<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv4/esp4.c, branch linux-5.6.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>xfrm: add espintcp (RFC 8229)</title>
<updated>2019-12-09T08:59:07+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-11-25T13:49:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e27cca96cd68fa2c6814c90f9a1cfd36bb68c593'/>
<id>e27cca96cd68fa2c6814c90f9a1cfd36bb68c593</id>
<content type='text'>
TCP encapsulation of IKE and IPsec messages (RFC 8229) is implemented
as a TCP ULP, overriding in particular the sendmsg and recvmsg
operations. A Stream Parser is used to extract messages out of the TCP
stream using the first 2 bytes as length marker. Received IKE messages
are put on "ike_queue", waiting to be dequeued by the custom recvmsg
implementation. Received ESP messages are sent to XFRM, like with UDP
encapsulation.

Some of this code is taken from the original submission by Herbert
Xu. Currently, only IPv4 is supported, like for UDP encapsulation.

Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
TCP encapsulation of IKE and IPsec messages (RFC 8229) is implemented
as a TCP ULP, overriding in particular the sendmsg and recvmsg
operations. A Stream Parser is used to extract messages out of the TCP
stream using the first 2 bytes as length marker. Received IKE messages
are put on "ike_queue", waiting to be dequeued by the custom recvmsg
implementation. Received ESP messages are sent to XFRM, like with UDP
encapsulation.

Some of this code is taken from the original submission by Herbert
Xu. Currently, only IPv4 is supported, like for UDP encapsulation.

Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>esp4: split esp_output_udp_encap and introduce esp_output_encap</title>
<updated>2019-12-09T08:59:07+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-11-25T13:49:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eecd227a9a3479038ba2a2f579b3ce9edb364b80'/>
<id>eecd227a9a3479038ba2a2f579b3ce9edb364b80</id>
<content type='text'>
Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>esp4: prepare esp_input_done2 for non-UDP encapsulation</title>
<updated>2019-12-09T08:59:07+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-11-25T13:49:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=25f6802b4c18817c82cd581d38ce155ad6412176'/>
<id>25f6802b4c18817c82cd581d38ce155ad6412176</id>
<content type='text'>
For espintcp encapsulation, we will need to get the source port from the
TCP header instead of UDP. Introduce a variable to hold the port.

Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For espintcp encapsulation, we will need to get the source port from the
TCP header instead of UDP. Introduce a variable to hold the port.

Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm: remove get_mtu indirection from xfrm_type</title>
<updated>2019-07-01T04:16:40+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-06-24T20:04:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c7b37c769d2a5e711106a3c793140a4f46768e04'/>
<id>c7b37c769d2a5e711106a3c793140a4f46768e04</id>
<content type='text'>
esp4_get_mtu and esp6_get_mtu are exactly the same, the only difference
is a single sizeof() (ipv4 vs. ipv6 header).

Merge both into xfrm_state_mtu() and remove the indirection.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
esp4_get_mtu and esp6_get_mtu are exactly the same, the only difference
is a single sizeof() (ipv4 vs. ipv6 header).

Merge both into xfrm_state_mtu() and remove the indirection.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm: remove type and offload_type map from xfrm_state_afinfo</title>
<updated>2019-06-06T06:34:50+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-05-03T15:46:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4f518e802ccad30c9dccc895f2294398757b87c0'/>
<id>4f518e802ccad30c9dccc895f2294398757b87c0</id>
<content type='text'>
Only a handful of xfrm_types exist, no need to have 512 pointers for them.

Reduces size of afinfo struct from 4k to 120 bytes on 64bit platforms.

Also, the unregister function doesn't need to return an error, no single
caller does anything useful with it.

Just place a WARN_ON() where needed instead.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Only a handful of xfrm_types exist, no need to have 512 pointers for them.

Reduces size of afinfo struct from 4k to 120 bytes on 64bit platforms.

Also, the unregister function doesn't need to return an error, no single
caller does anything useful with it.

Just place a WARN_ON() where needed instead.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Add SPDX license identifier for more missed files</title>
<updated>2019-05-21T08:50:45+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-19T12:08:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=09c434b8a0047c69e48499de0107de312901e798'/>
<id>09c434b8a0047c69e48499de0107de312901e798</id>
<content type='text'>
Add SPDX license identifiers to all files which:

 - Have no license information of any form

 - Have MODULE_LICENCE("GPL*") inside which was used in the initial
   scan/conversion to ignore the file

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add SPDX license identifiers to all files which:

 - Have no license information of any form

 - Have MODULE_LICENCE("GPL*") inside which was used in the initial
   scan/conversion to ignore the file

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>esp4: add length check for UDP encapsulation</title>
<updated>2019-03-26T07:39:30+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-03-25T13:30:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e'/>
<id>8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e</id>
<content type='text'>
esp_output_udp_encap can produce a length that doesn't fit in the 16
bits of a UDP header's length field. In that case, we'll send a
fragmented packet whose length is larger than IP_MAX_MTU (resulting in
"Oversized IP packet" warnings on receive) and with a bogus UDP
length.

To prevent this, add a length check to esp_output_udp_encap and return
 -EMSGSIZE on failure.

This seems to be older than git history.

Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
esp_output_udp_encap can produce a length that doesn't fit in the 16
bits of a UDP header's length field. In that case, we'll send a
fragmented packet whose length is larger than IP_MAX_MTU (resulting in
"Oversized IP packet" warnings on receive) and with a bogus UDP
length.

To prevent this, add a length check to esp_output_udp_encap and return
 -EMSGSIZE on failure.

This seems to be older than git history.

Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>esp: Skip TX bytes accounting when sending from a request socket</title>
<updated>2019-01-28T10:20:58+00:00</updated>
<author>
<name>Martin Willi</name>
<email>martin@strongswan.org</email>
</author>
<published>2019-01-28T08:35:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=09db51241118aeb06e1c8cd393b45879ce099b36'/>
<id>09db51241118aeb06e1c8cd393b45879ce099b36</id>
<content type='text'>
On ESP output, sk_wmem_alloc is incremented for the added padding if a
socket is associated to the skb. When replying with TCP SYNACKs over
IPsec, the associated sk is a casted request socket, only. Increasing
sk_wmem_alloc on a request socket results in a write at an arbitrary
struct offset. In the best case, this produces the following WARNING:

WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
refcount_t: addition on 0; use-after-free.
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
Hardware name: Marvell Armada 380/385 (Device Tree)
[...]
[&lt;bf0ff354&gt;] (esp_output_head [esp4]) from [&lt;bf1006a4&gt;] (esp_output+0xb8/0x180 [esp4])
[&lt;bf1006a4&gt;] (esp_output [esp4]) from [&lt;c05dee64&gt;] (xfrm_output_resume+0x558/0x664)
[&lt;c05dee64&gt;] (xfrm_output_resume) from [&lt;c05d07b0&gt;] (xfrm4_output+0x44/0xc4)
[&lt;c05d07b0&gt;] (xfrm4_output) from [&lt;c05956bc&gt;] (tcp_v4_send_synack+0xa8/0xe8)
[&lt;c05956bc&gt;] (tcp_v4_send_synack) from [&lt;c0586ad8&gt;] (tcp_conn_request+0x7f4/0x948)
[&lt;c0586ad8&gt;] (tcp_conn_request) from [&lt;c058c404&gt;] (tcp_rcv_state_process+0x2a0/0xe64)
[&lt;c058c404&gt;] (tcp_rcv_state_process) from [&lt;c05958ac&gt;] (tcp_v4_do_rcv+0xf0/0x1f4)
[&lt;c05958ac&gt;] (tcp_v4_do_rcv) from [&lt;c0598a4c&gt;] (tcp_v4_rcv+0xdb8/0xe20)
[&lt;c0598a4c&gt;] (tcp_v4_rcv) from [&lt;c056eb74&gt;] (ip_protocol_deliver_rcu+0x2c/0x2dc)
[&lt;c056eb74&gt;] (ip_protocol_deliver_rcu) from [&lt;c056ee6c&gt;] (ip_local_deliver_finish+0x48/0x54)
[&lt;c056ee6c&gt;] (ip_local_deliver_finish) from [&lt;c056eecc&gt;] (ip_local_deliver+0x54/0xec)
[&lt;c056eecc&gt;] (ip_local_deliver) from [&lt;c056efac&gt;] (ip_rcv+0x48/0xb8)
[&lt;c056efac&gt;] (ip_rcv) from [&lt;c0519c2c&gt;] (__netif_receive_skb_one_core+0x50/0x6c)
[...]

The issue triggers only when not using TCP syncookies, as for syncookies
no socket is associated.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Martin Willi &lt;martin@strongswan.org&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
On ESP output, sk_wmem_alloc is incremented for the added padding if a
socket is associated to the skb. When replying with TCP SYNACKs over
IPsec, the associated sk is a casted request socket, only. Increasing
sk_wmem_alloc on a request socket results in a write at an arbitrary
struct offset. In the best case, this produces the following WARNING:

WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
refcount_t: addition on 0; use-after-free.
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
Hardware name: Marvell Armada 380/385 (Device Tree)
[...]
[&lt;bf0ff354&gt;] (esp_output_head [esp4]) from [&lt;bf1006a4&gt;] (esp_output+0xb8/0x180 [esp4])
[&lt;bf1006a4&gt;] (esp_output [esp4]) from [&lt;c05dee64&gt;] (xfrm_output_resume+0x558/0x664)
[&lt;c05dee64&gt;] (xfrm_output_resume) from [&lt;c05d07b0&gt;] (xfrm4_output+0x44/0xc4)
[&lt;c05d07b0&gt;] (xfrm4_output) from [&lt;c05956bc&gt;] (tcp_v4_send_synack+0xa8/0xe8)
[&lt;c05956bc&gt;] (tcp_v4_send_synack) from [&lt;c0586ad8&gt;] (tcp_conn_request+0x7f4/0x948)
[&lt;c0586ad8&gt;] (tcp_conn_request) from [&lt;c058c404&gt;] (tcp_rcv_state_process+0x2a0/0xe64)
[&lt;c058c404&gt;] (tcp_rcv_state_process) from [&lt;c05958ac&gt;] (tcp_v4_do_rcv+0xf0/0x1f4)
[&lt;c05958ac&gt;] (tcp_v4_do_rcv) from [&lt;c0598a4c&gt;] (tcp_v4_rcv+0xdb8/0xe20)
[&lt;c0598a4c&gt;] (tcp_v4_rcv) from [&lt;c056eb74&gt;] (ip_protocol_deliver_rcu+0x2c/0x2dc)
[&lt;c056eb74&gt;] (ip_protocol_deliver_rcu) from [&lt;c056ee6c&gt;] (ip_local_deliver_finish+0x48/0x54)
[&lt;c056ee6c&gt;] (ip_local_deliver_finish) from [&lt;c056eecc&gt;] (ip_local_deliver+0x54/0xec)
[&lt;c056eecc&gt;] (ip_local_deliver) from [&lt;c056efac&gt;] (ip_rcv+0x48/0xb8)
[&lt;c056efac&gt;] (ip_rcv) from [&lt;c0519c2c&gt;] (__netif_receive_skb_one_core+0x50/0x6c)
[...]

The issue triggers only when not using TCP syncookies, as for syncookies
no socket is associated.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Martin Willi &lt;martin@strongswan.org&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: use skb_sec_path helper in more places</title>
<updated>2018-12-19T19:21:37+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2018-12-18T16:15:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2294be0f11e22b6197d025e5d3ab42888879ec4e'/>
<id>2294be0f11e22b6197d025e5d3ab42888879ec4e</id>
<content type='text'>
skb_sec_path gains 'const' qualifier to avoid
xt_policy.c: 'skb_sec_path' discards 'const' qualifier from pointer target type

same reasoning as previous conversions: Won't need to touch these
spots anymore when skb-&gt;sp is removed.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
skb_sec_path gains 'const' qualifier to avoid
xt_policy.c: 'skb_sec_path' discards 'const' qualifier from pointer target type

same reasoning as previous conversions: Won't need to touch these
spots anymore when skb-&gt;sp is removed.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next</title>
<updated>2018-10-02T05:31:17+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2018-10-02T05:31:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2240c12d7d3de741ffbcf22d7a96358a450051ac'/>
<id>2240c12d7d3de741ffbcf22d7a96358a450051ac</id>
<content type='text'>
Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2018-10-01

1) Make xfrmi_get_link_net() static to silence a sparse warning.
   From Wei Yongjun.

2) Remove a unused esph pointer definition in esp_input().
   From Haishuang Yan.

3) Allow the NIC driver to quietly refuse xfrm offload
   in case it does not support it, the SA is created
   without offload in this case.
   From Shannon Nelson.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Steffen Klassert says:

====================
pull request (net-next): ipsec-next 2018-10-01

1) Make xfrmi_get_link_net() static to silence a sparse warning.
   From Wei Yongjun.

2) Remove a unused esph pointer definition in esp_input().
   From Haishuang Yan.

3) Allow the NIC driver to quietly refuse xfrm offload
   in case it does not support it, the SA is created
   without offload in this case.
   From Shannon Nelson.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
</feed>
