[PATCH net] ipv6: tcp: add a missing nf_reset

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
@ 2023-09-22 21:04 Ilya Maximets
  2023-09-22 23:53 ` Florian Westphal
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ilya Maximets @ 2023-09-22 21:04 UTC (permalink / raw)
  To: netdev
  Cc: Jakub Kicinski, David S. Miller, Eric Dumazet, Paolo Abeni,
	linux-kernel, David Ahern, Florian Westphal, Madhu Koriginja,
	Frode Nordahl, Steffen Klassert, Ilya Maximets

Commit b0e214d21203 ("netfilter: keep conntrack reference until
IPsecv6 policy checks are done") is a direct copy of the old
commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
IPsec policy checks are done") but for IPv6.  However, it also
copies a bug that this old commit had.  That is: when the third
packet of 3WHS connection establishment contains payload, it is
added into socket receive queue without the XFRM check and the
drop of connection tracking context.

That leads to nf_conntrack module being impossible to unload as
it waits for all the conntrack references to be dropped while
the packet release is deferred in per-cpu cache indefinitely, if
not consumed by the application.

The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a
missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM
check and correctly dropping the conntrack context.  However, the
issue was introduced to IPv6 code afterwards.  Fixing it the
same way for IPv6 now.

Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done")
Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
---
 net/ipv6/tcp_ipv6.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 3a88545a265d..44b6949d72b2 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1640,9 +1640,12 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
 		struct sock *nsk;

 		sk = req->rsk_listener;
-		drop_reason = tcp_inbound_md5_hash(sk, skb,
-						   &hdr->saddr, &hdr->daddr,
-						   AF_INET6, dif, sdif);
+		if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
+			drop_reason = SKB_DROP_REASON_XFRM_POLICY;
+		else
+			drop_reason = tcp_inbound_md5_hash(sk, skb,
+							   &hdr->saddr, &hdr->daddr,
+							   AF_INET6, dif, sdif);
 		if (drop_reason) {
 			sk_drops_add(sk, skb);
 			reqsk_put(req);
@@ -1689,6 +1692,7 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
 			}
 			goto discard_and_relse;
 		}
+		nf_reset_ct(skb);
 		if (nsk == sk) {
 			reqsk_put(req);
 			tcp_v6_restore_cb(skb);
-- 
2.41.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
  2023-09-22 21:04 [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling Ilya Maximets
@ 2023-09-22 23:53 ` Florian Westphal
  2023-09-25  4:35 ` Eric Dumazet
  2023-10-03  8:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2023-09-22 23:53 UTC (permalink / raw)
  To: Ilya Maximets
  Cc: netdev, Jakub Kicinski, David S. Miller, Eric Dumazet,
	Paolo Abeni, linux-kernel, David Ahern, Florian Westphal,
	Madhu Koriginja, Frode Nordahl, Steffen Klassert

Ilya Maximets <i.maximets@ovn.org> wrote:
> Commit b0e214d21203 ("netfilter: keep conntrack reference until
> IPsecv6 policy checks are done") is a direct copy of the old
> commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
> IPsec policy checks are done") but for IPv6.  However, it also
> copies a bug that this old commit had.  That is: when the third
> packet of 3WHS connection establishment contains payload, it is
> added into socket receive queue without the XFRM check and the
> drop of connection tracking context.
> 
> That leads to nf_conntrack module being impossible to unload as
> it waits for all the conntrack references to be dropped while
> the packet release is deferred in per-cpu cache indefinitely, if
> not consumed by the application.
> 
> The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a
> missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM
> check and correctly dropping the conntrack context.  However, the
> issue was introduced to IPv6 code afterwards.  Fixing it the
> same way for IPv6 now.
> 
> Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done")
> Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/
> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> ---
>  net/ipv6/tcp_ipv6.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 

LGTM, thanks for tracking this down.

Acked-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
  2023-09-22 21:04 [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling Ilya Maximets
  2023-09-22 23:53 ` Florian Westphal
@ 2023-09-25  4:35 ` Eric Dumazet
  2023-10-03  8:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2023-09-25  4:35 UTC (permalink / raw)
  To: Ilya Maximets
  Cc: netdev, Jakub Kicinski, David S. Miller, Paolo Abeni,
	linux-kernel, David Ahern, Florian Westphal, Madhu Koriginja,
	Frode Nordahl, Steffen Klassert

On Fri, Sep 22, 2023 at 11:04 PM Ilya Maximets <i.maximets@ovn.org> wrote:
>
> Commit b0e214d21203 ("netfilter: keep conntrack reference until
> IPsecv6 policy checks are done") is a direct copy of the old
> commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
> IPsec policy checks are done") but for IPv6.  However, it also
> copies a bug that this old commit had.  That is: when the third
> packet of 3WHS connection establishment contains payload, it is
> added into socket receive queue without the XFRM check and the
> drop of connection tracking context.
>
> That leads to nf_conntrack module being impossible to unload as
> it waits for all the conntrack references to be dropped while
> the packet release is deferred in per-cpu cache indefinitely, if
> not consumed by the application.
>
> The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a
> missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM
> check and correctly dropping the conntrack context.  However, the
> issue was introduced to IPv6 code afterwards.  Fixing it the
> same way for IPv6 now.
>
> Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done")
> Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/
> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> ---

Nica catch, thanks a lot.

Reviewed-by: Eric Dumazet <edumazet@google.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
  2023-09-22 21:04 [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling Ilya Maximets
  2023-09-22 23:53 ` Florian Westphal
  2023-09-25  4:35 ` Eric Dumazet
@ 2023-10-03  8:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-10-03  8:00 UTC (permalink / raw)
  To: Ilya Maximets
  Cc: netdev, kuba, davem, edumazet, pabeni, linux-kernel, dsahern, fw,
	madhu.koriginja, frode.nordahl, steffen.klassert

Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Fri, 22 Sep 2023 23:04:58 +0200 you wrote:
> Commit b0e214d21203 ("netfilter: keep conntrack reference until
> IPsecv6 policy checks are done") is a direct copy of the old
> commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
> IPsec policy checks are done") but for IPv6.  However, it also
> copies a bug that this old commit had.  That is: when the third
> packet of 3WHS connection establishment contains payload, it is
> added into socket receive queue without the XFRM check and the
> drop of connection tracking context.
> 
> [...]

Here is the summary with links:
  - [net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
    https://git.kernel.org/netdev/net/c/9593c7cb6cf6

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-10-03  8:00 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-22 21:04 [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling Ilya Maximets
2023-09-22 23:53 ` Florian Westphal
2023-09-25  4:35 ` Eric Dumazet
2023-10-03  8:00 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).