<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/ipv4/esp4.c, branch v5.11</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>esp: avoid unneeded kmap_atomic call</title>
<updated>2021-01-12T02:20:09+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2021-01-09T22:18:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=9bd6b629c39e3fa9e14243a6d8820492be1a5b2e'/>
<id>9bd6b629c39e3fa9e14243a6d8820492be1a5b2e</id>
<content type='text'>
esp(6)_output_head uses skb_page_frag_refill to allocate a buffer for
the esp trailer.

It accesses the page with kmap_atomic to handle highmem. But
skb_page_frag_refill can return compound pages, of which
kmap_atomic only maps the first underlying page.

skb_page_frag_refill does not return highmem, because flag
__GFP_HIGHMEM is not set. ESP uses it in the same manner as TCP.
That also does not call kmap_atomic, but directly uses page_address,
in skb_copy_to_page_nocache. Do the same for ESP.

This issue has become easier to trigger with recent kmap local
debugging feature CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>ESP: Export esp_output_fill_trailer function</title>
<updated>2020-02-19T12:52:32+00:00</updated>
<author>
<name>Raed Salem</name>
<email>raeds@mellanox.com</email>
</author>
<published>2020-02-19T12:49:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=dda520c4d4623701dd70cf7b40d29a4eed232d0f'/>
<id>dda520c4d4623701dd70cf7b40d29a4eed232d0f</id>
<content type='text'>
The esp fill trailer method is identical for both
IPv6 and IPv4.

Share the implementation for esp6 and esp to avoid
code duplication. In addition, it could also be used
in various drivers' code.

Signed-off-by: Raed Salem &lt;raeds@mellanox.com&gt;
Reviewed-by: Boris Pismenny &lt;borisp@mellanox.com&gt;
Reviewed-by: Saeed Mahameed &lt;saeedm@mellanox.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>xfrm: add espintcp (RFC 8229)</title>
<updated>2019-12-09T08:59:07+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-11-25T13:49:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=e27cca96cd68fa2c6814c90f9a1cfd36bb68c593'/>
<id>e27cca96cd68fa2c6814c90f9a1cfd36bb68c593</id>
<content type='text'>
TCP encapsulation of IKE and IPsec messages (RFC 8229) is implemented
as a TCP ULP, overriding in particular the sendmsg and recvmsg
operations. A Stream Parser is used to extract messages out of the TCP
stream using the first 2 bytes as length marker. Received IKE messages
are put on "ike_queue", waiting to be dequeued by the custom recvmsg
implementation. Received ESP messages are sent to XFRM, like with UDP
encapsulation.

Some of this code is taken from the original submission by Herbert
Xu. Currently, only IPv4 is supported, like for UDP encapsulation.

Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>esp4: split esp_output_udp_encap and introduce esp_output_encap</title>
<updated>2019-12-09T08:59:07+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-11-25T13:49:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=eecd227a9a3479038ba2a2f579b3ce9edb364b80'/>
<id>eecd227a9a3479038ba2a2f579b3ce9edb364b80</id>
<content type='text'>
Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>esp4: prepare esp_input_done2 for non-UDP encapsulation</title>
<updated>2019-12-09T08:59:07+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-11-25T13:49:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=25f6802b4c18817c82cd581d38ce155ad6412176'/>
<id>25f6802b4c18817c82cd581d38ce155ad6412176</id>
<content type='text'>
For espintcp encapsulation, we will need to get the source port from the
TCP header instead of UDP. Introduce a variable to hold the port.

Co-developed-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Acked-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>xfrm: remove get_mtu indirection from xfrm_type</title>
<updated>2019-07-01T04:16:40+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-06-24T20:04:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c7b37c769d2a5e711106a3c793140a4f46768e04'/>
<id>c7b37c769d2a5e711106a3c793140a4f46768e04</id>
<content type='text'>
esp4_get_mtu and esp6_get_mtu are exactly the same, the only difference
is a single sizeof() (ipv4 vs. ipv6 header).

Merge both into xfrm_state_mtu() and remove the indirection.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>xfrm: remove type and offload_type map from xfrm_state_afinfo</title>
<updated>2019-06-06T06:34:50+00:00</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2019-05-03T15:46:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=4f518e802ccad30c9dccc895f2294398757b87c0'/>
<id>4f518e802ccad30c9dccc895f2294398757b87c0</id>
<content type='text'>
Only a handful of xfrm_types exist, no need to have 512 pointers for them.

Reduces size of afinfo struct from 4k to 120 bytes on 64bit platforms.

Also, the unregister function doesn't need to return an error, no single
caller does anything useful with it.

Just place a WARN_ON() where needed instead.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>treewide: Add SPDX license identifier for more missed files</title>
<updated>2019-05-21T08:50:45+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-19T12:08:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=09c434b8a0047c69e48499de0107de312901e798'/>
<id>09c434b8a0047c69e48499de0107de312901e798</id>
<content type='text'>
Add SPDX license identifiers to all files which:

 - Have no license information of any form

 - Have MODULE_LICENCE("GPL*") inside which was used in the initial
   scan/conversion to ignore the file

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

  GPL-2.0-only

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>esp4: add length check for UDP encapsulation</title>
<updated>2019-03-26T07:39:30+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2019-03-25T13:30:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e'/>
<id>8dfb4eba4100e7cdd161a8baef2d8d61b7a7e62e</id>
<content type='text'>
esp_output_udp_encap can produce a length that doesn't fit in the 16
bits of a UDP header's length field. In that case, we'll send a
fragmented packet whose length is larger than IP_MAX_MTU (resulting in
"Oversized IP packet" warnings on receive) and with a bogus UDP
length.

To prevent this, add a length check to esp_output_udp_encap and return
 -EMSGSIZE on failure.

This seems to be older than git history.

Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
<entry>
<title>esp: Skip TX bytes accounting when sending from a request socket</title>
<updated>2019-01-28T10:20:58+00:00</updated>
<author>
<name>Martin Willi</name>
<email>martin@strongswan.org</email>
</author>
<published>2019-01-28T08:35:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=09db51241118aeb06e1c8cd393b45879ce099b36'/>
<id>09db51241118aeb06e1c8cd393b45879ce099b36</id>
<content type='text'>
On ESP output, sk_wmem_alloc is incremented for the added padding if a
socket is associated to the skb. When replying with TCP SYNACKs over
IPsec, the associated sk is a casted request socket, only. Increasing
sk_wmem_alloc on a request socket results in a write at an arbitrary
struct offset. In the best case, this produces the following WARNING:

WARNING: CPU: 1 PID: 0 at lib/refcount.c:102 esp_output_head+0x2e4/0x308 [esp4]
refcount_t: addition on 0; use-after-free.
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.0.0-rc3 #2
Hardware name: Marvell Armada 380/385 (Device Tree)
[...]
[&lt;bf0ff354&gt;] (esp_output_head [esp4]) from [&lt;bf1006a4&gt;] (esp_output+0xb8/0x180 [esp4])
[&lt;bf1006a4&gt;] (esp_output [esp4]) from [&lt;c05dee64&gt;] (xfrm_output_resume+0x558/0x664)
[&lt;c05dee64&gt;] (xfrm_output_resume) from [&lt;c05d07b0&gt;] (xfrm4_output+0x44/0xc4)
[&lt;c05d07b0&gt;] (xfrm4_output) from [&lt;c05956bc&gt;] (tcp_v4_send_synack+0xa8/0xe8)
[&lt;c05956bc&gt;] (tcp_v4_send_synack) from [&lt;c0586ad8&gt;] (tcp_conn_request+0x7f4/0x948)
[&lt;c0586ad8&gt;] (tcp_conn_request) from [&lt;c058c404&gt;] (tcp_rcv_state_process+0x2a0/0xe64)
[&lt;c058c404&gt;] (tcp_rcv_state_process) from [&lt;c05958ac&gt;] (tcp_v4_do_rcv+0xf0/0x1f4)
[&lt;c05958ac&gt;] (tcp_v4_do_rcv) from [&lt;c0598a4c&gt;] (tcp_v4_rcv+0xdb8/0xe20)
[&lt;c0598a4c&gt;] (tcp_v4_rcv) from [&lt;c056eb74&gt;] (ip_protocol_deliver_rcu+0x2c/0x2dc)
[&lt;c056eb74&gt;] (ip_protocol_deliver_rcu) from [&lt;c056ee6c&gt;] (ip_local_deliver_finish+0x48/0x54)
[&lt;c056ee6c&gt;] (ip_local_deliver_finish) from [&lt;c056eecc&gt;] (ip_local_deliver+0x54/0xec)
[&lt;c056eecc&gt;] (ip_local_deliver) from [&lt;c056efac&gt;] (ip_rcv+0x48/0xb8)
[&lt;c056efac&gt;] (ip_rcv) from [&lt;c0519c2c&gt;] (__netif_receive_skb_one_core+0x50/0x6c)
[...]

The issue triggers only when not using TCP syncookies, as for syncookies
no socket is associated.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Martin Willi &lt;martin@strongswan.org&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
</content>
</entry>
</feed>
