Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 04f1c4ad authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 



Steffen Klassert says:

====================
pull request (net): ipsec 2017-08-29

1) Fix dst_entry refcount imbalance when using socket policies.
   From Lorenzo Colitti.

2) Fix locking when adding the ESP trailers.

3) Fix tailroom calculation for the ESP trailer by using
   skb_tailroom instead of skb_availroom.

4) Fix some info leaks in xfrm_user.
   From Mathias Krause.

Please pull or let me know if there are problems.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents c7848399 931e79d7

net/ipv4/esp4.c

+4 −3
Original line number Diff line number Diff line
@@ -258,7 +258,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * 
		esp_output_udp_encap(x, skb, esp);



	if (!skb_cloned(skb)) {

		if (tailen <= skb_availroom(skb)) {

		if (tailen <= skb_tailroom(skb)) {

			nfrags = 1;

			trailer = skb;

			tail = skb_tail_pointer(trailer);
@@ -292,8 +292,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * 


			kunmap_atomic(vaddr);



			spin_unlock_bh(&x->lock);



			nfrags = skb_shinfo(skb)->nr_frags;



			__skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
@@ -301,6 +299,9 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * 
			skb_shinfo(skb)->nr_frags = ++nfrags;



			pfrag->offset = pfrag->offset + allocsize;



			spin_unlock_bh(&x->lock);



			nfrags++;



			skb->len += tailen;

net/ipv6/esp6.c

+4 −3
Original line number Diff line number Diff line
@@ -226,7 +226,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info 
	int tailen = esp->tailen;



	if (!skb_cloned(skb)) {

		if (tailen <= skb_availroom(skb)) {

		if (tailen <= skb_tailroom(skb)) {

			nfrags = 1;

			trailer = skb;

			tail = skb_tail_pointer(trailer);
@@ -260,8 +260,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info 


			kunmap_atomic(vaddr);



			spin_unlock_bh(&x->lock);



			nfrags = skb_shinfo(skb)->nr_frags;



			__skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
@@ -269,6 +267,9 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info 
			skb_shinfo(skb)->nr_frags = ++nfrags;



			pfrag->offset = pfrag->offset + allocsize;



			spin_unlock_bh(&x->lock);



			nfrags++;



			skb->len += tailen;

net/xfrm/xfrm_policy.c

+0 −1
Original line number Diff line number Diff line
@@ -2226,7 +2226,6 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, 
				goto no_transform;

			}



			dst_hold(&xdst->u.dst);

			route = xdst->route;

		}

	}

net/xfrm/xfrm_user.c

+5 −1
Original line number Diff line number Diff line
@@ -796,7 +796,7 @@ static int copy_user_offload(struct xfrm_state_offload *xso, struct sk_buff *skb 
		return -EMSGSIZE;



	xuo = nla_data(attr);



	memset(xuo, 0, sizeof(*xuo));

	xuo->ifindex = xso->dev->ifindex;

	xuo->flags = xso->flags;
@@ -1869,6 +1869,7 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct 
		return -EMSGSIZE;



	id = nlmsg_data(nlh);

	memset(&id->sa_id, 0, sizeof(id->sa_id));

	memcpy(&id->sa_id.daddr, &x->id.daddr, sizeof(x->id.daddr));

	id->sa_id.spi = x->id.spi;

	id->sa_id.family = x->props.family;
@@ -2578,6 +2579,8 @@ static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct 
	ue = nlmsg_data(nlh);

	copy_to_user_state(x, &ue->state);

	ue->hard = (c->data.hard != 0) ? 1 : 0;

	/* clear the padding bytes */

	memset(&ue->hard + 1, 0, sizeof(*ue) - offsetofend(typeof(*ue), hard));



	err = xfrm_mark_put(skb, &x->mark);

	if (err)
@@ -2715,6 +2718,7 @@ static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c) 
		struct nlattr *attr;



		id = nlmsg_data(nlh);

		memset(id, 0, sizeof(*id));

		memcpy(&id->daddr, &x->id.daddr, sizeof(id->daddr));

		id->spi = x->id.spi;

		id->family = x->props.family;