Merge tag 'net-6.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
 "This is somewhat larger than what I hoped for, with a few PRs from
  subsystems and follow-ups for the recent netdev locking changes,
  anyhow there are no known pending regressions.

  Including fixes from bluetooth, ipsec and CAN.

  Current release - regressions:

   - eth: team: grab team lock during team_change_rx_flags

   - eth: bnxt_en: fix netdev locking in ULP IRQ functions

  Current release - new code bugs:

   - xfrm: ipcomp: fix truesize computation on receive

   - eth: airoha: fix page recycling in airoha_qdma_rx_process()

  Previous releases - regressions:

   - sched: hfsc: fix qlen accounting bug when using peek in
     hfsc_enqueue()

   - mr: consolidate the ipmr_can_free_table() checks.

   - bridge: netfilter: fix forwarding of fragmented packets

   - xsk: bring back busy polling support in XDP_COPY

   - can:
       - add missing rcu read protection for procfs content
       - kvaser_pciefd: force IRQ edge in case of nested IRQ

  Previous releases - always broken:

   - xfrm: espintcp: remove encap socket caching to avoid reference leak

   - bluetooth: use skb_pull to avoid unsafe access in QCA dump handling

   - eth: idpf:
       - fix null-ptr-deref in idpf_features_check
       - fix idpf_vport_splitq_napi_poll()

   - eth: hibmcge: fix wrong ndo.open() after reset fail issue"

* tag 'net-6.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (40 commits)
  octeontx2-af: Fix APR entry mapping based on APR_LMT_CFG
  octeontx2-af: Set LMT_ENA bit for APR table entries
  net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
  octeontx2-pf: Avoid adding dcbnl_ops for LBK and SDP vf
  selftests/tc-testing: Add an HFSC qlen accounting test
  sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
  idpf: fix idpf_vport_splitq_napi_poll()
  net: hibmcge: fix wrong ndo.open() after reset fail issue.
  net: hibmcge: fix incorrect statistics update issue
  xsk: Bring back busy polling support in XDP_COPY
  can: slcan: allow reception of short error messages
  net: lan743x: Restore SGMII CTRL register on resume
  bnxt_en: Fix netdev locking in ULP IRQ functions
  MAINTAINERS: Drop myself to reviewer for ravb driver
  net: dwmac-sun8i: Use parsed internal PHY address instead of 1
  net: ethernet: ti: am65-cpsw: Lower random mac address error print to info
  can: kvaser_pciefd: Continue parsing DMA buf after dropped RX
  can: kvaser_pciefd: Fix echo_skb race
  can: kvaser_pciefd: Force IRQ edge in case of nested IRQ
  idpf: fix null-ptr-deref in idpf_features_check
  ...

1 files changed, 10 insertions, 8 deletions

diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index b5b06323cfd9..0d31a8c108d4 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -182,11 +182,15 @@ struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
 	int offset = skb_gro_offset(skb);
 	const struct net_offload *ops;
 	struct sk_buff *pp = NULL;
-	int ret;
-
-	offset = offset - sizeof(struct udphdr);
+	int len, dlen;
+	__u8 *udpdata;
+	__be32 *udpdata32;
 
-	if (!pskb_pull(skb, offset))
+	len = skb->len - offset;
+	dlen = offset + min(len, 8);
+	udpdata = skb_gro_header(skb, dlen, offset);
+	udpdata32 = (__be32 *)udpdata;
+	if (unlikely(!udpdata))
 		return NULL;
 
 	rcu_read_lock();
@@ -194,11 +198,10 @@ struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
 	if (!ops || !ops->callbacks.gro_receive)
 		goto out;
 
-	ret = __xfrm4_udp_encap_rcv(sk, skb, false);
-	if (ret)
+	/* check if it is a keepalive or IKE packet */
+	if (len <= sizeof(struct ip_esp_hdr) || udpdata32[0] == 0)
 		goto out;
 
-	skb_push(skb, offset);
 	NAPI_GRO_CB(skb)->proto = IPPROTO_UDP;
 
 	pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
@@ -208,7 +211,6 @@ struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
 
 out:
 	rcu_read_unlock();
-	skb_push(skb, offset);
 	NAPI_GRO_CB(skb)->same_flow = 0;
 	NAPI_GRO_CB(skb)->flush = 1;