5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 Jun 2024 13:45:26 +0000 (15:45 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 Jun 2024 13:45:26 +0000 (15:45 +0200)
added patches:
vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch

queue-5.4/series
queue-5.4/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch [new file with mode: 0644]

index f38043fc7b837c34fd5c1d5039f614043afd42ec..69d098e4e9600c7ccae01d17e8be6525e613eeb5 100644 (file)
@@ -167,3 +167,4 @@ mmc-core-do-not-force-a-retune-before-rpmb-switch.patch
 io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch
 afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch
 nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch
+vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch
diff --git a/queue-5.4/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch b/queue-5.4/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch
new file mode 100644 (file)
index 0000000..e7dba7a
--- /dev/null
@@ -0,0 +1,62 @@
+From 1cd4bc987abb2823836cbb8f887026011ccddc8a Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Mon, 3 Jun 2024 10:59:26 +0200
+Subject: vxlan: Fix regression when dropping packets due to invalid src addresses
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 1cd4bc987abb2823836cbb8f887026011ccddc8a upstream.
+
+Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
+has recently been added to vxlan mainly in the context of source
+address snooping/learning so that when it is enabled, an entry in the
+FDB is not being created for an invalid address for the corresponding
+tunnel endpoint.
+
+Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in
+that it passed through whichever macs were set in the L2 header. It
+turns out that this change in behavior breaks setups, for example,
+Cilium with netkit in L3 mode for Pods as well as tunnel mode has been
+passing before the change in f58f45c1e5b9 for both vxlan and geneve.
+After mentioned change it is only passing for geneve as in case of
+vxlan packets are dropped due to vxlan_set_mac() returning false as
+source and destination macs are zero which for E/W traffic via tunnel
+is totally fine.
+
+Fix it by only opting into the is_valid_ether_addr() check in
+vxlan_set_mac() when in fact source address snooping/learning is
+actually enabled in vxlan. This is done by moving the check into
+vxlan_snoop(). With this change, the Cilium connectivity test suite
+passes again for both tunnel flavors.
+
+Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: David Bauer <mail@david-bauer.net>
+Cc: Ido Schimmel <idosch@nvidia.com>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: David Bauer <mail@david-bauer.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[ Backport note: vxlan snooping/learning not supported in 6.8 or older,
+  so commit is simply a revert. ]
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c |    4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1605,10 +1605,6 @@ static bool vxlan_set_mac(struct vxlan_d
+       if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr))
+               return false;
+-      /* Ignore packets from invalid src-address */
+-      if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
+-              return false;
+-
+       /* Get address from the outer IP header */
+       if (vxlan_get_sk_family(vs) == AF_INET) {
+               saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr;