* Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
@ 2017-10-09  7:35 gregkh
  2017-10-09  7:37 ` Paolo Abeni
  0 siblings, 1 reply; 9+ messages in thread
From: gregkh @ 2017-10-09  7:35 UTC (permalink / raw)
  To: pabeni, davem, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    udp: perform source validation for mcast early demux

to the 4.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     udp-perform-source-validation-for-mcast-early-demux.patch
and it can be found in the queue-4.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Mon Oct  9 09:32:35 CEST 2017
From: Paolo Abeni <pabeni@redhat.com>
Date: Thu, 28 Sep 2017 15:51:37 +0200
Subject: udp: perform source validation for mcast early demux

From: Paolo Abeni <pabeni@redhat.com>


[ Upstream commit bc044e8db7962e727a75b591b9851ff2ac5cf846 ]

The UDP early demux can leverage the rx dst cache even for
multicast unconnected sockets.

In such scenario the ipv4 source address is validated only on
the first packet in the given flow. After that, when we fetch
the dst entry from the socket rx cache, we stop enforcing
the rp_filter and we even start accepting any kind of martian
addresses.

Disabling the dst cache for unconnected multicast socket will
cause large performance regression, nearly reducing by half the
max ingress tput.

Instead we factor out a route helper to completely validate an
skb source address for multicast packets and we call it from
the UDP early demux for mcast packets landing on unconnected
sockets, after successful fetching the related cached dst entry.

This still gives a measurable, but limited performance
regression:

		rp_filter = 0		rp_filter = 1
edmux disabled:	1182 Kpps		1127 Kpps
edmux before:	2238 Kpps		2238 Kpps
edmux after:	2037 Kpps		2019 Kpps

The above figures are on top of current net tree.
Applying the net-next commit 6e617de84e87 ("net: avoid a full
fib lookup when rp_filter is disabled.") the delta with
rp_filter == 0 will decrease even more.

Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/route.h |    4 +++-
 net/ipv4/route.c    |   46 ++++++++++++++++++++++++++--------------------
 net/ipv4/udp.c      |   13 ++++++++++++-
 3 files changed, 41 insertions(+), 22 deletions(-)

--- a/include/net/route.h
+++ b/include/net/route.h
@@ -175,7 +175,9 @@ static inline struct rtable *ip_route_ou
 	fl4->fl4_gre_key = gre_key;
 	return ip_route_output_key(net, fl4);
 }
-
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			  u8 tos, struct net_device *dev,
+			  struct in_device *in_dev, u32 *itag);
 int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
 			 u8 tos, struct net_device *devin);
 int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1520,43 +1520,56 @@ struct rtable *rt_dst_alloc(struct net_d
 EXPORT_SYMBOL(rt_dst_alloc);
 
 /* called in rcu_read_lock() section */
-static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-				u8 tos, struct net_device *dev, int our)
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			  u8 tos, struct net_device *dev,
+			  struct in_device *in_dev, u32 *itag)
 {
-	struct rtable *rth;
-	struct in_device *in_dev = __in_dev_get_rcu(dev);
-	unsigned int flags = RTCF_MULTICAST;
-	u32 itag = 0;
 	int err;
 
 	/* Primary sanity checks. */
-
 	if (!in_dev)
 		return -EINVAL;
 
 	if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) ||
 	    skb->protocol != htons(ETH_P_IP))
-		goto e_inval;
+		return -EINVAL;
 
 	if (ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev))
-		goto e_inval;
+		return -EINVAL;
 
 	if (ipv4_is_zeronet(saddr)) {
 		if (!ipv4_is_local_multicast(daddr))
-			goto e_inval;
+			return -EINVAL;
 	} else {
 		err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
-					  in_dev, &itag);
+					  in_dev, itag);
 		if (err < 0)
-			goto e_err;
+			return err;
 	}
+	return 0;
+}
+
+/* called in rcu_read_lock() section */
+static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			     u8 tos, struct net_device *dev, int our)
+{
+	struct in_device *in_dev = __in_dev_get_rcu(dev);
+	unsigned int flags = RTCF_MULTICAST;
+	struct rtable *rth;
+	u32 itag = 0;
+	int err;
+
+	err = ip_mc_validate_source(skb, daddr, saddr, tos, dev, in_dev, &itag);
+	if (err)
+		return err;
+
 	if (our)
 		flags |= RTCF_LOCAL;
 
 	rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST,
 			   IN_DEV_CONF_GET(in_dev, NOPOLICY), false, false);
 	if (!rth)
-		goto e_nobufs;
+		return -ENOBUFS;
 
 #ifdef CONFIG_IP_ROUTE_CLASSID
 	rth->dst.tclassid = itag;
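Review bot: The new non-static `ip_mc_validate_source()` carries no statement of its contract, and two details in this hunk are easy for a later caller to miss: `*itag` is written only on the `fib_validate_source()` branch, so the zeronet path leaves it untouched and the caller must pre-initialise it (both visible callers do, with `u32 itag = 0`), and any non-negative result from `fib_validate_source()` is folded into 0. I would extend the comment above the definition to `/* called in rcu_read_lock() section; returns 0 or a negative errno; *itag is set only when the FIB lookup runs, so callers must initialise it */`. The checks are specific to multicast destinations (a zero source is accepted only when `daddr` is local multicast), which is worth saying in the same comment so the helper is not reused for other packet types. `ip_route_input_mc()` continues past the end of this hunk.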
@@ -1572,13 +1585,6 @@ static int ip_route_input_mc(struct sk_b
 
 	skb_dst_set(skb, &rth->dst);
 	return 0;
-
-e_nobufs:
-	return -ENOBUFS;
-e_inval:
-	return -EINVAL;
-e_err:
-	return err;
 }
 
 
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2220,6 +2220,7 @@ static struct sock *__udp4_lib_demux_loo
 int udp_v4_early_demux(struct sk_buff *skb)
 {
 	struct net *net = dev_net(skb->dev);
+	struct in_device *in_dev = NULL;
 	const struct iphdr *iph;
 	const struct udphdr *uh;
 	struct sock *sk = NULL;
@@ -2236,7 +2237,7 @@ int udp_v4_early_demux(struct sk_buff *s
 
 	if (skb->pkt_type == PACKET_BROADCAST ||
 	    skb->pkt_type == PACKET_MULTICAST) {
-		struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
+		in_dev = __in_dev_get_rcu(skb->dev);
 
 		if (!in_dev)
 			return 0;
@@ -2266,11 +2267,21 @@ int udp_v4_early_demux(struct sk_buff *s
 	if (dst)
 		dst = dst_check(dst, 0);
 	if (dst) {
+		u32 itag = 0;
+
 		/* set noref for now.
 		 * any place which wants to hold dst has to call
 		 * dst_hold_safe()
 		 */
 		skb_dst_set_noref(skb, dst);
+
+		/* for unconnected multicast sockets we need to validate
+		 * the source on each packet
+		 */
+		if (!inet_sk(sk)->inet_daddr && in_dev)
+			return ip_mc_validate_source(skb, iph->daddr,
+						     iph->saddr, iph->tos,
+						     skb->dev, in_dev, &itag);
 	}
 	return 0;
 }
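Review bot: The added check `!inet_sk(sk)->inet_daddr && in_dev` does not distinguish multicast from broadcast: in the previous hunk of this function `in_dev` is assigned for `PACKET_BROADCAST` as well as `PACKET_MULTICAST`, so broadcast datagrams that hit a cached dst are also passed to `ip_mc_validate_source()`. That helper returns -EINVAL for a zero source address unless `daddr` is local multicast, so a broadcast datagram sent from 0.0.0.0 (as DHCP clients do) would presumably be rejected here once the socket has a cached dst, which looks like the gap the follow-up "udp: fix bcast packet reception" named in this thread closes. Gating on the packet type, `if (skb->pkt_type == PACKET_MULTICAST && !inet_sk(sk)->inet_daddr && in_dev)`, keeps the per-packet rp_filter and martian check for multicast without applying multicast rules to broadcast. The validation only takes effect if the caller acts on the non-zero return; that caller is outside this diff (presumably covered by the companion "ipv4: early demux can return an error code" patch), and the parts of `udp_v4_early_demux()` between the hunks are not visible. The same patch is re-posted unchanged later on this page.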


Patches currently in stable-queue which might be from pabeni@redhat.com are

queue-4.13/udp-perform-source-validation-for-mcast-early-demux.patch
queue-4.13/ipv4-early-demux-can-return-an-error-code.patch


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-09  7:35 Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree gregkh
@ 2017-10-09  7:37 ` Paolo Abeni
  2017-10-09  7:57   ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Paolo Abeni @ 2017-10-09  7:37 UTC (permalink / raw)
  To: gregkh, davem; +Cc: stable, stable-commits

On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
> This is a note to let you know that I've just added the patch titled
> 
>     udp: perform source validation for mcast early demux
> 
> to the 4.13-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      udp-perform-source-validation-for-mcast-early-demux.patch
> and it can be found in the queue-4.13 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.

Please, keep this one on-hold. It needs a relevant follow-up I'm going
to post soon!

Thanks,

Paolo


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-09  7:37 ` Paolo Abeni
@ 2017-10-09  7:57   ` Greg KH
  2017-10-09  8:02     ` Paolo Abeni
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2017-10-09  7:57 UTC (permalink / raw)
  To: Paolo Abeni; +Cc: davem, stable, stable-commits

On Mon, Oct 09, 2017 at 09:37:31AM +0200, Paolo Abeni wrote:
> On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
> > This is a note to let you know that I've just added the patch titled
> > 
> >     udp: perform source validation for mcast early demux
> > 
> > to the 4.13-stable tree which can be found at:
> >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > 
> > The filename of the patch is:
> >      udp-perform-source-validation-for-mcast-early-demux.patch
> > and it can be found in the queue-4.13 subdirectory.
> > 
> > If you, or anyone else, feels it should not be added to the stable tree,
> > please let <stable@vger.kernel.org> know about it.
> 
> Please, keep this one on-hold. It needs a relevant follow-up I'm going
> to post soon!

Can I keep the patch before this one in the series "IPv4: early demux
can return an error code"?  Or should I hold off on both of these for
now?

thanks,

greg k-h


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-09  7:57   ` Greg KH
@ 2017-10-09  8:02     ` Paolo Abeni
  2017-10-09  8:54       ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Paolo Abeni @ 2017-10-09  8:02 UTC (permalink / raw)
  To: Greg KH; +Cc: davem, stable, stable-commits

On Mon, 2017-10-09 at 09:57 +0200, Greg KH wrote:
> On Mon, Oct 09, 2017 at 09:37:31AM +0200, Paolo Abeni wrote:
> > On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
> > > This is a note to let you know that I've just added the patch titled
> > > 
> > >     udp: perform source validation for mcast early demux
> > > 
> > > to the 4.13-stable tree which can be found at:
> > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > > 
> > > The filename of the patch is:
> > >      udp-perform-source-validation-for-mcast-early-demux.patch
> > > and it can be found in the queue-4.13 subdirectory.
> > > 
> > > If you, or anyone else, feels it should not be added to the stable tree,
> > > please let <stable@vger.kernel.org> know about it.
> > 
> > Please, keep this one on-hold. It needs a relevant follow-up I'm going
> > to post soon!
> 
> Can I keep the patch before this one in the series "IPv4: early demux
> can return an error code"?  Or should I hold off on both of these for
> now?

AFAIK the patch "IPv4: early demux can return an error code" does not
have any issue - it's just useless without this one - I guess it can
stay in.

Thanks,

Paolo


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-09  8:02     ` Paolo Abeni
@ 2017-10-09  8:54       ` Greg KH
  2017-10-10  7:16         ` Paolo Abeni
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2017-10-09  8:54 UTC (permalink / raw)
  To: Paolo Abeni; +Cc: davem, stable, stable-commits

On Mon, Oct 09, 2017 at 10:02:14AM +0200, Paolo Abeni wrote:
> On Mon, 2017-10-09 at 09:57 +0200, Greg KH wrote:
> > On Mon, Oct 09, 2017 at 09:37:31AM +0200, Paolo Abeni wrote:
> > > On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
> > > > This is a note to let you know that I've just added the patch titled
> > > > 
> > > >     udp: perform source validation for mcast early demux
> > > > 
> > > > to the 4.13-stable tree which can be found at:
> > > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > > > 
> > > > The filename of the patch is:
> > > >      udp-perform-source-validation-for-mcast-early-demux.patch
> > > > and it can be found in the queue-4.13 subdirectory.
> > > > 
> > > > If you, or anyone else, feels it should not be added to the stable tree,
> > > > please let <stable@vger.kernel.org> know about it.
> > > 
> > > Please, keep this one on-hold. It needs a relevant follow-up I'm going
> > > to post soon!
> > 
> > Can I keep the patch before this one in the series "IPv4: early demux
> > can return an error code"?  Or should I hold off on both of these for
> > now?
> 
> AFAIK the patch "IPv4: early demux can return an error code" does not
> have any issue - it's just useless without this one - I guess it can
> stay in.

Ok, I've now moved this one out, thanks for letting me know.

And if you happen to remember when/if a fix for this goes into the tree,
that would be most helpful :)

thanks,

greg k-h


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-09  8:54       ` Greg KH
@ 2017-10-10  7:16         ` Paolo Abeni
  2017-10-10  7:31           ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Paolo Abeni @ 2017-10-10  7:16 UTC (permalink / raw)
  To: Greg KH; +Cc: davem, stable, stable-commits

On Mon, 2017-10-09 at 10:54 +0200, Greg KH wrote:
> On Mon, Oct 09, 2017 at 10:02:14AM +0200, Paolo Abeni wrote:
> > On Mon, 2017-10-09 at 09:57 +0200, Greg KH wrote:
> > > On Mon, Oct 09, 2017 at 09:37:31AM +0200, Paolo Abeni wrote:
> > > > On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
> > > > > This is a note to let you know that I've just added the patch titled
> > > > > 
> > > > >     udp: perform source validation for mcast early demux
> > > > > 
> > > > > to the 4.13-stable tree which can be found at:
> > > > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > > > > 
> > > > > The filename of the patch is:
> > > > >      udp-perform-source-validation-for-mcast-early-demux.patch
> > > > > and it can be found in the queue-4.13 subdirectory.
> > > > > 
> > > > > If you, or anyone else, feels it should not be added to the stable tree,
> > > > > please let <stable@vger.kernel.org> know about it.
> > > > 
> > > > Please, keep this one on-hold. It needs a relevant follow-up I'm going
> > > > to post soon!
> > > 
> > > Can I keep the patch before this one in the series "IPv4: early demux
> > > can return an error code"?  Or should I hold off on both of these for
> > > now?
> > 
> > AFAIK the patch "IPv4: early demux can return an error code" does not
> > have any issue - it's just useless without this one - I guess it can
> > stay in.
> 
> Ok, I've now moved this one out, thanks for letting me know.
> 
> And if you happen to remember when/if a fix for this goes into the tree,
> that would be most helpful :)

Sure! the fix just entered Linus's tree: commit 996b44fcef8f ("udp: fix
bcast packet reception")

Thanks,

Paolo


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-10  7:16         ` Paolo Abeni
@ 2017-10-10  7:31           ` Greg KH
  2017-10-10 17:09             ` David Miller
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2017-10-10  7:31 UTC (permalink / raw)
  To: Paolo Abeni, davem; +Cc: stable, stable-commits, netdev

On Tue, Oct 10, 2017 at 09:16:06AM +0200, Paolo Abeni wrote:
> On Mon, 2017-10-09 at 10:54 +0200, Greg KH wrote:
> > On Mon, Oct 09, 2017 at 10:02:14AM +0200, Paolo Abeni wrote:
> > > On Mon, 2017-10-09 at 09:57 +0200, Greg KH wrote:
> > > > On Mon, Oct 09, 2017 at 09:37:31AM +0200, Paolo Abeni wrote:
> > > > > On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
> > > > > > This is a note to let you know that I've just added the patch titled
> > > > > > 
> > > > > >     udp: perform source validation for mcast early demux
> > > > > > 
> > > > > > to the 4.13-stable tree which can be found at:
> > > > > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> > > > > > 
> > > > > > The filename of the patch is:
> > > > > >      udp-perform-source-validation-for-mcast-early-demux.patch
> > > > > > and it can be found in the queue-4.13 subdirectory.
> > > > > > 
> > > > > > If you, or anyone else, feels it should not be added to the stable tree,
> > > > > > please let <stable@vger.kernel.org> know about it.
> > > > > 
> > > > > Please, keep this one on-hold. It needs a relevant follow-up I'm going
> > > > > to post soon!
> > > > 
> > > > Can I keep the patch before this one in the series "IPv4: early demux
> > > > can return an error code"?  Or should I hold off on both of these for
> > > > now?
> > > 
> > > AFAIK the patch "IPv4: early demux can return an error code" does not
> > > have any issue - it's just useless without this one - I guess it can
> > > stay in.
> > 
> > Ok, I've now moved this one out, thanks for letting me know.
> > 
> > And if you happen to remember when/if a fix for this goes into the tree,
> > that would be most helpful :)
> 
> Sure! the fix just entered Linus's tree: commit 996b44fcef8f ("udp: fix
> bcast packet reception")

Great!  Dave, mind if I take this now, or do you want me to wait for the
next round of networking patches.

thanks,

greg k-h


* Re: Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
  2017-10-10  7:31           ` Greg KH
@ 2017-10-10 17:09             ` David Miller
  0 siblings, 0 replies; 9+ messages in thread
From: David Miller @ 2017-10-10 17:09 UTC (permalink / raw)
  To: gregkh; +Cc: pabeni, stable, stable-commits, netdev

From: Greg KH <gregkh@linuxfoundation.org>
Date: Tue, 10 Oct 2017 09:31:43 +0200

> On Tue, Oct 10, 2017 at 09:16:06AM +0200, Paolo Abeni wrote:
>> On Mon, 2017-10-09 at 10:54 +0200, Greg KH wrote:
>> > On Mon, Oct 09, 2017 at 10:02:14AM +0200, Paolo Abeni wrote:
>> > > On Mon, 2017-10-09 at 09:57 +0200, Greg KH wrote:
>> > > > On Mon, Oct 09, 2017 at 09:37:31AM +0200, Paolo Abeni wrote:
>> > > > > On Mon, 2017-10-09 at 09:35 +0200, gregkh@linuxfoundation.org wrote:
>> > > > > > This is a note to let you know that I've just added the patch titled
>> > > > > > 
>> > > > > >     udp: perform source validation for mcast early demux
>> > > > > > 
>> > > > > > to the 4.13-stable tree which can be found at:
>> > > > > >     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>> > > > > > 
>> > > > > > The filename of the patch is:
>> > > > > >      udp-perform-source-validation-for-mcast-early-demux.patch
>> > > > > > and it can be found in the queue-4.13 subdirectory.
>> > > > > > 
>> > > > > > If you, or anyone else, feels it should not be added to the stable tree,
>> > > > > > please let <stable@vger.kernel.org> know about it.
>> > > > > 
>> > > > > Please, keep this one on-hold. It needs a relevant follow-up I'm going
>> > > > > to post soon!
>> > > > 
>> > > > Can I keep the patch before this one in the series "IPv4: early demux
>> > > > can return an error code"?  Or should I hold off on both of these for
>> > > > now?
>> > > 
>> > > AFAIK the patch "IPv4: early demux can return an error code" does not
>> > > have any issue - it's just useless without this one - I guess it can
>> > > stay in.
>> > 
>> > Ok, I've now moved this one out, thanks for letting me know.
>> > 
>> > And if you happen to remember when/if a fix for this goes into the tree,
>> > that would be most helpful :)
>> 
>> Sure! the fix just entered Linus's tree: commit 996b44fcef8f ("udp: fix
>> bcast packet reception")
> 
> Great!  Dave, mind if I take this now, or do you want me to wait for the
> next round of networking patches.

Feel free to take this now, thanks!


* Patch "udp: perform source validation for mcast early demux" has been added to the 4.13-stable tree
@ 2017-10-10 18:16 gregkh
  0 siblings, 0 replies; 9+ messages in thread
From: gregkh @ 2017-10-10 18:16 UTC (permalink / raw)
  To: pabeni, davem, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    udp: perform source validation for mcast early demux

to the 4.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     udp-perform-source-validation-for-mcast-early-demux.patch
and it can be found in the queue-4.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Mon Oct  9 09:32:35 CEST 2017
From: Paolo Abeni <pabeni@redhat.com>
Date: Thu, 28 Sep 2017 15:51:37 +0200
Subject: udp: perform source validation for mcast early demux

From: Paolo Abeni <pabeni@redhat.com>


[ Upstream commit bc044e8db7962e727a75b591b9851ff2ac5cf846 ]

The UDP early demux can leverage the rx dst cache even for
multicast unconnected sockets.

In such scenario the ipv4 source address is validated only on
the first packet in the given flow. After that, when we fetch
the dst entry from the socket rx cache, we stop enforcing
the rp_filter and we even start accepting any kind of martian
addresses.

Disabling the dst cache for unconnected multicast socket will
cause large performance regression, nearly reducing by half the
max ingress tput.

Instead we factor out a route helper to completely validate an
skb source address for multicast packets and we call it from
the UDP early demux for mcast packets landing on unconnected
sockets, after successful fetching the related cached dst entry.

This still gives a measurable, but limited performance
regression:

		rp_filter = 0		rp_filter = 1
edmux disabled:	1182 Kpps		1127 Kpps
edmux before:	2238 Kpps		2238 Kpps
edmux after:	2037 Kpps		2019 Kpps

The above figures are on top of current net tree.
Applying the net-next commit 6e617de84e87 ("net: avoid a full
fib lookup when rp_filter is disabled.") the delta with
rp_filter == 0 will decrease even more.

Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/route.h |    4 +++-
 net/ipv4/route.c    |   46 ++++++++++++++++++++++++++--------------------
 net/ipv4/udp.c      |   13 ++++++++++++-
 3 files changed, 41 insertions(+), 22 deletions(-)

--- a/include/net/route.h
+++ b/include/net/route.h
@@ -175,7 +175,9 @@ static inline struct rtable *ip_route_ou
 	fl4->fl4_gre_key = gre_key;
 	return ip_route_output_key(net, fl4);
 }
-
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			  u8 tos, struct net_device *dev,
+			  struct in_device *in_dev, u32 *itag);
 int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
 			 u8 tos, struct net_device *devin);
 int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1520,43 +1520,56 @@ struct rtable *rt_dst_alloc(struct net_d
 EXPORT_SYMBOL(rt_dst_alloc);
 
 /* called in rcu_read_lock() section */
-static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-				u8 tos, struct net_device *dev, int our)
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			  u8 tos, struct net_device *dev,
+			  struct in_device *in_dev, u32 *itag)
 {
-	struct rtable *rth;
-	struct in_device *in_dev = __in_dev_get_rcu(dev);
-	unsigned int flags = RTCF_MULTICAST;
-	u32 itag = 0;
 	int err;
 
 	/* Primary sanity checks. */
-
 	if (!in_dev)
 		return -EINVAL;
 
 	if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) ||
 	    skb->protocol != htons(ETH_P_IP))
-		goto e_inval;
+		return -EINVAL;
 
 	if (ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev))
-		goto e_inval;
+		return -EINVAL;
 
 	if (ipv4_is_zeronet(saddr)) {
 		if (!ipv4_is_local_multicast(daddr))
-			goto e_inval;
+			return -EINVAL;
 	} else {
 		err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
-					  in_dev, &itag);
+					  in_dev, itag);
 		if (err < 0)
-			goto e_err;
+			return err;
 	}
+	return 0;
+}
+
+/* called in rcu_read_lock() section */
+static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			     u8 tos, struct net_device *dev, int our)
+{
+	struct in_device *in_dev = __in_dev_get_rcu(dev);
+	unsigned int flags = RTCF_MULTICAST;
+	struct rtable *rth;
+	u32 itag = 0;
+	int err;
+
+	err = ip_mc_validate_source(skb, daddr, saddr, tos, dev, in_dev, &itag);
+	if (err)
+		return err;
+
 	if (our)
 		flags |= RTCF_LOCAL;
 
 	rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST,
 			   IN_DEV_CONF_GET(in_dev, NOPOLICY), false, false);
 	if (!rth)
-		goto e_nobufs;
+		return -ENOBUFS;
 
 #ifdef CONFIG_IP_ROUTE_CLASSID
 	rth->dst.tclassid = itag;
@@ -1572,13 +1585,6 @@ static int ip_route_input_mc(struct sk_b
 
 	skb_dst_set(skb, &rth->dst);
 	return 0;
-
-e_nobufs:
-	return -ENOBUFS;
-e_inval:
-	return -EINVAL;
-e_err:
-	return err;
 }
 
 
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2220,6 +2220,7 @@ static struct sock *__udp4_lib_demux_loo
 int udp_v4_early_demux(struct sk_buff *skb)
 {
 	struct net *net = dev_net(skb->dev);
+	struct in_device *in_dev = NULL;
 	const struct iphdr *iph;
 	const struct udphdr *uh;
 	struct sock *sk = NULL;
@@ -2236,7 +2237,7 @@ int udp_v4_early_demux(struct sk_buff *s
 
 	if (skb->pkt_type == PACKET_BROADCAST ||
 	    skb->pkt_type == PACKET_MULTICAST) {
-		struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
+		in_dev = __in_dev_get_rcu(skb->dev);
 
 		if (!in_dev)
 			return 0;
@@ -2266,11 +2267,21 @@ int udp_v4_early_demux(struct sk_buff *s
 	if (dst)
 		dst = dst_check(dst, 0);
 	if (dst) {
+		u32 itag = 0;
+
 		/* set noref for now.
 		 * any place which wants to hold dst has to call
 		 * dst_hold_safe()
 		 */
 		skb_dst_set_noref(skb, dst);
+
+		/* for unconnected multicast sockets we need to validate
+		 * the source on each packet
+		 */
+		if (!inet_sk(sk)->inet_daddr && in_dev)
+			return ip_mc_validate_source(skb, iph->daddr,
+						     iph->saddr, iph->tos,
+						     skb->dev, in_dev, &itag);
 	}
 	return 0;
 }


Patches currently in stable-queue which might be from pabeni@redhat.com are

queue-4.13/udp-perform-source-validation-for-mcast-early-demux.patch
queue-4.13/ipv4-early-demux-can-return-an-error-code.patch
queue-4.13/udp-fix-bcast-packet-reception.patch

