From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Dumazet Subject: Re: [BUG] kernel stack corruption during/after Netlabel error Date: Thu, 30 Nov 2017 09:57:09 -0800 Message-ID: <1512064629.19682.21.camel@gmail.com> References: <4d73f839-7a86-6edc-b44b-e296bd5947c2@schaufler-ca.com> <1512039044.19682.12.camel@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Cc: Paul Moore , netdev@vger.kernel.org, Stephen Smalley , selinux@tycho.nsa.gov, LSM To: David Ahern , Casey Schaufler , James Morris Return-path: Received: from mail-pg0-f65.google.com ([74.125.83.65]:34924 "EHLO mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752290AbdK3R5M (ORCPT ); Thu, 30 Nov 2017 12:57:12 -0500 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Thu, 2017-11-30 at 10:30 -0700, David Ahern wrote: > On 11/30/17 8:44 AM, David Ahern wrote: > > On 11/30/17 3:50 AM, Eric Dumazet wrote: > > > @@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb) > > >   > > >   th = (const struct tcphdr *)skb->data; > > >   iph = ip_hdr(skb); > > > - /* This is tricky : We move IPCB at its correct location > > > into TCP_SKB_CB() > > > -  * barrier() makes sure compiler wont play > > > fool^Waliasing games. > > > -  */ > > > - memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb), > > > - sizeof(struct inet_skb_parm)); > > > - barrier(); > > > - > > > - TCP_SKB_CB(skb)->seq = ntohl(th->seq); > > > - TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th- > > > >syn + th->fin + > > > -     skb->len - th->doff * 4); > > > - TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq); > > > - TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th); > > > - TCP_SKB_CB(skb)->tcp_tw_isn = 0; > > > - TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph); > > > - TCP_SKB_CB(skb)->sacked  = 0; > > > - TCP_SKB_CB(skb)->has_rxtstamp = > > > - skb->tstamp || skb_hwtstamps(skb)- > > > >hwtstamp; > > > - > > >  lookup: > > >   sk = __inet_lookup_skb(&tcp_hashinfo, skb, > > > __tcp_hdrlen(th), th->source, > > >          th->dest, sdif, &refcounted); > > > > I believe moving the above is going to affect lookups with VRF. Let > > me > > take a look before this gets committed. > > > > Eric: > > Can you add this to the patch? Fixes socket lookups with VRF which > stashes a flag in the cb. > > Thanks, > > diff --git a/include/net/tcp.h b/include/net/tcp.h > index 4e09398009c1..6c020015d556 100644 > --- a/include/net/tcp.h > +++ b/include/net/tcp.h > @@ -849,7 +849,7 @@ static inline bool inet_exact_dif_match(struct > net > *net, struct sk_buff *skb) >  { >  #if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) >         if (!net->ipv4.sysctl_tcp_l3mdev_accept && > -           skb && ipv4_l3mdev_skb(TCP_SKB_CB(skb)->header.h4.flags)) > +           skb && ipv4_l3mdev_skb(IPCB(skb)->flags)) >                 return true; >  #endif >         return false; I wonder if this should not be in a separate patch ? Bug was added in 971f10eca186cab238c49daa91f703c5a001b0b1 ("tcp: better TCP_SKB_CB layout to reduce cache line misses") in linux 3.18 While VRF was added later. If you agree, I will prepare a patch series, with different Fixes tag so that David can decide which path needs to be backported into each stable version. Thanks.