diff mbox series

Subject: [PATCH net] drivers: net: ixgbe: Fix *_ipsec_offload_ok():, Use ip_hdr family

Message ID 1581f61a-f405-008a-8f31-e9e696667d5a@secunet.com
State New
Headers show
Series Subject: [PATCH net] drivers: net: ixgbe: Fix *_ipsec_offload_ok():, Use ip_hdr family | expand

Commit Message

Christian Langrock Oct. 26, 2020, 2:44 p.m. UTC
Xfrm_dev_offload_ok() is called with the unencrypted SKB. So in case of
interfamily ipsec traffic (IPv4-in-IPv6 and IPv6 in IPv4) the check
assumes the wrong family of the skb (IP family of the state).
With this patch the ip header of the SKB is used to determine the
family.

Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-
 drivers/net/ethernet/intel/ixgbevf/ipsec.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

                        return false;

Comments

Jesse Brandeburg Oct. 26, 2020, 3:33 p.m. UTC | #1
Christian Langrock wrote:

Please fix your subject, remove the word 'Subject: '

> Xfrm_dev_offload_ok() is called with the unencrypted SKB. So in case of

> interfamily ipsec traffic (IPv4-in-IPv6 and IPv6 in IPv4) the check

> assumes the wrong family of the skb (IP family of the state).

> With this patch the ip header of the SKB is used to determine the

> family.

> 


missing "Fixes: " line? It's useful here because I think this looks
like a good candidate for stable bug fix.

> Signed-off-by: Christian Langrock <christian.langrock@secunet.com>

> ---

>  drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 2 +-

>  drivers/net/ethernet/intel/ixgbevf/ipsec.c     | 2 +-

>  2 files changed, 2 insertions(+), 2 deletions(-)


The patch looks ok otherwise, thanks!
diff mbox series

Patch

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index eca73526ac86..3601dd293463 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -813,7 +813,7 @@  static void ixgbe_ipsec_del_sa(struct xfrm_state *xs)
  **/
 static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct
xfrm_state *xs)
 {
-       if (xs->props.family == AF_INET) {
+       if (ip_hdr(skb)->version == 4) {
                /* Offload with IPv4 options is not supported yet */
                if (ip_hdr(skb)->ihl != 5)
                        return false;
diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
index 5170dd9d8705..b1d72d5d1744 100644
--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
@@ -418,7 +418,7 @@  static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
  **/
 static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct
xfrm_state *xs)
 {
-       if (xs->props.family == AF_INET) {
+       if (ip_hdr(skb)->version == 4) {
                /* Offload with IPv4 options is not supported yet */
                if (ip_hdr(skb)->ihl != 5)