Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2017-12-22

1) Check for valid id proto in validate_tmpl(), otherwise
   we may trigger a warning in xfrm_state_fini().
   From Cong Wang.

2) Fix a typo on XFRMA_OUTPUT_MARK policy attribute.
   From Michal Kubecek.

3) Verify the state is valid when encap_type < 0,
   otherwise we may crash on IPsec GRO .
   From Aviv Heller.

4) Fix stack-out-of-bounds read on socket policy lookup.
   We access the flowi of the wrong address family in the
   IPv4 mapped IPv6 case, fix this by catching address
   family missmatches before we do the lookup.

5) fix xfrm_do_migrate() with AEAD to copy the geniv
   field too. Otherwise the state is not fully initialized
   and migration fails. From Antony Antony.

6) Fix stack-out-of-bounds with misconfigured transport
   mode policies. Our policy template validation is not
   strict enough. It is possible to configure policies
   with transport mode template where the address family
   of the template does not match the selectors address
   family. Fix this by refusing such a configuration,
   address family can not change on transport mode.

7) Fix a policy reference leak when reusing pcpu xdst
   entry. From Florian Westphal.

8) Reinject transport-mode packets through tasklet,
   otherwise it is possible to reate a recursion
   loop. From Herbert Xu.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --combined net/xfrm/xfrm_state.c
index 065d89606888ec1bf053577d3949746bcea6f099,88d0a563e1413a12339eba6703c40eac3f119ac3..500b3391f474b96fe273060ff8eae16f1e23f3c2
--- 1/net/xfrm/xfrm_state.c
--- 2/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@@ -556,7 -556,7 +556,7 @@@ out
        return HRTIMER_NORESTART;
  }
  
 -static void xfrm_replay_timer_handler(unsigned long data);
 +static void xfrm_replay_timer_handler(struct timer_list *t);
  
  struct xfrm_state *xfrm_state_alloc(struct net *net)
  {
@@@ -574,7 -574,8 +574,7 @@@
                INIT_HLIST_NODE(&x->byspi);
                tasklet_hrtimer_init(&x->mtimer, xfrm_timer_handler,
                                        CLOCK_BOOTTIME, HRTIMER_MODE_ABS);
 -              setup_timer(&x->rtimer, xfrm_replay_timer_handler,
 -                              (unsigned long)x);
 +              timer_setup(&x->rtimer, xfrm_replay_timer_handler, 0);
                x->curlft.add_time = get_seconds();
                x->lft.soft_byte_limit = XFRM_INF;
                x->lft.soft_packet_limit = XFRM_INF;
@@@ -1343,6 -1344,7 +1343,7 @@@ static struct xfrm_state *xfrm_state_cl
  
        if (orig->aead) {
                x->aead = xfrm_algo_aead_clone(orig->aead);
+               x->geniv = orig->geniv;
                if (!x->aead)
                        goto error;
        }
@@@ -1878,9 -1880,9 +1879,9 @@@ void xfrm_state_walk_done(struct xfrm_s
  }
  EXPORT_SYMBOL(xfrm_state_walk_done);
  
 -static void xfrm_replay_timer_handler(unsigned long data)
 +static void xfrm_replay_timer_handler(struct timer_list *t)
  {
 -      struct xfrm_state *x = (struct xfrm_state *)data;
 +      struct xfrm_state *x = from_timer(x, t, rtimer);
  
        spin_lock(&x->lock);