diff options
author | Greg Kroah-Hartman <gregkh@google.com> | 2024-05-14 12:34:19 +0000 |
---|---|---|
committer | Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> | 2024-05-16 15:02:48 +0000 |
commit | b8507d583096a0663389d25d90570ad052499fe3 (patch) | |
tree | 64aa19f38a75b0a980bf7b106cea61d31ea09a80 | |
parent | fe5748baf6f05bfd918e7a3cf840d9b19759af4b (diff) | |
download | common-b8507d583096a0663389d25d90570ad052499fe3.tar.gz |
Revert "macsec: Detect if Rx skb is macsec-related for offloading devices that update md_dst"
This reverts commit 6c3020dc817f8d08fc0ea48dd004782e7c204d92 which is
commit 642c984dd0e37dbaec9f87bd1211e5fac1f142bf upstream.
It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.
Bug: 161946584
Change-Id: I70a62bf17080aad4ed45ab65272bd14a6eb1819a
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-rw-r--r-- | drivers/net/macsec.c | 46 |
1 files changed, 10 insertions, 36 deletions
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c index 778fb77c5a93..9663050a852d 100644 --- a/drivers/net/macsec.c +++ b/drivers/net/macsec.c @@ -996,12 +996,10 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) struct metadata_dst *md_dst; struct macsec_rxh_data *rxd; struct macsec_dev *macsec; - bool is_macsec_md_dst; rcu_read_lock(); rxd = macsec_data_rcu(skb->dev); md_dst = skb_metadata_dst(skb); - is_macsec_md_dst = md_dst && md_dst->type == METADATA_MACSEC; list_for_each_entry_rcu(macsec, &rxd->secys, secys) { struct sk_buff *nskb; @@ -1012,42 +1010,14 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) * the SecTAG, so we have to deduce which port to deliver to. */ if (macsec_is_offloaded(macsec) && netif_running(ndev)) { - const struct macsec_ops *ops; + struct macsec_rx_sc *rx_sc = NULL; - ops = macsec_get_ops(macsec, NULL); + if (md_dst && md_dst->type == METADATA_MACSEC) + rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci); - if (ops->rx_uses_md_dst && !is_macsec_md_dst) + if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc) continue; - if (is_macsec_md_dst) { - struct macsec_rx_sc *rx_sc; - - /* All drivers that implement MACsec offload - * support using skb metadata destinations must - * indicate that they do so. - */ - DEBUG_NET_WARN_ON_ONCE(!ops->rx_uses_md_dst); - rx_sc = find_rx_sc(&macsec->secy, - md_dst->u.macsec_info.sci); - if (!rx_sc) - continue; - /* device indicated macsec offload occurred */ - skb->dev = ndev; - skb->pkt_type = PACKET_HOST; - eth_skb_pkt_type(skb, ndev); - ret = RX_HANDLER_ANOTHER; - goto out; - } - - /* This datapath is insecure because it is unable to - * enforce isolation of broadcast/multicast traffic and - * unicast traffic with promiscuous mode on the macsec - * netdev. Since the core stack has no mechanism to - * check that the hardware did indeed receive MACsec - * traffic, it is possible that the response handling - * done by the MACsec port was to a plaintext packet. - * This violates the MACsec protocol standard. - */ if (ether_addr_equal_64bits(hdr->h_dest, ndev->dev_addr)) { /* exact match, divert skb to this port */ @@ -1063,10 +1033,14 @@ static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) break; nskb->dev = ndev; - eth_skb_pkt_type(nskb, ndev); + if (ether_addr_equal_64bits(hdr->h_dest, + ndev->broadcast)) + nskb->pkt_type = PACKET_BROADCAST; + else + nskb->pkt_type = PACKET_MULTICAST; __netif_rx(nskb); - } else if (ndev->flags & IFF_PROMISC) { + } else if (rx_sc || ndev->flags & IFF_PROMISC) { skb->dev = ndev; skb->pkt_type = PACKET_HOST; ret = RX_HANDLER_ANOTHER; |