Fix XFRM flags validity check
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux-bluefield (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
* Explain the bug(s)
commit a3ca11eec78 introduced a flags validity check for XFRM , the check excluded flag XFRM_OFFLOAD_FULL from the check hence the flag is being blocked from getting to the kernel space.
The above is preventing IPsec states from being added with the full_offload option.
* Brief explanation of fixes
The commit restricted unknown flags from being configured from user space by adding a validity check,
since the Bluefield feature added such a flag , the fix expands the validity check to include this flag which is added
only in Bluefield kernel .
* How to test
Need to make sure that configuring IPsec with full_offload option using IProute2 can be done successfully with no issues.
(Not getting the RTNETLINK answers: Invalid argument error anymore)
* What it could break.
NA, this patch allows a specific flag to get passed to the kernel space, the kernel was using this flag already however after validity check got introduced the flag just got blocked from getting to the kernel.
CVE References
Changed in linux-bluefield (Ubuntu Focal): | |
status: | New → Fix Committed |
Changed in linux-bluefield (Ubuntu): | |
status: | New → Invalid |
This bug is awaiting verification that the linux-bluefield /5.4.0- 1040.44 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification- needed- focal' to 'verification- done-focal' . If the problem still exists, change the tag 'verification- needed- focal' to 'verification- failed- focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Thank you!