From abd2ac600395062e685e144cb8b1cd759bcc6cc1 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Mon, 5 Jun 2017 08:51:55 -0700
Subject: Actually fix ipsec encapsulation problems (rhbz 1458222 1458499)
---
actual_udpencap_fix.patch | 45 +++++++++++++++++++++++++++++++++++++++++++++
kernel.spec | 7 +++++++
2 files changed, 52 insertions(+)
create mode 100644 actual_udpencap_fix.patch
diff --git a/actual_udpencap_fix.patch b/actual_udpencap_fix.patch
new file mode 100644
index 000000000..bba8b7676
--- /dev/null
+++ b/actual_udpencap_fix.patch
@@ -0,0 +1,45 @@
+From: Steffen Klassert
+Subject: [PATCH] esp4: Fix udpencap for local TCP packets.
+
+Locally generated TCP packets are usually cloned, so we
+do skb_cow_data() on this packets. After that we need to
+reload the pointer to the esp header. On udpencap this
+header has an offset to skb_transport_header, so take this
+offset into account.
+
+Fixes: commit cac2661c53f ("esp4: Avoid skb_cow_data whenever possible")
+Signed-off-by: Steffen Klassert
+---
+ net/ipv4/esp4.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index b1e2444..ab71fbb 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+ int extralen;
+ int tailen;
+ __be64 seqno;
++ int esp_offset = 0;
+ __u8 proto = *skb_mac_header(skb);
+
+ /* skb is pure payload to encrypt */
+@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+ break;
+ }
+
++ esp_offset = (unsigned char *)esph - (unsigned char *)uh;
++
+ *skb_mac_header(skb) = IPPROTO_UDP;
+ }
+
+@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
+ goto error;
+ nfrags = err;
+ tail = skb_tail_pointer(trailer);
+- esph = ip_esp_hdr(skb);
++ esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);
+
+ skip_cow:
+ esp_output_fill_trailer(tail, tfclen, plen, proto);
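Review bot: The reload `esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);` in the third inner hunk is only correct if `uh` pointed at the transport header when `esp_offset = (unsigned char *)esph - (unsigned char *)uh;` was computed, and the assignment to `uh` lies outside the hunks shown, so this cannot be confirmed from the patch alone. That invariant should be written down where the variable is declared, for example `/* offset of the ESP header from skb_transport_header(); non-zero only with UDP encapsulation */` above `int esp_offset = 0;`. A second comment at the reload, such as `/* skb_cow_data() may have reallocated the head: every pointer taken before it is stale */`, would keep a later edit from reusing an old pointer to write the header fields. The pointer difference is a `ptrdiff_t` stored in an `int`, which looks harmless for a header-sized offset but is worth a glance when the patch is rebased. esp_output's body starts and ends outside all three hunks.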
diff --git a/kernel.spec b/kernel.spec index 9a832c746..bf6059605 100644 --- a/kernel.spec +++ b/kernel.spec @@ -642,6 +642,10 @@ Patch676: 2-2-nvme-Quirk-APST-on-Intel-600P-P3100-devices.patch # Networking fix reported on bodhi Patch678: net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch +# rhbz 1458222 1458499 +# As linked from http://marc.info/?l=linux-netdev&m=149336766030175&w=2 +Patch679: actual_udpencap_fix.patch + # END OF PATCH DEFINITIONS %endif @@ -2206,6 +2210,9 @@ fi # # %changelog +* Mon Jun 05 2017 Laura Abbott +- Actually fix ipsec encapsulation problems (rhbz 1458222 1458499) + * Fri Jun 02 2017 Laura Abbott - Turn CONFIG_GPIO_SYSFS back on -- cgit
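Review bot: The comment above `Patch679:` identifies the carried patch only by a mailing-list link over plain http, and the patch file itself records no upstream commit id, so there is nothing to check the carried copy against later. Once the fix is merged upstream, I would extend the comment with that id, e.g. `# Upstream commit: <UPSTREAM_COMMIT_ID>; drop when rebased past it`, so the patch can be compared with upstream and removed on the next rebase. Switching the link to https is a smaller improvement, assuming the archive serves it.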