Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp3883470pxb; Tue, 2 Mar 2021 00:37:00 -0800 (PST) X-Google-Smtp-Source: ABdhPJyPtLemb4VOOZPRnZD7QMSkewgwWv7ZQX4aNN0oVCfK4hPADmkUgSrEbO07qlk9i1sTmIiE X-Received: by 2002:a17:906:ca02:: with SMTP id jt2mr19782313ejb.312.1614674220374; Tue, 02 Mar 2021 00:37:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614674220; cv=none; d=google.com; s=arc-20160816; b=KDFObZPkNM2ZJFQc/bo4sgEGw37wQ/hi4aRlxVxyoSQ2XbkSB6da9/V9ZQ/Gm4L4SD k4/g+2jkCh1bmWvX26utfBNIKPm73111FZxP7oUfwongWOo0NDJkiOO3DbyOPb0rB0RH X9/XZWY7M2XKIwU0pWTh6WygFypXQm/IwmUPp2Ux5FLf08lIBq70snQqDehJOnivgEf+ csCUMU38MiEv4QjM9F+CQ7tXtGUtsisrZSLuQBFtOP3Q1jQkiy7LBrBtmaLroS+q9OOt pgCLNsi+e+935wOnYZD0gEo6imA/R5iI59Z2mp4tdimUepcsKqWZ2CpqBRiku5wWDr9Z COWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=WKHtECatzQfael+AQiWWuyJ3y/+f6zcgUcKeJWW2cbs=; b=E7EAyTLvM2O12mtihKd6VnOr9Mef2nimNXpt/Af/IsMYuf+HfxIDJa6mcGw/T4J22f DNGlWd8t5AKrqX4GbO6y48RqiOru1epHi5zbO8wyYAme42Q2Px/qbjFIsQ26xtVLwaII mtnvmxUzYQ09IRLlkTWKo3J67gXFnboq4wPU4JwoalSVieSvAmPow1FhIVZoFc2qbboL wyKuY4InwL8SZ4jO5HzOmjhzx2P5wLgAnvCUcx0udMMs/wuiG6SpDQhQ8rroi4rN5Eik YU6bue4W2UAq2S7cJSAhvDvauKsScHy8d+CxDl2d71n4zAU+FDFJb2ycS05M0dP/3itn t6PQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@alliedtelesis.co.nz header.s=mail181024 header.b=Wo7VoMve; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alliedtelesis.co.nz Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i10si13241026ejd.240.2021.03.02.00.36.28; Tue, 02 Mar 2021 00:36:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@alliedtelesis.co.nz header.s=mail181024 header.b=Wo7VoMve; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=alliedtelesis.co.nz Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378443AbhCBBGL (ORCPT + 99 others); Mon, 1 Mar 2021 20:06:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240823AbhCATBN (ORCPT ); Mon, 1 Mar 2021 14:01:13 -0500 Received: from gate2.alliedtelesis.co.nz (gate2.alliedtelesis.co.nz [IPv6:2001:df5:b000:5::4]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B56D1C061794 for ; Mon, 1 Mar 2021 11:00:26 -0800 (PST) Received: from svr-chch-seg1.atlnz.lc (mmarshal3.atlnz.lc [10.32.18.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by gate2.alliedtelesis.co.nz (Postfix) with ESMTPS id EF20C806B7; Tue, 2 Mar 2021 08:00:23 +1300 (NZDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alliedtelesis.co.nz; s=mail181024; t=1614625223; bh=WKHtECatzQfael+AQiWWuyJ3y/+f6zcgUcKeJWW2cbs=; h=From:To:Cc:Subject:Date; b=Wo7VoMveQJ7/MPyoV4CRwpv1OuAB39p1lx4AwAw+nKDQ4VbT2KbLBSRL80mBxWXOn aSmL0WvO5PFYuATYVz7YNm+UagzQUd9PNl8MPQA2t0j8uKUa5KKd9ChTAhWT/v9kTk v+mIKSLvBTW0DbQMwv3fiP4jjlJpojMeiOrsR/7Td1ux9WJ2B6dDCVn41J+LZLY2gi qZjNo0EoH3MBIUYr7SaLjo/Mo1DTQ/C9eO+3ml5UgTYzRYiZqrE6UVN+e6nXezuVxK f8js148C43ddT1uJeFmBCWcScVLHh/JdUVHepw0/O0+IsQZy/TJPC2bhwmgUlC/i0F bSAL02iQ3uxpg== Received: from smtp (Not Verified[10.32.16.33]) by svr-chch-seg1.atlnz.lc with Trustwave SEG (v8,2,6,11305) id ; Tue, 02 Mar 2021 08:00:23 +1300 Received: from evann-dl.ws.atlnz.lc (evann-dl.ws.atlnz.lc [10.33.23.31]) by smtp (Postfix) with ESMTP id 586FF13EECD; Tue, 2 Mar 2021 08:00:34 +1300 (NZDT) Received: by evann-dl.ws.atlnz.lc (Postfix, from userid 1780) id B33201A4EB7; Tue, 2 Mar 2021 08:00:23 +1300 (NZDT) From: Evan Nimmo To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Evan Nimmo Subject: [PATCH v2 1/1] xfrm: Use actual socket sk instead of skb socket for xfrm_output_resume Date: Tue, 2 Mar 2021 08:00:04 +1300 Message-Id: <20210301190004.9586-1-evan.nimmo@alliedtelesis.co.nz> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-SEG-SpamProfiler-Analysis: v=2.3 cv=C7uXNjH+ c=1 sm=1 tr=0 a=KLBiSEs5mFS1a/PbTCJxuA==:117 a=dESyimp9J3IA:10 a=7ZN4cI0QAAAA:8 a=tm9BhY98yDMkBz91zHIA:9 a=Dl0WHwQvj8hGZljrFLtM:22 X-SEG-SpamProfiler-Score: 0 x-atlnz-ls: pat Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org A situation can occur where the interface bound to the sk is different to the interface bound to the sk attached to the skb. The interface bound to the sk is the correct one however this information is lost insid= e xfrm_output2 and instead the sk on the skb is used in xfrm_output_resume instead. This assumes that the sk bound interface and the bound interface attached to the sk within the skb are the same which can lead to lookup failures inside ip_route_me_harder resulting in the packet being dropped. We have an l2tp v3 tunnel with ipsec protection. The tunnel is in the global VRF however we have an encapsulated dot1q tunnel interface that is within a different VRF. We also have a mangle rule that marks the=20 packets causing them to be processed inside ip_route_me_harder. Prior to commit 31c70d5956fc ("l2tp: keep original skb ownership") this worked fine as the sk attached to the skb was changed from the dot1q encapsulated interface to the sk for the tunnel which meant the interface bound to the sk and the interface bound to the skb were identical. Commit 46d6c5ae953c ("netfilter: use actual socket sk rather than skb sk when routing harder") fixed some of these issues however a similar problem existed in the xfrm code. Fixes: 31c70d5956fc ("l2tp: keep original skb ownership") Signed-off-by: Evan Nimmo Reviewed-by: Steffen Klassert --- changes in v2: - Added proper fixes field for backporting include/net/xfrm.h | 2 +- net/ipv4/ah4.c | 2 +- net/ipv4/esp4.c | 2 +- net/ipv6/ah6.c | 2 +- net/ipv6/esp6.c | 2 +- net/xfrm/xfrm_output.c | 10 +++++----- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index b2a06f10b62c..bfbc7810df94 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -1557,7 +1557,7 @@ int xfrm_trans_queue_net(struct net *net, struct sk= _buff *skb, int xfrm_trans_queue(struct sk_buff *skb, int (*finish)(struct net *, struct sock *, struct sk_buff *)); -int xfrm_output_resume(struct sk_buff *skb, int err); +int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err); int xfrm_output(struct sock *sk, struct sk_buff *skb); =20 #if IS_ENABLED(CONFIG_NET_PKTGEN) diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index d99e1be94019..36ed85bf2ad5 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -141,7 +141,7 @@ static void ah_output_done(struct crypto_async_reques= t *base, int err) } =20 kfree(AH_SKB_CB(skb)->tmp); - xfrm_output_resume(skb, err); + xfrm_output_resume(skb->sk, skb, err); } =20 static int ah_output(struct xfrm_state *x, struct sk_buff *skb) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index a3271ec3e162..4b834bbf95e0 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -279,7 +279,7 @@ static void esp_output_done(struct crypto_async_reque= st *base, int err) x->encap && x->encap->encap_type =3D=3D TCP_ENCAP_ESPINTCP) esp_output_tail_tcp(x, skb); else - xfrm_output_resume(skb, err); + xfrm_output_resume(skb->sk, skb, err); } } =20 diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 440080da805b..080ee7f44c64 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -316,7 +316,7 @@ static void ah6_output_done(struct crypto_async_reque= st *base, int err) } =20 kfree(AH_SKB_CB(skb)->tmp); - xfrm_output_resume(skb, err); + xfrm_output_resume(skb->sk, skb, err); } =20 static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 153ad103ba74..727d791ed5e6 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -314,7 +314,7 @@ static void esp_output_done(struct crypto_async_reque= st *base, int err) x->encap && x->encap->encap_type =3D=3D TCP_ENCAP_ESPINTCP) esp_output_tail_tcp(x, skb); else - xfrm_output_resume(skb, err); + xfrm_output_resume(skb->sk, skb, err); } } =20 diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index a7ab19353313..b81ca117dac7 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c @@ -503,22 +503,22 @@ static int xfrm_output_one(struct sk_buff *skb, int= err) return err; } =20 -int xfrm_output_resume(struct sk_buff *skb, int err) +int xfrm_output_resume(struct sock *sk, struct sk_buff *skb, int err) { struct net *net =3D xs_net(skb_dst(skb)->xfrm); =20 while (likely((err =3D xfrm_output_one(skb, err)) =3D=3D 0)) { nf_reset_ct(skb); =20 - err =3D skb_dst(skb)->ops->local_out(net, skb->sk, skb); + err =3D skb_dst(skb)->ops->local_out(net, sk, skb); if (unlikely(err !=3D 1)) goto out; =20 if (!skb_dst(skb)->xfrm) - return dst_output(net, skb->sk, skb); + return dst_output(net, sk, skb); =20 err =3D nf_hook(skb_dst(skb)->ops->family, - NF_INET_POST_ROUTING, net, skb->sk, skb, + NF_INET_POST_ROUTING, net, sk, skb, NULL, skb_dst(skb)->dev, xfrm_output2); if (unlikely(err !=3D 1)) goto out; @@ -534,7 +534,7 @@ EXPORT_SYMBOL_GPL(xfrm_output_resume); =20 static int xfrm_output2(struct net *net, struct sock *sk, struct sk_buff= *skb) { - return xfrm_output_resume(skb, 1); + return xfrm_output_resume(sk, skb, 1); } =20 static int xfrm_output_gso(struct net *net, struct sock *sk, struct sk_b= uff *skb) --=20 2.27.0