On Fri, Feb 23, 2018 at 07:23:55PM +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Paolo Abeni pabeni@redhat.com
commit 607f725f6f7d5ec3759fbc16224afb60e2152a5b upstream.
This also fix a potential race into the existing tunnel code, which could lead to the wrong dst to be permanenty cached:
CPU1: CPU2:
<xmit on ip6_tunnel> <cache lookup fails> dst = ip6_route_output(...) <tunnel params are changed via nl> dst_cache_reset() // no effect, // the cache is empty dst_cache_set() // the wrong dst // is permanenty stored // into the cache
With the new dst implementation the above race is not possible since the first cache lookup after dst_cache_reset will fail due to the timestamp check
Signed-off-by: Paolo Abeni pabeni@redhat.com Suggested-and-acked-by: Hannes Frederic Sowa hannes@stressinduktion.org Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Manoj Boopathi Raj manojboopathi@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
...
--- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c
...
@@ -1053,7 +962,6 @@ static int ip6_tnl_xmit2(struct sk_buff struct ipv6_tel_txoption opt; struct dst_entry *dst = NULL, *ndst = NULL; struct net_device *tdev;
- bool use_cache = false; int mtu; unsigned int max_headroom = sizeof(struct ipv6hdr); u8 proto;
@@ -1061,39 +969,28 @@ static int ip6_tnl_xmit2(struct sk_buff /* NBMA tunnel */ if (ipv6_addr_any(&t->parms.raddr)) {
if (skb->protocol == htons(ETH_P_IPV6)) {struct in6_addr *addr6;struct neighbour *neigh;int addr_type;if (!skb_dst(skb))goto tx_err_link_failure;neigh = dst_neigh_lookup(skb_dst(skb),&ipv6_hdr(skb)->daddr);if (!neigh)goto tx_err_link_failure;
struct in6_addr *addr6;struct neighbour *neigh;int addr_type;if (!skb_dst(skb))goto tx_err_link_failure;
addr6 = (struct in6_addr *)&neigh->primary_key;addr_type = ipv6_addr_type(addr6);
neigh = dst_neigh_lookup(skb_dst(skb),&ipv6_hdr(skb)->daddr);if (!neigh)goto tx_err_link_failure;
if (addr_type == IPV6_ADDR_ANY)addr6 = &ipv6_hdr(skb)->daddr;
addr6 = (struct in6_addr *)&neigh->primary_key;addr_type = ipv6_addr_type(addr6);
memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));neigh_release(neigh);}- } else if (t->parms.proto != 0 && !(t->parms.flags &
(IP6_TNL_F_USE_ORIG_TCLASS |IP6_TNL_F_USE_ORIG_FWMARK))) {/* enable the cache only if neither the outer protocol nor the* routing decision depends on the current inner header value*/use_cache = true;- }
if (addr_type == IPV6_ADDR_ANY)addr6 = &ipv6_hdr(skb)->daddr;
- if (use_cache)
dst = ip6_tnl_dst_get(t);
memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));neigh_release(neigh);- } else if (!fl6->flowi6_mark)
dst = dst_cache_get(&t->dst_cache);if (!ip6_tnl_xmit_ctl(t, &fl6->saddr, &fl6->daddr)) goto tx_err_link_failure; @@ -1156,8 +1053,8 @@ static int ip6_tnl_xmit2(struct sk_buff skb = new_skb; }
- if (use_cache && ndst)
ip6_tnl_dst_set(t, ndst);
- if (!fl6->flowi6_mark && ndst)
dst_cache_set_ip6(&t->dst_cache, ndst, &fl6->saddr);skb->transport_header = skb->network_header;
This part looks essentially like a revert of earlier commit befb92542439 ("ipv6: check skb->protocol before lookup for nexthop", mainline 199ab00f3cdb). Is it possible that it comes from an incorrect resolution of the conflict caused by these two being backported in opposite order (befb92542439 < b8c7f80cbdcd) than the original mainline commits (607f725f6f7d < 199ab00f3cdb)?
Michal Kubecek