From: Florian Westphal <fw@strlen.de>
To: Ilya Maximets <i.maximets@ovn.org>
Cc: netdev@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>,
linux-kernel@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Florian Westphal <fw@strlen.de>,
Madhu Koriginja <madhu.koriginja@nxp.com>,
Frode Nordahl <frode.nordahl@canonical.com>,
Steffen Klassert <steffen.klassert@secunet.com>
Subject: Re: [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
Date: Sat, 23 Sep 2023 01:53:51 +0200 [thread overview]
Message-ID: <20230922235351.GA22532@breakpoint.cc> (raw)
In-Reply-To: <20230922210530.2045146-1-i.maximets@ovn.org>
Ilya Maximets <i.maximets@ovn.org> wrote:
> Commit b0e214d21203 ("netfilter: keep conntrack reference until
> IPsecv6 policy checks are done") is a direct copy of the old
> commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
> IPsec policy checks are done") but for IPv6. However, it also
> copies a bug that this old commit had. That is: when the third
> packet of 3WHS connection establishment contains payload, it is
> added into socket receive queue without the XFRM check and the
> drop of connection tracking context.
>
> That leads to nf_conntrack module being impossible to unload as
> it waits for all the conntrack references to be dropped while
> the packet release is deferred in per-cpu cache indefinitely, if
> not consumed by the application.
>
> The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a
> missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM
> check and correctly dropping the conntrack context. However, the
> issue was introduced to IPv6 code afterwards. Fixing it the
> same way for IPv6 now.
>
> Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done")
> Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/
> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> ---
> net/ipv6/tcp_ipv6.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
LGTM, thanks for tracking this down.
Acked-by: Florian Westphal <fw@strlen.de>
next prev parent reply other threads:[~2023-09-22 23:54 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-22 21:04 [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling Ilya Maximets
2023-09-22 23:53 ` Florian Westphal [this message]
2023-09-25 4:35 ` Eric Dumazet
2023-10-03 8:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230922235351.GA22532@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=frode.nordahl@canonical.com \
--cc=i.maximets@ovn.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=madhu.koriginja@nxp.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.