[PATCH net-next 0/6] xfrm: Convert __xfrm4_dst_lookup() and its callers to dscp_t.

[PATCH net-next 0/6] xfrm: Convert __xfrm4_dst_lookup() and its callers to dscp_t.

[Guillaume Nault]

This patch series continues to prepare users of ->flowi4_tos to a
future conversion of this field (__u8 to dscp_t). This time, we convert
__xfrm4_dst_lookup() and its call chain.

The objective is to eventually make all users of ->flowi4_tos use a
dscp_t value. Making ->flowi4_tos a dscp_t field will help avoiding
regressions where ECN bits are erroneously interpreted as DSCP bits.

Guillaume Nault (6):
  xfrm: Convert xfrm_get_tos() to dscp_t.
  xfrm: Convert xfrm_bundle_create() to dscp_t.
  xfrm: Convert xfrm_dst_lookup() to dscp_t.
  xfrm: Convert __xfrm_dst_lookup() to dscp_t.
  xfrm: Convert the ->dst_lookup() callback to dscp_t.
  xfrm: Convert __xfrm4_dst_lookup() to dscp_t.

 include/net/xfrm.h      |  7 ++++---
 net/ipv4/xfrm4_policy.c | 14 ++++++++------
 net/ipv6/xfrm6_policy.c |  5 +++--
 net/xfrm/xfrm_policy.c  | 20 ++++++++++----------
 4 files changed, 25 insertions(+), 21 deletions(-)

Note: I'm sending this series to net-next as these are generic
networking changes, although they only touch xfrm files. But I'm happy
to rebase over ipsec-next if that's prefered. Just let me know.

-- 
2.39.2

[PATCH net-next 1/6] xfrm: Convert xfrm_get_tos() to dscp_t.

[Guillaume Nault]

Return a dscp_t variable to prepare for the future conversion of
xfrm_bundle_create() to dscp_t.

While there, rename the function "xfrm_get_dscp", to align its name
with the new return type.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/xfrm/xfrm_policy.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 914bac03b52a..dd472e9df059 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2550,10 +2550,10 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
 
 }
 
-static int xfrm_get_tos(const struct flowi *fl, int family)
+static dscp_t xfrm_get_dscp(const struct flowi *fl, int family)
 {
 	if (family == AF_INET)
-		return fl->u.ip4.flowi4_tos & INET_DSCP_MASK;
+		return inet_dsfield_to_dscp(fl->u.ip4.flowi4_tos);
 
 	return 0;
 }
@@ -2647,7 +2647,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
 
 	xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
 
-	tos = xfrm_get_tos(fl, family);
+	tos = inet_dscp_to_dsfield(xfrm_get_dscp(fl, family));
 
 	dst_hold(dst);
 
-- 
2.39.2

[PATCH net-next 2/6] xfrm: Convert xfrm_bundle_create() to dscp_t.

[Guillaume Nault]

Use a dscp_t variable to store the result of xfrm_get_dscp().
This prepares for the future conversion of xfrm_dst_lookup().

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/xfrm/xfrm_policy.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index dd472e9df059..c6ea3ca69e95 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2641,13 +2641,13 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
 	int header_len = 0;
 	int nfheader_len = 0;
 	int trailer_len = 0;
-	int tos;
+	dscp_t dscp;
 	int family = policy->selector.family;
 	xfrm_address_t saddr, daddr;
 
 	xfrm_flowi_addr_get(fl, &saddr, &daddr, family);
 
-	tos = inet_dscp_to_dsfield(xfrm_get_dscp(fl, family));
+	dscp = xfrm_get_dscp(fl, family);
 
 	dst_hold(dst);
 
@@ -2695,7 +2695,8 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
 				family = xfrm[i]->props.family;
 
 			oif = fl->flowi_oif ? : fl->flowi_l3mdev;
-			dst = xfrm_dst_lookup(xfrm[i], tos, oif,
+			dst = xfrm_dst_lookup(xfrm[i],
+					      inet_dscp_to_dsfield(dscp), oif,
 					      &saddr, &daddr, family, mark);
 			err = PTR_ERR(dst);
 			if (IS_ERR(dst))
-- 
2.39.2

[PATCH net-next 3/6] xfrm: Convert xfrm_dst_lookup() to dscp_t.

[Guillaume Nault]

Pass a dscp_t variable to xfrm_dst_lookup(), instead of an int, to
prevent accidental setting of ECN bits in ->flowi4_tos.

Only xfrm_bundle_create() actually calls xfrm_dst_lookup(). Since it
already has a dscp_t variable to pass as parameter, we only need to
remove the inet_dscp_to_dsfield() conversion.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/xfrm/xfrm_policy.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c6ea3ca69e95..6e30b110accf 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -291,7 +291,7 @@ struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
 EXPORT_SYMBOL(__xfrm_dst_lookup);
 
 static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
-						int tos, int oif,
+						dscp_t dscp, int oif,
 						xfrm_address_t *prev_saddr,
 						xfrm_address_t *prev_daddr,
 						int family, u32 mark)
@@ -310,7 +310,8 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
 		daddr = x->coaddr;
 	}
 
-	dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family, mark);
+	dst = __xfrm_dst_lookup(net, inet_dscp_to_dsfield(dscp), oif, saddr,
+				daddr, family, mark);
 
 	if (!IS_ERR(dst)) {
 		if (prev_saddr != saddr)
@@ -2695,9 +2696,8 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
 				family = xfrm[i]->props.family;
 
 			oif = fl->flowi_oif ? : fl->flowi_l3mdev;
-			dst = xfrm_dst_lookup(xfrm[i],
-					      inet_dscp_to_dsfield(dscp), oif,
-					      &saddr, &daddr, family, mark);
+			dst = xfrm_dst_lookup(xfrm[i], dscp, oif, &saddr,
+					      &daddr, family, mark);
 			err = PTR_ERR(dst);
 			if (IS_ERR(dst))
 				goto put_states;
-- 
2.39.2

[PATCH net-next 4/6] xfrm: Convert __xfrm_dst_lookup() to dscp_t.

[Guillaume Nault]

Pass a dscp_t variable to __xfrm_dst_lookup(), instead of an int, to
prevent accidental setting of ECN bits in ->flowi4_tos.

Callers of ip_mc_validate_source() to consider are:

  * xfrm_dst_lookup() which already has a dscp_t variable to pass as
    parameter. We just need to remove the inet_dscp_to_dsfield()
    conversion.

  * xfrm_dev_state_add() in net/xfrm/xfrm_device.c. This function
    sets the tos parameter to 0, which is already a valid dscp_t value,
    so it doesn't need to be adjusted for the new prototype.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 include/net/xfrm.h     | 3 ++-
 net/xfrm/xfrm_policy.c | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index b6bfdc6416c7..18c0a6077ae9 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -19,6 +19,7 @@
 
 #include <net/sock.h>
 #include <net/dst.h>
+#include <net/inet_dscp.h>
 #include <net/ip.h>
 #include <net/route.h>
 #include <net/ipv6.h>
@@ -1764,7 +1765,7 @@ static inline int xfrm_user_policy(struct sock *sk, int optname,
 }
 #endif
 
-struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
+struct dst_entry *__xfrm_dst_lookup(struct net *net, dscp_t dscp, int oif,
 				    const xfrm_address_t *saddr,
 				    const xfrm_address_t *daddr,
 				    int family, u32 mark);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6e30b110accf..a1b499cc840c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -270,7 +270,7 @@ static const struct xfrm_if_cb *xfrm_if_get_cb(void)
 	return rcu_dereference(xfrm_if_cb);
 }
 
-struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
+struct dst_entry *__xfrm_dst_lookup(struct net *net, dscp_t dscp, int oif,
 				    const xfrm_address_t *saddr,
 				    const xfrm_address_t *daddr,
 				    int family, u32 mark)
@@ -282,7 +282,8 @@ struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
 	if (unlikely(afinfo == NULL))
 		return ERR_PTR(-EAFNOSUPPORT);
 
-	dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr, mark);
+	dst = afinfo->dst_lookup(net, inet_dscp_to_dsfield(dscp), oif, saddr,
+				 daddr, mark);
 
 	rcu_read_unlock();
 
@@ -310,8 +311,7 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
 		daddr = x->coaddr;
 	}
 
-	dst = __xfrm_dst_lookup(net, inet_dscp_to_dsfield(dscp), oif, saddr,
-				daddr, family, mark);
+	dst = __xfrm_dst_lookup(net, dscp, oif, saddr, daddr, family, mark);
 
 	if (!IS_ERR(dst)) {
 		if (prev_saddr != saddr)
-- 
2.39.2

[PATCH net-next 5/6] xfrm: Convert the ->dst_lookup() callback to dscp_t.

[Guillaume Nault]

Pass a dscp_t variable to ->dst_lookup() callbacks (struct
xfrm_policy_afinfo), instead of an int, to prevent accidental setting
of ECN bits in ->flowi4_tos.

This callback is only called by __xfrm_dst_lookup(), which already has
a dscp_t variable to pass as parameter. We just need to remove the
inet_dscp_to_dsfield() conversion.

There are two implementations of this callback: xfrm6_dst_lookup(),
which doesn't use the modified parameter, and xfrm4_dst_lookup() which
needs to convert it again before calling __xfrm4_dst_lookup().

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 include/net/xfrm.h      | 4 ++--
 net/ipv4/xfrm4_policy.c | 8 +++++---
 net/ipv6/xfrm6_policy.c | 5 +++--
 net/xfrm/xfrm_policy.c  | 3 +--
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 18c0a6077ae9..46c82d75679a 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -355,8 +355,8 @@ struct xfrm_type;
 struct xfrm_dst;
 struct xfrm_policy_afinfo {
 	struct dst_ops		*dst_ops;
-	struct dst_entry	*(*dst_lookup)(struct net *net,
-					       int tos, int oif,
+	struct dst_entry	*(*dst_lookup)(struct net *net, dscp_t dscp,
+					       int oif,
 					       const xfrm_address_t *saddr,
 					       const xfrm_address_t *daddr,
 					       u32 mark);
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 0294fef577fa..342a0158da91 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -11,6 +11,7 @@
 
 #include <linux/err.h>
 #include <linux/kernel.h>
+#include <net/inet_dscp.h>
 #include <linux/inetdevice.h>
 #include <net/dst.h>
 #include <net/xfrm.h>
@@ -40,14 +41,15 @@ static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
 	return ERR_CAST(rt);
 }
 
-static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos, int oif,
-					  const xfrm_address_t *saddr,
+static struct dst_entry *xfrm4_dst_lookup(struct net *net, dscp_t dscp,
+					  int oif, const xfrm_address_t *saddr,
 					  const xfrm_address_t *daddr,
 					  u32 mark)
 {
 	struct flowi4 fl4;
 
-	return __xfrm4_dst_lookup(net, &fl4, tos, oif, saddr, daddr, mark);
+	return __xfrm4_dst_lookup(net, &fl4, inet_dscp_to_dsfield(dscp), oif,
+				  saddr, daddr, mark);
 }
 
 static int xfrm4_get_saddr(struct net *net, int oif,
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index b1d81c4270ab..0c28b22ae3c1 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -18,13 +18,14 @@
 #include <net/addrconf.h>
 #include <net/dst.h>
 #include <net/xfrm.h>
+#include <net/inet_dscp.h>
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
 #include <net/l3mdev.h>
 
-static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif,
-					  const xfrm_address_t *saddr,
+static struct dst_entry *xfrm6_dst_lookup(struct net *net, dscp_t dscp,
+					  int oif, const xfrm_address_t *saddr,
 					  const xfrm_address_t *daddr,
 					  u32 mark)
 {
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a1b499cc840c..db2e602971fd 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -282,8 +282,7 @@ struct dst_entry *__xfrm_dst_lookup(struct net *net, dscp_t dscp, int oif,
 	if (unlikely(afinfo == NULL))
 		return ERR_PTR(-EAFNOSUPPORT);
 
-	dst = afinfo->dst_lookup(net, inet_dscp_to_dsfield(dscp), oif, saddr,
-				 daddr, mark);
+	dst = afinfo->dst_lookup(net, dscp, oif, saddr, daddr, mark);
 
 	rcu_read_unlock();
 
-- 
2.39.2

[PATCH net-next 6/6] xfrm: Convert __xfrm4_dst_lookup() to dscp_t.

[Guillaume Nault]

Pass a dscp_t variable to __xfrm4_dst_lookup(), instead of an int, to
prevent accidental setting of ECN bits in ->flowi4_tos.

Callers of __xfrm4_dst_lookup() to consider are:

  * xfrm4_dst_lookup(), which already has a dscp_t variable to pass as
    parameter. We just need to remove the inet_dscp_to_dsfield()
    conversion.

  * xfrm4_get_saddr(). This function sets the tos parameter to 0, which
    is already a valid dscp_t value, so it doesn't need to be adjusted
    for the new prototype.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/xfrm4_policy.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 342a0158da91..b1968ae756c9 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -18,8 +18,9 @@
 #include <net/ip.h>
 #include <net/l3mdev.h>
 
-static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
-					    int tos, int oif,
+static struct dst_entry *__xfrm4_dst_lookup(struct net *net,
+					    struct flowi4 *fl4, dscp_t dscp,
+					    int oif,
 					    const xfrm_address_t *saddr,
 					    const xfrm_address_t *daddr,
 					    u32 mark)
@@ -28,7 +29,7 @@ static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
 
 	memset(fl4, 0, sizeof(*fl4));
 	fl4->daddr = daddr->a4;
-	fl4->flowi4_tos = tos;
+	fl4->flowi4_tos = inet_dscp_to_dsfield(dscp);
 	fl4->flowi4_l3mdev = l3mdev_master_ifindex_by_index(net, oif);
 	fl4->flowi4_mark = mark;
 	if (saddr)
@@ -48,8 +49,7 @@ static struct dst_entry *xfrm4_dst_lookup(struct net *net, dscp_t dscp,
 {
 	struct flowi4 fl4;
 
-	return __xfrm4_dst_lookup(net, &fl4, inet_dscp_to_dsfield(dscp), oif,
-				  saddr, daddr, mark);
+	return __xfrm4_dst_lookup(net, &fl4, dscp, oif, saddr, daddr, mark);
 }
 
 static int xfrm4_get_saddr(struct net *net, int oif,
-- 
2.39.2

Re: [PATCH net-next 3/6] xfrm: Convert xfrm_dst_lookup() to dscp_t.

[Eyal Birger]

On Tue, Oct 15, 2024 at 2:14 AM Guillaume Nault <gnault@redhat.com> wrote:
>
> Pass a dscp_t variable to xfrm_dst_lookup(), instead of an int, to
> prevent accidental setting of ECN bits in ->flowi4_tos.
>
> Only xfrm_bundle_create() actually calls xfrm_dst_lookup(). Since it
> already has a dscp_t variable to pass as parameter, we only need to
> remove the inet_dscp_to_dsfield() conversion.
>
> Signed-off-by: Guillaume Nault <gnault@redhat.com>
> ---
>  net/xfrm/xfrm_policy.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> index c6ea3ca69e95..6e30b110accf 100644
> --- a/net/xfrm/xfrm_policy.c
> +++ b/net/xfrm/xfrm_policy.c
> @@ -291,7 +291,7 @@ struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
>  EXPORT_SYMBOL(__xfrm_dst_lookup);
>
>  static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
> -                                               int tos, int oif,
> +                                               dscp_t dscp, int oif,


FWIW this looks like it's going to conflict with a commit currently in
the ipsec tree:
https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=e509996b16728e37d5a909a5c63c1bd64f23b306

Eyal.

Re: [PATCH net-next 3/6] xfrm: Convert xfrm_dst_lookup() to dscp_t.

[Guillaume Nault]

On Tue, Oct 15, 2024 at 04:48:57AM -0700, Eyal Birger wrote:
> On Tue, Oct 15, 2024 at 2:14 AM Guillaume Nault <gnault@redhat.com> wrote:
> >
> > Pass a dscp_t variable to xfrm_dst_lookup(), instead of an int, to
> > prevent accidental setting of ECN bits in ->flowi4_tos.
> >
> > Only xfrm_bundle_create() actually calls xfrm_dst_lookup(). Since it
> > already has a dscp_t variable to pass as parameter, we only need to
> > remove the inet_dscp_to_dsfield() conversion.
> >
> > Signed-off-by: Guillaume Nault <gnault@redhat.com>
> > ---
> >  net/xfrm/xfrm_policy.c | 10 +++++-----
> >  1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> > index c6ea3ca69e95..6e30b110accf 100644
> > --- a/net/xfrm/xfrm_policy.c
> > +++ b/net/xfrm/xfrm_policy.c
> > @@ -291,7 +291,7 @@ struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
> >  EXPORT_SYMBOL(__xfrm_dst_lookup);
> >
> >  static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
> > -                                               int tos, int oif,
> > +                                               dscp_t dscp, int oif,
> 
> 
> FWIW this looks like it's going to conflict with a commit currently in
> the ipsec tree:
> https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git/commit/?id=e509996b16728e37d5a909a5c63c1bd64f23b306

Indeed. I'll send v2 once the ipsec tree will be merged.
Thanks!

> Eyal.
>