if (unlikely(x->km.state != XFRM_STATE_VALID)) {
483
478
if (x->km.state == XFRM_STATE_ACQ)
484
479
XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
···
580
585
}
581
586
582
587
if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
588
+
secpath_reset(skb);
583
589
XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEDIRERROR);
590
+
xfrm_audit_state_notfound(skb, family, spi, seq);
584
591
xfrm_state_put(x);
592
+
x = NULL;
585
593
goto drop;
586
594
}
587
595
+2
-3
net/xfrm/xfrm_policy.c
+2
-3
net/xfrm/xfrm_policy.c
···
452
452
453
453
static void xfrm_policy_kill(struct xfrm_policy *policy)
454
454
{
455
+
xfrm_dev_policy_delete(policy);
456
+
455
457
write_lock_bh(&policy->lock);
456
458
policy->walk.dead = 1;
457
459
write_unlock_bh(&policy->lock);
···
1852
1850
1853
1851
__xfrm_policy_unlink(pol, dir);
1854
1852
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1855
-
xfrm_dev_policy_delete(pol);
1856
1853
cnt++;
1857
1854
xfrm_audit_policy_delete(pol, 1, task_valid);
1858
1855
xfrm_policy_kill(pol);
···
1892
1891
1893
1892
__xfrm_policy_unlink(pol, dir);
1894
1893
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
1895
-
xfrm_dev_policy_delete(pol);
1896
1894
cnt++;
1897
1895
xfrm_audit_policy_delete(pol, 1, task_valid);
1898
1896
xfrm_policy_kill(pol);
···
2342
2342
pol = __xfrm_policy_unlink(pol, dir);
2343
2343
spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
2344
2344
if (pol) {
2345
-
xfrm_dev_policy_delete(pol);
2346
2345
xfrm_policy_kill(pol);
2347
2346
return 0;
2348
2347
}
+61
-4
net/xfrm/xfrm_state.c
+61
-4
net/xfrm/xfrm_state.c
···
49
49
50
50
static DECLARE_WORK(xfrm_state_gc_work, xfrm_state_gc_task);
51
51
static HLIST_HEAD(xfrm_state_gc_list);
52
+
static HLIST_HEAD(xfrm_state_dev_gc_list);
52
53
53
54
static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x)
54
55
{
···
215
214
static struct xfrm_state_afinfo __rcu *xfrm_state_afinfo[NPROTO];
216
215
217
216
static DEFINE_SPINLOCK(xfrm_state_gc_lock);
217
+
static DEFINE_SPINLOCK(xfrm_state_dev_gc_lock);
218
218
219
219
int __xfrm_state_delete(struct xfrm_state *x);
220
220
···
685
683
}
686
684
EXPORT_SYMBOL(xfrm_state_alloc);
687
685
686
+
#ifdef CONFIG_XFRM_OFFLOAD
687
+
void xfrm_dev_state_delete(struct xfrm_state *x)
688
+
{
689
+
struct xfrm_dev_offload *xso = &x->xso;
690
+
struct net_device *dev = READ_ONCE(xso->dev);
691
+
692
+
if (dev) {
693
+
dev->xfrmdev_ops->xdo_dev_state_delete(x);
694
+
spin_lock_bh(&xfrm_state_dev_gc_lock);
695
+
hlist_add_head(&x->dev_gclist, &xfrm_state_dev_gc_list);
696
+
spin_unlock_bh(&xfrm_state_dev_gc_lock);
697
+
}
698
+
}
699
+
EXPORT_SYMBOL_GPL(xfrm_dev_state_delete);
700
+
701
+
void xfrm_dev_state_free(struct xfrm_state *x)
702
+
{
703
+
struct xfrm_dev_offload *xso = &x->xso;
704
+
struct net_device *dev = READ_ONCE(xso->dev);
705
+
706
+
if (dev && dev->xfrmdev_ops) {
707
+
spin_lock_bh(&xfrm_state_dev_gc_lock);
708
+
if (!hlist_unhashed(&x->dev_gclist))
709
+
hlist_del(&x->dev_gclist);
710
+
spin_unlock_bh(&xfrm_state_dev_gc_lock);
711
+
712
+
if (dev->xfrmdev_ops->xdo_dev_state_free)
713
+
dev->xfrmdev_ops->xdo_dev_state_free(x);
714
+
WRITE_ONCE(xso->dev, NULL);
715
+
xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
716
+
netdev_put(dev, &xso->dev_tracker);
717
+
}
718
+
}
719
+
#endif
720
+
688
721
void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
689
722
{
690
723
WARN_ON(x->km.state != XFRM_STATE_DEAD);
···
885
848
886
849
int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid)
887
850
{
851
+
struct xfrm_state *x;
852
+
struct hlist_node *tmp;
853
+
struct xfrm_dev_offload *xso;
888
854
int i, err = 0, cnt = 0;
889
855
890
856
spin_lock_bh(&net->xfrm.xfrm_state_lock);
···
897
857
898
858
err = -ESRCH;
899
859
for (i = 0; i <= net->xfrm.state_hmask; i++) {
900
-
struct xfrm_state *x;
901
-
struct xfrm_dev_offload *xso;
902
860
restart:
903
861
hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
904
862
xso = &x->xso;
···
906
868
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
907
869
908
870
err = xfrm_state_delete(x);
871
+
xfrm_dev_state_free(x);
872
+
909
873
xfrm_audit_state_delete(x, err ? 0 : 1,
910
874
task_valid);
911
875
xfrm_state_put(x);
···
924
884
925
885
out:
926
886
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
887
+
888
+
spin_lock_bh(&xfrm_state_dev_gc_lock);
889
+
restart_gc:
890
+
hlist_for_each_entry_safe(x, tmp, &xfrm_state_dev_gc_list, dev_gclist) {
891
+
xso = &x->xso;
892
+
893
+
if (xso->dev == dev) {
894
+
spin_unlock_bh(&xfrm_state_dev_gc_lock);
895
+
xfrm_dev_state_free(x);
896
+
spin_lock_bh(&xfrm_state_dev_gc_lock);
897
+
goto restart_gc;
898
+
}
899
+
900
+
}
901
+
spin_unlock_bh(&xfrm_state_dev_gc_lock);
902
+
903
+
xfrm_flush_gc();
904
+
927
905
return err;
928
906
}
929
907
EXPORT_SYMBOL(xfrm_dev_state_flush);
···
1331
1273
xso->dev = xdo->dev;
1332
1274
xso->real_dev = xdo->real_dev;
1333
1275
xso->flags = XFRM_DEV_OFFLOAD_FLAG_ACQ;
1334
-
netdev_tracker_alloc(xso->dev, &xso->dev_tracker,
1335
-
GFP_ATOMIC);
1276
+
netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC);
1336
1277
error = xso->dev->xfrmdev_ops->xdo_dev_state_add(x, NULL);
1337
1278
if (error) {
1338
1279
xso->dir = 0;