diff options
| author | David S. Miller <davem@davemloft.net> | 2017-11-01 19:27:46 +0900 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-11-01 19:27:46 +0900 |
| commit | 122f00cdc1bb27cb0ff4b0a8cffa3bb27f61f949 (patch) | |
| tree | d4ee44d28cf00a6a355f7f6eba870a3d1acaafcd /net | |
| parent | 62b0e9243fca257217ef72f383bd38ed5a542b5e (diff) | |
| parent | 73b9fc49b4c0116a04eda3979f64ed9b540b153c (diff) | |
| download | op-kernel-dev-122f00cdc1bb27cb0ff4b0a8cffa3bb27f61f949.zip op-kernel-dev-122f00cdc1bb27cb0ff4b0a8cffa3bb27f61f949.tar.gz | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2017-11-01
1) Fix a memleak when a packet matches a policy
without a matching state.
2) Reset the socket cached dst_entry when inserting
a socket policy, otherwise the policy might be
ignored. From Jonathan Basseri.
3) Fix GSO for a IPsec, GRE tunnel combination.
We reset the encapsulation field at the skb
too erly, as a result GRE does not segment
GSO packets. Fix this by resetting the the
encapsulation field right before the
transformation where the inner headers get
invalid.
Please pull or let me know if there are problems.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/xfrm/xfrm_output.c | 4 | ||||
| -rw-r--r-- | net/xfrm/xfrm_policy.c | 1 | ||||
| -rw-r--r-- | net/xfrm/xfrm_state.c | 1 |
3 files changed, 4 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 31a2e6d..73ad8c8 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -105,6 +105,9 @@ static int xfrm_output_one(struct sk_buff *skb, int err) if (xfrm_offload(skb)) { x->type_offload->encap(x, skb); } else { + /* Inner headers are invalid now. */ + skb->encapsulation = 0; + err = x->type->output(x, skb); if (err == -EINPROGRESS) goto out; @@ -208,7 +211,6 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb) int err; secpath_reset(skb); - skb->encapsulation = 0; if (xfrm_dev_offload_ok(skb, x)) { struct sec_path *sp; diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 2746b62..8cafb3c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2076,7 +2076,6 @@ make_dummy_bundle: xdst->num_xfrms = num_xfrms; memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols); - dst_hold(&xdst->u.dst); return xdst; inc_error: diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 1221347..1f5cee2 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -2069,6 +2069,7 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen if (err >= 0) { xfrm_sk_policy_insert(sk, err, pol); xfrm_pol_put(pol); + __sk_dst_reset(sk); err = 0; } |
