From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH ipsec-next] xfrm: check that cached bundle is still valid
Date: Mon, 07 Aug 2017 14:26:28 -0700 (PDT)
Message-ID: <20170807.142628.1235964040083698243.davem@davemloft.net>
References: <20170806081907.5267-1-fw@strlen.de>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org
To: fw@strlen.de
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:36504 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751662AbdHGV03 (ORCPT ); Mon, 7 Aug 2017 17:26:29 -0400
In-Reply-To: <20170806081907.5267-1-fw@strlen.de>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Florian Westphal
Date: Sun, 6 Aug 2017 10:19:07 +0200

> Quoting Ilan Tayari:
>   1. Set up a host-to-host IPSec tunnel (or transport, doesn't matter)
>   2. Ping over IPSec, or do something to populate the pcpu cache
>   3. Join a MC group, then leave MC group
>   4. Try to ping again using same CPU as before -> traffic
>      doesn't egress the machine at all
>
> Ilan debugged the problem down to the fact that one of the path dsts
> devices point to lo due to earlier dst_dev_put().
> In this case, dst is marked as DEAD and we cannot reuse the bundle.
>
> The cache only asserted that the requested policy and that of the cached
> bundle match, but it's not enough - also verify the path is still valid.
>
> Fixes: ec30d78c14a813 ("xfrm: add xdst pcpu cache")
> Reported-by: Ayham Masood
> Tested-by: Ilan Tayari
> Signed-off-by: Florian Westphal

Since this regression is from the flow cache removal that went
directly into my tree, I'll apply this directly to net-next as well.

Thanks Florian.
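The failure mode described in the quoted commit message, as an added example that is not part of the original mail and is not kernel code: a simplified user-space C model in which a cached bundle whose policies match is still rejected once a dst on its path is dead. All type and function names (`model_dst`, `model_bundle`, `policies_match`, `path_still_valid`, `cache_lookup`) are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_POLS 2

/* Simplified user-space model; these are not the kernel's structures. */
struct model_dst {
    bool dead;                  /* device under this dst went away */
    struct model_dst *child;    /* next dst on the path, NULL at the end */
};

struct model_bundle {
    const void *pols[MAX_POLS]; /* policies the bundle was built for */
    int num_pols;
    struct model_dst *path;     /* first dst of the bundle's path */
};

/* Policy comparison only: the check the commit message calls "not enough". */
static bool policies_match(const struct model_bundle *b,
                           const void *const *pols, int num_pols)
{
    return b->num_pols == num_pols &&
           memcmp(b->pols, pols, sizeof(*pols) * num_pols) == 0;
}

/* Walk every dst on the path; one dead entry invalidates the bundle. */
static bool path_still_valid(const struct model_bundle *b)
{
    for (const struct model_dst *d = b->path; d; d = d->child)
        if (d->dead)
            return false;
    return true;
}

/* Return the cached bundle only if both checks pass, else NULL (rebuild). */
static struct model_bundle *cache_lookup(struct model_bundle *cached,
                                         const void *const *pols, int num_pols)
{
    if (!cached || !policies_match(cached, pols, num_pols))
        return NULL;
    return path_still_valid(cached) ? cached : NULL;
}

int main(void)
{
    int pol = 0;                                    /* constructed sample */
    struct model_dst last = { true, NULL }, first = { false, &last };
    struct model_bundle b = { { &pol, NULL }, 1, &first };
    const void *want[MAX_POLS] = { &pol, NULL };
    return cache_lookup(&b, want, 1) == NULL ? 0 : 1; /* dead path: rebuild */
}
```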