On Fri, Feb 23, 2018 at 07:23:55PM +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Paolo Abeni <[email protected]>
>
> commit 607f725f6f7d5ec3759fbc16224afb60e2152a5b upstream.
>
> This also fix a potential race into the existing tunnel code, which
> could lead to the wrong dst to be permanenty cached:
>
> CPU1: CPU2:
> <xmit on ip6_tunnel>
> <cache lookup fails>
> dst = ip6_route_output(...)
> <tunnel params are changed via nl>
> dst_cache_reset() // no effect,
> // the cache is empty
> dst_cache_set() // the wrong dst
> // is permanenty stored
> // into the cache
>
> With the new dst implementation the above race is not possible
> since the first cache lookup after dst_cache_reset will fail due
> to the timestamp check
>
> Signed-off-by: Paolo Abeni <[email protected]>
> Suggested-and-acked-by: Hannes Frederic Sowa <[email protected]>
> Signed-off-by: David S. Miller <[email protected]>
> Signed-off-by: Manoj Boopathi Raj <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
...
> --- a/net/ipv6/ip6_gre.c
> +++ b/net/ipv6/ip6_gre.c
...
> @@ -1053,7 +962,6 @@ static int ip6_tnl_xmit2(struct sk_buff
> struct ipv6_tel_txoption opt;
> struct dst_entry *dst = NULL, *ndst = NULL;
> struct net_device *tdev;
> - bool use_cache = false;
> int mtu;
> unsigned int max_headroom = sizeof(struct ipv6hdr);
> u8 proto;
> @@ -1061,39 +969,28 @@ static int ip6_tnl_xmit2(struct sk_buff
>
> /* NBMA tunnel */
> if (ipv6_addr_any(&t->parms.raddr)) {
> - if (skb->protocol == htons(ETH_P_IPV6)) {
> - struct in6_addr *addr6;
> - struct neighbour *neigh;
> - int addr_type;
> -
> - if (!skb_dst(skb))
> - goto tx_err_link_failure;
> -
> - neigh = dst_neigh_lookup(skb_dst(skb),
> - &ipv6_hdr(skb)->daddr);
> - if (!neigh)
> - goto tx_err_link_failure;
> + struct in6_addr *addr6;
> + struct neighbour *neigh;
> + int addr_type;
> +
> + if (!skb_dst(skb))
> + goto tx_err_link_failure;
>
> - addr6 = (struct in6_addr *)&neigh->primary_key;
> - addr_type = ipv6_addr_type(addr6);
> + neigh = dst_neigh_lookup(skb_dst(skb),
> + &ipv6_hdr(skb)->daddr);
> + if (!neigh)
> + goto tx_err_link_failure;
>
> - if (addr_type == IPV6_ADDR_ANY)
> - addr6 = &ipv6_hdr(skb)->daddr;
> + addr6 = (struct in6_addr *)&neigh->primary_key;
> + addr_type = ipv6_addr_type(addr6);
>
> - memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
> - neigh_release(neigh);
> - }
> - } else if (t->parms.proto != 0 && !(t->parms.flags &
> - (IP6_TNL_F_USE_ORIG_TCLASS |
> - IP6_TNL_F_USE_ORIG_FWMARK))) {
> - /* enable the cache only if neither the outer protocol nor the
> - * routing decision depends on the current inner header value
> - */
> - use_cache = true;
> - }
> + if (addr_type == IPV6_ADDR_ANY)
> + addr6 = &ipv6_hdr(skb)->daddr;
>
> - if (use_cache)
> - dst = ip6_tnl_dst_get(t);
> + memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
> + neigh_release(neigh);
> + } else if (!fl6->flowi6_mark)
> + dst = dst_cache_get(&t->dst_cache);
>
> if (!ip6_tnl_xmit_ctl(t, &fl6->saddr, &fl6->daddr))
> goto tx_err_link_failure;
> @@ -1156,8 +1053,8 @@ static int ip6_tnl_xmit2(struct sk_buff
> skb = new_skb;
> }
>
> - if (use_cache && ndst)
> - ip6_tnl_dst_set(t, ndst);
> + if (!fl6->flowi6_mark && ndst)
> + dst_cache_set_ip6(&t->dst_cache, ndst, &fl6->saddr);
> skb_dst_set(skb, dst);
>
> skb->transport_header = skb->network_header;
This part looks essentially like a revert of earlier commit befb92542439
("ipv6: check skb->protocol before lookup for nexthop", mainline
199ab00f3cdb). Is it possible that it comes from an incorrect resolution
of the conflict caused by these two being backported in opposite order
(befb92542439 < b8c7f80cbdcd) than the original mainline commits
(607f725f6f7d < 199ab00f3cdb)?
Michal Kubecek
