| Message ID | 20210411081334.1994938-1-roid@nvidia.com |
|---|---|
| State | New |
| Headers | show |
| Series | [net-next,1/1] netfilter: flowtable: Make sure dst_cache is valid before using it | expand |
On 2021-04-11 1:58 PM, Pablo Neira Ayuso wrote: > Hi Roi, > > On Sun, Apr 11, 2021 at 11:13:34AM +0300, Roi Dayan wrote: >> It could be dst_cache was not set so check it's not null before using >> it. > > Could you give a try to this fix? > > net/sched/act_ct.c leaves the xmit_type as FLOW_OFFLOAD_XMIT_UNSPEC > since it does not cache a route. > > Thanks. > what do you mean? FLOW_OFFLOAD_XMIT_UNSPEC doesn't exists so default 0 is set. do you suggest adding that enum option as 0? this is the current xmit_type enum enum flow_offload_xmit_type { FLOW_OFFLOAD_XMIT_NEIGH = 0, FLOW_OFFLOAD_XMIT_XFRM, FLOW_OFFLOAD_XMIT_DIRECT, }; >> Fixes: 8b9229d15877 ("netfilter: flowtable: dst_check() from garbage collector path") >> Signed-off-by: Roi Dayan <roid@nvidia.com> >> --- >> net/netfilter/nf_flow_table_core.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c >> index 76573bae6664..e426077aaed1 100644 >> --- a/net/netfilter/nf_flow_table_core.c >> +++ b/net/netfilter/nf_flow_table_core.c >> @@ -410,6 +410,8 @@ static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple) >> if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || >> tuple->xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { >> dst = tuple->dst_cache; >> + if (!dst) >> + return false; >> if (!dst_check(dst, tuple->dst_cookie)) >> return true; >> } >> -- >> 2.26.2 >>
On Mon, Apr 12, 2021 at 11:26:35AM +0300, Roi Dayan wrote: > > > On 2021-04-11 1:58 PM, Pablo Neira Ayuso wrote: > > Hi Roi, > > > > On Sun, Apr 11, 2021 at 11:13:34AM +0300, Roi Dayan wrote: > > > It could be dst_cache was not set so check it's not null before using > > > it. > > > > Could you give a try to this fix? > > > > net/sched/act_ct.c leaves the xmit_type as FLOW_OFFLOAD_XMIT_UNSPEC > > since it does not cache a route. > > > > Thanks. > > > > what do you mean? FLOW_OFFLOAD_XMIT_UNSPEC doesn't exists so default 0 > is set. > > do you suggest adding that enum option as 0? Yes. This could be FLOW_OFFLOAD_XMIT_TC instead if you prefer. enum flow_offload_xmit_type { FLOW_OFFLOAD_XMIT_TC = 0, FLOW_OFFLOAD_XMIT_NEIGH, FLOW_OFFLOAD_XMIT_XFRM, FLOW_OFFLOAD_XMIT_DIRECT, }; so there is no need to check for no route in the FLOW_OFFLOAD_XMIT_NEIGH case (it's assumed this type always has a route).
On 2021-04-12 2:42 PM, Pablo Neira Ayuso wrote: > On Mon, Apr 12, 2021 at 11:26:35AM +0300, Roi Dayan wrote: >> >> >> On 2021-04-11 1:58 PM, Pablo Neira Ayuso wrote: >>> Hi Roi, >>> >>> On Sun, Apr 11, 2021 at 11:13:34AM +0300, Roi Dayan wrote: >>>> It could be dst_cache was not set so check it's not null before using >>>> it. >>> >>> Could you give a try to this fix? >>> >>> net/sched/act_ct.c leaves the xmit_type as FLOW_OFFLOAD_XMIT_UNSPEC >>> since it does not cache a route. >>> >>> Thanks. >>> >> >> what do you mean? FLOW_OFFLOAD_XMIT_UNSPEC doesn't exists so default 0 >> is set. >> >> do you suggest adding that enum option as 0? > > Yes. This could be FLOW_OFFLOAD_XMIT_TC instead if you prefer. > > enum flow_offload_xmit_type { > FLOW_OFFLOAD_XMIT_TC = 0, > FLOW_OFFLOAD_XMIT_NEIGH, > FLOW_OFFLOAD_XMIT_XFRM, > FLOW_OFFLOAD_XMIT_DIRECT, > }; > > so there is no need to check for no route in the > FLOW_OFFLOAD_XMIT_NEIGH case (it's assumed this type always has a > route). > thanks Pablo. were not sure I wanted to touch the enum. I prefer unspec actually as you suggested initially. it works fine by adding the enum. i'll submit v2 with this suggestion.
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 76573bae6664..e426077aaed1 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -410,6 +410,8 @@ static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple) if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH || tuple->xmit_type == FLOW_OFFLOAD_XMIT_XFRM) { dst = tuple->dst_cache; + if (!dst) + return false; if (!dst_check(dst, tuple->dst_cookie)) return true; }
It could be dst_cache was not set so check it's not null before using it. Fixes: 8b9229d15877 ("netfilter: flowtable: dst_check() from garbage collector path") Signed-off-by: Roi Dayan <roid@nvidia.com> --- net/netfilter/nf_flow_table_core.c | 2 ++ 1 file changed, 2 insertions(+)