From: Zhu Yanjun <yanjun.zhu@linux.dev>
To: Jianbo Liu <jianbol@nvidia.com>,
netdev@vger.kernel.org, davem@davemloft.net, kuba@kernel.org,
steffen.klassert@secunet.com, sd@queasysnail.net
Cc: Cosmin Ratiu <cratiu@nvidia.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Leon Romanovsky <leon@kernel.org>, Raed Salem <raeds@nvidia.com>
Subject: Re: [PATCH ipsec v3 1/2] xfrm: Check inner packet family directly from skb_dst
Date: Tue, 28 Oct 2025 07:27:36 -0700 [thread overview]
Message-ID: <e4e528ea-f641-4ab9-bdde-5bd6beb65b8c@linux.dev> (raw)
In-Reply-To: <20251028023013.9836-2-jianbol@nvidia.com>
在 2025/10/27 19:22, Jianbo Liu 写道:
> In the output path, xfrm_dev_offload_ok and xfrm_get_inner_ipproto
> need to determine the protocol family of the inner packet (skb) before
> it gets encapsulated.
>
> In xfrm_dev_offload_ok, the code checked x->inner_mode.family. This is
> unreliable because, for states handling both IPv4 and IPv6, the
> relevant inner family could be either x->inner_mode.family or
> x->inner_mode_iaf.family. Checking only the former can lead to a
> mismatch with the actual packet being processed.
>
> In xfrm_get_inner_ipproto, the code checked x->outer_mode.family. This
> is also incorrect for tunnel mode, as the inner packet's family can be
> different from the outer header's family.
>
> At both of these call sites, the skb variable holds the original inner
> packet. The most direct and reliable source of truth for its protocol
> family is its destination entry. This patch fixes the issue by using
> skb_dst(skb)->ops->family to ensure protocol-specific headers are only
> accessed for the correct packet type.
>
> Fixes: 91d8a53db219 ("xfrm: fix offloading of cross-family tunnels")
> Fixes: 45a98ef4922d ("net/xfrm: IPsec tunnel mode fix inner_ipproto setting in sec_path")
> Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
> Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Thanks a lot. I am fine with this.
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Zhu Yanjun
> ---
> V2:
> - Change subject prefix, and send to "ipsec".
> - Update commit msg.
> - Add Fixes tag.
>
> net/xfrm/xfrm_device.c | 2 +-
> net/xfrm/xfrm_output.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
> index 44b9de6e4e77..52ae0e034d29 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -438,7 +438,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
>
> check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
> x->props.mode == XFRM_MODE_TUNNEL;
> - switch (x->inner_mode.family) {
> + switch (skb_dst(skb)->ops->family) {
> case AF_INET:
> /* Check for IPv4 options */
> if (ip_hdr(skb)->ihl != 5)
> diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
> index 9077730ff7d0..a98b5bf55ac3 100644
> --- a/net/xfrm/xfrm_output.c
> +++ b/net/xfrm/xfrm_output.c
> @@ -698,7 +698,7 @@ static void xfrm_get_inner_ipproto(struct sk_buff *skb, struct xfrm_state *x)
> return;
>
> if (x->outer_mode.encap == XFRM_MODE_TUNNEL) {
> - switch (x->outer_mode.family) {
> + switch (skb_dst(skb)->ops->family) {
> case AF_INET:
> xo->inner_ipproto = ip_hdr(skb)->protocol;
> break;
--
Best Regards,
Yanjun.Zhu
next prev parent reply other threads:[~2025-10-28 14:27 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-28 2:22 [PATCH ipsec v3 0/2] xfrm: Correct inner packet family determination Jianbo Liu
2025-10-28 2:22 ` [PATCH ipsec v3 1/2] xfrm: Check inner packet family directly from skb_dst Jianbo Liu
2025-10-28 14:27 ` Zhu Yanjun [this message]
2025-10-28 2:22 ` [PATCH ipsec v3 2/2] xfrm: Determine inner GSO type from packet inner protocol Jianbo Liu
2025-10-28 11:03 ` Sabrina Dubroca
2025-10-28 13:36 ` Jianbo Liu
2025-10-28 15:04 ` Sabrina Dubroca
2025-10-30 8:08 ` Steffen Klassert
2025-10-30 8:35 ` Jianbo Liu
2025-10-30 10:28 ` Sabrina Dubroca
2025-11-01 12:29 ` [PATCH ipsec v3 0/2] xfrm: Correct inner packet family determination Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e4e528ea-f641-4ab9-bdde-5bd6beb65b8c@linux.dev \
--to=yanjun.zhu@linux.dev \
--cc=cratiu@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=horms@kernel.org \
--cc=jianbol@nvidia.com \
--cc=kuba@kernel.org \
--cc=leon@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=raeds@nvidia.com \
--cc=sd@queasysnail.net \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.