[SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check

Zachary Tahenakos zachary.tahenakos at canonical.com
Thu Jun 16 15:42:17 UTC 2022 

Hey Bodong,

The past cycle (2022.05.09) is currently awaiting cert and Stakeholder 
sign-off. As it is at the end of its spin, we think it makes more sense 
instead to do this fix ontop of 2022.05.30 and just drop 2022.05.09. The 
earliest this could get out would be sometime late next week depending 
on cert and stakeholder sign-off. Would that be acceptable?

-Zack

On 6/16/22 10:59 AM, Bodong Wang wrote:
> Tim/Alex,
>
> This is an urgent fix for us. Could you include it inside the past SRU cycle(June 15). The next one in July is too late for us.
>
> Thanks,
> Bodong
>
> -----Original Message-----
> From: Bodong Wang <bodong at nvidia.com>
> Sent: Thursday, June 16, 2022 9:55 AM
> To: kernel-team at lists.ubuntu.com
> Cc: Vladimir Sokolovsky <vlad at nvidia.com>; Bodong Wang <bodong at nvidia.com>; Raed Salem <raeds at nvidia.com>; Maor Dickman <maord at nvidia.com>; Emeel Hakim <ehakim at nvidia.com>
> Subject: [SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check
>
> From: Emeel Hakim <ehakim at nvidia.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1978967
>
> commit a3ca11eec78 introduced a flags validity check for xfrm, the check excluded flag XFRM_OFFLOAD_FULL from the check hence the flag is being blocked from getting to the kernel space.
> The above is preventing ipsec states from being added with the full_offload option hence the Failure.
>
> Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which allows the flag to get to kernel space as expected.
>
> Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags")
> Signed-off-by: Emeel Hakim <ehakim at nvidia.com>
> Signed-off-by: Bodong Wang <bodong at nvidia.com>
> ---
>   net/xfrm/xfrm_device.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 8cb04de..40960c0 100644
> --- a/net/xfrm/xfrm_device.c
> +++ b/net/xfrm/xfrm_device.c
> @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
>   	if (x->encap || x->tfcpad)
>   		return -EINVAL;
>   
> -	if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND))
> +	if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND |
> +XFRM_OFFLOAD_FULL))
>   		return -EINVAL;
>   
>   	dev = dev_get_by_index(net, xuo->ifindex);
> --
> 1.8.3.1
>
>

More information about the kernel-team mailing list