[{"id":1772596,"web_url":"http://patchwork.ozlabs.org/comment/1772596/","msgid":"<1505985191.2560.38.camel@redhat.com>","list_archive_url":null,"date":"2017-09-21T09:13:11","subject":"Re: [PATCH net-next 2/5] net: allow early demux to fetch noref\n\tsocket","submitter":{"id":67312,"url":"http://patchwork.ozlabs.org/api/people/67312/","name":"Paolo Abeni","email":"pabeni@redhat.com"},"content":"On Wed, 2017-09-20 at 18:54 +0200, Paolo Abeni wrote:\n> We must be careful to avoid leaking such sockets outside\n> the RCU section containing the early demux call; we clear\n> them on nonlocal delivery.\n> \n> For ipv4 we must take care of local mcast delivery, too,\n> since udp early demux works also for mcast addresses.\n> \n> Also update all iptables/nftables extension that can\n> happen in the input chain and can transmit the skb outside\n> such patch, namely TEE, nft_dup and nfqueue.\n> \n> Signed-off-by: Paolo Abeni <pabeni@redhat.com>\n> ---\n>  net/ipv4/ip_input.c              | 12 ++++++++++++\n>  net/ipv4/ipmr.c                  | 18 ++++++++++++++----\n>  net/ipv4/netfilter/nf_dup_ipv4.c |  3 +++\n>  net/ipv6/ip6_input.c             |  7 ++++++-\n>  net/ipv6/netfilter/nf_dup_ipv6.c |  3 +++\n>  net/netfilter/nf_queue.c         |  3 +++\n>  6 files changed, 41 insertions(+), 5 deletions(-)\n> \n> diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c\n> index fa2dc8f692c6..e71abc8b698c 100644\n> --- a/net/ipv4/ip_input.c\n> +++ b/net/ipv4/ip_input.c\n> 
@@ -349,6 +349,18 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)\n>  \t\t\t\t__NET_INC_STATS(net, LINUX_MIB_IPRPFILTER);\n>  \t\t\tgoto drop;\n>  \t\t}\n> +\n> +\t\t/* Since the sk has no reference to the socket, we must\n> +\t\t * clear it before escaping this RCU section.\n> +\t\t * The sk is just an hint and we know we are not going to use\n> +\t\t * it outside the input path.\n> +\t\t */\n> +\t\tif (skb_dst(skb)->input != ip_local_deliver\n> +#ifdef CONFIG_IP_MROUTE\n> +\t\t    && skb_dst(skb)->input != ip_mr_input\n> +#endif\n> +\t\t    )\n> +\t\t\tskb_clear_noref_sk(skb);\n>  \t}\n\nThe above is to allow early demux for multicast sockets even on hosts\nacting as multicast router. This is probably overkill: a host will\nprobably act as a multicast router or receive large amounts of locally\nterminated mcast traffic.\n\nWe can instead preserve the sknoref only for ip_local_deliver(),\ndropping the early demux optimization in the above scenario, which\nshould not be very relevant. 
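Review bot: the ip_mr_input exemption in the new condition lets the unreferenced sk stay attached to skbs that leave ip_rcv_finish() via the multicast routing path, so that path must clear it again itself at every point where it hands the skb off outside the RCU section, which is what the ipmr.c changes in the diffstat have to cover; clearing whenever dst->input != ip_local_deliver keeps the clearing at this single point at the cost of early demux on multicast-router hosts. Two smaller points: the #ifdef inside the if condition would read better as a small static inline helper (e.g. a hypothetical ip_rcv_dst_is_local(dst)) so the condition is one expression, and the comment's "has no reference" and "an hint" should read "holds no reference" and "a hint".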
Will simplify the above chunk and drop the\nneed for the ipmr.c changes below; overall this patch will become much\nsimpler.\n\nPaolo","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ext-mx05.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx05.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=pabeni@redhat.com"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xyW9m6mFTz9s06\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 21 Sep 2017 19:13:16 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751750AbdIUJNO (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tThu, 21 Sep 2017 05:13:14 -0400","from mx1.redhat.com ([209.132.183.28]:39122 \"EHLO mx1.redhat.com\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1751548AbdIUJNN (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tThu, 21 Sep 2017 05:13:13 -0400","from smtp.corp.redhat.com\n\t(int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 6C44D91FC3;\n\tThu, 21 Sep 2017 09:13:13 +0000 (UTC)","from localhost.localdomain (unknown [10.32.181.195])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 0269060D10;\n\tThu, 21 Sep 2017 09:13:11 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 6C44D91FC3","Message-ID":"<1505985191.2560.38.camel@redhat.com>","Subject":"Re: [PATCH net-next 2/5] net: allow early demux to fetch noref\n\tsocket","From":"Paolo Abeni 
<pabeni@redhat.com>","To":"netdev@vger.kernel.org","Cc":"\"David S. Miller\" <davem@davemloft.net>,\n\tPablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>,\n\tEric Dumazet <edumazet@google.com>,\n\tHannes Frederic Sowa <hannes@stressinduktion.org>","Date":"Thu, 21 Sep 2017 11:13:11 +0200","In-Reply-To":"<db75c6a6872040712a9ab97b0bac04b697c42a4c.1505926196.git.pabeni@redhat.com>","References":"<cover.1505926196.git.pabeni@redhat.com>\n\t<db75c6a6872040712a9ab97b0bac04b697c42a4c.1505926196.git.pabeni@redhat.com>","Content-Type":"text/plain; charset=\"UTF-8\"","Mime-Version":"1.0","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.13","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.29]);\n\tThu, 21 Sep 2017 09:13:13 +0000 (UTC)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}}]