linux/net/key, branch v6.16Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
https://git.shady.money/linux/atom?h=v6.162025-07-08T11:28:29ZRevert "xfrm: destroy xfrm_state synchronously on net exit path"2025-07-08T11:28:29ZSabrina Dubrocasd@queasysnail.net2025-07-04T14:54:34Zurn:sha1:2a198bbec6913ae1c90ec963750003c6213668c7
This reverts commit f75a2804da391571563c4b6b29e7797787332673.
With all states (whether user or kern) removed from the hashtables
during deletion, there's no need for synchronous destruction of
states. xfrm6_tunnel states still need to have been destroyed (which
will be the case when its last user is deleted (not destroyed)) so
that xfrm6_tunnel_free_spi removes it from the per-netns hashtable
before the netns is destroyed.
This has the benefit of skipping one synchronize_rcu per state (in
__xfrm_state_destroy(sync=true)) when we exit a netns.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
xfrm: Migrate offload configuration2025-04-17T09:00:03ZChiachang Wangchiachangwang@google.com2025-03-13T02:36:40Zurn:sha1:ab244a394c7f13f6573744b9ca72bb22151a3ec4
Add hardware offload configuration to XFRM_MSG_MIGRATE
using an option netlink attribute XFRMA_OFFLOAD_DEV.
In the existing xfrm_state_migrate(), the xfrm_init_state()
is called assuming no hardware offload by default. Even the
original xfrm_state is configured with offload, the setting will
be reset. If the device is configured with hardware offload,
it's reasonable to allow the device to maintain its hardware
offload mode. But the device will end up with offload disabled
after receiving a migration event when the device migrates the
connection from one netdev to another one.
The devices that support migration may work with different
underlying networks, such as mobile devices. The hardware setting
should be forwarded to the different netdev based on the
migration configuration. This change provides the capability
for user space to migrate from one netdev to another.
Test: Tested with kernel test in the Android tree located
in https://android.googlesource.com/kernel/tests/
The xfrm_tunnel_test.py under the tests folder in
particular.
Signed-off-by: Chiachang Wang <chiachangwang@google.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
xfrm: Add support for per cpu xfrm state handling.2024-10-29T10:56:00ZSteffen Klassertsteffen.klassert@secunet.com2024-10-23T10:53:42Zurn:sha1:1ddf9916ac09313128e40d6581cef889c0b4ce84
Currently all flows for a certain SA must be processed by the same
cpu to avoid packet reordering and lock contention of the xfrm
state lock.
To get rid of this limitation, the IETF standardized per cpu SAs
in RFC 9611. This patch implements the xfrm part of it.
We add the cpu as a lookup key for xfrm states and a config option
to generate acquire messages for each cpu.
With that, we can have on each cpu a SA with identical traffic selector
so that flows can be processed in parallel on all cpus.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Tested-by: Antony Antony <antony.antony@secunet.com>
Tested-by: Tobias Brunner <tobias@strongswan.org>
net: fill in MODULE_DESCRIPTION()s for af_key2024-02-09T22:12:01ZBreno Leitaoleitao@debian.org2024-02-08T16:42:38Zurn:sha1:6e2cf0eb6926a5c51bba0aca819e91d7265c849c
W=1 builds now warn if module is built without a MODULE_DESCRIPTION().
Add descriptions to the PF_KEY socket helpers.
Signed-off-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240208164244.3818498-4-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net2023-08-18T19:44:56ZJakub Kicinskikuba@kernel.org2023-08-18T19:44:22Zurn:sha1:7ff57803d24e0cb326251489d70f60462e3e6c04
Cross-merge networking fixes after downstream PR.
Conflicts:
drivers/net/ethernet/sfc/tc.c
fa165e194997 ("sfc: don't unregister flow_indr if it was never registered")
3bf969e88ada ("sfc: add MAE table machinery for conntrack table")
https://lore.kernel.org/all/20230818112159.7430e9b4@canb.auug.org.au/
No adjacent changes.
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Merge tag 'ipsec-next-2023-07-19' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next2023-07-20T03:36:16ZJakub Kicinskikuba@kernel.org2023-07-20T03:36:15Zurn:sha1:567b12fe7c7ed9d0de58227e8ada15aa3fce3c4c
Steffen Klassert says:
====================
pull request (net-next): ipsec-next 2023-07-19
Just a leftover from the last development cycle:
1) delete a clear to zero of encap_oa, it is not needed anymore.
From Leon Romanovsky.
* tag 'ipsec-next-2023-07-19' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next:
xfrm: delete not-needed clear to zero of encap_oa
====================
Link: https://lore.kernel.org/r/20230719100228.373055-1-steffen.klassert@secunet.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net: af_key: fix sadb_x_filter validation2023-06-29T08:47:29ZLin Malinma@zju.edu.cn2023-06-27T03:39:54Zurn:sha1:75065a8929069bc93181848818e23f147a73f83a
When running xfrm_state_walk_init(), the xfrm_address_filter being used
is okay to have a splen/dplen that equals to sizeof(xfrm_address_t)<<3.
This commit replaces >= to > to make sure the boundary checking is
correct.
Fixes: 37bd22420f85 ("af_key: pfkey_dump needs parameter validation")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)2023-06-24T22:50:13ZDavid Howellsdhowells@redhat.com2023-06-23T22:55:12Zurn:sha1:dc97391e661009eab46783030d2404c9b6e6f2e7
Remove ->sendpage() and ->sendpage_locked(). sendmsg() with
MSG_SPLICE_PAGES should be used instead. This allows multiple pages and
multipage folios to be passed through.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for net/can
cc: Jens Axboe <axboe@kernel.dk>
cc: Matthew Wilcox <willy@infradead.org>
cc: linux-afs@lists.infradead.org
cc: mptcp@lists.linux.dev
cc: rds-devel@oss.oracle.com
cc: tipc-discussion@lists.sourceforge.net
cc: virtualization@lists.linux-foundation.org
Link: https://lore.kernel.org/r/20230623225513.2732256-16-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
xfrm: delete not-needed clear to zero of encap_oa2023-06-09T07:19:11ZLeon Romanovskyleonro@nvidia.com2023-06-06T10:23:06Zurn:sha1:a94fd40a18ae76ba76dbaa8eca0e3c46aa1142c1
After commit 2f4796518315 ("af_key: Fix heap information leak"), there is
no need to clear encap_oa again as it is already initialized to zero.
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
af_key: Reject optional tunnel/BEET mode templates in outbound policies2023-05-10T05:04:51ZTobias Brunnertobias@strongswan.org2023-05-09T09:00:06Zurn:sha1:cf3128a7aca55b2eefb68281d44749c683bdc96f
xfrm_state_find() uses `encap_family` of the current template with
the passed local and remote addresses to find a matching state.
If an optional tunnel or BEET mode template is skipped in a mixed-family
scenario, there could be a mismatch causing an out-of-bounds read as
the addresses were not replaced to match the family of the next template.
While there are theoretical use cases for optional templates in outbound
policies, the only practical one is to skip IPComp states in inbound
policies if uncompressed packets are received that are handled by an
implicitly created IPIP state instead.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>