From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pl0-f66.google.com ([209.85.160.66]:39076 "EHLO mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751909AbeBYTrH (ORCPT ); Sun, 25 Feb 2018 14:47:07 -0500 Received: by mail-pl0-f66.google.com with SMTP id s13so8023707plq.6 for ; Sun, 25 Feb 2018 11:47:07 -0800 (PST) Message-ID: <1519588025.3258.3.camel@gmail.com> Subject: Re: [PATCH] netfilter: use skb_to_full_sk in ip6_route_me_harder From: Eric Dumazet To: Pablo Neira Ayuso , Florian Westphal Cc: netdev Date: Sun, 25 Feb 2018 11:47:05 -0800 In-Reply-To: <1519587819.3258.2.camel@gmail.com> References: <1519587819.3258.2.camel@gmail.com> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netdev-owner@vger.kernel.org List-ID: On Sun, 2018-02-25 at 11:43 -0800, Eric Dumazet wrote: > From: Eric Dumazet > > For some reason, Florian forgot to apply to ip6_route_me_harder > the fix that went in commit 29e09229d9f2 ("netfilter: use > skb_to_full_sk in ip_route_me_harder") > > Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")  > Signed-off-by: Eric Dumazet > Reported-by: syzbot > --- >  net/ipv6/netfilter.c |    9 +++++---- >  1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c > index > d95ceca7ff8f648ff301d91a2e3eb60fc2050f1c..531d6957af36c4af48176f9360e9d > 95f78a45d55 100644 > --- a/net/ipv6/netfilter.c > +++ b/net/ipv6/netfilter.c 
> @@ -21,18 +21,19 @@ >  int ip6_route_me_harder(struct net *net, struct sk_buff *skb) >  { >   const struct ipv6hdr *iph = ipv6_hdr(skb); > + struct sock *sk = sk_to_full_sk(skb->sk); >   unsigned int hh_len; >   struct dst_entry *dst; >   struct flowi6 fl6 = { > - .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0, > + .flowi6_oif = sk ? sk->sk_bound_dev_if : 0, >   .flowi6_mark = skb->mark, > - .flowi6_uid = sock_net_uid(net, skb->sk), > + .flowi6_uid = sock_net_uid(net, sk), >   .daddr = iph->daddr, >   .saddr = iph->saddr, >   }; >   int err; >   > - dst = ip6_route_output(net, skb->sk, &fl6); > + dst = ip6_route_output(net, sk, &fl6); >   err = dst->error; >   if (err) { >   IP6_INC_STATS(net, ip6_dst_idev(dst), > IPSTATS_MIB_OUTNOROUTES); > @@ -50,7 +51,7 @@ int ip6_route_me_harder(struct net *net, struct > sk_buff *skb) >   if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) && >       xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) > == 0) { >   skb_dst_set(skb, NULL); > - dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), > skb->sk, 0); > + dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, > 0); >   if (IS_ERR(dst)) >   return PTR_ERR(dst); >   skb_dst_set(skb, dst); No idea what happened, but it looks like this garbage should not affect patchwork. Tell me if a resend is needed, thanks.
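Review bot: In the first hunk (@@ -21,18 +21,19 @@), the new local is initialised with sk_to_full_sk(skb->sk), while the subject line and the title of the referenced commit 29e09229d9f2 both name skb_to_full_sk. The skb_to_full_sk(skb) helper wraps exactly this call, so using it here would keep the code in line with the commit title and with the IPv4 fix it mirrors. The `sk ? sk->sk_bound_dev_if : 0` guard should stay as written, since the converted pointer is still NULL when the skb has no socket attached.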
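Review bot: The commit message does not say what failure syzbot reported, and the second hunk (@@ -50,7 +51,7 @@) is where that matters most for a reader: xfrm_lookup() now receives the full socket instead of skb->sk, so for a SYNACK attached to a request socket (the case named in the Fixes: tag) the policy lookup runs against the listener. One sentence in the changelog stating what went wrong when the request socket was passed to xfrm_lookup() and ip6_route_output() would help anyone judging the backport. The lines of ip6_route_me_harder() between the two hunks are not shown here, so it is also worth confirming that no skb->sk use remains in that part of the function.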