From: Jonathan Basseri <misterikkit@google.com>
To: netdev@vger.kernel.org
Cc: jkbs@redhat.com, davem@davemloft.net,
steffen.klassert@secunet.com, lorenzo@google.com,
eric.dumazet@gmail.com, Jonathan Basseri <misterikkit@google.com>
Subject: [PATCH net v2] xfrm: Clear sk_dst_cache when applying per-socket policy.
Date: Wed, 25 Oct 2017 09:52:27 -0700 [thread overview]
Message-ID: <20171025165227.6469-1-misterikkit@google.com> (raw)
In-Reply-To: <20170815222510.21711-1-misterikkit@google.com>
If a socket has a valid dst cache, then xfrm_lookup_route will get
skipped. However, the cache is not invalidated when applying policy to a
socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
sometimes ignored on those sockets. (Note: This was broken for IPv4 and
IPv6 at different times.)
This can be demonstrated like so,
1. Create UDP socket.
2. connect() the socket.
3. Apply an outbound XFRM policy to the socket. (setsockopt)
4. send() data on the socket.
Packets will continue to be sent in the clear instead of matching an
xfrm or returning a no-match error (EAGAIN). This affects calls to
send() and not sendto().
Invalidating the sk_dst_cache is necessary to correctly apply xfrm
policies. Since we do this in xfrm_user_policy(), the sk_lock was
already acquired in either do_ip_setsockopt() or do_ipv6_setsockopt(),
and we may call __sk_dst_reset().
Performance impact should be negligible, since this code is only called
when changing xfrm policy, and only affects the socket in question.
Fixes: 00bc0ef5880d ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid")
Tested: https://android-review.googlesource.com/517555
Tested: https://android-review.googlesource.com/418659
Signed-off-by: Jonathan Basseri <misterikkit@google.com>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 12213477cd3a..1f5cee2269af 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2045,33 +2045,34 @@ EXPORT_SYMBOL(km_is_alive);
int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
{
int err;
u8 *data;
struct xfrm_mgr *km;
struct xfrm_policy *pol = NULL;
if (optlen <= 0 || optlen > PAGE_SIZE)
return -EMSGSIZE;
data = memdup_user(optval, optlen);
if (IS_ERR(data))
return PTR_ERR(data);
err = -EINVAL;
rcu_read_lock();
list_for_each_entry_rcu(km, &xfrm_km_list, list) {
pol = km->compile_policy(sk, optname, data,
optlen, &err);
if (err >= 0)
break;
}
rcu_read_unlock();
if (err >= 0) {
xfrm_sk_policy_insert(sk, err, pol);
xfrm_pol_put(pol);
+ __sk_dst_reset(sk);
err = 0;
}
kfree(data);
return err;
}
--
2.15.0.rc2.357.g7e34df9404-goog
next prev parent reply other threads:[~2017-10-25 16:52 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-15 22:25 [PATCH net] xfrm: Clear sk_dst_cache when applying per-socket policy Jonathan Basseri
2017-08-16 9:03 ` Lorenzo Colitti
2017-08-16 9:03 ` Jakub Sitnicki
2017-08-16 10:43 ` Eric Dumazet
2017-08-16 11:19 ` Jakub Sitnicki
2017-10-24 1:18 ` Jonathan Basseri
2017-10-24 7:04 ` Steffen Klassert
2017-10-24 16:58 ` Jonathan Basseri 😶
2017-10-25 4:25 ` Steffen Klassert
2017-10-25 16:52 ` Jonathan Basseri
2017-10-25 16:52 ` Jonathan Basseri [this message]
2017-10-26 10:54 ` [PATCH net v2] " Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171025165227.6469-1-misterikkit@google.com \
--to=misterikkit@google.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=jkbs@redhat.com \
--cc=lorenzo@google.com \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).