On Tue, Apr 12, 2022 at 09:33:58AM +0200, Tobias Brunner wrote:
From: Xin Long lucien.xin@gmail.com
commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"), it would take 'priority' to make a policy unique, and allow duplicated policies with different 'priority' to be added, which is not expected by userland, as Tobias reported in strongswan.
To fix this duplicated policies issue, and also fix the issue in commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"), when doing add/del/get/update on user interfaces, this patch is to change to look up a policy with both mark and mask by doing:
mark.v == pol->mark.v && mark.m == pol->mark.m
and leave the check:
(mark & pol->mark.m) == pol->mark.v
for tx/rx path only.
As the userland expects an exact mark and mask match to manage policies.
v1->v2:
- make xfrm_policy_mark_match inline and fix the changelog as Tobias suggested.
Cc: stable@vger.kernel.org # 4.19.x Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark") Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list") Reported-by: Tobias Brunner tobias@strongswan.org Tested-by: Tobias Brunner tobias@strongswan.org Signed-off-by: Xin Long lucien.xin@gmail.com Signed-off-by: Steffen Klassert steffen.klassert@secunet.com
This is a backport to 4.19.x of a fix that has already been applied to newer stable kernels. However, due to conflicts it was never included in the 4.x trees, which all contain backports of the problematic commit referenced above (ed17b8d377ea). So they all are prone to creating duplicate IPsec policies with priority updates.
All 3 now queued up, thanks.
greg k-h