
Merge tag 'ipsec-2025-08-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2025-08-11

1) Fix flushing of all states in xfrm_state_fini.
From Sabrina Dubroca.

2) Fix some IPsec software offload features. These
got lost with some recent HW offload changes.
From Sabrina Dubroca.

Please pull or let me know if there are problems.

* tag 'ipsec-2025-08-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
udp: also consider secpath when evaluating ipsec use for checksumming
xfrm: bring back device check in validate_xmit_xfrm
xfrm: restore GSO for SW crypto
xfrm: flush all states in xfrm_state_fini
====================

Link: https://patch.msgid.link/20250811092008.731573-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+12 -6
+1 -1
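--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -217,7 +217,7 @@
 remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
 skb->remcsum_offload = remcsum;
 
-need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
+need_ipsec = (skb_dst(skb) && dst_xfrm(skb_dst(skb))) || skb_sec_path(skb);
 /* Try to offload checksum if possible */
 offload_csum = !!(need_csum &&
 !need_ipsec &&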
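Review bot: The widened `need_ipsec` assignment carries no comment saying why an xfrm dst alone is not a sufficient signal, so the `|| skb_sec_path(skb)` term looks redundant to a later reader and is easy to drop again. Going by the commit title, the secpath marks packets that IPsec handles even when `skb_dst(skb)` has no xfrm attached; a one-line comment above the assignment such as `/* IPsec use shows up as an xfrm dst or as a secpath on the skb */` would record that. It matters because `need_ipsec` is what keeps `offload_csum` off, and a checksum left for the device after the payload has been transformed would presumably be wrong on the wire. The function body starts and continues outside the hunk.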
+1 -1
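--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,7 +334,7 @@
 struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
 unsigned int i;
 
-xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+xfrm_state_flush(net, 0, false);
 xfrm_flush_gc();
 
 for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)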
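Review bot: The bare `0` now passed as the protocol argument of `xfrm_state_flush()` is unexplained and replaces a named constant, so it reads like a regression and invites a cleanup back to `IPSEC_PROTO_ANY`. The commit title says the intent is to flush all states, which suggests `IPSEC_PROTO_ANY` does not match every state type; a comment on the call such as `/* proto 0 matches every state; IPSEC_PROTO_ANY would not */` would pin that down, after confirming it against the protocol-match helper, which is not on this page. The same applies to the identical change in net/xfrm/xfrm_state.c, where the `WARN_ON(!list_empty(&net->xfrm.state_all))` a few lines later is what fires if a state, together with its key material, survives namespace teardown. Both functions start outside their hunks.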
+9 -3
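--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -155,7 +155,8 @@
 return skb;
 }
 
-if (skb_is_gso(skb) && unlikely(xmit_xfrm_check_overflow(skb))) {
+if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
+unlikely(xmit_xfrm_check_overflow(skb)))) {
 struct sk_buff *segs;
 
 /* Packet got rerouted, fixup features and segment it. */
@@ -415,10 +416,12 @@
 struct net_device *dev = x->xso.dev;
 bool check_tunnel_size;
 
-if (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
+if (!x->type_offload ||
+(x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap))
 return false;
 
-if ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm) {
+if ((!dev || dev == xfrm_dst_path(dst)->dev) &&
+!xdst->child->xfrm) {
 mtu = xfrm_state_mtu(x, xdst->child_mtu_cached);
 if (skb->len <= mtu)
 goto ok;
@@ -430,6 +433,9 @@
 return false;
 
 ok:
+if (!dev)
+return true;
+
 check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
 x->props.mode == XFRM_MODE_TUNNEL;
 switch (x->props.family) {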
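Review bot: The new `if (!dev) return true;` after `ok:` relies on `x->xso.dev == NULL` meaning that the state has no offload device and crypto is done in software, but nothing in the hunks says so. The same assumption is what makes `x->xso.dev != dev` in the first hunk true for every GSO packet of such a state. A short comment at the early return, for example `/* no offload device: crypto is done in software, skip the checks below */`, would show that bypassing the `switch (x->props.family)` block is deliberate; this reading is inferred from the hunks and should be confirmed. The existing comment `/* Packet got rerouted, fixup features and segment it. */` describes only one of the two conditions that now lead into that branch and could be widened to mention the overflow case. Both functions begin and end outside the visible hunks.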
+1 -1
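--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3297,7 +3297,7 @@
 unsigned int sz;
 
 flush_work(&net->xfrm.state_hash_work);
-xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+xfrm_state_flush(net, 0, false);
 flush_work(&xfrm_state_gc_work);
 
 WARN_ON(!list_empty(&net->xfrm.state_all));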