From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Martin Willi <martin@strongswan.org>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 06/25] xfrm: Honor original L3 slave device in xfrmi policy lookup
Date: Thu, 16 May 2019 07:40:09 -0400 [thread overview]
Message-ID: <20190516114029.8682-6-sashal@kernel.org> (raw)
In-Reply-To: <20190516114029.8682-1-sashal@kernel.org>
From: Martin Willi <martin@strongswan.org>
[ Upstream commit 025c65e119bf58b610549ca359c9ecc5dee6a8d2 ]
If an xfrmi is associated to a vrf layer 3 master device,
xfrm_policy_check() fails after traffic decapsulation. The input
interface is replaced by the layer 3 master device, and hence
xfrmi_decode_session() can't match the xfrmi anymore to satisfy
policy checking.
Extend ingress xfrmi lookup to honor the original layer 3 slave
device, allowing xfrm interfaces to operate within a vrf domain.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xfrm.h | 3 ++-
net/xfrm/xfrm_interface.c | 17 ++++++++++++++---
net/xfrm/xfrm_policy.c | 2 +-
3 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 3e966c632f3b2..4ddd2b13ac8d6 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -295,7 +295,8 @@ struct xfrm_replay {
};
struct xfrm_if_cb {
- struct xfrm_if *(*decode_session)(struct sk_buff *skb);
+ struct xfrm_if *(*decode_session)(struct sk_buff *skb,
+ unsigned short family);
};
void xfrm_if_register_cb(const struct xfrm_if_cb *ifcb);
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 82723ef44db3e..555ee2aca6c01 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -70,17 +70,28 @@ static struct xfrm_if *xfrmi_lookup(struct net *net, struct xfrm_state *x)
return NULL;
}
-static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb)
+static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb,
+ unsigned short family)
{
struct xfrmi_net *xfrmn;
- int ifindex;
struct xfrm_if *xi;
+ int ifindex = 0;
if (!secpath_exists(skb) || !skb->dev)
return NULL;
+ switch (family) {
+ case AF_INET6:
+ ifindex = inet6_sdif(skb);
+ break;
+ case AF_INET:
+ ifindex = inet_sdif(skb);
+ break;
+ }
+ if (!ifindex)
+ ifindex = skb->dev->ifindex;
+
xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
- ifindex = skb->dev->ifindex;
for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
if (ifindex == xi->dev->ifindex &&
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index bf5d59270f79d..ce1b262ce9646 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2339,7 +2339,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
ifcb = xfrm_if_get_cb();
if (ifcb) {
- xi = ifcb->decode_session(skb);
+ xi = ifcb->decode_session(skb, family);
if (xi) {
if_id = xi->p.if_id;
net = xi->net;
--
2.20.1
next prev parent reply other threads:[~2019-05-16 11:46 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 11:40 [PATCH AUTOSEL 4.19 01/25] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 02/25] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 03/25] vti4: ipip tunnel deregistration fixes Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 04/25] xfrm: clean up xfrm protocol checks Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 05/25] esp4: add length check for UDP encapsulation Sasha Levin
2019-05-16 11:40 ` Sasha Levin [this message]
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 07/25] xfrm4: Fix uninitialized memory read in _decode_session4 Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 08/25] clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 09/25] power: supply: cpcap-battery: Fix division by zero Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 10/25] securityfs: fix use-after-free on symlink traversal Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 11/25] apparmorfs: " Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 12/25] PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 13/25] x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012 Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 14/25] mac80211: Fix kernel panic due to use of txq after free Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 15/25] net: ieee802154: fix missing checks for regmap_update_bits Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 16/25] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Sasha Levin
2019-05-16 11:40 ` Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 17/25] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 18/25] bpf: Fix preempt_enable_no_resched() abuse Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 19/25] qmi_wwan: new Wistron, ZTE and D-Link devices Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 20/25] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 21/25] sched/cpufreq: Fix kobject memleak Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 22/25] x86/mm/mem_encrypt: Disable all instrumentation for early SME setup Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 23/25] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 24/25] perf bench numa: Add define for RUSAGE_THREAD if not present Sasha Levin
2019-05-16 11:40 ` Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 25/25] perf/x86/intel: Fix race in intel_pmu_disable_event() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190516114029.8682-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin@strongswan.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.