From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tobias Brunner, Steffen Klassert, Sasha Levin
Subject: [PATCH 4.19 084/280] xfrm: Fix inbound traffic via XFRM interfaces across network namespaces
Date: Fri, 22 Mar 2019 12:13:57 +0100
Message-Id: <20190322111311.110135874@linuxfoundation.org>
In-Reply-To: <20190322111306.356185024@linuxfoundation.org>
References: <20190322111306.356185024@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit 660899ddf06ae8bb5bbbd0a19418b739375430c5 ]

After moving an XFRM interface to another namespace it stays associated
with the original namespace (net in `struct xfrm_if` and the list keyed
with `xfrmi_net_id`), allowing processes in the new namespace to use
SAs/policies that were created in the original namespace.

For instance, this allows a keying daemon in one namespace to establish
IPsec SAs for other namespaces without processes there having access to
the keys or IKE credentials.

This worked fine for outbound traffic, however, for inbound traffic the
lookup for the interfaces and the policies used the incorrect namespace
(the one the XFRM interface was moved to).

Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Tobias Brunner
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
---
 net/xfrm/xfrm_interface.c | 4 ++--
 net/xfrm/xfrm_policy.c    | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 6f05e831a73e..82723ef44db3 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb) int ifindex; struct xfrm_if *xi; - if (!skb->dev) + if (!secpath_exists(skb) || !skb->dev) return NULL; - xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id); + xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id); ifindex = skb->dev->ifindex; for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) { diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 6ea8036fcdbe..bf5d59270f79 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2340,8 +2340,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, if (ifcb) { xi = ifcb->decode_session(skb); - if (xi) + if (xi) { if_id = xi->p.if_id; + net = xi->net; + } } rcu_read_unlock(); -- 2.19.1
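Review bot: in the `xfrmi_decode_session()` hunk, the new `secpath_exists(skb)` test has to stay ahead of the `xs_net(xfrm_input_state(skb))` call, because `xfrm_input_state()` reads the state recorded in the packet's secpath and a packet that never went through XFRM input has none to read; the short-circuit order in `if (!secpath_exists(skb) || !skb->dev)` gets this right, but nothing in the hunk says why the guard was added alongside the namespace change. Suggest a one-line comment above the `net_generic()` call, e.g. `/* the interface may have been moved to another netns; look it up in the namespace of the SA that decrypted the packet, not in dev_net(skb->dev) */`, so a later cleanup does not "simplify" the lookup back to the device's namespace and reintroduce the cross-namespace mismatch the commit message describes.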
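Review bot: in the `__xfrm_policy_check()` hunk, `net = xi->net;` silently switches which namespace the remainder of the function operates on, but the hunk does not show the later uses of `net` (the policy lookup and any per-namespace error counters), so please confirm that every use after this point is meant to refer to the namespace the interface was created in rather than the one the receiving device now lives in; if the error statistics are supposed to stay with the receiving namespace, that needs a separate variable rather than overwriting `net`. The added braces are the right kernel style for the two-statement body; a short comment on the assignment, e.g. `/* policies for an xfrm interface live in the netns it was created in, not the one it was moved to */`, would record the intent the commit message states.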