ACK: [SRU F, B/hwe] xfrm: policy: match with both mark and mask on user interfaces
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Aug 10 15:16:00 UTC 2020
On Mon, Aug 10, 2020 at 04:44:47PM +0200, Stefan Bader wrote:
> From: Xin Long <lucien.xin at gmail.com>
>
> In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> it would take 'priority' to make a policy unique, and allow duplicated
> policies with different 'priority' to be added, which is not expected
> by userland, as Tobias reported in strongswan.
>
> To fix this duplicated policies issue, and also fix the issue in
> commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
> when doing add/del/get/update on user interfaces, this patch is to change
> to look up a policy with both mark and mask by doing:
>
> mark.v == pol->mark.v && mark.m == pol->mark.m
>
> and leave the check:
>
> (mark & pol->mark.m) == pol->mark.v
>
> for tx/rx path only.
>
> As the userland expects an exact mark and mask match to manage policies.
>
> v1->v2:
> - make xfrm_policy_mark_match inline and fix the changelog as
> Tobias suggested.
>
> Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
> Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
> Reported-by: Tobias Brunner <tobias at strongswan.org>
> Tested-by: Tobias Brunner <tobias at strongswan.org>
> Signed-off-by: Xin Long <lucien.xin at gmail.com>
> Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1890796
>
> (cherry picked from commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58)
> Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
> ---
>
> This is for focal and bionic/hwe first; it seems the offending patch
> also went into bionic and xenial, but starting with bionic there is some
> backport effort required to apply it. So I am submitting this first for
> the easy part.
>
> -Stefan
Clean cherry-pick, simple test case.
Acked-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
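To make the two predicates in the quoted commit message concrete, the following is an added, stand-alone illustration, not kernel code and not part of the patch. It models the datapath check `(mark & pol->mark.m) == pol->mark.v` and the user-interface check `mark.v == pol->mark.v && mark.m == pol->mark.m` against a constructed SPD of three policies that share a selector but differ in mark. The policy names, table contents, and the `lookup_*` helpers are assumptions made for the example; the two match expressions are the ones the commit message gives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct xfrm_mark: a value and a mask. */
struct xfrm_mark {
	uint32_t v;
	uint32_t m;
};

/* Toy SPD entry carrying only what the mark matching needs. */
struct policy {
	const char *name;
	struct xfrm_mark mark;
	uint32_t priority;
};

/* Constructed table (example data): same selector, different marks. */
static const struct policy spd[] = {
	{ "wildcard", { 0x00, 0x00 }, 100 }, /* matches any skb mark       */
	{ "tunnel-a", { 0x10, 0xff }, 100 }, /* low byte must be 0x10       */
	{ "tunnel-b", { 0x20, 0xff }, 200 }, /* low byte must be 0x20       */
};
#define SPD_LEN (sizeof(spd) / sizeof(spd[0]))

/* tx/rx path check from the commit message: (mark & pol->mark.m) == pol->mark.v */
static bool xfrm_mark_match(const struct xfrm_mark *m, uint32_t skb_mark)
{
	return (skb_mark & m->m) == m->v;
}

/* User-interface check from the commit message: exact value and mask. */
static bool xfrm_policy_mark_match(const struct xfrm_mark *mark,
				   const struct policy *pol)
{
	return mark->v == pol->mark.v && mark->m == pol->mark.m;
}

/* Pre-fix style: the masked datapath predicate applied on the user path,
 * fed only the requested mark value. Returns the first hit's index or -1. */
static int lookup_user_masked(const struct xfrm_mark *req)
{
	for (size_t i = 0; i < SPD_LEN; i++)
		if (xfrm_mark_match(&spd[i].mark, req->v))
			return (int)i;
	return -1;
}

/* Post-fix style: exact mark and mask match on the user path. */
static int lookup_user_exact(const struct xfrm_mark *req)
{
	for (size_t i = 0; i < SPD_LEN; i++)
		if (xfrm_policy_mark_match(req, &spd[i]))
			return (int)i;
	return -1;
}

/* Datapath view: how many policies a given skb mark would match. */
static int count_datapath_matches(uint32_t skb_mark)
{
	int n = 0;
	for (size_t i = 0; i < SPD_LEN; i++)
		n += xfrm_mark_match(&spd[i].mark, skb_mark) ? 1 : 0;
	return n;
}

int main(void)
{
	/* What userland would pass to delete or update "tunnel-a". */
	struct xfrm_mark req = { 0x10, 0xff };
	int masked = lookup_user_masked(&req);
	int exact  = lookup_user_exact(&req);

	printf("masked user lookup hits: %s\n", masked >= 0 ? spd[masked].name : "none");
	printf("exact  user lookup hits: %s\n", exact  >= 0 ? spd[exact].name  : "none");
	printf("skb mark 0x10 matches %d policies on the datapath\n",
	       count_datapath_matches(0x10));
	return 0;
}
```

With the masked predicate on the user path, a request for (v=0x10, m=0xff) lands on the wildcard policy first, because `(0x10 & 0x0) == 0x0` holds, so a delete aimed at "tunnel-a" would remove the wrong entry and an add could never be refused as a duplicate. The exact predicate returns "tunnel-a" and rejects a request whose mask differs, which is the behaviour the commit message says userland expects. On the datapath the masked check is still the right one: an skb with mark 0x10 legitimately matches both the wildcard and "tunnel-a", and priority decides between them.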