On Tue, Apr 12, 2022 at 09:33:58AM +0200, Tobias Brunner wrote:
> From: Xin Long <lucien.xin@xxxxxxxxx>
>
> commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
>
> In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> it would take 'priority' to make a policy unique, and allow duplicated
> policies with different 'priority' to be added, which is not expected
> by userland, as Tobias reported in strongswan.
>
> To fix this duplicated policies issue, and also fix the issue in
> commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> when doing add/del/get/update on user interfaces, this patch is to change
> to look up a policy with both mark and mask by doing:
>
>   mark.v == pol->mark.v && mark.m == pol->mark.m
>
> and leave the check:
>
>   (mark & pol->mark.m) == pol->mark.v
>
> for tx/rx path only.
>
> As the userland expects an exact mark and mask match to manage policies.
>
> v1->v2:
>   - make xfrm_policy_mark_match inline and fix the changelog as
>     Tobias suggested.
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.19.x
> Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
> Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
> Reported-by: Tobias Brunner <tobias@xxxxxxxxxxxxxx>
> Tested-by: Tobias Brunner <tobias@xxxxxxxxxxxxxx>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
> ---
> This is a backport to 4.19.x of a fix that has already been applied
> to newer stable kernels. However, due to conflicts it was never
> included in the 4.x trees, which all contain backports of the
> problematic commit referenced above (ed17b8d377ea). So they all are
> prone to creating duplicate IPsec policies with priority updates.

All 3 now queued up, thanks.

greg k-h
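The two match rules the commit message contrasts, as an added example that is not the kernel's or the patch's code: simplified stand-ins for struct xfrm_mark and struct xfrm_policy with hypothetical names (policy_mark_match_exact, policy_mark_match_packet, spd_insert, spd_packet_matches) show why an exact mark-and-mask lookup on the control path turns a priority update into an update of the existing policy rather than a duplicate, while the masked check is still what packets are matched against on the data path.

```c
#include <stdbool.h>
#include <stdint.h>

struct mark { uint32_t v, m; };   /* value and mask; stand-in for xfrm_mark (example, not kernel code) */
struct policy { struct mark mark; uint32_t priority; bool in_use; };

/* Control path (add/del/get/update): value AND mask must match exactly. */
static bool policy_mark_match_exact(const struct mark *mark, const struct policy *pol) {
	return mark->v == pol->mark.v && mark->m == pol->mark.m;
}

/* Data path (tx/rx): the packet mark, masked by the policy's mask, equals its value. */
static bool policy_mark_match_packet(uint32_t skb_mark, const struct policy *pol) {
	return (skb_mark & pol->mark.m) == pol->mark.v;
}

#define MAX_POLICIES 8
static struct policy spd[MAX_POLICIES];         /* toy SPD (constructed), zero-initialised */
static int spd_count;
/* Find a policy by exact mark/mask, ignoring priority; -1 if absent. */
static int spd_lookup(const struct mark *mark) {
	for (int i = 0; i < MAX_POLICIES; i++)
		if (spd[i].in_use && policy_mark_match_exact(mark, &spd[i]))
			return i;
	return -1;
}

/* Add or update: the same mark/mask with a new priority updates the existing
 * entry instead of adding a duplicate. Returns the policy count, -1 if full. */
static int spd_insert(struct mark mark, uint32_t priority) {
	int i = spd_lookup(&mark);
	if (i < 0) {
		for (i = 0; i < MAX_POLICIES && spd[i].in_use; i++)
			;
		if (i == MAX_POLICIES)
			return -1;
		spd[i] = (struct policy){ .mark = mark, .in_use = true };
		spd_count++;
	}
	spd[i].priority = priority;
	return spd_count;
}

/* How many policies a packet carrying skb_mark matches on the data path. */
static int spd_packet_matches(uint32_t skb_mark) {
	int n = 0;
	for (int i = 0; i < MAX_POLICIES; i++)
		n += spd[i].in_use && policy_mark_match_packet(skb_mark, &spd[i]);
	return n;
}
```

Two policies that differ only in mask are distinct to the control path even though a packet with mark 0x1 matches both on the data path; a packet mark such as 0x11 is never found by the exact lookup because the control path does not apply the mask.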