Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.257 2026-01-19T12:11:24+00:00 2026-01-19T12:11:24+00:00 Sabrina Dubroca sd@queasysnail.net 2025-07-29T21:11:52+00:00 urn:sha1:1b28a7fae0128fa140a7dccd995182ff6cd1c67b [ Upstream commit b441cf3f8c4b8576639d20c8eb4aa32917602ecd ] The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked. Fixes: 9d4139c76905 ("netns xfrm: per-netns xfrm_state_all list") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-07-09T10:55:37+00:00 Xin Long lucien.xin@gmail.com 2020-07-06T12:01:36+00:00 urn:sha1:d5a7a5057387d79b91a6e2fd78a76ccd53f91e6c The child tunnel if_id will be used for xfrm interface's lookup when processing the IP(6)IP(6) packets in the next patches. Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2020-04-28T09:28:36+00:00 Sabrina Dubroca sd@queasysnail.net 2020-04-27T15:59:34+00:00 urn:sha1:0146dca70b877b73c5fd9c67912b8a0ca8a7bac7 This patch adds support for encapsulation of ESP over UDPv6. The code is very similar to the IPv4 encapsulation implementation, and allows to easily add espintcp on IPv6 as a follow-up. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-06-06T06:34:50+00:00 Florian Westphal fw@strlen.de 2019-05-03T15:46:19+00:00 urn:sha1:4f518e802ccad30c9dccc895f2294398757b87c0 Only a handful of xfrm_types exist, no need to have 512 pointers for them. Reduces size of afinfo struct from 4k to 120 bytes on 64bit platforms. Also, the unregister function doesn't need to return an error, no single caller does anything useful with it. Just place a WARN_ON() where needed instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2019-05-21T09:28:45+00:00 Thomas Gleixner tglx@linutronix.de 2019-05-19T13:51:43+00:00 urn:sha1:1ccea77e2a2687cae171b7987eb44730ec8c6d5f Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details you should have received a copy of the gnu general public license along with this program if not see http www gnu org licenses this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details [based] [from] [clk] [highbank] [c] you should have received a copy of the gnu general public license along with this program if not see http www gnu org licenses extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 355 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Jilayne Lovejoy <opensource@jilayne.com> Reviewed-by: Steve Winslow <swinslow@gmail.com> Reviewed-by: Allison Randal <allison@lohutok.net> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190519154041.837383322@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-11-04T18:45:23+00:00 Lorenzo Colitti lorenzo@google.com 2016-11-03T17:23:43+00:00 urn:sha1:e2d118a1cb5e60d077131a09db1d81b90a5295fe - Use the UID in routing lookups made by protocol connect() and sendmsg() functions. - Make sure that routing lookups triggered by incoming packets (e.g., Path MTU discovery) take the UID of the socket into account. - For packets not associated with a userspace socket, (e.g., ping replies) use UID 0 inside the user namespace corresponding to the network namespace the socket belongs to. This allows all namespaces to apply routing and iptables rules to kernel-originated traffic in that namespaces by matching UID 0. This is better than using the UID of the kernel socket that is sending the traffic, because the UID of kernel sockets created at namespace creation time (e.g., the per-processor ICMP and TCP sockets) is the UID of the user that created the socket, which might not be mapped in the namespace. Tested: compiles allnoconfig, allyesconfig, allmodconfig Tested: https://android-review.googlesource.com/253302 Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2014-08-25T05:37:52+00:00 Ian Morris ipm@chirality.org.uk 2014-08-24T20:53:11+00:00 urn:sha1:cc24becae3e87d7aa8238f4fcb29bfb68f7ffb97 This patch makes no changes to the logic of the code but simply addresses coding style issues as detected by checkpatch. Both objdump and diff -w show no differences. This patch addresses structure definitions, specifically it cleanses the brace placement and replaces spaces with tabs in a few places. Signed-off-by: Ian Morris <ipm@chirality.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> 2014-03-14T06:28:07+00:00 Steffen Klassert steffen.klassert@secunet.com 2014-03-14T06:28:07+00:00 urn:sha1:59b84351c0ee97501782988af5ec9c004c4d30ac Switch ipcomp6 to use the new IPsec protocol multiplexer. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2013-12-06T17:37:56+00:00 Jeff Kirsher jeffrey.t.kirsher@intel.com 2013-12-06T17:13:39+00:00 urn:sha1:a99421d9b1bf332d8eaebfe0ff17096a9f84d50b Several files refer to an old address for the Free Software Foundation in the file header comment. Resolve by replacing the address with the URL <http://www.gnu.org/licenses/> so that we do not have to keep updating the header comments anytime the address changes. CC: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> CC: James Morris <jmorris@namei.org> CC: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org> CC: Patrick McHardy <kaber@trash.net> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2013-09-16T07:45:32+00:00 Steffen Klassert steffen.klassert@secunet.com 2013-09-10T11:43:09+00:00 urn:sha1:b3b2b9e192d5811f91f9cd92aeec489cecabc92e Currently we update the pmtu in the IPsec protocol error handlers if icmpv6 message type is either ICMPV6_DEST_UNREACH or ICMPV6_PKT_TOOBIG. Updating the pmtu on ICMPV6_DEST_UNREACH is wrong in any case, it causes strangely fragmented packets. Only ICMPV6_PKT_TOOBIG signalizes pmtu discovery, so remove the ICMPV6_DEST_UNREACH check in the IPsec protocol error handlers. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>