From: Paul Moore <[email protected]> Date: Fri, 15 Feb 2019 14:02:31 -0500
> On Thu, Feb 14, 2019 at 11:43 AM David Miller <[email protected]> wrote: >> From: Nazarov Sergey <[email protected]> >> Date: Tue, 12 Feb 2019 18:10:03 +0300 >> >> > Since cipso_v4_error might be called from different network stack layers, >> > we can't safely use icmp_send there. >> > icmp_send copies IP options with ip_option_echo, which uses IPCB to take >> > access to IP header compiled data. >> > But after commit 971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache >> > line misses"), IPCB can't be used >> > above IP layer. >> > This patch fixes the problem by creating in cipso_v4_error a local copy of >> > compiled IP options and using it with >> > introduced __icmp_send function. This looks some overloaded, but in quite >> > rare error conditions only. >> > >> > The original discussion is here: >> > https://lore.kernel.org/linux-security-module/[email protected]/ >> > >> > Signed-off-by: Sergey Nazarov <[email protected]> >> >> This problem is not unique to Cipso, net/atm/clip.c's error handler >> has the same exact issue. >> >> I didn't scan more of the tree, there are probably a couple more >> locations as well. > > David, are you happy with Sergey's solution as a fix for this? > > If so, would you prefer a respin of this patch to apply the to the > other broken callers (e.g. net/atm/clip.c), or would you rather merge > this patch and deal with the other callers in separate patches? I'd like the other broken callers to be handled.
