parent
63680f3314
commit
530030f117
|
@ -3,6 +3,9 @@ linux (4.19.67-3) UNRELEASED; urgency=medium
|
|||
[ Romain Perier ]
|
||||
* [armel/rpi] Enable CONFIG_BRCMFMAC_SDIO (Closes: #940530)
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* ixgbe: Fix secpath usage for IPsec TX offload (Closes: #930443)
|
||||
|
||||
-- Romain Perier <romain.perier@gmail.com> Wed, 28 Aug 2019 13:28:09 +0200
|
||||
|
||||
linux (4.19.67-2+deb10u1) buster-security; urgency=high
|
||||
|
|
49
debian/patches/bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch
vendored
Normal file
49
debian/patches/bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch
vendored
Normal file
|
@ -0,0 +1,49 @@
|
|||
From: Steffen Klassert <steffen.klassert@secunet.com>
|
||||
Date: Thu, 12 Sep 2019 13:01:44 +0200
|
||||
Subject: ixgbe: Fix secpath usage for IPsec TX offload.
|
||||
Origin: https://git.kernel.org/linus/f39b683d35dfa93a58f1b400a8ec0ff81296b37c
|
||||
Bug-Debian: https://bugs.debian.org/930443
|
||||
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=204551
|
||||
|
||||
The ixgbe driver currently does IPsec TX offloading
|
||||
based on an existing secpath. However, the secpath
|
||||
can also come from the RX side, in this case it is
|
||||
misinterpreted for TX offload and the packets are
|
||||
dropped with a "bad sa_idx" error. Fix this by using
|
||||
the xfrm_offload() function to test for TX offload.
|
||||
|
||||
Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
|
||||
Reported-by: Michael Marley <michael@michaelmarley.com>
|
||||
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
[Salvatore Bonaccorso: Backport to 4.19.67: cherry-pick patch from 4.19.74
|
||||
release with adjusted context]
|
||||
---
|
||||
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
|
||||
index 410d5d3aa393..2c3da1516036 100644
|
||||
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
|
||||
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <net/tc_act/tc_mirred.h>
|
||||
#include <net/vxlan.h>
|
||||
#include <net/mpls.h>
|
||||
+#include <net/xfrm.h>
|
||||
|
||||
#include "ixgbe.h"
|
||||
#include "ixgbe_common.h"
|
||||
@@ -8599,7 +8600,8 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb,
|
||||
#endif /* IXGBE_FCOE */
|
||||
|
||||
#ifdef CONFIG_XFRM_OFFLOAD
|
||||
- if (skb->sp && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
|
||||
+ if (xfrm_offload(skb) &&
|
||||
+ !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
|
||||
goto out_drop;
|
||||
#endif
|
||||
tso = ixgbe_tso(tx_ring, first, &hdr_len, &ipsec_tx);
|
||||
--
|
||||
2.23.0
|
||||
|
|
@ -105,6 +105,7 @@ bugfix/all/mt76-use-the-correct-hweight8-function.patch
|
|||
bugfix/all/rtc-s35390a-set-uie_unsupported.patch
|
||||
bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch
|
||||
bugfix/all/xfs-fix-missing-ILOCK-unlock-when-xfs_setattr_nonsiz.patch
|
||||
bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
||||
|
|
Loading…
Reference in New Issue