4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Dec 2016 15:53:41 +0000 (16:53 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 9 Dec 2016 15:53:41 +0000 (16:53 +0100)
added patches:
esp4-fix-integrity-verification-when-esn-are-used.patch
esp6-fix-integrity-verification-when-esn-are-used.patch
ipv4-set-skb-protocol-properly-for-local-output.patch
ipv6-set-skb-protocol-properly-for-local-output.patch

queue-4.4/esp4-fix-integrity-verification-when-esn-are-used.patch [new file with mode: 0644]
queue-4.4/esp6-fix-integrity-verification-when-esn-are-used.patch [new file with mode: 0644]
queue-4.4/ipv4-set-skb-protocol-properly-for-local-output.patch [new file with mode: 0644]
queue-4.4/ipv6-set-skb-protocol-properly-for-local-output.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/esp4-fix-integrity-verification-when-esn-are-used.patch b/queue-4.4/esp4-fix-integrity-verification-when-esn-are-used.patch
new file mode 100644 (file)
index 0000000..49f4bc6
--- /dev/null
@@ -0,0 +1,33 @@
+From 7c7fedd51c02f4418e8b2eed64bdab601f882aa4 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 29 Nov 2016 17:05:20 +0100
+Subject: esp4: Fix integrity verification when ESN are used
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+commit 7c7fedd51c02f4418e8b2eed64bdab601f882aa4 upstream.
+
+When handling inbound packets, the two halves of the sequence number
+stored on the skb are already in network order.
+
+Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/esp4.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -476,7 +476,7 @@ static int esp_input(struct xfrm_state *
+               esph = (void *)skb_push(skb, 4);
+               *seqhi = esph->spi;
+               esph->spi = esph->seq_no;
+-              esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
++              esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
+               aead_request_set_callback(req, 0, esp_input_done_esn, skb);
+       }
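Review bot: The corrected assignment `esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;` in esp_input() has no comment saying the stored value is already in network byte order, which is the only thing that distinguishes it from the line it replaces; the identical change in esp6_input() in the esp6 patch has the same gap. I would add `/* seq.input.hi is already in network byte order, do not htonl() it */` above the assignment in both files. Because htonl(0) is 0, the old code presumably verified correctly until the high 32 bits of the sequence number became non-zero, so a regression test for this path needs an SA whose ESN high half is non-zero. Running sparse with endian checking should also flag a byte swap of this field, assuming it is annotated as big-endian. Both function bodies start and end outside the hunks.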
diff --git a/queue-4.4/esp6-fix-integrity-verification-when-esn-are-used.patch b/queue-4.4/esp6-fix-integrity-verification-when-esn-are-used.patch
new file mode 100644 (file)
index 0000000..632cb3d
--- /dev/null
@@ -0,0 +1,33 @@
+From a55e23864d381c5a4ef110df94b00b2fe121a70d Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 29 Nov 2016 17:05:25 +0100
+Subject: esp6: Fix integrity verification when ESN are used
+
+From: Tobias Brunner <tobias@strongswan.org>
+
+commit a55e23864d381c5a4ef110df94b00b2fe121a70d upstream.
+
+When handling inbound packets, the two halves of the sequence number
+stored on the skb are already in network order.
+
+Fixes: 000ae7b2690e ("esp6: Switch to new AEAD interface")
+Signed-off-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/esp6.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -418,7 +418,7 @@ static int esp6_input(struct xfrm_state
+               esph = (void *)skb_push(skb, 4);
+               *seqhi = esph->spi;
+               esph->spi = esph->seq_no;
+-              esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.input.hi);
++              esph->seq_no = XFRM_SKB_CB(skb)->seq.input.hi;
+               aead_request_set_callback(req, 0, esp_input_done_esn, skb);
+       }
diff --git a/queue-4.4/ipv4-set-skb-protocol-properly-for-local-output.patch b/queue-4.4/ipv4-set-skb-protocol-properly-for-local-output.patch
new file mode 100644 (file)
index 0000000..8ebf570
--- /dev/null
@@ -0,0 +1,39 @@
+From f4180439109aa720774baafdd798b3234ab1a0d2 Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Thu, 1 Dec 2016 10:05:10 +0800
+Subject: ipv4: Set skb->protocol properly for local output
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit f4180439109aa720774baafdd798b3234ab1a0d2 upstream.
+
+When xfrm is applied to TSO/GSO packets, it follows this path:
+
+    xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
+
+where skb_gso_segment() relies on skb->protocol to function properly.
+
+This patch sets skb->protocol to ETH_P_IP before dst_output() is called,
+fixing a bug where GSO packets sent through a sit tunnel are dropped
+when xfrm is involved.
+
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_output.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -102,6 +102,9 @@ int __ip_local_out(struct net *net, stru
+       iph->tot_len = htons(skb->len);
+       ip_send_check(iph);
++
++      skb->protocol = htons(ETH_P_IP);
++
+       return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT,
+                      net, sk, skb, NULL, skb_dst(skb)->dev,
+                      dst_output);
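Review bot: The added `skb->protocol = htons(ETH_P_IP);` in __ip_local_out() has no comment explaining why an output helper overwrites skb->protocol unconditionally; the reason exists only in the commit message, and the matching `skb->protocol = htons(ETH_P_IPV6);` in __ip6_local_out() in the ipv6 patch has the same gap. I would put `/* xfrm_output_gso() -> skb_gso_segment() relies on skb->protocol */` above the assignment in both places. The two hunks also differ in blank-line placement around the assignment (before and after in ip_output.c, after only in output_core.c), which could be made uniform. Both function bodies start outside the hunks.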
diff --git a/queue-4.4/ipv6-set-skb-protocol-properly-for-local-output.patch b/queue-4.4/ipv6-set-skb-protocol-properly-for-local-output.patch
new file mode 100644 (file)
index 0000000..5cff552
--- /dev/null
@@ -0,0 +1,38 @@
+From b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Thu, 1 Dec 2016 10:05:11 +0800
+Subject: ipv6: Set skb->protocol properly for local output
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 upstream.
+
+When xfrm is applied to TSO/GSO packets, it follows this path:
+
+    xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
+
+where skb_gso_segment() relies on skb->protocol to function properly.
+
+This patch sets skb->protocol to ETH_P_IPV6 before dst_output() is called,
+fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
+when xfrm is involved.
+
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/output_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -148,6 +148,8 @@ int __ip6_local_out(struct net *net, str
+       ipv6_hdr(skb)->payload_len = htons(len);
+       IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
++      skb->protocol = htons(ETH_P_IPV6);
++
+       return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
+                      net, sk, skb, NULL, skb_dst(skb)->dev,
+                      dst_output);
index 5921de3c5b1544d5db51fb8e18125b0811543b51..09e6f3520dbcdfdd9a6314620abd41987fdcf977 100644 (file)
@@ -22,3 +22,7 @@ sparc64-fix-find_node-warning-if-numa-node-cannot-be-found.patch
 sparc64-fix-compile-warning-section-mismatch-in-find_node.patch
 don-t-feed-anything-but-regular-iovec-s-to-blk_rq_map_user_iov.patch
 constify-iov_iter_count-and-iter_is_iovec.patch
+ipv6-set-skb-protocol-properly-for-local-output.patch
+ipv4-set-skb-protocol-properly-for-local-output.patch
+esp4-fix-integrity-verification-when-esn-are-used.patch
+esp6-fix-integrity-verification-when-esn-are-used.patch