From: Jakub Sitnicki <jkbs@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>, lorenzo@google.com
Cc: Jonathan Basseri <misterikkit@google.com>,
	netdev@vger.kernel.org, davem@davemloft.net,
	steffen.klassert@secunet.com
Subject: Re: [PATCH net] xfrm: Clear sk_dst_cache when applying per-socket policy.
Date: Wed, 16 Aug 2017 13:19:53 +0200
Message-ID: <20170816131953.4ac0efe5@beetle>
In-Reply-To: <1502880234.4936.102.camel@edumazet-glaptop3.roam.corp.google.com>

On Wed, 16 Aug 2017 03:43:54 -0700
Eric Dumazet <eric.dumazet@gmail.com> wrote:

> On Wed, 2017-08-16 at 11:03 +0200, Jakub Sitnicki wrote:
> > On Tue, 15 Aug 2017 15:25:10 -0700
> > Jonathan Basseri <misterikkit@google.com> wrote:
> >   
> > > If an IPv6 socket has a valid dst cache, then xfrm_lookup_route will get
> > > skipped. However, the cache is not invalidated when applying policy to a
> > > socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
> > > sometimes ignored on those sockets.
> > > 
> > > This can be demonstrated like so,
> > > 1. Create UDPv6 socket.
> > > 2. connect() the socket.
> > > 3. Apply an outbound XFRM policy to the socket.
> > > 4. send() data on the socket.
> > > 
> > > Packets will continue to be sent in the clear instead of matching an
> > > xfrm or returning a no-match error (EAGAIN). This affects calls to
> > > send() and not sendto().
> > > 
> > > Note: Creating normal XFRM policies should have a similar effect on
> > > sk_dst_cache entries that match the policy, but that is not fixed in
> > > this patch.
> > > 
> > > Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid")
> > > Tested: https://android-review.googlesource.com/418659
> > > Signed-off-by: Jonathan Basseri <misterikkit@google.com>
> > > ---  
> > 
> > Thank you for the fix.
> > 
> > Acked-by: Jakub Sitnicki <jkbs@redhat.com>  
> 
> I do not believe this fix is correct.
> 
> What happens if the socket is TCP?
> 
> sk_dst_reset(sk) is not safe for them.
> 
> This might add use-after-free, and eventually crash.

You are right. I see that the RCU variant __sk_dst_reset() is used
throughout the TCP stack. Thank you for pointing it out.

Please disregard my earlier ACK.

-Jakub
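The four-step reproduction from the quoted commit message, written out as a regression check to run against a kernel under test (added here as an example; it is not the patch, the linked Android test, or any other code from this thread). It assumes a UDPv6 socket connected to [::1]:9 over loopback, an outbound per-socket policy with one mandatory ESP template and no SA installed, and CAP_NET_ADMIN for the setsockopt: on a kernel that honours the policy, send() fails with EAGAIN as the message states; a datagram that leaves in the clear is the bug.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>    /* before linux/xfrm.h so in6 types are not redefined */
#include <linux/xfrm.h>

struct sk_policy {     /* IPV6_XFRM_POLICY payload: header, then templates (kernel reads them at p + 1) */
    struct xfrm_userpolicy_info info;
    struct xfrm_user_tmpl tmpl;
};

/* Outbound ALLOW policy for all IPv6 flows with one mandatory ESP template and
 * no SA to satisfy it: a kernel that honours it must fail send() with EAGAIN. */
static socklen_t build_out_esp_policy(struct sk_policy *p)
{
    memset(p, 0, sizeof(*p));
    p->info.sel.family = AF_INET6;            /* zero prefix lengths: any flow */
    p->info.dir = XFRM_POLICY_OUT;
    p->info.action = XFRM_POLICY_ALLOW;
    p->info.lft.soft_byte_limit = p->info.lft.hard_byte_limit = XFRM_INF;
    p->info.lft.soft_packet_limit = p->info.lft.hard_packet_limit = XFRM_INF;
    p->tmpl.id.proto = IPPROTO_ESP;
    p->tmpl.family = AF_INET6;                /* mode 0 = transport, optional 0 = mandatory */
    p->tmpl.aalgos = p->tmpl.ealgos = p->tmpl.calgos = ~0u;
    return sizeof(p->info) + sizeof(p->tmpl);
}

/* Steps 1-4 of the report.  0: policy honoured (EAGAIN); 1: datagram left in
 * the clear (the bug); -1: setup failed (needs CAP_NET_ADMIN and CONFIG_XFRM). */
static int check_policy_after_connect(void)
{
    struct sockaddr_in6 dst = { .sin6_family = AF_INET6, .sin6_port = htons(9),
                                .sin6_addr = IN6ADDR_LOOPBACK_INIT };   /* constructed: [::1]:9 */
    struct sk_policy pol;
    int fd = socket(AF_INET6, SOCK_DGRAM, 0), rc = -1;
    /* connect() caches a route in sk_dst_cache; applying the policy must drop it */
    if (fd >= 0 && connect(fd, (struct sockaddr *)&dst, sizeof(dst)) == 0 &&
        setsockopt(fd, IPPROTO_IPV6, IPV6_XFRM_POLICY, &pol,
                   build_out_esp_policy(&pol)) == 0)
        rc = send(fd, "x", 1, 0) < 0 ? (errno == EAGAIN ? 0 : -1) : 1;
    if (fd >= 0)
        close(fd);
    return rc;
}

int main(void)
{
    return check_policy_after_connect() != 0;   /* exit 0 only if EAGAIN was seen */
}
```

Without CAP_NET_ADMIN the setsockopt fails with EPERM and the check reports -1 rather than a verdict.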