* [PATCH ipsec-next] xfrm: check that cached bundle is still valid
@ 2017-08-06 8:19 Florian Westphal
2017-08-07 21:26 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2017-08-06 8:19 UTC (permalink / raw)
To: netdev; +Cc: Florian Westphal
Quoting Ilan Tayari:
1. Set up a host-to-host IPSec tunnel (or transport, doesn't matter)
2. Ping over IPSec, or do something to populate the pcpu cache
3. Join a MC group, then leave MC group
4. Try to ping again using same CPU as before -> traffic
doesn't egress the machine at all
Ilan debugged the problem down to the fact that one of the path dsts
devices point to lo due to earlier dst_dev_put().
In this case, dst is marked as DEAD and we cannot reuse the bundle.
The cache only asserted that the requested policy and that of the cached
bundle match, but it's not enough - also verify the path is still valid.
Fixes: ec30d78c14a813 ("xfrm: add xdst pcpu cache")
Reported-by: Ayham Masood <ayhamm@mellanox.com>
Tested-by: Ilan Tayari <ilant@mellanox.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/xfrm/xfrm_policy.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 06c3bf7ab86b..8da428f56aec 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1818,7 +1818,8 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
xdst->num_pols == num_pols &&
!xfrm_pol_dead(xdst) &&
memcmp(xdst->pols, pols,
- sizeof(struct xfrm_policy *) * num_pols) == 0) {
+ sizeof(struct xfrm_policy *) * num_pols) == 0 &&
+ xfrm_bundle_ok(xdst)) {
dst_hold(&xdst->u.dst);
return xdst;
}
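Review bot: The added xfrm_bundle_ok(xdst) term at the end of the cache-hit condition carries no comment, and the reason for it (policies matching is not sufficient, because a path dst may have been marked DEAD after dst_dev_put()) lives only in the commit message. A one-line comment above the condition would keep the check from being dropped in a later cleanup. The hunk also does not show what happens to the stale entry when the condition falls through; please confirm that the miss path replaces the cached xdst and drops the reference it held, so a dead bundle does not stay pinned in the per-cpu slot.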
--
2.13.3
* Re: [PATCH ipsec-next] xfrm: check that cached bundle is still valid
2017-08-06 8:19 [PATCH ipsec-next] xfrm: check that cached bundle is still valid Florian Westphal
@ 2017-08-07 21:26 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-08-07 21:26 UTC (permalink / raw)
To: fw; +Cc: netdev
From: Florian Westphal <fw@strlen.de>
Date: Sun, 6 Aug 2017 10:19:07 +0200
> Quoting Ilan Tayari:
> 1. Set up a host-to-host IPSec tunnel (or transport, doesn't matter)
> 2. Ping over IPSec, or do something to populate the pcpu cache
> 3. Join a MC group, then leave MC group
> 4. Try to ping again using same CPU as before -> traffic
> doesn't egress the machine at all
>
> Ilan debugged the problem down to the fact that one of the path dsts
> devices point to lo due to earlier dst_dev_put().
> In this case, dst is marked as DEAD and we cannot reuse the bundle.
>
> The cache only asserted that the requested policy and that of the cached
> bundle match, but it's not enough - also verify the path is still valid.
>
> Fixes: ec30d78c14a813 ("xfrm: add xdst pcpu cache")
> Reported-by: Ayham Masood <ayhamm@mellanox.com>
> Tested-by: Ilan Tayari <ilant@mellanox.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Since this regression is from the flow cache removal that went directly
into my tree, I'll apply this directly to net-next as well.
Thanks Florian.