ipsec-2025-08-11

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmiZtCAACgkQrB3Eaf9P
 W7c/5w/+P3F7DWsjlNUipyIRtwaaMImrELvwrRbg4ajv4RALd1HRSWV8idHg2Kaj
 7XSJzDoGjegCwfXlRAuMRlmPz8HJUEkZ4rAeygOqwxRCrtV7R1JoGbiHot0Bk+Jn
 aWNvbD4/cbULmkvdo1CBPmONb5XDkLJA1Rh6dJJoZtlCCF20zC1HLesoT1EZcIkE
 1Rpmb+O2RB2zj0m+ciKuU5NgqGC4jpwcB+Wlcpa7hTUBIIsuEfUmj8IHXir/7b0v
 MKZMqJfD4xM3MxRQjkR8xEXDcrVGLsS18BzCDW6x3DcW+aq+0gZlUhLg6LDB8c+e
 lwHMzeTlorWIsFf4PrqL4QJMlFx8S5UInZOe/sex1xTJ3afhQgVJv+48V9U+XI4E
 eOL6DVBG+L00dieBdSRcdF2g+ceOx0PaLtfSHhc1zLuWSOlgwnlcLfhhTfxw4eFl
 ShE/TaGgat4l6ng1HHrq6ZnjjCSRXdfAquGUgIWIPlYyQw+8dxXtYaqMJKP28Gl/
 HDqZRxoRy0Wy1woABj7vpotg9I/hi3wV7mRcWxo+tWfMNJm+4BhjvUyp8yYtaV3j
 +1nO1HCg9nEQATVPNQKIUlo7UxwRcgFcm4QzfcWtsGh7/5O0VcUxgIRJtVdY2TZS
 nSBcEQUuS0l47ngGOTzd1pHce5ocKV8YDEprqsXuqYAUh59KnD8=
 =kxTv
 -----END PGP SIGNATURE-----

Merge tag 'ipsec-2025-08-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2025-08-11

1) Fix flushing of all states in xfrm_state_fini.
   From Sabrina Dubroca.

2) Fix some IPsec software offload features. These
   got lost with some recent HW offload changes.
   From Sabrina Dubroca.

Please pull or let me know if there are problems.

* tag 'ipsec-2025-08-11' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
  udp: also consider secpath when evaluating ipsec use for checksumming
  xfrm: bring back device check in validate_xmit_xfrm
  xfrm: restore GSO for SW crypto
  xfrm: flush all states in xfrm_state_fini
====================

Link: https://patch.msgid.link/20250811092008.731573-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

net/ipv4/udp_offload.c

@@ -217,7 +217,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
 	remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
 	skb->remcsum_offload = remcsum;
 
-	need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
+	need_ipsec = (skb_dst(skb) && dst_xfrm(skb_dst(skb))) || skb_sec_path(skb);
 	/* Try to offload checksum if possible */
 	offload_csum = !!(need_csum &&
 			  !need_ipsec &&

net/ipv6/xfrm6_tunnel.c

@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
 	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
 	unsigned int i;
 
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+	xfrm_state_flush(net, 0, false);
 	xfrm_flush_gc();
 
 	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)

net/xfrm/xfrm_device.c

@@ -155,7 +155,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
 		return skb;
 	}
 
-	if (skb_is_gso(skb) && unlikely(xmit_xfrm_check_overflow(skb))) {
+	if (skb_is_gso(skb) && (unlikely(x->xso.dev != dev) ||
+				unlikely(xmit_xfrm_check_overflow(skb)))) {
 		struct sk_buff *segs;
 
 		/* Packet got rerouted, fixup features and segment it. */
@@ -415,10 +416,12 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
 	struct net_device *dev = x->xso.dev;
 	bool check_tunnel_size;
 
-	if (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED)
+	if (!x->type_offload ||
+	    (x->xso.type == XFRM_DEV_OFFLOAD_UNSPECIFIED && x->encap))
 		return false;
 
-	if ((dev == xfrm_dst_path(dst)->dev) && !xdst->child->xfrm) {
+	if ((!dev || dev == xfrm_dst_path(dst)->dev) &&
+	    !xdst->child->xfrm) {
 		mtu = xfrm_state_mtu(x, xdst->child_mtu_cached);
 		if (skb->len <= mtu)
 			goto ok;
@@ -430,6 +433,9 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
 	return false;
 
 ok:
+	if (!dev)
+		return true;
+
 	check_tunnel_size = x->xso.type == XFRM_DEV_OFFLOAD_PACKET &&
 			    x->props.mode == XFRM_MODE_TUNNEL;
 	switch (x->props.family) {

net/xfrm/xfrm_state.c

@@ -3297,7 +3297,7 @@ void xfrm_state_fini(struct net *net)
 	unsigned int sz;
 
 	flush_work(&net->xfrm.state_hash_work);
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+	xfrm_state_flush(net, 0, false);
 	flush_work(&xfrm_state_gc_work);
 
 	WARN_ON(!list_empty(&net->xfrm.state_all));