Merge branch 'tcp-ao-fixes'
Dmitry Safonov says: ==================== TCP-AO fixes Changes from v4: - Dropped 2 patches on which there's no consensus. They will require more work TBD if they may made acceptable. Those are: o "net/tcp: Allow removing current/rnext TCP-AO keys on TCP_LISTEN sockets" o "net/tcp: Store SNEs + SEQs on ao_info" Changes from v3: - Don't restrict adding any keys on TCP-AO connection in VRF, but only the ones that don't match l3index (David) Changes from v2: - rwlocks are problematic in net code (Paolo) Changed the SNE code to avoid spin/rw locks on RX/TX fastpath by double-accounting SEQ numbers for TCP-AO enabled connections. Changes from v1: - Use tcp_can_repair_sock() helper to limit TCP_AO_REPAIR (Eric) - Instead of hook to listen() syscall, allow removing current/rnext keys on TCP_LISTEN (addressing Eric's objection) - Add sne_lock to protect snd_sne/rcv_sne - Don't move used_tcp_ao in struct tcp_request_sock (Eric) I've been working on TCP-AO key-rotation selftests and as a result exercised some corner-cases that are not usually met in production. Here are a bunch of semi-related fixes: - Documentation typo (reported by Markus Elfring) - Proper alignment for TCP-AO option in TCP header that has MAC length of non 4 bytes (now a selftest with randomized maclen/algorithm/etc passes) - 3 uAPI restricting patches that disallow more things to userspace in order to prevent it shooting itself in any parts of the body - SNEs READ_ONCE()/WRITE_ONCE() that went missing by my human factor - Avoid storing MAC length from SYN header as SYN-ACK will use rnext_key.maclen (drops an extra check that fails on new selftests) ==================== Link: https://lore.kernel.org/r/Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Showing
Please register or sign in to comment