From patchwork Fri Sep 22 21:04:58 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilya Maximets X-Patchwork-Id: 143661 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a05:612c:172:b0:3f2:4152:657d with SMTP id h50csp5866317vqi; Fri, 22 Sep 2023 14:07:41 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHERQF2vJs3znXBqV97YodN6MuOK02qQTGPMZ2Ce+J35Staxee9e11aII2tnTyPGcsP5t2/ X-Received: by 2002:aca:1307:0:b0:3a1:e7fb:76fc with SMTP id e7-20020aca1307000000b003a1e7fb76fcmr739536oii.17.1695416861064; Fri, 22 Sep 2023 14:07:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695416861; cv=none; d=google.com; s=arc-20160816; b=dItklz5Hzv7aRFDH6sX5l5AAhXmPeADO+uQcvqYB+a/K/tu0LYwWy8QL3nrD2bIwAF pZrCvokmoWur06zZ/1pI+i9WCkmRTbI+NqDdWDOTssbh6VloscgQkdFG9ZQjf8kTAHYg L1PCYa4xGkZt4ViRiNS4A9eaSbMqPtJoOkpdFxNrREfWO5KhPO3Y4bfN/QdXr3esrJ9y hoHiid5R6+jYgmQYcar2BFwrVvWnBbpxJzCg2vly7FcwEASRceRCDQSswll+0zZZzH6o xNWzluLF5Wc0HcVg9UqlNImymYfj7KqXvPjP8j86fjFauPXdQUcZmxsiNTSMQ7wEjzs8 160Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=PIaFBzOIuJ0+eo0C2WD94WFQc6zlM5pd8R75E+zf/tY=; fh=pxEtdOin9k7/jpG1vSfKEQbU20BZ8WLnPzuFpx3DWdw=; b=eRxL+b3xJEbHHAyBWsfj47kZAdGEq2Z0/DiMdbYb8FCZVZmdV4JzLY4o6TG+4hfAdR ny6Uc7uyBmKtQ0bgCX1MgcSSew/rNJSrHb79xtkCCoUctUyY0tyz1/Bi4fWzvLqB+5ZW EP99yvwNtGv+71hE4euGNI8ujC2KqVuNtxTL6lL2y4T0DS8FWQpQQNzkjJVrgsVbyWBe 369x/jH2rCFiaezXV6K6FHlDnwH6Mka9v1RjYB+fgqFJ1p6O3RlFihBDh4ih7pc+FNhF v9jzwU+7kMr/WZX4myckLQmpHuEzgGz39JcOKBPbOAuUWoDtZku6e66FM2mA35q008vz truw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from lipwig.vger.email (lipwig.vger.email. [23.128.96.33]) by mx.google.com with ESMTPS id u23-20020a056a00099700b00687008df88dsi4996357pfg.52.2023.09.22.14.07.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Sep 2023 14:07:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) client-ip=23.128.96.33; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.33 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 076FC829EA28; Fri, 22 Sep 2023 14:05:04 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229781AbjIVVEx (ORCPT + 28 others); Fri, 22 Sep 2023 17:04:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46740 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229591AbjIVVEw (ORCPT ); Fri, 22 Sep 2023 17:04:52 -0400 Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::226]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 67349AC; Fri, 22 Sep 2023 14:04:45 -0700 (PDT) Received: by mail.gandi.net (Postfix) with ESMTPSA id 9AAC4C0002; Fri, 22 Sep 2023 21:04:40 +0000 (UTC) From: Ilya Maximets To: netdev@vger.kernel.org Cc: Jakub Kicinski , "David S. Miller" , Eric Dumazet , Paolo Abeni , linux-kernel@vger.kernel.org, David Ahern , Florian Westphal , Madhu Koriginja , Frode Nordahl , Steffen Klassert , Ilya Maximets Subject: [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling Date: Fri, 22 Sep 2023 23:04:58 +0200 Message-ID: <20230922210530.2045146-1-i.maximets@ovn.org> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 X-GND-Spam-Score: 300 X-GND-Status: SPAM X-GND-Sasl: i.maximets@ovn.org X-Spam-Status: No, score=2.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Fri, 22 Sep 2023 14:05:04 -0700 (PDT) X-Spam-Level: ** X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1777773430309994585 X-GMAIL-MSGID: 1777773430309994585 Commit b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done") is a direct copy of the old commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done") but for IPv6. However, it also copies a bug that this old commit had. That is: when the third packet of 3WHS connection establishment contains payload, it is added into socket receive queue without the XFRM check and the drop of connection tracking context. That leads to nf_conntrack module being impossible to unload as it waits for all the conntrack references to be dropped while the packet release is deferred in per-cpu cache indefinitely, if not consumed by the application. The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM check and correctly dropping the conntrack context. However, the issue was introduced to IPv6 code afterwards. Fixing it the same way for IPv6 now. Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done") Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/ Signed-off-by: Ilya Maximets Acked-by: Florian Westphal Reviewed-by: Eric Dumazet --- net/ipv6/tcp_ipv6.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 3a88545a265d..44b6949d72b2 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1640,9 +1640,12 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) struct sock *nsk; sk = req->rsk_listener; - drop_reason = tcp_inbound_md5_hash(sk, skb, - &hdr->saddr, &hdr->daddr, - AF_INET6, dif, sdif); + if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) + drop_reason = SKB_DROP_REASON_XFRM_POLICY; + else + drop_reason = tcp_inbound_md5_hash(sk, skb, + &hdr->saddr, &hdr->daddr, + AF_INET6, dif, sdif); if (drop_reason) { sk_drops_add(sk, skb); reqsk_put(req); @@ -1689,6 +1692,7 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb) } goto discard_and_relse; } + nf_reset_ct(skb); if (nsk == sk) { reqsk_put(req); tcp_v6_restore_cb(skb);