| From b05c82c00fa00443df86c63ad98b98689d9cf7be Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 23 May 2022 22:05:24 +0200 |
| Subject: Revert "net: af_key: add check for pfkey_broadcast in function |
| pfkey_process" |
| |
| From: Michal Kubecek <mkubecek@suse.cz> |
| |
| [ Upstream commit 9c90c9b3e50e16d03c7f87d63e9db373974781e0 ] |
| |
| This reverts commit 4dc2a5a8f6754492180741facf2a8787f2c415d7. |
| |
| A non-zero return value from pfkey_broadcast() does not necessarily mean |
| an error occurred as this function returns -ESRCH when no registered |
| listener received the message. In particular, a call with |
| BROADCAST_PROMISC_ONLY flag and null one_sk argument can never return |
| zero so that this commit in fact prevents processing any PF_KEY message. |
| One visible effect is that racoon daemon fails to find encryption |
| algorithms like aes and refuses to start. |
| |
| Excluding -ESRCH return value would fix this but it's not obvious that |
| we really want to bail out here and most other callers of |
| pfkey_broadcast() also ignore the return value. Also, as pointed out by |
| Steffen Klassert, PF_KEY is kind of deprecated and newer userspace code |
| should use netlink instead so that we should only disturb the code for |
| really important fixes. |
| |
| v2: add a comment explaining why the return value is ignored |
| |
| Signed-off-by: Michal Kubecek <mkubecek@suse.cz> |
| Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/key/af_key.c | 10 ++++++---- |
| 1 file changed, 6 insertions(+), 4 deletions(-) |
| |
| diff --git a/net/key/af_key.c b/net/key/af_key.c |
| index d5dc614af2f9..0737fc7b7ebd 100644 |
| --- a/net/key/af_key.c |
| +++ b/net/key/af_key.c |
| @@ -2861,10 +2861,12 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb |
| void *ext_hdrs[SADB_EXT_MAX]; |
| int err; |
| |
| - err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, |
| - BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); |
| - if (err) |
| - return err; |
| + /* Non-zero return value of pfkey_broadcast() does not always signal |
| + * an error and even on an actual error we may still want to process |
| + * the message so rather ignore the return value. |
| + */ |
| + pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, |
| + BROADCAST_PROMISC_ONLY, NULL, sock_net(sk)); |
| |
| memset(ext_hdrs, 0, sizeof(ext_hdrs)); |
| err = parse_exthdrs(skb, hdr, ext_hdrs); |
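Review bot: The new comment in pfkey_process() says a non-zero return "does not always signal an error" but never names the case. The commit message does: -ESRCH when no registered listener received the message, which a BROADCAST_PROMISC_ONLY call with a NULL one_sk always hits. Putting -ESRCH and that condition in the comment itself would make it less likely that someone re-adds the `if (err) return err;` check later. Separately, the result of skb_clone(skb, GFP_KERNEL) is still passed straight into pfkey_broadcast() and can be NULL on allocation failure. With the return value now discarded, nothing in this hunk shows how that case is handled, so the comment should state that pfkey_broadcast() is relied on to cope with a NULL skb, if that is the intent.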
| -- |
| 2.35.1 |
| |