Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp5032406iog; Wed, 22 Jun 2022 10:30:57 -0700 (PDT) X-Google-Smtp-Source: AGRyM1toZQzgBlUkg8h+uGJgstN+9FkcorwlWKitvaR9+93TIcM0e3mxz162gpKw4AhX6W/CEDIZ X-Received: by 2002:a17:906:530e:b0:713:3a97:1cf9 with SMTP id h14-20020a170906530e00b007133a971cf9mr4200533ejo.110.1655919056769; Wed, 22 Jun 2022 10:30:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655919056; cv=none; d=google.com; s=arc-20160816; b=vCYRMAnJ2BBy4530Cwh/QVuNViOufW6Oodyt3074nddxOY7ONwa3f3npSdrwbvHSJn /tHVu811FaJ0dM2OQETlj55RL8QGTgLBC/Cb+va2j57R+10B8zdl0crfu8gcVULuL/Iw AGAY7iqLBg1j4q3GKFlAl90OnjyXXUW6Sjshyhc/zp8MSsyFcQqbfuQL8Y41B9SzukNQ vPF6To22PZNJQ1UHDKnBfOY8gN8rfFgIFvbhkqIp5SWk+H+/JMo221DR8NSrkjVdyl5+ MO6BytX/5uaxht51qz4XCHt7iVutt4JsYno4L242O9VwfXTs7rZ7xQWtbM0keE6SWJ9X AGQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=OwKNJdEq2fSuT6c6/krJqcgyCdnVK9ItawtXpFRBFlw=; b=a/BTlUXq90cUHzmXvdwdNNb8hUbfFTZPHP9SZkubQfPCGytC2GSEUOR64aVQVYwbR5 ganRrhudMzY8ggDO8QsaqP6zcltOFXg3jRi6IEFS9E7EEVyWDwNCoDmxD32c2WI3bXxZ f76EObhH7ZRw+m8+ZP5xSDXNpj+hIrtjGIgfAyJCZ9JQHAv7pC4vSdACxqVzrBYUxpg7 w2GQ4cMYg2UEOczLGkzrf5YbBVZXbc2VtYkgdXswAQV0nuQcwKIlW2kto2BFS6pHpl/a 9Qms1PrLf0TX8RGfpIIBGCSrDjanDmbYPhUlpzioQi4x7RoT8ifOl7MtkPZIBpOoJ3tL uzvg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=X8R0nCGY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id he11-20020a1709073d8b00b00722e8821ff6si4985447ejc.514.2022.06.22.10.30.29; Wed, 22 Jun 2022 10:30:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=X8R0nCGY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377046AbiFVRDk (ORCPT + 99 others); Wed, 22 Jun 2022 13:03:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40224 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1376451AbiFVRD1 (ORCPT ); Wed, 22 Jun 2022 13:03:27 -0400 Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 475D33CA47 for ; Wed, 22 Jun 2022 10:03:25 -0700 (PDT) Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-317a66d62dfso108560397b3.7 for ; Wed, 22 Jun 2022 10:03:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OwKNJdEq2fSuT6c6/krJqcgyCdnVK9ItawtXpFRBFlw=; b=X8R0nCGYt4xCP/TPEs2XC7WfnU+y3rxCP0kcWE2gHcT/OHmnv8ss11MKBNhnCCurrj vtvXZJhHlDT1oTt6nZgmuyN/pwg6B8BYRg7Gag6i12oUp7sqeezN+ILgXGfi3bGmXWhl 982rpk+Yy73ekHr95pdroJBr25jow78QjIi5YKjOAzddn67CYeuKBgzmlRXJu+C3/sg8 YziAyKnXXJbvIAhitG+EPziQuFcuOVwxwn/xHJre+nsqqrL+hR8ig6cPjXNVspUFsnuS DpWO/rp2s0lDFdYCsYoDUYdLcW2IGq5ymO8HFhZVAztm3ZlPNe+T7Y1d+KVnQOrIWHpL 8mCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OwKNJdEq2fSuT6c6/krJqcgyCdnVK9ItawtXpFRBFlw=; b=202VUNhHHPDw2Mmxbxgve91PitrTubUpS3Zvt0D2/f3q4nAkr45AYFNsdtlhyyDkFD c0f6QVKkwX7lpFunj9PXXeo82VpKOLJdk5ycs7jsDJ8N4xY/bwN4Ub/p3vc81oSprpgi SWuaJJGzsLmL45J0iYBSLwWWegd/Fx5+tB+T0Z3wkqcSf8K/3+wgIw3THzILrXXs5jZD KpHa2qpSo7eZ2eGQ7GslzAh1UaaHgrYQ4WfR0QPE4Q+BoDMRKf4/INC8zXKjWnbI0YDn /35PxtFoHMpNdQW8KKdZYHO+ctmwJaWVuHmYC5M/Wu1tnCTWZ5K+jEbdNQ7WQsTP3YsY MoKg== X-Gm-Message-State: AJIora+FCG5q2TAiuMmUWuXPHFUW0DQQuCbW7ZzmiWLzhSDvz35gSVXL q79SkO3R2f/DZ3zP1175zaQy1c3v5TzBz6WsC90h5Q== X-Received: by 2002:a81:3a81:0:b0:317:7dcf:81d4 with SMTP id h123-20020a813a81000000b003177dcf81d4mr5404335ywa.47.1655917403918; Wed, 22 Jun 2022 10:03:23 -0700 (PDT) MIME-Version: 1.0 References: <20220619003919.394622-1-i.maximets@ovn.org> <20220622102813.GA24844@breakpoint.cc> <068ad894-c60f-c089-fd4a-5deda1c84cdd@ovn.org> In-Reply-To: From: Eric Dumazet Date: Wed, 22 Jun 2022 19:03:12 +0200 Message-ID: Subject: Re: [PATCH net] net: ensure all external references are released in deferred skbuffs To: Ilya Maximets Cc: Steffen Klassert , Herbert Xu , Florian Westphal , netdev , "David S. Miller" , dev@openvswitch.org, LKML , Jakub Kicinski , Paolo Abeni Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 22, 2022 at 6:47 PM Eric Dumazet wrote: > > On Wed, Jun 22, 2022 at 6:39 PM Eric Dumazet wrote: > > > > On Wed, Jun 22, 2022 at 6:29 PM Eric Dumazet wrote: > > > > > > On Wed, Jun 22, 2022 at 4:26 PM Ilya Maximets wrote: > > > > > > > > On 6/22/22 13:43, Eric Dumazet wrote: > > > > > > > > > > > I tested the patch below and it seems to fix the issue seen > > > > with OVS testsuite. Though it's not obvious for me why this > > > > happens. Can you explain a bit more? > > > > > > Anyway, I am not sure we can call nf_reset_ct(skb) that early. > > > > > > git log seems to say that xfrm check needs to be done before > > > nf_reset_ct(skb), I have no idea why. > > > > Additional remark: In IPv6 side, xfrm6_policy_check() _is_ called > > after nf_reset_ct(skb) > > > > Steffen, do you have some comments ? > > > > Some context: > > commit b59c270104f03960069596722fea70340579244d > > Author: Patrick McHardy > > Date: Fri Jan 6 23:06:10 2006 -0800 > > > > [NETFILTER]: Keep conntrack reference until IPsec policy checks are done > > > > Keep the conntrack reference until policy checks have been performed for > > IPsec NAT support. The reference needs to be dropped before a packet is > > queued to avoid having the conntrack module unloadable. > > > > Signed-off-by: Patrick McHardy > > Signed-off-by: David S. Miller > > > > Oh well... __xfrm_policy_check() has : > > nf_nat_decode_session(skb, &fl, family); > > This answers my questions. > > This means we are probably missing at least one XFRM check in TCP > stack in some cases. > (Only after adding this XFRM check we can call nf_reset_ct(skb)) > Maybe this will help ? diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index fe8f23b95d32ca4a35d05166d471327bc608fa91..49c1348e40b6c7b6a98b54d716f29c948e00ba33 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2019,12 +2019,19 @@ int tcp_v4_rcv(struct sk_buff *skb) if (nsk == sk) { reqsk_put(req); tcp_v4_restore_cb(skb); - } else if (tcp_child_process(sk, nsk, skb)) { - tcp_v4_send_reset(nsk, skb); - goto discard_and_relse; } else { - sock_put(sk); - return 0; + if (!xfrm4_policy_check(nsk, XFRM_POLICY_IN, skb)) { + drop_reason = SKB_DROP_REASON_XFRM_POLICY; + goto discard_and_relse; + } + nf_reset_ct(skb); + if (tcp_child_process(sk, nsk, skb)) { + tcp_v4_send_reset(nsk, skb); + goto discard_and_relse; + } else { + sock_put(sk); + return 0; + } } }