| Message ID | 20230126102933.1245451-1-chopps@labn.net (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | xfrm: fix bug with DSCP copy to v6 from v4 tunnel | expand |
On Thu, Jan 26, 2023 at 05:29:34AM -0500, Christian Hopps wrote: > When copying the DSCP bits for decap-dscp into IPv6 don't assume the > outer encap is always IPv6. Instead, as with the inner IPv4 case, copy > the DSCP bits from the correctly saved "tos" value in the control block. > > fixes: 227620e29509 ("[IPSEC]: Separate inner/outer mode processing on input") The broken code apparently came from commit b3284df1c86f7ac078dcb8fb250fe3d6437e740c Author: Florian Westphal <fw@strlen.de> Date: Fri Mar 29 21:16:28 2019 +0100 xfrm: remove input2 indirection from xfrm_mode Please fix the Fixes header. Thanks,
Herbert Xu <herbert@gondor.apana.org.au> writes: > On Thu, Jan 26, 2023 at 05:29:34AM -0500, Christian Hopps wrote: >> When copying the DSCP bits for decap-dscp into IPv6 don't assume the >> outer encap is always IPv6. Instead, as with the inner IPv4 case, copy >> the DSCP bits from the correctly saved "tos" value in the control block. >> >> fixes: 227620e29509 ("[IPSEC]: Separate inner/outer mode processing on input") > > The broken code apparently came from > > commit b3284df1c86f7ac078dcb8fb250fe3d6437e740c > Author: Florian Westphal <fw@strlen.de> > Date: Fri Mar 29 21:16:28 2019 +0100 > > xfrm: remove input2 indirection from xfrm_mode > > Please fix the Fixes header. Yes that's what the immediate git blame points at; however, that code was copied from net/ipv6/xfrm6_mode_tunnel.c:xfrm6_tunnel_input() and that code arrived in: b59f45d0b2878 ("[IPSEC] xfrm: Abstract out encapsulation modes") Originally this code using a different sk_buff layout was from the initial git repo checkin. 1da177e4c3f41 ("Linux-2.6.12-rc2") Why don't I just remove the fixes line? I didn't want to include it initially anyway. Thanks, Chris. > > Thanks,
On Fri, Jan 27, 2023 at 07:31:54AM -0500, Christian Hopps wrote: > > Yes that's what the immediate git blame points at; however, that code was copied from net/ipv6/xfrm6_mode_tunnel.c:xfrm6_tunnel_input() and that code arrived in: > > b59f45d0b2878 ("[IPSEC] xfrm: Abstract out encapsulation modes") > > Originally this code using a different sk_buff layout was from the initial git repo checkin. > > 1da177e4c3f41 ("Linux-2.6.12-rc2") > > Why don't I just remove the fixes line? I didn't want to include it initially anyway. On closer inspection my patch was definitely buggy in that it would place some random value in the DSCP field. Previously the code simply didn't copy the TOS value across. Steffen, keeping the Fixes header is fine by me. Thanks,
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index c06e54a10540..436d29640ac2 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -279,8 +279,7 @@ static int xfrm6_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) goto out; if (x->props.flags & XFRM_STATE_DECAP_DSCP) - ipv6_copy_dscp(ipv6_get_dsfield(ipv6_hdr(skb)), - ipipv6_hdr(skb)); + ipv6_copy_dscp(XFRM_MODE_SKB_CB(skb)->tos, ipipv6_hdr(skb)); if (!(x->props.flags & XFRM_STATE_NOECN)) ipip6_ecn_decapsulate(skb);
When copying the DSCP bits for decap-dscp into IPv6 don't assume the outer encap is always IPv6. Instead, as with the inner IPv4 case, copy the DSCP bits from the correctly saved "tos" value in the control block. fixes: 227620e29509 ("[IPSEC]: Separate inner/outer mode processing on input") Signed-off-by: Christian Hopps <chopps@labn.net> --- net/xfrm/xfrm_input.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)