From patchwork Thu Jun 2 21:52:43 2016
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 9152951
Message-ID: <1464904363.5939.185.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")
From: Eric Dumazet
To: Paul Moore, David Miller
Date: Thu, 02 Jun 2016 14:52:43 -0700
References: <1464808695.5939.167.camel@edumazet-glaptop3.roam.corp.google.com> <0b1fde4f-57ef-8c5e-147f-10c4a51fb2b0@tycho.nsa.gov>
Cc: samanthakumar, linux-security-module@vger.kernel.org, Stephen Smalley, selinux@tycho.nsa.gov, netdev@vger.kernel.org

From: Eric Dumazet

Paul Moore tracked a regression caused by a recent commit, which mistakenly assumed that sk_filter() could be avoided if socket had no current BPF filter.

The intent was to avoid udp_lib_checksum_complete() overhead.

But sk_filter() also checks skb_pfmemalloc() and security_sock_rcv_skb(), so better call it.

Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Signed-off-by: Eric Dumazet
Reported-by: Paul Moore
Tested-by: Paul Moore
Tested-by: Stephen Smalley
Cc: samanthakumar
--- net/ipv4/udp.c | 10 +++++----- net/ipv6/udp.c | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index d56c0559b477..0ff31d97d485 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1618,12 +1618,12 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) } } - if (rcu_access_pointer(sk->sk_filter)) { - if (udp_lib_checksum_complete(skb)) + if (rcu_access_pointer(sk->sk_filter) && + udp_lib_checksum_complete(skb)) goto csum_error; - if (sk_filter(sk, skb)) - goto drop; - } + + if (sk_filter(sk, skb)) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) { diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 2da1896af934..f421c9f23c5b 100644
--- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -653,12 +653,12 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) } } - if (rcu_access_pointer(sk->sk_filter)) { - if (udp_lib_checksum_complete(skb)) - goto csum_error; - if (sk_filter(sk, skb)) - goto drop; - } + if (rcu_access_pointer(sk->sk_filter) && + udp_lib_checksum_complete(skb)) + goto csum_error; + + if (sk_filter(sk, skb)) + goto drop; udp_csum_pull_header(skb); if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
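
Review bot: in the net/ipv4/udp.c hunk (udp_queue_rcv_skb), `goto csum_error;` is carried over as an unchanged context line even though it drops from two enclosing ifs to one, so it keeps its old indentation, one level deeper than the new two-line condition calls for. The net/ipv6/udp.c hunk removes and re-adds that same line, which is why the diffstat shows 10 changed lines for ipv4 and 12 for ipv6. Re-adding it here as well would keep the two receive paths textually identical and stop the goto from reading as if it belonged to a deeper block.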
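
Review bot: in the net/ipv6/udp.c hunk (udpv6_queue_rcv_skb), the now-unconditional `if (sk_filter(sk, skb))` carries no comment saying why it must run even when sk->sk_filter is NULL. The commit message gives the reason, that sk_filter() also performs the skb_pfmemalloc() and security_sock_rcv_skb() checks, but that is exactly the knowledge the commit named in Fixes: lacked. A one-line comment above the call, in both files, would make it harder for a later optimisation to gate the call on the filter pointer again and silently skip the LSM hook.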