* [PATCH 0/4] pull request (net): ipsec 2025-08-11
From: Steffen Klassert @ 2025-08-11 9:19 UTC
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
1) Fix flushing of all states in xfrm_state_fini.
From Sabrina Dubroca.
2) Fix some IPsec software offload features. These
got lost with some recent HW offload changes.
From Sabrina Dubroca.
Please pull or let me know if there are problems.
Thanks!
The following changes since commit d942fe13f72bec92f6c689fbd74c5ec38228c16a:
net: ti: icssg-prueth: Fix skb handling for XDP_PASS (2025-08-05 18:03:33 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git tags/ipsec-2025-08-11
for you to fetch changes up to d8369183a01a9f06f08c5d52e2667035e66b9957:
Merge branch 'xfrm: some fixes for GSO with SW crypto' (2025-08-08 10:44:23 +0200)
----------------------------------------------------------------
ipsec-2025-08-11
----------------------------------------------------------------
Sabrina Dubroca (4):
xfrm: flush all states in xfrm_state_fini
xfrm: restore GSO for SW crypto
xfrm: bring back device check in validate_xmit_xfrm
udp: also consider secpath when evaluating ipsec use for checksumming
Steffen Klassert (1):
Merge branch 'xfrm: some fixes for GSO with SW crypto'
net/ipv4/udp_offload.c | 2 +-
net/ipv6/xfrm6_tunnel.c | 2 +-
net/xfrm/xfrm_device.c | 12 +++++++++---
net/xfrm/xfrm_state.c | 2 +-
4 files changed, 12 insertions(+), 6 deletions(-)
* [PATCH 1/4] xfrm: flush all states in xfrm_state_fini
From: Steffen Klassert @ 2025-08-11 9:19 UTC
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Sabrina Dubroca <sd@queasysnail.net>
While reverting commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path"), I incorrectly changed
xfrm_state_flush's "proto" argument back to IPSEC_PROTO_ANY. This
reverts some of the changes in commit dbb2483b2a46 ("xfrm: clean up
xfrm protocol checks"), and leads to some states not being removed
when we exit the netns.
Pass 0 instead of IPSEC_PROTO_ANY from both xfrm_state_fini and
xfrm6_tunnel_net_exit, so that xfrm_state_flush deletes all states.
Fixes: 2a198bbec691 ("Revert "xfrm: destroy xfrm_state synchronously on net exit path"")
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
Tested-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv6/xfrm6_tunnel.c | 2 +-
net/xfrm/xfrm_state.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 5120a763da0d..0a0eeaed0591 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
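Review bot: the literal 0 on the `+` line encodes "match every protocol", the convention the description attributes to dbb2483b2a46, but nothing at this call site says so, and the slip this patch fixes happened precisely because IPSEC_PROTO_ANY reads like the natural value. A one-line comment above the call, e.g. `/* proto 0: flush states of every protocol; IPSEC_PROTO_ANY would skip some */`, would keep the next revert from reintroducing the bug.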
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 77db3b5fe4ac..78fcbb89cf32 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3297,7 +3297,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
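Review bot: the `WARN_ON(!list_empty(&net->xfrm.state_all))` two lines below the change is the check that caught the leftover states, so it is worth keeping as the stated post-condition of the flush; since the flush and the following `flush_work(&xfrm_state_gc_work)` are what make it hold, a comment tying the three lines together would document why the order matters. Both call sites in this series now repeat the bare 0; a small wrapper such as xfrm_state_flush_all(net) (a suggestion, not an existing helper) would put the intent in one place.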
--
2.43.0
* [PATCH 2/4] xfrm: restore GSO for SW crypto
From: Steffen Klassert @ 2025-08-11 9:19 UTC
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Sabrina Dubroca <sd@queasysnail.net>
Commit 49431af6c4ef incorrectly assumes that the GSO path is only used
by HW offload, but it's also useful for SW crypto.
This patch re-enables GSO for SW crypto. It's not an exact revert to
preserve the other changes made to xfrm_dev_offload_ok afterwards, but
it reverts all of its effects.
Fixes: 49431af6c4ef ("xfrm: rely on XFRM offload")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_device.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index d2819baea414..1f88472aaac0 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -415,10 +415,12 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
struct net_device *dev = x->xso.dev;
bool check_tunnel_size;
- if (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
+ if (!x->type_offload ||
+ (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap))
return false;
- if ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm) {
+ if ((!dev || dev == xfrm_dst_path(dst)->dev) &&
+ !xdst->child->xfrm) {
mtu = xfrm_state_mtu(x, xdst->child_mtu_cached);
if (skb->len <= mtu)
goto ok;
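Review bot: the rewritten condition on the first `+` lines returns false for `XFRM_DEV_OFFLOAD_UNSPECIFIED` only when `x->encap` is also set, which is the rule that re-admits plain SW crypto to the GSO path, but the reason UDP-encapsulated SW-crypto states stay excluded is not stated anywhere in the function. The second change relies on `dev` being NULL for the SW-crypto case (`!dev || dev == xfrm_dst_path(dst)->dev`); a comment such as `/* dev == NULL: SW crypto, no HW offload device to match against */` would make both branches self-explanatory and document the NULL-`dev` contract that the code after the `ok:` label also depends on.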
@@ -430,6 +432,9 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
return false;
ok:
+ if (!dev)
+ return true;
+
check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
x->props.mode == XFRM_MODE_TUNNEL;
switch (x->props.family) {
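Review bot: the early `return true` for `!dev` after the `ok:` label skips the tunnel-size computation and the per-family switch that follow, which is correct only because those checks describe the capabilities of a HW offload device that the SW-crypto path does not have; saying so in a comment on the `+` lines would stop a later reader from "fixing" the apparent bypass. The `return false` in the context just above `ok:` still applies when `dev` is NULL, so oversized SW-crypto packets are refused here and left to segmentation, which matches the description.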
--
2.43.0
* [PATCH 3/4] xfrm: bring back device check in validate_xmit_xfrm
From: Steffen Klassert @ 2025-08-11 9:19 UTC
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Sabrina Dubroca <sd@queasysnail.net>
This is a partial revert of commit d53dda291bbd993a29b84d358d282076e3d01506.
This change causes traffic using GSO with SW crypto running through a
NIC capable of HW offload to no longer get segmented during
validate_xmit_xfrm, and is unrelated to the bonding use case mentioned
in the commit.
Fixes: d53dda291bbd ("xfrm: Remove unneeded device check from validate_xmit_xfrm")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_device.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 1f88472aaac0..c7a1f080d2de 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -155,7 +155,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
return skb;
}
- if (skb_is_gso(skb) && unlikely(xmit_xfrm_check_overflow(skb))) {
+ if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
+ unlikely(xmit_xfrm_check_overflow(skb)))) {
struct sk_buff *segs;
/* Packet got rerouted, fixup features and segment it. */
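Review bot: the comment `/* Packet got rerouted, fixup features and segment it. */` in the context below the change now describes only one of the two triggers; with `x->xso.dev != dev` restored, a state with no offload device (SW crypto, `x->xso.dev` NULL) takes this branch on every GSO skb, which is the intended fix but not what the comment says. Update the comment to mention the SW-crypto case, so that the next cleanup does not remove the device check again as "unneeded", which is exactly how d53dda291bbd came about.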
--
2.43.0
* [PATCH 4/4] udp: also consider secpath when evaluating ipsec use for checksumming
From: Steffen Klassert @ 2025-08-11 9:19 UTC
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Sabrina Dubroca <sd@queasysnail.net>
Commit b40c5f4fde22 ("udp: disable inner UDP checksum offloads in
IPsec case") tried to fix checksumming in UFO when the packets are
going through IPsec, so that we can't rely on offloads because the UDP
header and payload will be encrypted.
But when doing a TCP test over VXLAN going through IPsec transport
mode with GSO enabled (esp4_offload module loaded), I'm seeing broken
UDP checksums on the encap after successful decryption.
The skbs get to udp4_ufo_fragment/__skb_udp_tunnel_segment via
__dev_queue_xmit -> validate_xmit_skb -> skb_gso_segment and at this
point we've already dropped the dst (unless the device sets
IFF_XMIT_DST_RELEASE, which is not common), so need_ipsec is false and
we proceed with checksum offload.
Make need_ipsec also check the secpath, which is not dropped on this
callpath.
Fixes: b40c5f4fde22 ("udp: disable inner UDP checksum offloads in IPsec case")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/udp_offload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 5128e2a5b00a..b1f3fd302e9d 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -217,7 +217,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
skb->remcsum_offload = remcsum;
- need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
+ need_ipsec = (skb_dst(skb) && dst_xfrm(skb_dst(skb))) || skb_sec_path(skb);
/* Try to offload checksum if possible */
offload_csum = !!(need_csum &&
!need_ipsec &&
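Review bot: the `+` line consults both the dst and the secpath, but the reason both are needed (the dst is released before skb_gso_segment() on the __dev_queue_xmit path unless the device sets IFF_XMIT_DST_RELEASE, while the secpath survives) lives only in the commit message; a short comment above the assignment would keep that knowledge next to the code. `skb_sec_path()` returns a pointer, so the expression mixes a bool with a pointer; it works through `||`, but `!!skb_sec_path(skb)` would match the `!!(...)` style used for `remcsum` and `offload_csum` in the surrounding lines.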
--
2.43.0
* Re: [PATCH 1/4] xfrm: flush all states in xfrm_state_fini
From: patchwork-bot+netdevbpf @ 2025-08-12 13:10 UTC
To: Steffen Klassert; +Cc: davem, kuba, herbert, netdev
Hello:
This series was applied to netdev/net.git (main)
by Steffen Klassert <steffen.klassert@secunet.com>:
On Mon, 11 Aug 2025 11:19:29 +0200 you wrote:
> From: Sabrina Dubroca <sd@queasysnail.net>
>
> While reverting commit f75a2804da39 ("xfrm: destroy xfrm_state
> synchronously on net exit path"), I incorrectly changed
> xfrm_state_flush's "proto" argument back to IPSEC_PROTO_ANY. This
> reverts some of the changes in commit dbb2483b2a46 ("xfrm: clean up
> xfrm protocol checks"), and leads to some states not being removed
> when we exit the netns.
>
> [...]
Here is the summary with links:
- [1/4] xfrm: flush all states in xfrm_state_fini
https://git.kernel.org/netdev/net/c/42e42562c9cf
- [2/4] xfrm: restore GSO for SW crypto
https://git.kernel.org/netdev/net/c/234d1eff5d49
- [3/4] xfrm: bring back device check in validate_xmit_xfrm
https://git.kernel.org/netdev/net/c/65f079a6c446
- [4/4] udp: also consider secpath when evaluating ipsec use for checksumming
https://git.kernel.org/netdev/net/c/1118aaa3b351
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html