[PATCH v4 net 0/3] sctp: Use software checksum under certain

[PATCH v4 net 0/3] sctp: Use software checksum under certain

[Vlad Yasevich]

There are some cards that support SCTP checksum offloading.  When using
these cards with IPSec or forcing IP fragmentation of SCTP traffic,
the checksum is computed incorrectly due to the fact that xfrm and IP/IPv6
fragmentation code do not know that this is SCTP traffic and do not
know that checksum has to be computed differently.

To fix this, we let SCTP detect these conditions and perform software
checksum calculation.

Fan Du (1):
  sctp: Use software crc32 checksum when xfrm transform will happen.

Vlad Yasevich (2):
  net: dst: provide accessor function to dst->xfrm
  sctp: Perform software checksum if packet has to be fragmented.

 include/net/dst.h | 12 ++++++++++++
 net/sctp/output.c |  3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

-- 
1.8.3.1

[PATCH v4 net 1/3] net: dst: provide accessor function to dst->xfrm

[Vlad Yasevich]

dst->xfrm is conditionally defined.  Provide accessor funtion that
is always available.

Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
---
 include/net/dst.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/net/dst.h b/include/net/dst.h
index 3bc4865..3c4c944 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -479,10 +479,22 @@ static inline struct dst_entry *xfrm_lookup(struct net *net,
 {
 	return dst_orig;
 } 
+
+static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
+{
+	return NULL;
+}
+
 #else
 extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
 				     const struct flowi *fl, struct sock *sk,
 				     int flags);
+
+/* skb attached with this dst needs transformation if dst->xfrm is valid */
+static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
+{
+	return dst->xfrm;
+}
 #endif
 
 #endif /* _NET_DST_H */
-- 
1.8.3.1

[PATCH v4 net 2/3] sctp: Use software crc32 checksum when xfrm transform will happen.

[Vlad Yasevich]

From: Fan Du <fan.du@windriver.com>

igb/ixgbe have hardware sctp checksum support, when this feature is enabled
and also IPsec is armed to protect sctp traffic, ugly things happened as
xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing
up and pack the 16bits result in the checksum field). The result is fail
establishment of sctp communication.

Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Fan Du <fan.du@windriver.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
---
 net/sctp/output.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sctp/output.c b/net/sctp/output.c
index 0ac3a65..d35b54c 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -536,7 +536,8 @@ int sctp_packet_transmit(struct sctp_packet *packet)
 	 * by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
 	 */
 	if (!sctp_checksum_disable) {
-		if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) {
+		if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
+		    (dst_xfrm(dst) != NULL)) {
 			__u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
 
 			/* 3) Put the resultant value into the checksum field in the
-- 
1.8.3.1

[PATCH v4 net 3/3] sctp: Perform software checksum if packet has to be fragmented.

[Vlad Yasevich]

IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum.
This causes problems if SCTP packets has to be fragmented and
ipsummed has been set to PARTIAL due to checksum offload support.
This condition can happen when retransmitting after MTU discover,
or when INIT or other control chunks are larger then MTU.
Check for the rare fragmentation condition in SCTP and use software
checksum calculation in this case.

CC: Fan Du <fan.du@windriver.com>
Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
---
 net/sctp/output.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/output.c b/net/sctp/output.c
index d35b54c..3191373 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -537,7 +537,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
 	 */
 	if (!sctp_checksum_disable) {
 		if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
-		    (dst_xfrm(dst) != NULL)) {
+		    (dst_xfrm(dst) != NULL) || packet->ipfragok) {
 			__u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
 
 			/* 3) Put the resultant value into the checksum field in the
-- 
1.8.3.1

Re: [PATCH v4 net 0/3] sctp: Use software checksum under certain

[Daniel Borkmann]

On 10/16/2013 04:01 AM, Vlad Yasevich wrote:
> There are some cards that support SCTP checksum offloading.  When using
> these cards with IPSec or forcing IP fragmentation of SCTP traffic,
> the checksum is computed incorrectly due to the fact that xfrm and IP/IPv6
> fragmentation code do not know that this is SCTP traffic and do not
> know that checksum has to be computed differently.
>
> To fix this, we let SCTP detect these conditions and perform software
> checksum calculation.
>
> Fan Du (1):
>    sctp: Use software crc32 checksum when xfrm transform will happen.
>
> Vlad Yasevich (2):
>    net: dst: provide accessor function to dst->xfrm
>    sctp: Perform software checksum if packet has to be fragmented.
>
>   include/net/dst.h | 12 ++++++++++++
>   net/sctp/output.c |  3 ++-
>   2 files changed, 14 insertions(+), 1 deletion(-)
>

Acked-by: Daniel Borkmann <dborkman@redhat.com>

Re: [PATCH v4 net 1/3] net: dst: provide accessor function to dst->xfrm

[Neil Horman]

On Tue, Oct 15, 2013 at 10:01:29PM -0400, Vlad Yasevich wrote:
> dst->xfrm is conditionally defined.  Provide accessor funtion that
> is always available.
> 
> Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
> ---
>  include/net/dst.h | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/include/net/dst.h b/include/net/dst.h
> index 3bc4865..3c4c944 100644
> --- a/include/net/dst.h
> +++ b/include/net/dst.h
> @@ -479,10 +479,22 @@ static inline struct dst_entry *xfrm_lookup(struct net *net,
>  {
>  	return dst_orig;
>  } 
> +
> +static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
> +{
> +	return NULL;
> +}
> +
>  #else
>  extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
>  				     const struct flowi *fl, struct sock *sk,
>  				     int flags);
> +
> +/* skb attached with this dst needs transformation if dst->xfrm is valid */
> +static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst)
> +{
> +	return dst->xfrm;
> +}
>  #endif
>  
>  #endif /* _NET_DST_H */
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>

Re: [PATCH v4 net 2/3] sctp: Use software crc32 checksum when xfrm transform will happen.

[Neil Horman]

On Tue, Oct 15, 2013 at 10:01:30PM -0400, Vlad Yasevich wrote:
> From: Fan Du <fan.du@windriver.com>
> 
> igb/ixgbe have hardware sctp checksum support, when this feature is enabled
> and also IPsec is armed to protect sctp traffic, ugly things happened as
> xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing
> up and pack the 16bits result in the checksum field). The result is fail
> establishment of sctp communication.
> 
> Cc: Neil Horman <nhorman@tuxdriver.com>
> Cc: Steffen Klassert <steffen.klassert@secunet.com>
> Signed-off-by: Fan Du <fan.du@windriver.com>
> Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
> ---
>  net/sctp/output.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sctp/output.c b/net/sctp/output.c
> index 0ac3a65..d35b54c 100644
> --- a/net/sctp/output.c
> +++ b/net/sctp/output.c
> @@ -536,7 +536,8 @@ int sctp_packet_transmit(struct sctp_packet *packet)
>  	 * by CRC32-C as described in <draft-ietf-tsvwg-sctpcsum-02.txt>.
>  	 */
>  	if (!sctp_checksum_disable) {
> -		if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) {
> +		if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
> +		    (dst_xfrm(dst) != NULL)) {
>  			__u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
>  
>  			/* 3) Put the resultant value into the checksum field in the
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>

Re: [PATCH v4 net 3/3] sctp: Perform software checksum if packet has to be fragmented.

[Neil Horman]

On Tue, Oct 15, 2013 at 10:01:31PM -0400, Vlad Yasevich wrote:
> IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum.
> This causes problems if SCTP packets has to be fragmented and
> ipsummed has been set to PARTIAL due to checksum offload support.
> This condition can happen when retransmitting after MTU discover,
> or when INIT or other control chunks are larger then MTU.
> Check for the rare fragmentation condition in SCTP and use software
> checksum calculation in this case.
> 
> CC: Fan Du <fan.du@windriver.com>
> Signed-off-by: Vlad Yasevich <vyasevich@gmail.com>
> ---
>  net/sctp/output.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/sctp/output.c b/net/sctp/output.c
> index d35b54c..3191373 100644
> --- a/net/sctp/output.c
> +++ b/net/sctp/output.c
> @@ -537,7 +537,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
>  	 */
>  	if (!sctp_checksum_disable) {
>  		if (!(dst->dev->features & NETIF_F_SCTP_CSUM) ||
> -		    (dst_xfrm(dst) != NULL)) {
> +		    (dst_xfrm(dst) != NULL) || packet->ipfragok) {
>  			__u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len);
>  
>  			/* 3) Put the resultant value into the checksum field in the
> -- 
> 1.8.3.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>

Re: [PATCH v4 net 0/3] sctp: Use software checksum under certain

[David Miller]

From: Vlad Yasevich <vyasevich@gmail.com>
Date: Tue, 15 Oct 2013 22:01:28 -0400

> There are some cards that support SCTP checksum offloading.  When using
> these cards with IPSec or forcing IP fragmentation of SCTP traffic,
> the checksum is computed incorrectly due to the fact that xfrm and IP/IPv6
> fragmentation code do not know that this is SCTP traffic and do not
> know that checksum has to be computed differently.
> 
> To fix this, we let SCTP detect these conditions and perform software
> checksum calculation.

Series applied, thanks Vlad.

Re: [PATCH v4 net 0/3] sctp: Use software checksum under certain

[Vlad Yasevich]

On 10/17/2013 03:26 PM, David Miller wrote:
> From: Vlad Yasevich <vyasevich@gmail.com>
> Date: Tue, 15 Oct 2013 22:01:28 -0400
>
>> There are some cards that support SCTP checksum offloading.  When using
>> these cards with IPSec or forcing IP fragmentation of SCTP traffic,
>> the checksum is computed incorrectly due to the fact that xfrm and IP/IPv6
>> fragmentation code do not know that this is SCTP traffic and do not
>> know that checksum has to be computed differently.
>>
>> To fix this, we let SCTP detect these conditions and perform software
>> checksum calculation.
>
> Series applied, thanks Vlad.
>

Hi David

Could you please queue this to stable as well.

Thanks
-vlad

Re: [PATCH v4 net 0/3] sctp: Use software checksum under certain

[David Miller]

From: Vlad Yasevich <vyasevich@gmail.com>
Date: Thu, 17 Oct 2013 16:21:31 -0400

> Could you please queue this to stable as well.

Done.