pull request (net): ipsec 2017-04-28

pull request (net): ipsec 2017-04-28

[Steffen Klassert]

1) Do garbage collecting after a policy flush to remove old
   bundles immediately. From Xin Long.

2) Fix GRO if netfilter is not defined.
   From Sabrina Dubroca.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit fd2c83b35752f0a8236b976978ad4658df14a59f:

  net/packet: check length in getsockopt() called with PACKET_HDRLEN (2017-04-25 14:05:52 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master

for you to fetch changes up to cfcf99f987ba321a3d122580716beb9b08d52eb8:

  xfrm: fix GRO for !CONFIG_NETFILTER (2017-04-27 12:20:19 +0200)

----------------------------------------------------------------
Sabrina Dubroca (1):
      xfrm: fix GRO for !CONFIG_NETFILTER

Xin Long (1):
      xfrm: do the garbage collection after flushing policy

 net/xfrm/xfrm_input.c  | 2 +-
 net/xfrm/xfrm_policy.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

[PATCH 1/2] xfrm: do the garbage collection after flushing policy

[Steffen Klassert]

From: Xin Long <lucien.xin@gmail.com>

Now xfrm garbage collection can be triggered by 'ip xfrm policy del'.
These is no reason not to do it after flushing policies, especially
considering that 'garbage collection deferred' is only triggered
when it reaches gc_thresh.

It's no good that the policy is gone but the xdst still hold there.
The worse thing is that xdst->route/orig_dst is also hold and can
not be released even if the orig_dst is already expired.

This patch is to do the garbage collection if there is any policy
removed in xfrm_policy_flush.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_policy.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 236cbbc..dfc77b9 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1006,6 +1006,10 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
 		err = -ESRCH;
 out:
 	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
+
+	if (cnt)
+		xfrm_garbage_collect(net);
+
 	return err;
 }
 EXPORT_SYMBOL(xfrm_policy_flush);
-- 
2.7.4

[PATCH 2/2] xfrm: fix GRO for !CONFIG_NETFILTER

[Steffen Klassert]

From: Sabrina Dubroca <sd@queasysnail.net>

In xfrm_input() when called from GRO, async == 0, and we end up
skipping the processing in xfrm4_transport_finish(). GRO path will
always skip the NF_HOOK, so we don't need the special-case for
!NETFILTER during GRO processing.

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 46bdb4f..e23570b 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -395,7 +395,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 		if (xo)
 			xfrm_gro = xo->flags & XFRM_GRO;
 
-		err = x->inner_mode->afinfo->transport_finish(skb, async);
+		err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
 		if (xfrm_gro) {
 			skb_dst_drop(skb);
 			gro_cells_receive(&gro_cells, skb);
-- 
2.7.4

Re: pull request (net): ipsec 2017-04-28

[David Miller]

From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Fri, 28 Apr 2017 11:14:31 +0200

> 1) Do garbage collecting after a policy flush to remove old
>    bundles immediately. From Xin Long.
> 
> 2) Fix GRO if netfilter is not defined.
>    From Sabrina Dubroca.
> 
> Please pull or let me know if there are problems.

Pulled, thanks!