While looking into an XFRM_MSG_MIGRATE_STATE issue reported by Sashiko,
we found the underlying problem generalizes: xfrm allows multiple SAs
to coexist for the same (SPI, daddr, proto) differing only in mark,
and every control-plane operation that resolves "which SA" - get,
delete, update, get_ae, new_ae, expire, migrate - uses the same
wildcard mark match the data path needs. A broader-mask SA can
silently shadow a more specific one:

  # ip xfrm state add ... spi 0x1000 mark 1 mask 1   (SA_target)
  # ip xfrm state add ... spi 0x1000 mark 0 mask 0
      (SA_decoy, catch-all, added after -> bucket head)
  # ip xfrm state delete dst ... proto esp spi 0x1000 mark 1 mask 1
      -> deletes SA_decoy; SA_target survives, untouched

xfrm policy had the same bug, fixed in commit 4f47e8ab6ab7
("xfrm: policy: match with both mark and mask on user interfaces").

Control-plane lookups need an exact mark/mask match; the wildcard
match stays for the data path and state_add only.

This series applies that fix across every affected method,
not just XFRM_MSG_MIGRATE_STATE.

More examples in the attached self tests.

This series does not fix the likely issues in PF_KEY, as it
is no longer receiving non-critical fixes.

---
Antony Antony (8):
      xfrm: state: exact mark/mask match for SPI-keyed control-plane SA lookups
      xfrm: state: exact mark/mask match for by-address control-plane SA lookups
      selftests: net: xfrm_state: add mark shadowing tests for state lookups
      xfrm: fix use-after-free of migrated state in xfrm_do_migrate_state()
      xfrm: fix hw offload state leak on xfrm_do_migrate_state() error path
      xfrm: include mark in MIGRATE_STATE SA collision check
      xfrm: pass extack through to xfrm_init_replay() from xfrm_init_state()
      docs: xfrm: include mark in XFRM_MSG_MIGRATE_STATE EEXIST tuple

 .../networking/xfrm/xfrm_migrate_state.rst |  20 ++--
 include/net/xfrm.h                         |   5 +-
 net/ipv6/xfrm6_input.c                     |   2 +-
 net/xfrm/xfrm_state.c                      | 109 +++++++++++++----
 net/xfrm/xfrm_user.c                       |  49 +++++---
 tools/testing/selftests/net/xfrm_state.sh  | 130 ++++++++++++++++++++-
 6 files changed, 262 insertions(+), 53 deletions(-)
---
base-commit: 226f4a490d1a938fc838d8f8c46a4eca864c0d78
change-id: migrate-state-fixes-063ee0342611
Best regards,
--
Antony Antony <[email protected]>
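
The shadowing described in the cover letter, as an added user-space model in C; it is not code from this series or from the kernel. The struct, the function names and the two-entry bucket are constructed for illustration, and the wildcard rule `(mark & sa_mask) == sa_value` is assumed to be the data-path match the letter refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified SA: daddr and proto are assumed equal and left out. */
struct sa {
    const char *name;
    uint32_t spi;
    uint32_t mark_v;    /* mark value */
    uint32_t mark_m;    /* mark mask */
};

/* Constructed bucket: SA_decoy was added last, so it sits at the head. */
static const struct sa bucket[] = {
    { "SA_decoy",  0x1000, 0, 0 },
    { "SA_target", 0x1000, 1, 1 },
};
#define NSA (sizeof(bucket) / sizeof(bucket[0]))

/* Data-path style: first SA whose own mask/value accepts the given mark. */
static const struct sa *lookup_wildcard(uint32_t spi, uint32_t mark)
{
    for (size_t i = 0; i < NSA; i++)
        if (bucket[i].spi == spi &&
            (mark & bucket[i].mark_m) == bucket[i].mark_v)
            return &bucket[i];
    return NULL;
}

/* Control-plane style: value and mask must both equal the request. */
static const struct sa *lookup_exact(uint32_t spi, uint32_t v, uint32_t m)
{
    for (size_t i = 0; i < NSA; i++)
        if (bucket[i].spi == spi &&
            bucket[i].mark_v == v && bucket[i].mark_m == m)
            return &bucket[i];
    return NULL;
}

int main(void)
{
    /* Request from the cover letter: delete spi 0x1000 mark 1 mask 1. */
    uint32_t v = 1, m = 1;
    const struct sa *w = lookup_wildcard(0x1000, v & m);
    const struct sa *e = lookup_exact(0x1000, v, m);

    printf("wildcard lookup resolves to %s\n", w ? w->name : "(none)");
    printf("exact lookup resolves to    %s\n", e ? e->name : "(none)");
    return 0;
}
```

An exact lookup for a mark/mask pair that no SA was installed with returns no match instead of falling through to the catch-all.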