releases/4.19.31/xfrm-fix-inbound-traffic-via-xfrm-interfaces-across-.patch

   1 From 1d369f463431cc5607682c87b497fa7ed5ed5bbb Mon Sep 17 00:00:00 2001
   2 From: Tobias Brunner <tobias@strongswan.org>
   3 Date: Mon, 18 Feb 2019 10:49:39 +0100
   4 Subject: xfrm: Fix inbound traffic via XFRM interfaces across network
   5  namespaces
   6
   7 [ Upstream commit 660899ddf06ae8bb5bbbd0a19418b739375430c5 ]
   8
   9 After moving an XFRM interface to another namespace it stays associated
  10 with the original namespace (net in `struct xfrm_if` and the list keyed
  11 with `xfrmi_net_id`), allowing processes in the new namespace to use
  12 SAs/policies that were created in the original namespace.  For instance,
  13 this allows a keying daemon in one namespace to establish IPsec SAs for
  14 other namespaces without processes there having access to the keys or IKE
  15 credentials.
  16
  17 This worked fine for outbound traffic, however, for inbound traffic the
  18 lookup for the interfaces and the policies used the incorrect namespace
  19 (the one the XFRM interface was moved to).
  20
  21 Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
  22 Signed-off-by: Tobias Brunner <tobias@strongswan.org>
  23 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  24 Signed-off-by: Sasha Levin <sashal@kernel.org>
  25 ---
  26  net/xfrm/xfrm_interface.c | 4 ++--
  27  net/xfrm/xfrm_policy.c    | 4 +++-
  28  2 files changed, 5 insertions(+), 3 deletions(-)
  29
  30 diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
  31 index 6f05e831a73e..82723ef44db3 100644
  32 --- a/net/xfrm/xfrm_interface.c
  33 +++ b/net/xfrm/xfrm_interface.c
  34 @@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb)
  35         int ifindex;
  36         struct xfrm_if *xi;
  37
  38 -       if (!skb->dev)
  39 +       if (!secpath_exists(skb) || !skb->dev)
  40                 return NULL;
  41
  42 -       xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id);
  43 +       xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
  44         ifindex = skb->dev->ifindex;
  45
  46         for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
  47 diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
  48 index 6ea8036fcdbe..bf5d59270f79 100644
  49 --- a/net/xfrm/xfrm_policy.c
  50 +++ b/net/xfrm/xfrm_policy.c
  51 @@ -2340,8 +2340,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
  52
  53         if (ifcb) {
  54                 xi = ifcb->decode_session(skb);
  55 -               if (xi)
  56 +               if (xi) {
  57                         if_id = xi->p.if_id;
  58 +                       net = xi->net;
  59 +               }
  60         }
  61         rcu_read_unlock();
  62
  63 --
  64 2.19.1
  65