From patchwork Thu Jun 23 05:04:36 2022
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 12891804
X-Patchwork-Delegate: kuba@kernel.org
Date: Thu, 23 Jun 2022 05:04:36 +0000
Message-Id: <20220623050436.1290307-1-edumazet@google.com>
Subject: [PATCH net] tcp: add a missing nf_reset_ct() in 3WHS handling
From: Eric Dumazet
To: "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, Eric Dumazet, Ilya Maximets, Florian Westphal, Pablo Neira Ayuso, Steffen Klassert

When the third packet of 3WHS connection establishment
contains payload, it is added into socket receive queue
without the XFRM check and the drop of connection tracking
context.

This means that if the data is left unread in the socket
receive queue, conntrack module can not be unloaded.

As most applications usually read the incoming data
immediately after accept(), bug has been hiding for
quite a long time.

Commit 68822bdf76f1 ("net: generalize skb freeing
deferral to per-cpu lists") exposed this bug because
even if the application reads this data, the skb
with nfct state could stay in a per-cpu cache for
an arbitrary time, if said cpu no longer processes RX softirqs.

Many thanks to Ilya Maximets for reporting this issue,
and for testing various patches:
https://lore.kernel.org/netdev/20220619003919.394622-1-i.maximets@ovn.org/

Note that I also added a missing xfrm4_policy_check() call,
although this is probably not a big issue, as the SYN
packet should have been dropped earlier.

Fixes: b59c270104f0 ("[NETFILTER]: Keep conntrack reference until IPsec policy checks are done")
Reported-by: Ilya Maximets
Signed-off-by: Eric Dumazet
Cc: Florian Westphal
Cc: Pablo Neira Ayuso
Cc: Steffen Klassert
Tested-by: Ilya Maximets
Reviewed-by: Ilya Maximets
---
 net/ipv4/tcp_ipv4.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index fe8f23b95d32ca4a35d05166d471327bc608fa91..da5a3c44c4fb70f1d3ecc596e694a86267f1c44a 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c
@@ -1964,7 +1964,10 @@ int tcp_v4_rcv(struct sk_buff *skb) struct sock *nsk; sk = req->rsk_listener; - drop_reason = tcp_inbound_md5_hash(sk, skb, + if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) + drop_reason = SKB_DROP_REASON_XFRM_POLICY; + else + drop_reason = tcp_inbound_md5_hash(sk, skb, &iph->saddr, &iph->daddr, AF_INET, dif, sdif); if (unlikely(drop_reason)) { @@ -2016,6 +2019,7 @@ int tcp_v4_rcv(struct sk_buff *skb) } goto discard_and_relse; } + nf_reset_ct(skb); if (nsk == sk) { reqsk_put(req); tcp_v4_restore_cb(skb);
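
Review bot: In the first hunk (@@ -1964), the new xfrm4_policy_check(sk, XFRM_POLICY_IN, skb) test is a separate behaviour change from the conntrack fix named in the subject, and the Fixes: tag only covers the conntrack reference commit. Consider carrying it as its own patch, or at least mentioning it in the subject, so a backporter can evaluate the SKB_DROP_REASON_XFRM_POLICY drop on its own. The diffstat lists only net/ipv4/tcp_ipv4.c; if the IPv6 receive path has the same request-socket branch, the commit message should say whether it needs the same two changes. Style nit: tcp_inbound_md5_hash() now sits one level deeper under the else, but its continuation lines ("&iph->saddr, &iph->daddr," and "AF_INET, dif, sdif);") are unchanged context, so the argument alignment no longer matches the opening parenthesis.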
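
Review bot: In the second hunk (@@ -2016), nf_reset_ct(skb) is added with no comment, and it sits before "if (nsk == sk)", so it runs on both outcomes of that test rather than only when the skb is handed to a different socket. A one-line comment above the call saying that the skb may be queued with its conntrack reference still attached (the reason given in the commit message), and that resetting it on both branches is intentional, would keep a later cleanup from moving or removing it.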