[linux] 02/03: net: Fix regression in ip_vti/ip6_vti in 3.16.7-ckt11 (Closes: #813594)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Mar 6 22:19:31 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit 438969074948e1b6eda09f84ed7816983454a714
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Mar 6 21:56:15 2016 +0000
net: Fix regression in ip_vti/ip6_vti in 3.16.7-ckt11 (Closes: #813594)
- ip_vti/ip6_vti: Do not touch skb->mark on xmit
- xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input
- ip_vti/ip6_vti: Preserve skb->mark after rcv_cb call
All of these were included in 3.18.y.
---
debian/changelog | 4 ++
...vti-ip6_vti-do-not-touch-skb-mark-on-xmit.patch | 59 +++++++++++++++
...6_vti-preserve-skb-mark-after-rcv_cb-call.patch | 83 ++++++++++++++++++++++
...de-skb-mark-with-tunnel-parm.i_key-in-xfr.patch | 63 ++++++++++++++++
debian/patches/series | 3 +
5 files changed, 212 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 82a1a08..300c6f6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -639,6 +639,10 @@ linux (3.16.7-ckt25-1) UNRELEASED; urgency=medium
np->opt", which don't appear to affect out-of-tree modules
* crypto: {blk,giv}cipher: Set has_setkey (avoids regressing cryptsetup;
see #815480)
+ * net: Fix regression in ip_vti/ip6_vti in 3.16.7-ckt11 (Closes: #813594):
+ - ip_vti/ip6_vti: Do not touch skb->mark on xmit
+ - xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input
+ - ip_vti/ip6_vti: Preserve skb->mark after rcv_cb call
[ Aurelien Jarno ]
* [mips*] Add support for MIPS 5KE CPU.
diff --git a/debian/patches/bugfix/all/ip_vti-ip6_vti-do-not-touch-skb-mark-on-xmit.patch b/debian/patches/bugfix/all/ip_vti-ip6_vti-do-not-touch-skb-mark-on-xmit.patch
new file mode 100644
index 0000000..463d573
--- /dev/null
+++ b/debian/patches/bugfix/all/ip_vti-ip6_vti-do-not-touch-skb-mark-on-xmit.patch
@@ -0,0 +1,59 @@
+From: Alexander Duyck <alexander.h.duyck at redhat.com>
+Date: Wed, 27 May 2015 07:16:43 -0700
+Subject: ip_vti/ip6_vti: Do not touch skb->mark on xmit
+Origin: https://git.kernel.org/linus/cd5279c194f89c9b97c294af4aaf4ea8c5e3c704
+
+Instead of modifying skb->mark we can simply modify the flowi_mark that is
+generated as a result of the xfrm_decode_session. By doing this we don't
+need to actually touch the skb->mark and it can be preserved as it passes
+out through the tunnel.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck at redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+ net/ipv4/ip_vti.c | 5 +++--
+ net/ipv6/ip6_vti.c | 4 +++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -216,8 +216,6 @@ static netdev_tx_t vti_tunnel_xmit(struc
+
+ memset(&fl, 0, sizeof(fl));
+
+- skb->mark = be32_to_cpu(tunnel->parms.o_key);
+-
+ switch (skb->protocol) {
+ case htons(ETH_P_IP):
+ xfrm_decode_session(skb, &fl, AF_INET);
+@@ -233,6 +231,9 @@ static netdev_tx_t vti_tunnel_xmit(struc
+ return NETDEV_TX_OK;
+ }
+
++ /* override mark with tunnel output key */
++ fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key);
++
+ return vti_xmit(skb, dev, &fl);
+ }
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -468,7 +468,6 @@ vti6_tnl_xmit(struct sk_buff *skb, struc
+ int ret;
+
+ memset(&fl, 0, sizeof(fl));
+- skb->mark = be32_to_cpu(t->parms.o_key);
+
+ switch (skb->protocol) {
+ case htons(ETH_P_IPV6):
+@@ -489,6 +488,9 @@ vti6_tnl_xmit(struct sk_buff *skb, struc
+ goto tx_err;
+ }
+
++ /* override mark with tunnel output key */
++ fl.flowi_mark = be32_to_cpu(t->parms.o_key);
++
+ ret = vti6_xmit(skb, dev, &fl);
+ if (ret < 0)
+ goto tx_err;
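Review bot: The comment above `fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key);` in vti_tunnel_xmit, and above the matching line in vti6_tnl_xmit, does not say that the assignment must stay after the `switch (skb->protocol)` block. Per the patch description the flow mark is generated by xfrm_decode_session, so an assignment placed before the switch would presumably be overwritten, and the policy lookup would then use the packet's own mark instead of the tunnel key. I would extend the comment to something like `/* must follow xfrm_decode_session(), which fills fl; lookup uses o_key, skb->mark stays untouched */`. Both function bodies start and end outside the context shown here.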
diff --git a/debian/patches/bugfix/all/ip_vti-ip6_vti-preserve-skb-mark-after-rcv_cb-call.patch b/debian/patches/bugfix/all/ip_vti-ip6_vti-preserve-skb-mark-after-rcv_cb-call.patch
new file mode 100644
index 0000000..1a6b7ab
--- /dev/null
+++ b/debian/patches/bugfix/all/ip_vti-ip6_vti-preserve-skb-mark-after-rcv_cb-call.patch
@@ -0,0 +1,83 @@
+From: Alexander Duyck <alexander.h.duyck at redhat.com>
+Date: Wed, 27 May 2015 07:16:54 -0700
+Subject: ip_vti/ip6_vti: Preserve skb->mark after rcv_cb call
+Origin: https://git.kernel.org/linus/d55c670cbc54b2270a465cdc382ce71adae45785
+
+The vti6_rcv_cb and vti_rcv_cb calls were leaving the skb->mark modified
+after completing the function. This resulted in the original skb->mark
+value being lost. Since we only need skb->mark to be set for
+xfrm_policy_check we can pull the assignment into the rcv_cb calls and then
+just restore the original mark after xfrm_policy_check has been completed.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck at redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+ net/ipv4/ip_vti.c | 9 +++++++--
+ net/ipv6/ip6_vti.c | 9 +++++++--
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -65,7 +65,6 @@ static int vti_input(struct sk_buff *skb
+ goto drop;
+
+ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+- skb->mark = be32_to_cpu(tunnel->parms.i_key);
+
+ return xfrm_input(skb, nexthdr, spi, encap_type);
+ }
+@@ -91,6 +90,8 @@ static int vti_rcv_cb(struct sk_buff *sk
+ struct pcpu_sw_netstats *tstats;
+ struct xfrm_state *x;
+ struct ip_tunnel *tunnel = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4;
++ u32 orig_mark = skb->mark;
++ int ret;
+
+ if (!tunnel)
+ return 1;
+@@ -107,7 +108,11 @@ static int vti_rcv_cb(struct sk_buff *sk
+ x = xfrm_input_state(skb);
+ family = x->inner_mode->afinfo->family;
+
+- if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
++ skb->mark = be32_to_cpu(tunnel->parms.i_key);
++ ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
++ skb->mark = orig_mark;
++
++ if (!ret)
+ return -EPERM;
+
+ skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(skb->dev)));
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -301,7 +301,6 @@ static int vti6_rcv(struct sk_buff *skb)
+ }
+
+ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
+- skb->mark = be32_to_cpu(t->parms.i_key);
+
+ rcu_read_unlock();
+
+@@ -321,6 +320,8 @@ static int vti6_rcv_cb(struct sk_buff *s
+ struct pcpu_sw_netstats *tstats;
+ struct xfrm_state *x;
+ struct ip6_tnl *t = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6;
++ u32 orig_mark = skb->mark;
++ int ret;
+
+ if (!t)
+ return 1;
+@@ -337,7 +338,11 @@ static int vti6_rcv_cb(struct sk_buff *s
+ x = xfrm_input_state(skb);
+ family = x->inner_mode->afinfo->family;
+
+- if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
++ skb->mark = be32_to_cpu(t->parms.i_key);
++ ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
++ skb->mark = orig_mark;
++
++ if (!ret)
+ return -EPERM;
+
+ skb_scrub_packet(skb, !net_eq(t->net, dev_net(skb->dev)));
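Review bot: The temporary override of `skb->mark` around `xfrm_policy_check()` in vti_rcv_cb and vti6_rcv_cb has no comment, so nothing records that the restore must run on both the accept path and the `-EPERM` path. A short comment such as `/* policy check must see the tunnel i_key; restore the caller's mark before returning either way */` would keep a later edit from moving the restore below the `if (!ret)` test. Removing the `skb->mark` assignment from vti_input and vti6_rcv also makes this patch depend on the xfrm_input change that takes the lookup mark from the tunnel; the series file lists that patch first, which is the order it needs. Since `ret` only holds a truth value, a name like `allowed` would read more clearly next to `return -EPERM`.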
diff --git a/debian/patches/bugfix/all/xfrm-override-skb-mark-with-tunnel-parm.i_key-in-xfr.patch b/debian/patches/bugfix/all/xfrm-override-skb-mark-with-tunnel-parm.i_key-in-xfr.patch
new file mode 100644
index 0000000..7e15503
--- /dev/null
+++ b/debian/patches/bugfix/all/xfrm-override-skb-mark-with-tunnel-parm.i_key-in-xfr.patch
@@ -0,0 +1,63 @@
+From: Alexander Duyck <alexander.h.duyck at redhat.com>
+Date: Wed, 27 May 2015 07:16:49 -0700
+Subject: xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input
+Origin: https://git.kernel.org/linus/049f8e2e28d9c3dac0744cc2f19d3157c7fb5646
+
+This change makes it so that if a tunnel is defined we just use the mark
+from the tunnel instead of the mark from the skb header. By doing this we
+can avoid the need to set skb->mark inside of the tunnel receive functions.
+
+Signed-off-by: Alexander Duyck <alexander.h.duyck at redhat.com>
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Sasha Levin <sasha.levin at oracle.com>
+---
+ net/xfrm/xfrm_input.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -13,6 +13,8 @@
+ #include <net/dst.h>
+ #include <net/ip.h>
+ #include <net/xfrm.h>
++#include <net/ip_tunnels.h>
++#include <net/ip6_tunnel.h>
+
+ static struct kmem_cache *secpath_cachep __read_mostly;
+
+@@ -186,6 +188,7 @@ int xfrm_input(struct sk_buff *skb, int
+ struct xfrm_state *x = NULL;
+ xfrm_address_t *daddr;
+ struct xfrm_mode *inner_mode;
++ u32 mark = skb->mark;
+ unsigned int family;
+ int decaps = 0;
+ int async = 0;
+@@ -203,6 +206,18 @@ int xfrm_input(struct sk_buff *skb, int
+ XFRM_SPI_SKB_CB(skb)->daddroff);
+ family = XFRM_SPI_SKB_CB(skb)->family;
+
++ /* if tunnel is present override skb->mark value with tunnel i_key */
++ if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) {
++ switch (family) {
++ case AF_INET:
++ mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
++ break;
++ case AF_INET6:
++ mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
++ break;
++ }
++ }
++
+ /* Allocate new secpath or COW existing one. */
+ if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
+ struct sec_path *sp;
+@@ -229,7 +244,7 @@ int xfrm_input(struct sk_buff *skb, int
+ goto drop;
+ }
+
+- x = xfrm_state_lookup(net, skb->mark, daddr, spi, nexthdr, family);
++ x = xfrm_state_lookup(net, mark, daddr, spi, nexthdr, family);
+ if (x == NULL) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
+ xfrm_audit_state_notfound(skb, family, spi, seq);
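Review bot: The new block in xfrm_input tests `XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4` and then dereferences `tunnel.ip6` in the `AF_INET6` case. That is only sound if `ip4` and `ip6` share storage and every caller of xfrm_input has set or cleared that control-block field before the call. The VTI receive paths in this series visibly set it, but the non-tunnel callers are not in this diff, so it is worth confirming that they write NULL there. Otherwise stale control-block bytes would be dereferenced and would also choose the mark passed to `xfrm_state_lookup()`, which decides which state matches the packet. I would state the assumption in the comment, e.g. `/* tunnel.ip4/ip6 alias one pointer; callers without a tunnel must have cleared it */`; the function body continues outside the hunk.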
diff --git a/debian/patches/series b/debian/patches/series
index b37ec30..7cd7bb1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -653,3 +653,6 @@ debian/enclosure-fix-abi-change-in-3.16.7-ckt23.patch
debian/revert-cgroup-make-sure-a-parent-css-isn-t-offlined.patch
bugfix/all/crypto-blk-giv-cipher-set-has_setkey.patch
debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
+bugfix/all/ip_vti-ip6_vti-do-not-touch-skb-mark-on-xmit.patch
+bugfix/all/xfrm-override-skb-mark-with-tunnel-parm.i_key-in-xfr.patch
+bugfix/all/ip_vti-ip6_vti-preserve-skb-mark-after-rcv_cb-call.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git