Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says:

====================
pull request (net): ipsec 2021-03-31

1) Fix ipv4 pmtu checks for xfrm anf vti interfaces.
   From Eyal Birger.

2) There are situations where the socket passed to
   xfrm_output_resume() is not the same as the one
   attached to the skb. Use the socket passed to
   xfrm_output_resume() to avoid lookup failures
   when xfrm is used with VRFs.
   From Evan Nimmo.

3) Make the xfrm_state_hash_generation sequence counter per
   network namespace because but its write serialization
   lock is also per network namespace. Write protection
   is insufficient otherwise.
   From Ahmed S. Darwish.

4) Fixup sctp featue flags when used with esp offload.
   From Xin Long.

5) xfrm BEET mode doesn't support fragments for inner packets.
   This is a limitation of the protocol, so no fix possible.
   Warn at least to notify the user about that situation.
   From Xin Long.

6) Fix NULL pointer dereference on policy lookup when
   namespaces are uses in combination with esp offload.

7) Fix incorrect transformation on esp offload when
   packets get segmented at layer 3.

8) Fix some user triggered usages of WARN_ONCE in
   the xfrm compat layer.
   From Dmitry Safonov.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --cc net/ipv4/ip_vti.c
index eb207089ece0b29bbb96dd66544be79133be2ecc,613741384490f6765c185ae2d2eae21aafa0a749..31c6c6d99d5ecf6ff1752c450c46981f8eac7da0
--- 1/net/ipv4/ip_vti.c
--- 2/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@@ -238,8 -238,10 +238,10 @@@ static netdev_tx_t vti_xmit(struct sk_b
        if (skb->len > mtu) {
                skb_dst_update_pmtu_no_confirm(skb, mtu);
                if (skb->protocol == htons(ETH_P_IP)) {
 -                      icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 -                                htonl(mtu));
+                       if (!(ip_hdr(skb)->frag_off & htons(IP_DF)))
+                               goto xmit;
 +                      icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 +                                    htonl(mtu));
                } else {
                        if (mtu < IPV6_MIN_MTU)
                                mtu = IPV6_MIN_MTU;

diff --cc net/ipv6/ip6_vti.c
index f10e7a72ea6248e5ec1fbdb8b4e1c4e0e874cb96,2f0be5ac021c127216007d7a53bad2f0e89dd197..e0cc32e45880117307e921afebedd5817e2d52ea
--- 1/net/ipv6/ip6_vti.c
--- 2/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@@ -521,10 -521,12 +521,12 @@@ vti6_xmit(struct sk_buff *skb, struct n
                        if (mtu < IPV6_MIN_MTU)
                                mtu = IPV6_MIN_MTU;
  
 -                      icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
 +                      icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
                } else {
 -                      icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 -                                htonl(mtu));
+                       if (!(ip_hdr(skb)->frag_off & htons(IP_DF)))
+                               goto xmit;
 +                      icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
 +                                    htonl(mtu));
                }
  
                err = -EMSGSIZE;