From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Steffen Klassert, Sowmini Varadhan, Sasha Levin
Subject: [PATCH 4.14 003/143] xfrm: reset transport header back to network header after all input transforms have been applied
Date: Fri, 2 Nov 2018 19:33:08 +0100
Message-Id: <20181102182857.333835509@linuxfoundation.org>
In-Reply-To: <20181102182857.064326086@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit bfc0698bebcb16d19ecfc89574ad4d696955e5d3 ]

A policy may have been set up with multiple transforms (e.g., ESP and ipcomp). In this situation, the ingress IPsec processing iterates in xfrm_input() and applies each transform in turn, processing the nexthdr to find any additional xfrm that may apply.

This patch resets the transport header back to network header only after the last transformation so that subsequent xfrms can find the correct transport header.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Suggested-by: Steffen Klassert
Signed-off-by: Sowmini Varadhan
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
--- net/ipv4/xfrm4_input.c | 1 + net/ipv4/xfrm4_mode_transport.c | 4 +--- net/ipv6/xfrm6_input.c | 1 + net/ipv6/xfrm6_mode_transport.c | 4 +--- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c index bcfc00e88756..f8de2482a529 100644 --- a/net/ipv4/xfrm4_input.c +++ b/net/ipv4/xfrm4_input.c
@@ -67,6 +67,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async) if (xo && (xo->flags & XFRM_GRO)) { skb_mac_header_rebuild(skb); + skb_reset_transport_header(skb); return 0; } diff --git a/net/ipv4/xfrm4_mode_transport.c b/net/ipv4/xfrm4_mode_transport.c index 3d36644890bb..1ad2c2c4e250 100644 --- a/net/ipv4/xfrm4_mode_transport.c +++ b/net/ipv4/xfrm4_mode_transport.c @@ -46,7 +46,6 @@ static int xfrm4_transport_output(struct xfrm_state *x, struct sk_buff *skb) static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) { int ihl = skb->data - skb_transport_header(skb); - struct xfrm_offload *xo = xfrm_offload(skb); if (skb->transport_header != skb->network_header) { memmove(skb_transport_header(skb), @@ -54,8 +53,7 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb) skb->network_header = skb->transport_header; } ip_hdr(skb)->tot_len = htons(skb->len + ihl); - if (!xo || !(xo->flags & XFRM_GRO)) - skb_reset_transport_header(skb); + skb_reset_transport_header(skb); return 0; } diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c index 841f4a07438e..9ef490dddcea 100644 --- a/net/ipv6/xfrm6_input.c +++ b/net/ipv6/xfrm6_input.c @@ -59,6 +59,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async) if (xo && (xo->flags & XFRM_GRO)) { skb_mac_header_rebuild(skb); + skb_reset_transport_header(skb); return -1; } diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c index 9ad07a91708e..3c29da5defe6 100644 --- a/net/ipv6/xfrm6_mode_transport.c +++ b/net/ipv6/xfrm6_mode_transport.c @@ -51,7 +51,6 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb) static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) { int ihl = skb->data - skb_transport_header(skb); - struct xfrm_offload *xo = xfrm_offload(skb); if (skb->transport_header != skb->network_header) { memmove(skb_transport_header(skb), 
@@ -60,8 +59,7 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) } ipv6_hdr(skb)->payload_len = htons(skb->len + ihl - sizeof(struct ipv6hdr)); - if (!xo || !(xo->flags & XFRM_GRO)) - skb_reset_transport_header(skb); + skb_reset_transport_header(skb); return 0; } -- 2.17.1
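Review bot: The skb_reset_transport_header(skb) added inside the "if (xo && (xo->flags & XFRM_GRO))" branch of xfrm4_transport_finish() (net/ipv4/xfrm4_input.c) has no comment, and the visible lines do not say what the GRO path expects the transport header to point at when this branch returns. Since xfrm4_transport_input() now also resets the header on every call, a later cleanup could take this one for a redundant duplicate and drop it. A one-line comment above the call stating the invariant the GRO return path relies on would prevent that; the matching line in xfrm6_transport_finish() wants the same comment.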
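Review bot: The changelog does not match what the xfrm4_mode_transport.c and xfrm6_mode_transport.c hunks do at the end of xfrm4_transport_input() and xfrm6_transport_input(): it says the header is reset "only after the last transformation", but these hunks delete the "if (!xo || !(xo->flags & XFRM_GRO))" guard, so the reset now runs for every transform, GRO or not. With XFRM_GRO set the header is therefore reset in two places, here and in the transport_finish GRO branch, and the changelog does not say which call is the per-transform one that lets the next xfrm find its header and which one restores the state GRO wants. Please spell that out in the changelog so the two calls are not read as interchangeable.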
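Review bot: The net/ipv6 hunks (xfrm6_input.c and xfrm6_mode_transport.c) repeat the IPv4 edits line for line, but the two GRO branches are not exact mirrors: the unchanged context shows xfrm6_transport_finish() returning -1 where xfrm4_transport_finish() returns 0, so a result on IPv4 does not stand in for IPv6. The changelog names the failing setup (a policy with multiple transforms, e.g. ESP and ipcomp) but not how the fix was tested; it would help to state whether that setup was exercised in transport mode on both address families, with XFRM_GRO both set and clear, since all four edits have to stay in step for the change to hold.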