* [PATCH 0/2] pull request (net): ipsec 2026-01-14
From: Steffen Klassert @ 2026-01-14 12:18 UTC (permalink / raw)
To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev

1) Fix inner mode lookup in tunnel mode GSO segmentation.
   The protocol was taken from the wrong field.

2) Set ipv4 no_pmtu_disc flag only on output SAs. The
   insertion of input SAs can fail if no_pmtu_disc
   is set.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit 8f7aa3d3c7323f4ca2768a9e74ebbe359c4f8f88:

  Merge tag 'net-next-6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (2025-12-03 17:24:33 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git tags/ipsec-2026-01-14

for you to fetch changes up to c196def07bbc6e8306d7a274433913444b0db20a:

  xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set (2025-12-15 11:06:25 +0100)

----------------------------------------------------------------
ipsec-2026-01-14

----------------------------------------------------------------
Antony Antony (1):
      xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set

Jianbo Liu (1):
      xfrm: Fix inner mode lookup in tunnel mode GSO segmentation

 net/ipv4/esp4_offload.c | 4 ++--
 net/ipv6/esp6_offload.c | 4 ++--
 net/xfrm/xfrm_state.c   | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)

^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH 1/2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation 2026-01-14 12:18 [PATCH 0/2] pull request (net): ipsec 2026-01-14 Steffen Klassert @ 2026-01-14 12:18 ` Steffen Klassert 2026-01-15 12:10 ` patchwork-bot+netdevbpf 2026-01-14 12:18 ` [PATCH 2/2] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set Steffen Klassert 1 sibling, 1 reply; 4+ messages in thread From: Steffen Klassert @ 2026-01-14 12:18 UTC (permalink / raw) To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev From: Jianbo Liu <jianbol@nvidia.com> Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol") attempted to fix GSO segmentation by reading the inner protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect because the field holds the inner L4 protocol (TCP/UDP) instead of the required tunnel protocol. Also, the memory location (shared by XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow()) is prone to corruption. This combination caused the kernel to select the wrong inner mode and get the wrong address family. The correct value is in xfrm_offload(skb)->proto, which is set from the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the inner packet's address family. Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol") Signed-off-by: Jianbo Liu <jianbol@nvidia.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> --- net/ipv4/esp4_offload.c | 4 ++-- net/ipv6/esp6_offload.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index 05828d4cb6cd..abd77162f5e7 100644 --- a/net/ipv4/esp4_offload.c +++ b/net/ipv4/esp4_offload.c 
@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, struct sk_buff *skb, netdev_features_t features) { - const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, - XFRM_MODE_SKB_CB(skb)->protocol); + struct xfrm_offload *xo = xfrm_offload(skb); + const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto); __be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6) : htons(ETH_P_IP); diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c index 22410243ebe8..22895521a57d 100644 --- a/net/ipv6/esp6_offload.c +++ b/net/ipv6/esp6_offload.c @@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, struct sk_buff *skb, netdev_features_t features) { - const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, - XFRM_MODE_SKB_CB(skb)->protocol); + struct xfrm_offload *xo = xfrm_offload(skb); + const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto); __be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP) : htons(ETH_P_IPV6); -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
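
Review bot: In both xfrm4_tunnel_gso_segment() and xfrm6_tunnel_gso_segment(), the pointer returned by xfrm_offload(skb) is dereferenced as xo->proto in the very next declaration with no NULL check, and inner_mode->family is then read from the lookup result without a check either. If the GSO callers already guarantee an offload context on the skb, a one-line comment saying so above the new declaration would make that invariant visible here; otherwise return an error before the lookup when xo is NULL. Since xo is only read in these functions, it can be declared const struct xfrm_offload *xo. The commit message identifies the root cause as a control-block field that is shared and can be overwritten, so it would also help to note in the code that xo->proto is the field set by the tunnel encap path, so a later change does not switch back to the skb cb value.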

* Re: [PATCH 1/2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
From: patchwork-bot+netdevbpf @ 2026-01-15 12:10 UTC
To: Steffen Klassert; +Cc: davem, kuba, herbert, netdev

Hello:

This series was applied to netdev/net.git (main)
by Steffen Klassert <steffen.klassert@secunet.com>:

On Wed, 14 Jan 2026 13:18:08 +0100 you wrote:
> From: Jianbo Liu <jianbol@nvidia.com>
>
> Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
> protocol") attempted to fix GSO segmentation by reading the inner
> protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
> because the field holds the inner L4 protocol (TCP/UDP) instead of the
> required tunnel protocol. Also, the memory location (shared by
> XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
> is prone to corruption. This combination caused the kernel to select
> the wrong inner mode and get the wrong address family.
>
> [...]

Here is the summary with links:
  - [1/2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
    https://git.kernel.org/netdev/net/c/3d5221af9c77
  - [2/2] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
    https://git.kernel.org/netdev/net/c/c196def07bbc

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

* [PATCH 2/2] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set 2026-01-14 12:18 [PATCH 0/2] pull request (net): ipsec 2026-01-14 Steffen Klassert 2026-01-14 12:18 ` [PATCH 1/2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation Steffen Klassert @ 2026-01-14 12:18 ` Steffen Klassert 1 sibling, 0 replies; 4+ messages in thread From: Steffen Klassert @ 2026-01-14 12:18 UTC (permalink / raw) To: David Miller, Jakub Kicinski; +Cc: Herbert Xu, Steffen Klassert, netdev From: Antony Antony <antony.antony@secunet.com> The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but it was being applied regardless of the SA direction when the sysctl ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs. Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction is configured. Closes: https://github.com/strongswan/strongswan/issues/2946 Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out") Signed-off-by: Antony Antony <antony.antony@secunet.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> --- net/xfrm/xfrm_state.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 9e14e453b55c..98b362d51836 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack) int err; if (family == AF_INET && + (!x->dir || x->dir == XFRM_SA_DIR_OUT) && READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc)) x->props.flags |= XFRM_STATE_NOPMTUDISC; -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
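
Review bot: The added condition (!x->dir || x->dir == XFRM_SA_DIR_OUT) in __xfrm_init_state() relies on x->dir == 0 meaning "no direction configured", and that case still gets XFRM_STATE_NOPMTUDISC from the sysctl, including SAs that are in practice used for input. That matches the subject line ("when direction is set"), but nothing in the code says it is deliberate; a short comment above the condition stating that SAs without a direction keep the previous behaviour would prevent a later cleanup from dropping the !x->dir half. The commit message says the flag "can unintentionally affect input SAs" without naming the visible symptom; stating the concrete failure seen when adding an input SA with ip_no_pmtu_disc enabled would make the fix easier to match against bug reports and backport requests.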