[SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check

Bodong Wang bodong at nvidia.com
Thu Jun 16 14:59:41 UTC 2022


This is an urgent fix for us. Could you include it inside the past SRU cycle(June 15). The next one in July is too late for us.


-----Original Message-----
From: Bodong Wang <bodong at nvidia.com> 
Sent: Thursday, June 16, 2022 9:55 AM
To: kernel-team at lists.ubuntu.com
Cc: Vladimir Sokolovsky <vlad at nvidia.com>; Bodong Wang <bodong at nvidia.com>; Raed Salem <raeds at nvidia.com>; Maor Dickman <maord at nvidia.com>; Emeel Hakim <ehakim at nvidia.com>
Subject: [SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check

From: Emeel Hakim <ehakim at nvidia.com>

BugLink: https://bugs.launchpad.net/bugs/1978967

commit a3ca11eec78 introduced a flags validity check for xfrm, the check excluded flag XFRM_OFFLOAD_FULL from the check hence the flag is being blocked from getting to the kernel space.
The above is preventing ipsec states from being added with the full_offload option hence the Failure.

Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which allows the flag to get to kernel space as expected.

Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags")
Signed-off-by: Emeel Hakim <ehakim at nvidia.com>
Signed-off-by: Bodong Wang <bodong at nvidia.com>
 net/xfrm/xfrm_device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 8cb04de..40960c0 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
 	if (x->encap || x->tfcpad)
 		return -EINVAL;
+	if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | 
 		return -EINVAL;
 	dev = dev_get_by_index(net, xuo->ifindex);

More information about the kernel-team mailing list