Merge tag 'ipsec-next-2024-11-15' of git://git.kernel.org/pub/scm/linux/kernel/git...
authorDavid S. Miller <[email protected]>
Mon, 18 Nov 2024 11:52:49 +0000 (11:52 +0000)
committerDavid S. Miller <[email protected]>
Mon, 18 Nov 2024 11:52:49 +0000 (11:52 +0000)
Steffen Klassert says:

====================

ipsec-next-11-15

1) Add support for RFC 9611 per cpu xfrm state handling.

2) Add inbound and outbound xfrm state caches to speed up
   state lookups.

3) Convert xfrm to dscp_t. From Guillaume Nault.

4) Fix error handling in build_aevent.
   From Everest K.C.

5) Replace strncpy with strscpy_pad in copy_to_user_auth.
   From Daniel Yang.

6) Fix an uninitialized symbol during acquire state insertion.
====================

Signed-off-by: David S. Miller <[email protected]>
net/xfrm/xfrm_user.c

diff --combined net/xfrm/xfrm_user.c
index e0dd9dfd71c29f0fb02d575a951c1f09081b77c3,6b0800c7c75e2e352ba663696ff5a0fd708a1c55..b2876e09328b6296958e994f0ed3a504559245ce
@@@ -200,7 -200,7 +200,7 @@@ static int verify_newsa_info(struct xfr
                             struct netlink_ext_ack *extack)
  {
        int err;
 -      u8 sa_dir = attrs[XFRMA_SA_DIR] ? nla_get_u8(attrs[XFRMA_SA_DIR]) : 0;
 +      u8 sa_dir = nla_get_u8_default(attrs[XFRMA_SA_DIR], 0);
        u16 family = p->sel.family;
  
        err = -EINVAL;
                }
        }
  
+       if (!sa_dir && attrs[XFRMA_SA_PCPU]) {
+               NL_SET_ERR_MSG(extack, "SA_PCPU only supported with SA_DIR");
+               err = -EINVAL;
+               goto out;
+       }
  out:
        return err;
  }
@@@ -767,8 -773,10 +773,8 @@@ static void xfrm_smark_init(struct nlat
  {
        if (attrs[XFRMA_SET_MARK]) {
                m->v = nla_get_u32(attrs[XFRMA_SET_MARK]);
 -              if (attrs[XFRMA_SET_MARK_MASK])
 -                      m->m = nla_get_u32(attrs[XFRMA_SET_MARK_MASK]);
 -              else
 -                      m->m = 0xffffffff;
 +              m->m = nla_get_u32_default(attrs[XFRMA_SET_MARK_MASK],
 +                                         0xffffffff);
        } else {
                m->v = m->m = 0;
        }
@@@ -839,6 -847,12 +845,12 @@@ static struct xfrm_state *xfrm_state_co
                x->nat_keepalive_interval =
                        nla_get_u32(attrs[XFRMA_NAT_KEEPALIVE_INTERVAL]);
  
+       if (attrs[XFRMA_SA_PCPU]) {
+               x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
+               if (x->pcpu_num >= num_possible_cpus())
+                       goto error;
+       }
        err = __xfrm_init_state(x, false, attrs[XFRMA_OFFLOAD_DEV], extack);
        if (err)
                goto error;
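Review bot: The new XFRMA_SA_PCPU range check in xfrm_state_construct jumps to `error` without assigning `err` or setting an extack message. The start of the function and its `error:` label are outside the hunk, so the value `err` holds at this point is not visible; if it is still 0 from an earlier successful call, the caller would see a failed construction with no error code. The equivalent checks in xfrm_alloc_userspi and xfrm_add_acquire both set `err = -EINVAL` before bailing out. Doing the same here, e.g. `err = -EINVAL; NL_SET_ERR_MSG(extack, "SA_PCPU out of range"); goto error;` inside a braced branch, keeps the three sites consistent and makes rejection of an out-of-range userspace value explicit.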
@@@ -1087,7 -1101,7 +1099,7 @@@ static int copy_to_user_auth(struct xfr
        if (!nla)
                return -EMSGSIZE;
        algo = nla_data(nla);
-       strncpy(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
+       strscpy_pad(algo->alg_name, auth->alg_name, sizeof(algo->alg_name));
  
        if (redact_secret && auth->alg_key_len)
                memset(algo->alg_key, 0, (auth->alg_key_len + 7) / 8);
@@@ -1294,6 -1308,11 +1306,11 @@@ static int copy_to_user_state_extra(str
                if (ret)
                        goto out;
        }
+       if (x->pcpu_num != UINT_MAX) {
+               ret = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num);
+               if (ret)
+                       goto out;
+       }
        if (x->dir)
                ret = nla_put_u8(skb, XFRMA_SA_DIR, x->dir);
  
@@@ -1698,6 -1717,7 +1715,7 @@@ static int xfrm_alloc_userspi(struct sk
        u32 mark;
        struct xfrm_mark m;
        u32 if_id = 0;
+       u32 pcpu_num = UINT_MAX;
  
        p = nlmsg_data(nlh);
        err = verify_spi_info(p->info.id.proto, p->min, p->max, extack);
        if (attrs[XFRMA_IF_ID])
                if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
  
+       if (attrs[XFRMA_SA_PCPU]) {
+               pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
+               if (pcpu_num >= num_possible_cpus()) {
+                       err = -EINVAL;
+                       goto out_noput;
+               }
+       }
        if (p->info.seq) {
-               x = xfrm_find_acq_byseq(net, mark, p->info.seq);
+               x = xfrm_find_acq_byseq(net, mark, p->info.seq, pcpu_num);
                if (x && !xfrm_addr_equal(&x->id.daddr, daddr, family)) {
                        xfrm_state_put(x);
                        x = NULL;
  
        if (!x)
                x = xfrm_find_acq(net, &m, p->info.mode, p->info.reqid,
-                                 if_id, p->info.id.proto, daddr,
+                                 if_id, pcpu_num, p->info.id.proto, daddr,
                                  &p->info.saddr, 1,
                                  family);
        err = -ENOENT;
@@@ -2524,7 -2552,8 +2550,8 @@@ static inline unsigned int xfrm_aevent_
               + nla_total_size(sizeof(struct xfrm_mark))
               + nla_total_size(4) /* XFRM_AE_RTHR */
               + nla_total_size(4) /* XFRM_AE_ETHR */
-              + nla_total_size(sizeof(x->dir)); /* XFRMA_SA_DIR */
+              + nla_total_size(sizeof(x->dir)) /* XFRMA_SA_DIR */
+              + nla_total_size(4); /* XFRMA_SA_PCPU */
  }
  
  static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
        err = xfrm_if_id_put(skb, x->if_id);
        if (err)
                goto out_cancel;
+       if (x->pcpu_num != UINT_MAX) {
+               err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num);
+               if (err)
+                       goto out_cancel;
+       }
  
        if (x->dir) {
                err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir);
@@@ -2850,6 -2884,13 +2882,13 @@@ static int xfrm_add_acquire(struct sk_b
  
        xfrm_mark_get(attrs, &mark);
  
+       if (attrs[XFRMA_SA_PCPU]) {
+               x->pcpu_num = nla_get_u32(attrs[XFRMA_SA_PCPU]);
+               err = -EINVAL;
+               if (x->pcpu_num >= num_possible_cpus())
+                       goto free_state;
+       }
        err = verify_newpolicy_info(&ua->policy, extack);
        if (err)
                goto free_state;
@@@ -3180,6 -3221,7 +3219,7 @@@ const struct nla_policy xfrma_policy[XF
        [XFRMA_MTIMER_THRESH]   = { .type = NLA_U32 },
        [XFRMA_SA_DIR]          = NLA_POLICY_RANGE(NLA_U8, XFRM_SA_DIR_IN, XFRM_SA_DIR_OUT),
        [XFRMA_NAT_KEEPALIVE_INTERVAL] = { .type = NLA_U32 },
+       [XFRMA_SA_PCPU]         = { .type = NLA_U32 },
  };
  EXPORT_SYMBOL_GPL(xfrma_policy);
  
@@@ -3243,6 -3285,20 +3283,20 @@@ static int xfrm_reject_unused_attr(int 
                }
        }
  
+       if (attrs[XFRMA_SA_PCPU]) {
+               switch (type) {
+               case XFRM_MSG_NEWSA:
+               case XFRM_MSG_UPDSA:
+               case XFRM_MSG_ALLOCSPI:
+               case XFRM_MSG_ACQUIRE:
+                       break;
+               default:
+                       NL_SET_ERR_MSG(extack, "Invalid attribute SA_PCPU");
+                       return -EINVAL;
+               }
+       }
        return 0;
  }
  
@@@ -3346,7 -3402,8 +3400,8 @@@ static inline unsigned int xfrm_expire_
  {
        return NLMSG_ALIGN(sizeof(struct xfrm_user_expire)) +
               nla_total_size(sizeof(struct xfrm_mark)) +
-              nla_total_size(sizeof_field(struct xfrm_state, dir));
+              nla_total_size(sizeof_field(struct xfrm_state, dir)) +
+              nla_total_size(4); /* XFRMA_SA_PCPU */
  }
  
  static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
        err = xfrm_if_id_put(skb, x->if_id);
        if (err)
                return err;
+       if (x->pcpu_num != UINT_MAX) {
+               err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num);
+               if (err)
+                       return err;
+       }
  
        if (x->dir) {
                err = nla_put_u8(skb, XFRMA_SA_DIR, x->dir);
@@@ -3479,6 -3541,8 +3539,8 @@@ static inline unsigned int xfrm_sa_len(
        }
        if (x->if_id)
                l += nla_total_size(sizeof(x->if_id));
+       if (x->pcpu_num)
+               l += nla_total_size(sizeof(x->pcpu_num));
  
        /* Must count x->lastused as it may become non-zero behind our back. */
        l += nla_total_size_64bit(sizeof(u64));
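Review bot: `if (x->pcpu_num)` in xfrm_sa_len does not match the condition used where the attribute is emitted: copy_to_user_state_extra, build_aevent, build_expire and build_acquire all test `x->pcpu_num != UINT_MAX`. With UINT_MAX as the "unset" sentinel, a state pinned to CPU 0 gets XFRMA_SA_PCPU written but no space reserved for it, while an unpinned state reserves space it never uses. If xfrm_sa_len sizes the skb that copy_to_user_state_extra fills (the callers are outside this hunk), the CPU 0 case risks an -EMSGSIZE failure when the state is dumped or notified. Changing the test to `if (x->pcpu_num != UINT_MAX)` would make sizing and emission agree. The body of xfrm_sa_len begins outside the hunk.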
@@@ -3585,6 -3649,7 +3647,7 @@@ static inline unsigned int xfrm_acquire
               + nla_total_size(sizeof(struct xfrm_user_tmpl) * xp->xfrm_nr)
               + nla_total_size(sizeof(struct xfrm_mark))
               + nla_total_size(xfrm_user_sec_ctx_size(x->security))
+              + nla_total_size(4) /* XFRMA_SA_PCPU */
               + userpolicy_type_attrsize();
  }
  
@@@ -3621,6 -3686,8 +3684,8 @@@ static int build_acquire(struct sk_buf
                err = xfrm_if_id_put(skb, xp->if_id);
        if (!err && xp->xdo.dev)
                err = copy_user_offload(&xp->xdo, skb);
+       if (!err && x->pcpu_num != UINT_MAX)
+               err = nla_put_u32(skb, XFRMA_SA_PCPU, x->pcpu_num);
        if (err) {
                nlmsg_cancel(skb, nlh);
                return err;