On Tue, Apr 12, 2022 at 09:33:58AM +0200, Tobias Brunner wrote:
> From: Xin Long <lucien.xin@xxxxxxxxx>
>
> commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
>
> In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> it would take 'priority' to make a policy unique, and allow duplicated
> policies with different 'priority' to be added, which is not expected
> by userland, as Tobias reported in strongswan.
>
> To fix this duplicated policies issue, and also fix the issue in
> commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> when doing add/del/get/update on user interfaces, this patch is to change
> to look up a policy with both mark and mask by doing:
>
> mark.v == pol->mark.v && mark.m == pol->mark.m
>
> and leave the check:
>
> (mark & pol->mark.m) == pol->mark.v
>
> for tx/rx path only.
>
> As the userland expects an exact mark and mask match to manage policies.
>
> v1->v2:
> - make xfrm_policy_mark_match inline and fix the changelog as
> Tobias suggested.
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 4.19.x
> Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
> Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
> Reported-by: Tobias Brunner <tobias@xxxxxxxxxxxxxx>
> Tested-by: Tobias Brunner <tobias@xxxxxxxxxxxxxx>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>
> Signed-off-by: Steffen Klassert <steffen.klassert@xxxxxxxxxxx>
> ---
> This is a backport to 4.19.x of a fix that has already been applied
> to newer stable kernels. However, due to conflicts it was never
> included in the 4.x trees, which all contain backports of the
> problematic commit referenced above (ed17b8d377ea). So they all are
> prone to creating duplicate IPsec policies with priority updates.
All 3 now queued up, thanks.
greg k-h
