{"id":817709,"url":"http://patchwork.ozlabs.org/api/patches/817709/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/e899d1802d51e022e47e88cff37ffcd2bf7a36cc.1506114055.git.pabeni@redhat.com/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<e899d1802d51e022e47e88cff37ffcd2bf7a36cc.1506114055.git.pabeni@redhat.com>","list_archive_url":null,"date":"2017-09-22T21:06:26","name":"[RFC,02/11] net: allow early demux to fetch noref socket","commit_ref":null,"pull_url":null,"state":"rfc","archived":true,"hash":"c232faab41dd0e3742787bf18236f24a6a1d6793","submitter":{"id":67312,"url":"http://patchwork.ozlabs.org/api/people/67312/?format=json","name":"Paolo Abeni","email":"pabeni@redhat.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/e899d1802d51e022e47e88cff37ffcd2bf7a36cc.1506114055.git.pabeni@redhat.com/mbox/","series":[{"id":4709,"url":"http://patchwork.ozlabs.org/api/series/4709/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=4709","date":"2017-09-22T21:06:24","name":"udp: full early demux for unconnected 
sockets","version":1,"mbox":"http://patchwork.ozlabs.org/series/4709/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/817709/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/817709/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ext-mx01.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx01.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=pabeni@redhat.com"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xzQzd4DXfz9sP1\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSat, 23 Sep 2017 07:07:41 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752395AbdIVVHi (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 22 Sep 2017 17:07:38 -0400","from mx1.redhat.com ([209.132.183.28]:43422 \"EHLO mx1.redhat.com\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1752115AbdIVVHA (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tFri, 22 Sep 2017 17:07:00 -0400","from smtp.corp.redhat.com\n\t(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 23D9C81E05;\n\tFri, 22 Sep 2017 21:07:00 +0000 (UTC)","from dhcppc0.redhat.com (ovpn-116-39.ams2.redhat.com\n\t[10.36.116.39])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 69F0B5D6A2;\n\tFri, 22 Sep 2017 21:06:58 +0000 (UTC)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 23D9C81E05","From":"Paolo Abeni 
<pabeni@redhat.com>","To":"netdev@vger.kernel.org","Cc":"\"David S. Miller\" <davem@davemloft.net>,\n\tPablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>,\n\tEric Dumazet <edumazet@google.com>,\n\tHannes Frederic Sowa <hannes@stressinduktion.org>","Subject":"[RFC PATCH 02/11] net: allow early demux to fetch noref socket","Date":"Fri, 22 Sep 2017 23:06:26 +0200","Message-Id":"<e899d1802d51e022e47e88cff37ffcd2bf7a36cc.1506114055.git.pabeni@redhat.com>","In-Reply-To":"<cover.1506114055.git.pabeni@redhat.com>","References":"<cover.1506114055.git.pabeni@redhat.com>","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.15","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.25]);\n\tFri, 22 Sep 2017 21:07:00 +0000 (UTC)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"We must be careful to avoid leaking such sockets outside\nthe RCU section containing the early demux call; we clear\nthem on nonlocal delivery.\n\nFor ipv4 we clear sknoref even for multicast traffic entering\nthe ip_mr_input() path; we will lose the mcast early demux\noptimization when the host is acting as multicast router, but\nthat will help to keep the code simple.\n\nAlso update all iptables/nftables extensions that can\nhappen in the input chain and can transmit the skb outside\nsuch path, namely TEE, nft_dup and nfqueue.\n\nSigned-off-by: Paolo Abeni <pabeni@redhat.com>\n---\n net/ipv4/ip_input.c              | 8 ++++++++\n net/ipv4/netfilter/nf_dup_ipv4.c | 3 +++\n net/ipv6/ip6_input.c             | 4 ++++\n net/ipv6/netfilter/nf_dup_ipv6.c | 3 +++\n net/netfilter/nf_queue.c         | 3 +++\n 5 files changed, 21 insertions(+)","diff":"diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c\nindex fa2dc8f692c6..5690ef09da28 100644\n--- a/net/ipv4/ip_input.c\n+++ b/net/ipv4/ip_input.c\n@@ -351,6 +351,14 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)\n \t\t}\n \t}\n \n+\t/* Since the sk has no reference to the socket, we must\n+\t * clear it before escaping this RCU section.\n+\t * The sk is just an hint and we know we are not going to use\n+\t * it outside the input path.\n+\t */\n+\tif (skb_dst(skb)->input != ip_local_deliver)\n+\t\tskb_clear_noref_sk(skb);\n+\n #ifdef CONFIG_IP_ROUTE_CLASSID\n \tif (unlikely(skb_dst(skb)->tclassid)) {\n \t\tstruct ip_rt_acct *st = this_cpu_ptr(ip_rt_acct);\ndiff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c\nindex 39895b9ddeb9..bf8b78492fc8 100644\n--- a/net/ipv4/netfilter/nf_dup_ipv4.c\n+++ b/net/ipv4/netfilter/nf_dup_ipv4.c\n@@ -71,6 +71,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,\n \tnf_reset(skb);\n \tnf_ct_set(skb, NULL, IP_CT_UNTRACKED);\n #endif\n+\t/* Avoid leaking noref sk outside the input path */\n+\tskb_clear_noref_sk(skb);\n+\n \t/*\n \t * If we are in PREROUTING/INPUT, decrease the TTL to mitigate potential\n \t * loops between two hosts.\ndiff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c\nindex 9ee208a348f5..e15ec2d36b9e 100644\n--- a/net/ipv6/ip6_input.c\n+++ b/net/ipv6/ip6_input.c\n@@ -68,6 +68,10 @@ int ip6_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)\n \tif (!skb_valid_dst(skb))\n \t\tip6_route_input(skb);\n \n+\t/* see comment on ipv4 edmux */\n+\tif (skb_dst(skb)->input != ip6_input)\n+\t\tskb_clear_noref_sk(skb);\n+\n \treturn dst_input(skb);\n }\n \ndiff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c\nindex 4a7ddeddbaab..939f6a2238f9 100644\n--- a/net/ipv6/netfilter/nf_dup_ipv6.c\n+++ b/net/ipv6/netfilter/nf_dup_ipv6.c\n@@ -60,6 +60,9 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,\n \tnf_reset(skb);\n \tnf_ct_set(skb, NULL, IP_CT_UNTRACKED);\n #endif\n+\t/* Avoid leaking noref sk outside the input path */\n+\tskb_clear_noref_sk(skb);\n+\n \tif (hooknum == NF_INET_PRE_ROUTING ||\n \t    hooknum == NF_INET_LOCAL_IN) {\n \t\tstruct ipv6hdr *iph = ipv6_hdr(skb);\ndiff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c\nindex f7e21953b1de..100eff08cb51 100644\n--- a/net/netfilter/nf_queue.c\n+++ b/net/netfilter/nf_queue.c\n@@ -145,6 +145,9 @@ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,\n \t\t.size\t= sizeof(*entry) + afinfo->route_key_size,\n \t};\n \n+\t/* Avoid leaking noref sk outside the input path */\n+\tskb_clear_noref_sk(skb);\n+\n \tnf_queue_entry_get_refs(entry);\n \tskb_dst_force(skb);\n \tafinfo->saveroute(skb, entry);\n","prefixes":["RFC","02/11"]}
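Review bot: in the ip_rcv_finish hunk (net/ipv4/ip_input.c), the new comment says "an hint"; it should read "a hint". More importantly, the comment does not explain why comparing skb_dst(skb)->input against ip_local_deliver is the right test: the commit message states that multicast routed through ip_mr_input() deliberately loses the hint as well, and that trade-off belongs next to the check, otherwise a later reader may "fix" it by extending the condition to cover ip_mr_input.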
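Review bot: in the nf_dup_ipv4 hunk (and the identical nf_dup_ipv6 hunk), the comment "Avoid leaking noref sk outside the input path" states what is done but not why; suggest saying that the duplicated skb is handed to the output path and can outlive the RCU read section in which early demux stored the unreferenced socket pointer, so a stale pointer must not travel with it. Placing the clear after the #endif of the conntrack block, next to the other per-copy state reset (nf_reset, nf_ct_set), looks right.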
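Review bot: in the ip6_rcv_finish hunk, "edmux" should be "demux", and "see comment on ipv4" is a fragile cross-reference; name the function and file (ip_rcv_finish in net/ipv4/ip_input.c). Also, the condition clears the hint whenever dst->input is not ip6_input, while the commit message only discusses the IPv4 multicast case via ip_mr_input(); if locally delivered IPv6 multicast uses a different input handler, the early demux hint is dropped for all such traffic rather than only when the host acts as a multicast router. Please confirm that is intended and document it in the commit message either way.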
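Review bot: in the __nf_queue hunk, clearing before nf_queue_entry_get_refs() and skb_dst_force() is the correct spot, since the skb is about to be queued to userspace and reinjected outside the RCU section that produced the hint; the comment should add that a reinjected packet therefore reaches local delivery without the early demux hint, a consequence the commit message mentions for nfqueue but the code does not.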