Re: [PATCH ipsec-next v8 07/14] xfrm: check family before comparing addresses in migrate

[Sabrina Dubroca]

2026-05-05, 06:33:18 +0200, Antony Antony wrote:
> When migrating between different address families, xfrm_addr_equal()
> cannot meaningfully compare addresses, different lengths.
> Only call xfrm_addr_equal() when families match, and take
> the xfrm_state_insert() path when addresses are equal.
> 
> Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
> 
> Signed-off-by: Antony Antony <antony.antony@xxxxxxxxxxx>

This fix doesn't simply cherry-pick on top of net, I don't know if the
stable maintainers will handle the (pretty trivial in the context of
reviewing this patch series, but maybe not for them) conflict.

I think xfrm_migrate_state_find, and probably xfrm_alloc_userspi, need
the same kind of check.

> ---
> v5->v6: added this patch
> ---
>  net/xfrm/xfrm_state.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
> index 85fd80520184..327a855253e6 100644
> --- a/net/xfrm/xfrm_state.c
> +++ b/net/xfrm/xfrm_state.c
> @@ -2159,10 +2159,11 @@ int xfrm_state_migrate_install(const struct xfrm_state *x,
>  			       struct xfrm_user_offload *xuo,
>  			       struct netlink_ext_ack *extack)
>  {
> -	if (xfrm_addr_equal(&x->id.daddr, &m->new_daddr, m->new_family)) {
> +	if (m->new_family == m->old_family &&
> +	    xfrm_addr_equal(&x->id.daddr, &m->new_daddr, m->new_family)) {
>  		/*
> -		 * Care is needed when the destination address
> -		 * of the state is to be updated as it is a part of triplet.
> +		 * Care is needed when the destination address of the state is
> +		 * to be updated as it is a part of triplet.

nit: the previous patch rewords this comment, and now you're
reindenting it. it would be a bit nicer to do both in the previous
patch, and only add the family check in this patch.

>  		 */
>  		xfrm_state_insert(xc);
>  	} else {
> 
> -- 
> 2.47.3
> 

-- 
Sabrina