From: Florian Westphal
Subject: Re: crash in xt_policy due to skb_dst_drop() in nf_ct_frag6_gather()
Date: Tue, 16 Oct 2018 10:11:20 +0200
Message-ID: <20181016081120.umbe3kz2vi4jfgks@breakpoint.cc>
To: Maciej Żenczykowski
Cc: Lorenzo Colitti, Eric Dumazet, Florian Westphal, Linux NetDev, Maciej Zenczykowski

Maciej Żenczykowski wrote:

I am currently travelling and not able to investigate until next week.

> commit ad8b1ffc3efae2f65080bdb11145c87d299b8f9a
> Author: Florian Westphal
>
>     netfilter: ipv6: nf_defrag: drop skb dst before queueing
>
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -618,6 +618,8 @@ int nf_ct_frag6_gather(struct net *net, struct
> sk_buff *skb, u32 user)
>  	    fq->q.meat == fq->q.len &&
>  	    nf_ct_frag6_reasm(fq, skb, dev))
>  		ret = 0;
> +	else
> +		skb_dst_drop(skb);

This is only supposed to drop the dst of skbs that are enqueued, i.e. frag6_gather returns NF_STOLEN.

In case skb completes the queue, then that skb's dst_entry is supposed to be kept, so skb_dst() does NOT return NULL.

It's not supposed to be any different than ipv4 defrag.

> const struct dst_entry *dst = skb_dst(skb); // returns NULL

That is not supposed to happen.
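Review bot: the new `else` branch at the end of the hunk clears the dst of every skb for which the `nf_ct_frag6_reasm(fq, skb, dev)` condition did not hold, but by itself it does not guarantee that the skb the caller gets back with `ret = 0` still has a dst: fragments queued earlier went through this same branch and lost theirs, so if the packet that nf_ct_frag6_reasm() leaves as the reassembled datagram is built from, or inherits the metadata of, one of those earlier-queued fragments rather than the completing `skb`, the result is exactly the quoted `skb_dst(skb); // returns NULL`. Suggest checking which skb nf_ct_frag6_reasm() hands back as the reassembled packet and, when it is not the completing `skb`, carrying the completing skb's dst over to it so the drop really is confined to the NF_STOLEN path the commit message describes.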
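The rule Florian states above (the dst is dropped only for fragments that are queued and stolen; the fragment that completes the datagram is returned with ret == 0 and keeps its dst, so a later dst-based match does not see NULL), as an added user-space model in C. This is example code written for this page, not kernel code and not the patch under discussion; `struct sk_buff`, `struct frag_queue`, `skb_dst()`, `skb_dst_drop()`, `frag_queue_insert()`, `frag6_gather()` and `dst_based_match()` are simplified stand-ins for the kernel's, and the three-fragment input is constructed.

```c
/* Added example, not kernel code: a user-space model of the dst-ownership
 * rule for nf_ct_frag6_gather(). A fragment that is queued is stolen
 * (NF_STOLEN) and loses its dst; the fragment that completes the datagram
 * is returned with 0 and its dst intact. All types/helpers are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NF_STOLEN 2            /* same value as the kernel's netfilter verdict */
#define MAX_FRAGS 8

struct dst_entry { int ifindex; };

struct sk_buff {
    struct dst_entry *dst;     /* NULL once skb_dst_drop() ran */
    unsigned int offset;       /* byte offset of this fragment in the datagram */
    unsigned int len;          /* payload length of this fragment */
    bool more_frags;           /* M flag: more fragments follow */
};

struct frag_queue {
    struct sk_buff *frags[MAX_FRAGS];
    int nfrags;
    unsigned int meat;         /* bytes collected so far */
    unsigned int total;        /* datagram length, valid once last_in is set */
    bool first_in, last_in;
};

static struct dst_entry *skb_dst(const struct sk_buff *skb) { return skb->dst; }
static void skb_dst_drop(struct sk_buff *skb) { skb->dst = NULL; }

/* Stand-in for nf_ct_frag6_queue(): reject empty/overlapping/oversized
 * fragments, record the fragment, track first/last arrival. */
static bool frag_queue_insert(struct frag_queue *fq, struct sk_buff *skb)
{
    unsigned int end = skb->offset + skb->len;

    if (fq->nfrags == MAX_FRAGS || skb->len == 0)
        return false;
    for (int i = 0; i < fq->nfrags; i++) {
        const struct sk_buff *f = fq->frags[i];
        if (skb->offset < f->offset + f->len && f->offset < end)
            return false;            /* overlap: invalid fragment */
    }
    if (!skb->more_frags) {
        if (fq->last_in && fq->total != end)
            return false;            /* two different "last" fragments */
        fq->last_in = true;
        fq->total = end;
    } else if (fq->last_in && end > fq->total) {
        return false;                /* reaches past the announced end */
    }
    if (skb->offset == 0)
        fq->first_in = true;
    fq->frags[fq->nfrags++] = skb;
    fq->meat += skb->len;
    return true;
}

/* Stand-in for nf_ct_frag6_gather(): NF_STOLEN when skb was queued (its
 * dst is dropped; the caller must not touch it again), 0 when skb
 * completed the datagram (skb now stands for the whole packet and keeps
 * its dst), -1 when the fragment is invalid and the caller must drop it. */
static int frag6_gather(struct frag_queue *fq, struct sk_buff *skb)
{
    if (!frag_queue_insert(fq, skb))
        return -1;

    if (fq->first_in && fq->last_in && fq->meat == fq->total) {
        /* Complete: the completing skb becomes the reassembled packet.
         * Its dst is deliberately left alone. */
        skb->offset = 0;
        skb->len = fq->total;
        skb->more_frags = false;
        memset(fq, 0, sizeof(*fq));
        return 0;
    }

    /* Queued, not complete: the only place the dst goes away. */
    skb_dst_drop(skb);
    return NF_STOLEN;
}

/* Stand-in for a later dst-based match: under the rule above it only
 * ever sees ret == 0 skbs, whose dst is intact. The NULL check turns a
 * violated rule into a miss instead of a NULL dereference. */
static bool dst_based_match(const struct sk_buff *skb, int want_ifindex)
{
    const struct dst_entry *dst = skb_dst(skb);

    return dst != NULL && dst->ifindex == want_ifindex;
}

/* Constructed scenario: three fragments of one 250-byte datagram arrive
 * out of order (first, last, middle), all carrying the same route.
 * Returns how many were stolen; *reassembled gets the completing skb. */
static int run_out_of_order(struct sk_buff **reassembled)
{
    static struct dst_entry rt = { .ifindex = 7 };
    static struct sk_buff frags[3];
    struct frag_queue fq;
    int stolen = 0;

    frags[0] = (struct sk_buff){ .dst = &rt, .offset = 0,   .len = 100, .more_frags = true  };
    frags[1] = (struct sk_buff){ .dst = &rt, .offset = 200, .len = 50,  .more_frags = false };
    frags[2] = (struct sk_buff){ .dst = &rt, .offset = 100, .len = 100, .more_frags = true  };
    memset(&fq, 0, sizeof(fq));
    *reassembled = NULL;

    for (int i = 0; i < 3; i++) {
        int ret = frag6_gather(&fq, &frags[i]);
        if (ret == NF_STOLEN)
            stolen++;
        else if (ret == 0)
            *reassembled = &frags[i];
    }
    return stolen;
}

int main(void)
{
    struct sk_buff *pkt;
    int stolen = run_out_of_order(&pkt);

    printf("stolen=%d completed=%s len=%u dst=%s match=%d\n", stolen,
           pkt ? "yes" : "no", pkt ? pkt->len : 0,
           pkt && skb_dst(pkt) ? "kept" : "NULL",
           pkt ? dst_based_match(pkt, 7) : 0);
    return 0;
}
```

The two stolen fragments end with dst == NULL and are never seen by the match again; the middle fragment completes the datagram, is returned with 0 and still carries the route, which is the invariant the reply says IPv6 defrag must share with IPv4 defrag.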