releases/4.9.94/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Mon Apr  9 17:09:24 CEST 2018
 From: Antony Antony <antony@phenome.org>
 Date: Fri, 19 May 2017 12:47:00 +0200
 Subject: xfrm: fix state migration copy replay sequence numbers

 From: Antony Antony <antony@phenome.org>


 [ Upstream commit a486cd23661c9387fb076c3f6ae8b2aa9d20d54a ]

 During xfrm migration copy replay and preplay sequence numbers
 from the previous state.

 Here is a tcpdump output showing the problem.
 10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder.
 After the migration it sent wrong sequence number, reset to 1.
 The migration is from 10.0.0.52 to 10.0.0.53.

 IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136
 IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136
 IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136
 IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136

 IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa  inf2[I]
 IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa  inf2[R]
 IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa  inf2[I]
 IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa  inf2[R]

 IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136

 NOTE: next sequence is wrong 0x1

 IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136
 IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136
 IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136

 Signed-off-by: Antony Antony <antony@phenome.org>
 Reviewed-by: Richard Guy Briggs <rgb@tricolour.ca>
 Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/xfrm/xfrm_state.c |    2 ++
  1 file changed, 2 insertions(+)

 --- a/net/xfrm/xfrm_state.c
 +++ b/net/xfrm/xfrm_state.c
 @@ -1246,6 +1246,8 @@ static struct xfrm_state *xfrm_state_clo
  	x->curlft.add_time = orig->curlft.add_time;
  	x->km.state = orig->km.state;
  	x->km.seq = orig->km.seq;
 +	x->replay = orig->replay;
 +	x->preplay = orig->preplay;

  	return x;
	From foo@baz Mon Apr 9 17:09:24 CEST 2018
	From: Antony Antony <antony@phenome.org>
	Date: Fri, 19 May 2017 12:47:00 +0200
	Subject: xfrm: fix state migration copy replay sequence numbers

	From: Antony Antony <antony@phenome.org>


	[ Upstream commit a486cd23661c9387fb076c3f6ae8b2aa9d20d54a ]

	During xfrm migration copy replay and preplay sequence numbers
	from the previous state.

	Here is a tcpdump output showing the problem.
	10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder.
	After the migration it sent wrong sequence number, reset to 1.
	The migration is from 10.0.0.52 to 10.0.0.53.

	IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136
	IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136
	IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136
	IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136

	IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I]
	IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R]
	IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I]
	IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R]

	IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136

	NOTE: next sequence is wrong 0x1

	IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136
	IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136
	IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136

	Signed-off-by: Antony Antony <antony@phenome.org>
	Reviewed-by: Richard Guy Briggs <rgb@tricolour.ca>
	Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/xfrm/xfrm_state.c \| 2 ++
	1 file changed, 2 insertions(+)

	--- a/net/xfrm/xfrm_state.c
	+++ b/net/xfrm/xfrm_state.c
	@@ -1246,6 +1246,8 @@ static struct xfrm_state *xfrm_state_clo
	x->curlft.add_time = orig->curlft.add_time;
	x->km.state = orig->km.state;
	x->km.seq = orig->km.seq;
	+ x->replay = orig->replay;
	+ x->preplay = orig->preplay;

	return x;