Merge tag 'v6.17.10' into linux-6.17.ylinux-6.17.y

This is the 6.17.10 stable release
author: saturneric <[email protected]> 2025-12-02 21:44:00 +0000
committer: saturneric <[email protected]> 2025-12-02 21:44:00 +0000
commit: aa766e96efd6b62fd4dc7750134624f2c633cc55 (patch)
tree: 06078a9d8cbb6227f541e18545aa68f082d86242 /net/xfrm/xfrm_output.c
parent: Merge tag 'v6.17.8' into linux-6.17.y (diff)
parent: Linux 6.17.10 (diff)
download: kernel-linux-6.17.y.tar.gz
kernel-linux-6.17.y.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 9077730ff7d0..54222fcbd7fd 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -698,7 +698,7 @@ static void xfrm_get_inner_ipproto(struct sk_buff *skb, struct xfrm_state *x)
 		return;
 
 	if (x->outer_mode.encap == XFRM_MODE_TUNNEL) {
-		switch (x->outer_mode.family) {
+		switch (skb_dst(skb)->ops->family) {
 		case AF_INET:
 			xo->inner_ipproto = ip_hdr(skb)->protocol;
 			break;
@@ -772,8 +772,12 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
 		/* Exclusive direct xmit for tunnel mode, as
 		 * some filtering or matching rules may apply
 		 * in transport mode.
+		 * Locally generated packets also require
+		 * the normal XFRM path for L2 header setup,
+		 * as the hardware needs the L2 header to match
+		 * for encryption, so skip direct output as well.
 		 */
-		if (x->props.mode == XFRM_MODE_TUNNEL)
+		if (x->props.mode == XFRM_MODE_TUNNEL && !skb->sk)
 			return xfrm_dev_direct_output(sk, x, skb);
 
 		return xfrm_output_resume(sk, skb, 0);
author	saturneric <[email protected]>	2025-12-02 21:44:00 +0000
committer	saturneric <[email protected]>	2025-12-02 21:44:00 +0000
commit	aa766e96efd6b62fd4dc7750134624f2c633cc55 (patch)
tree	06078a9d8cbb6227f541e18545aa68f082d86242 /net/xfrm/xfrm_output.c
parent	Merge tag 'v6.17.8' into linux-6.17.y (diff)
parent	Linux 6.17.10 (diff)
download	kernel-linux-6.17.y.tar.gz kernel-linux-6.17.y.zip