| Message ID | 1655391299-10961-1-git-send-email-bodong@nvidia.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,F:linux-bluefield] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check | expand |
Tim/Alex, This is an urgent fix for us. Could you include it inside the past SRU cycle(June 15). The next one in July is too late for us. Thanks, Bodong -----Original Message----- From: Bodong Wang <bodong@nvidia.com> Sent: Thursday, June 16, 2022 9:55 AM To: kernel-team@lists.ubuntu.com Cc: Vladimir Sokolovsky <vlad@nvidia.com>; Bodong Wang <bodong@nvidia.com>; Raed Salem <raeds@nvidia.com>; Maor Dickman <maord@nvidia.com>; Emeel Hakim <ehakim@nvidia.com> Subject: [SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check From: Emeel Hakim <ehakim@nvidia.com> BugLink: https://bugs.launchpad.net/bugs/1978967 commit a3ca11eec78 introduced a flags validity check for xfrm, the check excluded flag XFRM_OFFLOAD_FULL from the check hence the flag is being blocked from getting to the kernel space. The above is preventing ipsec states from being added with the full_offload option hence the Failure. Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which allows the flag to get to kernel space as expected. Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags") Signed-off-by: Emeel Hakim <ehakim@nvidia.com> Signed-off-by: Bodong Wang <bodong@nvidia.com> --- net/xfrm/xfrm_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 8cb04de..40960c0 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, if (x->encap || x->tfcpad) return -EINVAL; - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | +XFRM_OFFLOAD_FULL)) return -EINVAL; dev = dev_get_by_index(net, xuo->ifindex); -- 1.8.3.1
+ Dann and German On Thu, Jun 16, 2022 at 10:59 AM Bodong Wang <bodong@nvidia.com> wrote: > Tim/Alex, > > This is an urgent fix for us. Could you include it inside the past SRU > cycle(June 15). The next one in July is too late for us. > > Thanks, > Bodong > > -----Original Message----- > From: Bodong Wang <bodong@nvidia.com> > Sent: Thursday, June 16, 2022 9:55 AM > To: kernel-team@lists.ubuntu.com > Cc: Vladimir Sokolovsky <vlad@nvidia.com>; Bodong Wang <bodong@nvidia.com>; > Raed Salem <raeds@nvidia.com>; Maor Dickman <maord@nvidia.com>; Emeel > Hakim <ehakim@nvidia.com> > Subject: [SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM > flags validity check > > From: Emeel Hakim <ehakim@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1978967 > > commit a3ca11eec78 introduced a flags validity check for xfrm, the check > excluded flag XFRM_OFFLOAD_FULL from the check hence the flag is being > blocked from getting to the kernel space. > The above is preventing ipsec states from being added with the > full_offload option hence the Failure. > > Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which allows > the flag to get to kernel space as expected. > > Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags") > Signed-off-by: Emeel Hakim <ehakim@nvidia.com> > Signed-off-by: Bodong Wang <bodong@nvidia.com> > --- > net/xfrm/xfrm_device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index > 8cb04de..40960c0 100644 > --- a/net/xfrm/xfrm_device.c > +++ b/net/xfrm/xfrm_device.c > @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct > xfrm_state *x, > if (x->encap || x->tfcpad) > return -EINVAL; > > - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) > + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | > +XFRM_OFFLOAD_FULL)) > return -EINVAL; > > dev = dev_get_by_index(net, xuo->ifindex); > -- > 1.8.3.1 > >
On 6/16/22 08:54, Bodong Wang wrote: > From: Emeel Hakim <ehakim@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1978967 > > commit a3ca11eec78 introduced a flags validity check for xfrm, > the check excluded flag XFRM_OFFLOAD_FULL from the check hence the > flag is being blocked from getting to the kernel space. > The above is preventing ipsec states from being added with the > full_offload option hence the Failure. > > Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which > allows the flag to get to kernel space as expected. > > Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags") > Signed-off-by: Emeel Hakim <ehakim@nvidia.com> > Signed-off-by: Bodong Wang <bodong@nvidia.com> > --- > net/xfrm/xfrm_device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c > index 8cb04de..40960c0 100644 > --- a/net/xfrm/xfrm_device.c > +++ b/net/xfrm/xfrm_device.c > @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, > if (x->encap || x->tfcpad) > return -EINVAL; > > - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) > + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | XFRM_OFFLOAD_FULL)) > return -EINVAL; > > dev = dev_get_by_index(net, xuo->ifindex); Acked-by: Tim Gardner <tim.gardner@canonical.com>
Hey Bodong, The past cycle (2022.05.09) is currently awaiting cert and Stakeholder sign-off. As it is at the end of its spin, we think it makes more sense instead to do this fix ontop of 2022.05.30 and just drop 2022.05.09. The earliest this could get out would be sometime late next week depending on cert and stakeholder sign-off. Would that be acceptable? -Zack On 6/16/22 10:59 AM, Bodong Wang wrote: > Tim/Alex, > > This is an urgent fix for us. Could you include it inside the past SRU cycle(June 15). The next one in July is too late for us. > > Thanks, > Bodong > > -----Original Message----- > From: Bodong Wang <bodong@nvidia.com> > Sent: Thursday, June 16, 2022 9:55 AM > To: kernel-team@lists.ubuntu.com > Cc: Vladimir Sokolovsky <vlad@nvidia.com>; Bodong Wang <bodong@nvidia.com>; Raed Salem <raeds@nvidia.com>; Maor Dickman <maord@nvidia.com>; Emeel Hakim <ehakim@nvidia.com> > Subject: [SRU][F:linux-bluefield][PATCH] UBUNTU: SAUCE: net/xfrm: Fix XFRM flags validity check > > From: Emeel Hakim <ehakim@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1978967 > > commit a3ca11eec78 introduced a flags validity check for xfrm, the check excluded flag XFRM_OFFLOAD_FULL from the check hence the flag is being blocked from getting to the kernel space. > The above is preventing ipsec states from being added with the full_offload option hence the Failure. > > Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which allows the flag to get to kernel space as expected. > > Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags") > Signed-off-by: Emeel Hakim <ehakim@nvidia.com> > Signed-off-by: Bodong Wang <bodong@nvidia.com> > --- > net/xfrm/xfrm_device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 8cb04de..40960c0 100644 > --- a/net/xfrm/xfrm_device.c > +++ b/net/xfrm/xfrm_device.c > @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, > if (x->encap || x->tfcpad) > return -EINVAL; > > - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) > + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | > +XFRM_OFFLOAD_FULL)) > return -EINVAL; > > dev = dev_get_by_index(net, xuo->ifindex); > -- > 1.8.3.1 > >
Acked-by: Zachary Tahenakos <zachary.tahenakos@canonical.com> On 6/16/22 10:54 AM, Bodong Wang wrote: > From: Emeel Hakim <ehakim@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1978967 > > commit a3ca11eec78 introduced a flags validity check for xfrm, > the check excluded flag XFRM_OFFLOAD_FULL from the check hence the > flag is being blocked from getting to the kernel space. > The above is preventing ipsec states from being added with the > full_offload option hence the Failure. > > Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which > allows the flag to get to kernel space as expected. > > Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags") > Signed-off-by: Emeel Hakim <ehakim@nvidia.com> > Signed-off-by: Bodong Wang <bodong@nvidia.com> > --- > net/xfrm/xfrm_device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c > index 8cb04de..40960c0 100644 > --- a/net/xfrm/xfrm_device.c > +++ b/net/xfrm/xfrm_device.c > @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, > if (x->encap || x->tfcpad) > return -EINVAL; > > - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) > + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | XFRM_OFFLOAD_FULL)) > return -EINVAL; > > dev = dev_get_by_index(net, xuo->ifindex);
Applied to f:bluefield/master-next. Thanks, Zack On 6/16/22 10:54 AM, Bodong Wang wrote: > From: Emeel Hakim <ehakim@nvidia.com> > > BugLink: https://bugs.launchpad.net/bugs/1978967 > > commit a3ca11eec78 introduced a flags validity check for xfrm, > the check excluded flag XFRM_OFFLOAD_FULL from the check hence the > flag is being blocked from getting to the kernel space. > The above is preventing ipsec states from being added with the > full_offload option hence the Failure. > > Fix by adding XFRM_OFFLOAD_FULL flag to the check statement which > allows the flag to get to kernel space as expected. > > Fixes: a3ca11eec78 ("xfrm: enforce validity of offload input flags") > Signed-off-by: Emeel Hakim <ehakim@nvidia.com> > Signed-off-by: Bodong Wang <bodong@nvidia.com> > --- > net/xfrm/xfrm_device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c > index 8cb04de..40960c0 100644 > --- a/net/xfrm/xfrm_device.c > +++ b/net/xfrm/xfrm_device.c > @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, > if (x->encap || x->tfcpad) > return -EINVAL; > > - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) > + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | XFRM_OFFLOAD_FULL)) > return -EINVAL; > > dev = dev_get_by_index(net, xuo->ifindex);
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c index 8cb04de..40960c0 100644 --- a/net/xfrm/xfrm_device.c +++ b/net/xfrm/xfrm_device.c @@ -206,7 +206,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x, if (x->encap || x->tfcpad) return -EINVAL; - if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND)) + if (xuo->flags & ~(XFRM_OFFLOAD_IPV6 | XFRM_OFFLOAD_INBOUND | XFRM_OFFLOAD_FULL)) return -EINVAL; dev = dev_get_by_index(net, xuo->ifindex);