From: Eric Dumazet
Date: Mon, 25 Sep 2023 06:35:58 +0200
Subject: Re: [PATCH net] ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
To: Ilya Maximets
Cc: netdev@vger.kernel.org, Jakub Kicinski, "David S. Miller", Paolo Abeni,
    linux-kernel@vger.kernel.org, David Ahern, Florian Westphal,
    Madhu Koriginja, Frode Nordahl, Steffen Klassert
In-Reply-To: <20230922210530.2045146-1-i.maximets@ovn.org>

On Fri, Sep 22, 2023 at 11:04 PM Ilya Maximets wrote:
>
> Commit b0e214d21203 ("netfilter: keep conntrack reference until
> IPsecv6 policy checks are done") is a direct copy of the old
> commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
> IPsec policy checks are done") but for IPv6. However, it also
> copies a bug that this old commit had. That is: when the third
> packet of 3WHS connection establishment contains payload, it is
> added into socket receive queue without the XFRM check and the
> drop of connection tracking context.
>
> That leads to nf_conntrack module being impossible to unload as
> it waits for all the conntrack references to be dropped while
> the packet release is deferred in per-cpu cache indefinitely, if
> not consumed by the application.
>
> The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a
> missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM
> check and correctly dropping the conntrack context. However, the
> issue was introduced to IPv6 code afterwards. Fixing it the
> same way for IPv6 now.
>
> Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done")
> Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/
> Signed-off-by: Ilya Maximets
> ---

Nice catch, thanks a lot.

Reviewed-by: Eric Dumazet
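
The failure mode described in the quoted commit message, as a small user-space C model added here as an example (it is not code from the patch or from the kernel). All struct and function names are hypothetical; the model only counts references held by packets and stands in for nf_reset_ct() and the XFRM policy check named in the message.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model, not kernel code. All names here are hypothetical. */
struct ct_entry { int pkt_refs; };          /* references held by packets only */
struct pkt { struct ct_entry *ct; bool policy_ok; };
struct rcv_queue { struct pkt *slot[4]; int len; };

/* Conntrack attaches its entry to an incoming packet and takes a reference. */
static void pkt_attach_ct(struct pkt *p, struct ct_entry *ct)
{
    ct->pkt_refs++; p->ct = ct;
}

/* Models what nf_reset_ct() does for the packet: detach and drop the reference. */
static void pkt_reset_ct(struct pkt *p)
{
    if (p->ct) { p->ct->pkt_refs--; p->ct = NULL; }
}

/* Queue the payload carried by the third handshake packet. With fixed == false
 * this is the path the commit message describes: no policy check, reference kept. */
static bool queue_3whs_payload(struct rcv_queue *q, struct pkt *p, bool fixed)
{
    if (fixed) {
        bool ok = p->policy_ok;             /* models the XFRM policy check */
        pkt_reset_ct(p);                    /* reference dropped on both outcomes */
        if (!ok) return false;              /* packet dropped, never queued */
    }
    q->slot[q->len++] = p;                  /* sits here until the application reads */
    return true;
}

/* The application never reads the queue. Returns packet references left on the entry. */
static int refs_left(bool fixed, bool policy_ok, bool *queued)
{
    struct ct_entry ct = { 0 };
    struct pkt ack = { NULL, policy_ok };
    struct rcv_queue q = { { NULL }, 0 };
    pkt_attach_ct(&ack, &ct);
    *queued = queue_3whs_payload(&q, &ack, fixed);
    return ct.pkt_refs;                     /* unload has to wait while this is > 0 */
}

int main(void)
{
    bool q;
    printf("refs left: unfixed=%d fixed=%d\n", refs_left(false, true, &q), refs_left(true, true, &q));
    return 0;
}
```

A non-zero result from refs_left() corresponds to the state in which the module unload keeps waiting.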