[PATCH ipsec v2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation

[PATCH ipsec v2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation

[Jianbo Liu]

Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
protocol") attempted to fix GSO segmentation by reading the inner
protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
because the field holds the inner L4 protocol (TCP/UDP) instead of the
required tunnel protocol. Also, the memory location (shared by
XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
is prone to corruption. This combination caused the kernel to select
the wrong inner mode and get the wrong address family.

The correct value is in xfrm_offload(skb)->proto, which is set from
the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
inner packet's address family.

Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
---
V2:
 - Update commit message.

 net/ipv4/esp4_offload.c | 4 ++--
 net/ipv6/esp6_offload.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 05828d4cb6cd..abd77162f5e7 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
 						struct sk_buff *skb,
 						netdev_features_t features)
 {
-	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
-					XFRM_MODE_SKB_CB(skb)->protocol);
+	struct xfrm_offload *xo = xfrm_offload(skb);
+	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
 	__be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
 						     : htons(ETH_P_IP);
 
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 22410243ebe8..22895521a57d 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
 						struct sk_buff *skb,
 						netdev_features_t features)
 {
-	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
-					XFRM_MODE_SKB_CB(skb)->protocol);
+	struct xfrm_offload *xo = xfrm_offload(skb);
+	const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
 	__be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
 						    : htons(ETH_P_IPV6);
 
-- 
2.49.0

Re: [PATCH ipsec v2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation

[Sabrina Dubroca]

2025-11-20, 05:56:09 +0200, Jianbo Liu wrote:
> Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
> protocol") attempted to fix GSO segmentation by reading the inner
> protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
> because the field holds the inner L4 protocol (TCP/UDP) instead of the
> required tunnel protocol. Also, the memory location (shared by
> XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
> is prone to corruption. This combination caused the kernel to select
> the wrong inner mode and get the wrong address family.
> 
> The correct value is in xfrm_offload(skb)->proto, which is set from
> the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
> is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
> or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
> inner packet's address family.
> 
> Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
> Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
> ---
> V2:
>  - Update commit message.

Thanks Jianbo.

Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>

-- 
Sabrina

Re: [PATCH ipsec v2] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation

[Steffen Klassert]

On Thu, Nov 20, 2025 at 05:56:09AM +0200, Jianbo Liu wrote:
> Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
> protocol") attempted to fix GSO segmentation by reading the inner
> protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
> because the field holds the inner L4 protocol (TCP/UDP) instead of the
> required tunnel protocol. Also, the memory location (shared by
> XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
> is prone to corruption. This combination caused the kernel to select
> the wrong inner mode and get the wrong address family.
> 
> The correct value is in xfrm_offload(skb)->proto, which is set from
> the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
> is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
> or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
> inner packet's address family.
> 
> Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
> Signed-off-by: Jianbo Liu <jianbol@nvidia.com>

Applied, thanks a lot Jianbo!