git.ipfire.org Git - thirdparty/kernel/linux.git/commit
icmp: fix ICMP error source address when xfrm policy matches
author Antony Antony <antony.antony@secunet.com>
Thu, 26 Feb 2026 10:27:51 +0000 (11:27 +0100)
committer Jakub Kicinski <kuba@kernel.org>
Sat, 28 Feb 2026 23:08:15 +0000 (15:08 -0800)
commit 595da751c8222ca957cfdc0161d9845a75c67046
tree 3e56cc680649f05f93a5cdfda5634fb3575abc91
parent d578b4729399979f14f7ddd6a80e3ae0832c2e0c

When an IPsec gateway generates an ICMP error (e.g., Destination Host
Unreachable), the source address incorrectly shows the unreachable
destination instead of the gateway's address. IPv6 behaves correctly.

Before fix:
  ping 10.1.6.3
  From 10.1.6.3 icmp_seq=1 Destination Host Unreachable
  (wrong - 10.1.6.3 is the unreachable host)

After fix:
  ping 10.1.6.3
  From 10.1.5.2 icmp_seq=1 Destination Host Unreachable
  (correct - 10.1.5.2 is the gateway)

The fix removes the memcpy that overwrote fl4 with fl4_dec after
xfrm_lookup(). A follow-up commit adds a selftest.

Fixes: 415b3334a21a ("icmp: Fix regression in nexthop resolution during replies.")
Cc: stable+noautosel@kernel.org # Avoid false positives in tests
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Acked-by: Tobias Brunner <tobias@strongswan.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/19a0156ff6e76baa323a81d710510d399a6ff63a.1772101380.git.antony.antony@secunet.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/ipv4/icmp.c