From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tobias Brunner, Steffen Klassert, Sasha Levin, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 20/60] xfrm: Fix inbound traffic via XFRM interfaces across network namespaces
Date: Wed, 13 Mar 2019 15:09:41 -0400
Message-Id: <20190313191021.158171-20-sashal@kernel.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190313191021.158171-1-sashal@kernel.org>
References: <20190313191021.158171-1-sashal@kernel.org>
MIME-Version: 1.0
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tobias Brunner

[ Upstream commit 660899ddf06ae8bb5bbbd0a19418b739375430c5 ]

After moving an XFRM interface to another namespace it stays associated
with the original namespace (net in `struct xfrm_if` and the list keyed
with `xfrmi_net_id`), allowing processes in the new namespace to use
SAs/policies that were created in the original namespace. For instance,
this allows a keying daemon in one namespace to establish IPsec SAs for
other namespaces without processes there having access to the keys or
IKE credentials.

This worked fine for outbound traffic; however, for inbound traffic the
lookup for the interfaces and the policies used the incorrect namespace
(the one the XFRM interface was moved to).

Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Tobias Brunner
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
---
 net/xfrm/xfrm_interface.c | 4 ++--
 net/xfrm/xfrm_policy.c    | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index d679fa0f44b3..fcf3c714f4ff 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb) int ifindex; struct xfrm_if *xi; - if (!skb->dev) + if (!secpath_exists(skb) || !skb->dev) return NULL; - xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id); + xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id); ifindex = skb->dev->ifindex; for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) { diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6ea8036fcdbe..bf5d59270f79 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2340,8 +2340,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, if (ifcb) { xi = ifcb->decode_session(skb); - if (xi) + if (xi) { if_id = xi->p.if_id; + net = xi->net; + } } rcu_read_unlock(); -- 2.19.1
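Review bot: in the xfrmi_decode_session() hunk, the new guard `if (!secpath_exists(skb) || !skb->dev)` together with `xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);` turns this helper into an inbound-only lookup, and the function carries no comment saying so. Add a short comment above the guard stating that the function may only be called for packets that carry a secpath (i.e. came in through xfrm_input) and that the xfrmi list is searched in the namespace the interface was created in, taken from the input SA, rather than in the namespace `skb->dev` currently lives in; without that, the next reader is likely to "simplify" the lookup back to `dev_net(skb->dev)`, which is exactly the bug the commit message describes.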
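Review bot: in the __xfrm_policy_check() hunk, `net = xi->net;` is assigned while the RCU read side is held and is then used for the policy lookup after the `rcu_read_unlock();` that immediately follows; nothing in the hunk records why the creating namespace referenced by `xi->net` remains valid across that boundary. Put a one-line comment next to the assignment saying what guarantees that, and note there (or in the commit message) that from this point on `net` may differ from the namespace of `skb->dev` for packets received via an XFRM interface, so later code in this function must not assume the two are equal.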
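The deployment the commit message describes, as an added example script that is not part of the patch, the kernel or iproute2: two "keying" namespaces (ike-a, ike-b) hold the SAs and policies, each xfrm interface is created there and then moved into an "application" namespace (app-a, app-b) that never sees the keys, and `if_id` ties the moved interface back to the SAs and policies it left behind. Namespace and device names, addresses, the if_id 42, the SPIs and the randomly generated keys are all constructed for the demo; a real IKE daemon would install the SAs in ike-a/ike-b instead of the `ip xfrm state add` lines. It needs root, iproute2 with `type xfrm` link support and a kernel carrying this fix.

```shell
#!/bin/sh
# Cross-namespace XFRM interface demo. Added example; not part of the patch or
# of the kernel/iproute2 sources. Two "keying" namespaces (ike-a, ike-b) hold
# the SAs and policies; each xfrm interface is created there and then moved
# into an "application" namespace (app-a, app-b) that never sees the keys.
# Needs root, iproute2 with "type xfrm" support, and a kernel with this fix.
# Namespace/device names, addresses, if_id, SPIs and keys are constructed.
set -eu

IF_ID=42                                          # ties interface, SAs and policies together
UNDERLAY_A=10.0.0.1; UNDERLAY_B=10.0.0.2          # ESP endpoints (ike-a / ike-b)
OVERLAY_A=192.168.100.1; OVERLAY_B=192.168.100.2  # addresses on ipsec0 (app-a / app-b)

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 160 bits of AES-GCM key material (128-bit key + 32-bit salt), hex encoded.
newkey() { od -An -N20 -tx1 /dev/urandom | tr -d ' \n'; }

# Underlay: a veth pair between the two keying namespaces.
setup_underlay() {
    run ip netns add ike-a
    run ip netns add ike-b
    run ip link add veth-a type veth peer name veth-b
    run ip link set veth-a netns ike-a
    run ip link set veth-b netns ike-b
    run ip -n ike-a addr add "$UNDERLAY_A/24" dev veth-a
    run ip -n ike-a link set veth-a up
    run ip -n ike-b addr add "$UNDERLAY_B/24" dev veth-b
    run ip -n ike-b link set veth-b up
}

# Create ipsec0 in keying namespace $1 (so it stays bound to that namespace's
# SAs/policies through if_id), then move it into application namespace $2.
# $3 is the underlay device in $1, $4 the overlay address to give ipsec0.
setup_xfrmi() {
    run ip netns add "$2"
    run ip -n "$1" link add ipsec0 type xfrm dev "$3" if_id "$IF_ID"
    run ip -n "$1" link set ipsec0 netns "$2"
    run ip -n "$2" addr add "$4/24" dev ipsec0
    run ip -n "$2" link set ipsec0 up
}

# SAs and policies exist only in keying namespace $1; if_id ties them to the
# interface that now lives elsewhere. (A real IKE daemon would install these.)
# $2/$3 local/remote ESP endpoint, $4/$5 outbound/inbound SPI, $6/$7 their keys.
setup_ipsec() {
    for dir in out in; do
        if [ "$dir" = out ]; then src=$2; dst=$3; spi=$4; key=$6
        else                      src=$3; dst=$2; spi=$5; key=$7; fi
        run ip -n "$1" xfrm state add src "$src" dst "$dst" proto esp spi "$spi" \
            mode tunnel if_id "$IF_ID" aead 'rfc4106(gcm(aes))' "0x$key" 128
        run ip -n "$1" xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir "$dir" \
            if_id "$IF_ID" tmpl src "$src" dst "$dst" proto esp mode tunnel
    done
}

up() {
    setup_underlay
    setup_xfrmi ike-a app-a veth-a "$OVERLAY_A"
    setup_xfrmi ike-b app-b veth-b "$OVERLAY_B"
    k_ab=$(newkey); k_ba=$(newkey)
    setup_ipsec ike-a "$UNDERLAY_A" "$UNDERLAY_B" 0x1001 0x1002 "$k_ab" "$k_ba"
    setup_ipsec ike-b "$UNDERLAY_B" "$UNDERLAY_A" 0x1002 0x1001 "$k_ba" "$k_ab"
}

# The property the commit message relies on: app-a can use ipsec0 but holds no
# SAs, and replies arrive because the inbound interface/policy lookup is done
# in the keying namespace. Returns non-zero if either part fails.
verify() {
    [ -z "$(ip -n app-a xfrm state)" ] || { echo "app-a holds SAs" >&2; return 1; }
    ip netns exec app-a ping -c 1 -W 2 "$OVERLAY_B" >/dev/null
}

down() {
    for ns in app-a app-b ike-a ike-b; do run ip netns del "$ns"; done
}

case "${1:-}" in
    up) up ;; verify) verify ;; down) down ;;
    "") ;;                                   # no argument: only define functions
    *) echo "usage: $0 up|verify|down" >&2 ;;
esac
```

Run `sudo sh xfrmi-xnetns.sh up` and then `sudo sh xfrmi-xnetns.sh verify`; `DRY_RUN=1 sh xfrmi-xnetns.sh up` prints the command sequence without touching the host. Outbound traffic from app-a is encrypted with SAs that exist only in ike-a, and on a kernel without this fix the ping in `verify` fails because the reply is dropped at the inbound policy check in app-b, which is the symptom the commit message describes; `ip -n app-a xfrm state` and `ip -n app-a xfrm policy` stay empty throughout, which is the isolation the split is meant to provide.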