Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2015-05-28

1) Fix a race in xfrm_state_lookup_byspi, we need to take
   the refcount before we release xfrm_state_lock.
   From Li RongQing.

2) Fix IV generation on ESN state. We used just the
   low order sequence numbers for IV generation on
   ESN, as a result the IV can repeat on the same
   state. Fix this by using the  high order sequence
   number bits too and make sure to always initialize
   the high order bits with zero. These patches are
   serious stable candidates. Fixes from Herbert Xu.

3) Fix the skb->mark handling on vti. We don't
   reset skb->mark in skb_scrub_packet anymore,
   so vti must care to restore the original
   value back after it was used to lookup the
   vti policy and state. Fixes from Alexander Duyck.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 12 insertions, 4 deletions

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 31f1b5d5e2ef..7c07ce36aae2 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -248,7 +248,8 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
         aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
         aead_givcrypt_set_assoc(req, asg, assoclen);
         aead_givcrypt_set_giv(req, esph->enc_data,
-                              XFRM_SKB_CB(skb)->seq.output.low);
+                              XFRM_SKB_CB(skb)->seq.output.low +
+                              ((u64)XFRM_SKB_CB(skb)->seq.output.hi << 32));
 
         ESP_SKB_CB(skb)->tmp = tmp;
         err = crypto_aead_givencrypt(req);
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index ed9d681207fa..ff3bd863fa03 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -322,7 +322,6 @@ static int vti6_rcv(struct sk_buff *skb)
                 }
 
                 XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
-                skb->mark = be32_to_cpu(t->parms.i_key);
 
                 rcu_read_unlock();
 
@@ -342,6 +341,8 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
         struct pcpu_sw_netstats *tstats;
         struct xfrm_state *x;
         struct ip6_tnl *t = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6;
+        u32 orig_mark = skb->mark;
+        int ret;
 
         if (!t)
                 return 1;
@@ -358,7 +359,11 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
         x = xfrm_input_state(skb);
         family = x->inner_mode->afinfo->family;
 
-        if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
+        skb->mark = be32_to_cpu(t->parms.i_key);
+        ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
+        skb->mark = orig_mark;
+
+        if (!ret)
                 return -EPERM;
 
         skb_scrub_packet(skb, !net_eq(t->net, dev_net(skb->dev)));
@@ -495,7 +500,6 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         int ret;
 
         memset(&fl, 0, sizeof(fl));
-        skb->mark = be32_to_cpu(t->parms.o_key);
 
         switch (skb->protocol) {
         case htons(ETH_P_IPV6):
@@ -516,6 +520,9 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 goto tx_err;
         }
 
+        /* override mark with tunnel output key */
+        fl.flowi_mark = be32_to_cpu(t->parms.o_key);
+
         ret = vti6_xmit(skb, dev, &fl);
         if (ret < 0)
                 goto tx_err;