Patch "xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 2 Feb 2025 09:25:29 -0500

This is a note to let you know that I've just added the patch titled

    xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xfrm-replay-fix-the-update-of-replay_esn-oseq_hi-for.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7f94be6829b56829e7c817af9d8e6e59b8a87553
Author: Jianbo Liu <jianbol@xxxxxxxxxx>
Date:   Tue Nov 12 14:10:31 2024 +0200

    xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO
    
    [ Upstream commit c05c5e5aa163f4682ca97a2f0536575fc7dbdecb ]
    
    When skb needs GSO and wrap around happens, if xo->seq.low (seqno of
    the first skb segment) is before the last seq number but oseq (seqno
    of the last segment) is after it, xo->seq.low is still bigger than
    replay_esn->oseq while oseq is smaller than it, so the update of
    replay_esn->oseq_hi is missed for this case wrap around because of
    the change in the cited commit.
    
    For example, if sending a packet with gso_segs=3 while old
    replay_esn->oseq=0xfffffffe, we calculate:
        xo->seq.low = 0xfffffffe + 1 = 0x0xffffffff
        oseq = 0xfffffffe + 3 = 0x1
    (oseq < replay_esn->oseq) is true, but (xo->seq.low <
    replay_esn->oseq) is false, so replay_esn->oseq_hi is not incremented.
    
    To fix this issue, change the outer checking back for the update of
    replay_esn->oseq_hi. And add new checking inside for the update of
    packet's oseq_hi.
    
    Fixes: 4b549ccce941 ("xfrm: replay: Fix ESN wrap around for GSO")
    Signed-off-by: Jianbo Liu <jianbol@xxxxxxxxxx>
    Reviewed-by: Patrisious Haddad <phaddad@xxxxxxxxxx>
    Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxx>
    Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 49dd788859d8b..6f6a18dc375b7 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -714,10 +714,12 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
 			oseq += skb_shinfo(skb)->gso_segs;
 		}
 
-		if (unlikely(xo->seq.low < replay_esn->oseq)) {
-			XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi;
-			xo->seq.hi = oseq_hi;
-			replay_esn->oseq_hi = oseq_hi;
+		if (unlikely(oseq < replay_esn->oseq)) {
+			replay_esn->oseq_hi = ++oseq_hi;
+			if (xo->seq.low < replay_esn->oseq) {
+				XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
+				xo->seq.hi = oseq_hi;
+			}
 			if (replay_esn->oseq_hi == 0) {
 				replay_esn->oseq--;
 				replay_esn->oseq_hi--;







