From: Greg KH <greg@kroah.com>
To: Tobias Brunner <tobias@strongswan.org>
Cc: stable@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Steffen Klassert <steffen.klassert@secunet.com>,
Xin Long <lucien.xin@gmail.com>
Subject: Re: [PATCH 4.19] xfrm: policy: match with both mark and mask on user interfaces
Date: Thu, 14 Apr 2022 12:37:14 +0200 [thread overview]
Message-ID: <Ylf5WkjP7AclOR05@kroah.com> (raw)
In-Reply-To: <9376197f-55d6-d450-4b51-a86aae21feb2@strongswan.org>
On Tue, Apr 12, 2022 at 09:33:58AM +0200, Tobias Brunner wrote:
> From: Xin Long <lucien.xin@gmail.com>
>
> commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
>
> In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> it would take 'priority' to make a policy unique, and allow duplicated
> policies with different 'priority' to be added, which is not expected
> by userland, as Tobias reported in strongswan.
>
> To fix this duplicated policies issue, and also fix the issue in
> commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> when doing add/del/get/update on user interfaces, this patch is to change
> to look up a policy with both mark and mask by doing:
>
> mark.v == pol->mark.v && mark.m == pol->mark.m
>
> and leave the check:
>
> (mark & pol->mark.m) == pol->mark.v
>
> for tx/rx path only.
>
> As the userland expects an exact mark and mask match to manage policies.
>
> v1->v2:
> - make xfrm_policy_mark_match inline and fix the changelog as
> Tobias suggested.
>
> Cc: <stable@vger.kernel.org> # 4.19.x
> Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
> Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
> Reported-by: Tobias Brunner <tobias@strongswan.org>
> Tested-by: Tobias Brunner <tobias@strongswan.org>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> ---
> This is a backport to 4.19.x of a fix that has already been applied
> to newer stable kernels. However, due to conflicts it was never
> included in the 4.x trees, which all contain backports of the
> problematic commit referenced above (ed17b8d377ea). So they all are
> prone to creating duplicate IPsec policies with priority updates.
All 3 now queued up, thanks.
greg k-h
prev parent reply other threads:[~2022-04-14 10:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-12 7:33 [PATCH 4.19] xfrm: policy: match with both mark and mask on user interfaces Tobias Brunner
2022-04-14 10:37 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Ylf5WkjP7AclOR05@kroah.com \
--to=greg@kroah.com \
--cc=davem@davemloft.net \
--cc=lucien.xin@gmail.com \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=tobias@strongswan.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox