Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dongseok Yi <dseok.yi@samsung.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Willem de Bruijn <willemb@google.com>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 17/74] bpf: Check for BPF_F_ADJ_ROOM_FIXED_GSO when bpf_skb_change_proto
Date: Tue, 6 Jul 2021 07:24:05 -0400 [thread overview]
Message-ID: <20210706112502.2064236-17-sashal@kernel.org> (raw)
In-Reply-To: <20210706112502.2064236-1-sashal@kernel.org>
From: Dongseok Yi <dseok.yi@samsung.com>
[ Upstream commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e ]
In the forwarding path GRO -> BPF 6 to 4 -> GSO for TCP traffic, the
coalesced packet payload can be > MSS, but < MSS + 20.
bpf_skb_proto_6_to_4() will upgrade the MSS and it can be > the payload
length. After then tcp_gso_segment checks for the payload length if it
is <= MSS. The condition is causing the packet to be dropped.
tcp_gso_segment():
[...]
mss = skb_shinfo(skb)->gso_size;
if (unlikely(skb->len <= mss))
goto out;
[...]
Allow to upgrade/downgrade MSS only when BPF_F_ADJ_ROOM_FIXED_GSO is
not set.
Signed-off-by: Dongseok Yi <dseok.yi@samsung.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/bpf/1620804453-57566-1-git-send-email-dseok.yi@samsung.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 108bcf600052..823e77846525 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2833,7 +2833,7 @@ static int bpf_skb_net_hdr_pop(struct sk_buff *skb, u32 off, u32 len)
return ret;
}
-static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
+static int bpf_skb_proto_4_to_6(struct sk_buff *skb, u64 flags)
{
const u32 len_diff = sizeof(struct ipv6hdr) - sizeof(struct iphdr);
u32 off = skb_mac_header_len(skb);
@@ -2862,7 +2862,9 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
}
/* Due to IPv6 header, MSS needs to be downgraded. */
- skb_decrease_gso_size(shinfo, len_diff);
+ if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO))
+ skb_decrease_gso_size(shinfo, len_diff);
+
/* Header must be checked, and gso_segs recomputed. */
shinfo->gso_type |= SKB_GSO_DODGY;
shinfo->gso_segs = 0;
@@ -2874,7 +2876,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
return 0;
}
-static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
+static int bpf_skb_proto_6_to_4(struct sk_buff *skb, u64 flags)
{
const u32 len_diff = sizeof(struct ipv6hdr) - sizeof(struct iphdr);
u32 off = skb_mac_header_len(skb);
@@ -2903,7 +2905,9 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
}
/* Due to IPv4 header, MSS can be upgraded. */
- skb_increase_gso_size(shinfo, len_diff);
+ if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO))
+ skb_increase_gso_size(shinfo, len_diff);
+
/* Header must be checked, and gso_segs recomputed. */
shinfo->gso_type |= SKB_GSO_DODGY;
shinfo->gso_segs = 0;
@@ -2915,17 +2919,17 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
return 0;
}
-static int bpf_skb_proto_xlat(struct sk_buff *skb, __be16 to_proto)
+static int bpf_skb_proto_xlat(struct sk_buff *skb, __be16 to_proto, u64 flags)
{
__be16 from_proto = skb->protocol;
if (from_proto == htons(ETH_P_IP) &&
to_proto == htons(ETH_P_IPV6))
- return bpf_skb_proto_4_to_6(skb);
+ return bpf_skb_proto_4_to_6(skb, flags);
if (from_proto == htons(ETH_P_IPV6) &&
to_proto == htons(ETH_P_IP))
- return bpf_skb_proto_6_to_4(skb);
+ return bpf_skb_proto_6_to_4(skb, flags);
return -ENOTSUPP;
}
@@ -2935,7 +2939,7 @@ BPF_CALL_3(bpf_skb_change_proto, struct sk_buff *, skb, __be16, proto,
{
int ret;
- if (unlikely(flags))
+ if (unlikely(flags & ~(BPF_F_ADJ_ROOM_FIXED_GSO)))
return -EINVAL;
/* General idea is that this helper does the basic groundwork
@@ -2955,7 +2959,7 @@ BPF_CALL_3(bpf_skb_change_proto, struct sk_buff *, skb, __be16, proto,
* that. For offloads, we mark packet as dodgy, so that headers
* need to be verified first.
*/
- ret = bpf_skb_proto_xlat(skb, proto);
+ ret = bpf_skb_proto_xlat(skb, proto, flags);
bpf_compute_data_pointers(skb);
return ret;
}
--
2.30.2
next prev parent reply other threads:[~2021-07-06 11:39 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210706112502.2064236-1-sashal@kernel.org>
2021-07-06 11:23 ` [PATCH AUTOSEL 5.4 06/74] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() Sasha Levin
2021-07-06 11:23 ` [PATCH AUTOSEL 5.4 09/74] atm: iphase: fix possible use-after-free in ia_module_exit() Sasha Levin
2021-07-06 11:23 ` [PATCH AUTOSEL 5.4 10/74] mISDN: fix possible use-after-free in HFC_cleanup() Sasha Levin
2021-07-06 11:23 ` [PATCH AUTOSEL 5.4 11/74] atm: nicstar: Fix possible use-after-free in nicstar_cleanup() Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 12/74] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT Sasha Levin
2021-07-06 11:24 ` Sasha Levin [this message]
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 20/74] e100: handle eeprom as little endian Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 21/74] igb: handle vlan types with checker enabled Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 25/74] ipv6: use prandom_u32() for ID generation Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 29/74] ice: set the value of global config lock timeout longer Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 30/74] virtio_net: Remove BUG() to avoid machine dead Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 31/74] net: bcmgenet: check return value after calling platform_get_resource() Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 32/74] net: mvpp2: " Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 33/74] net: micrel: " Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 34/74] net: moxa: Use devm_platform_get_and_ioremap_resource() Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 39/74] fjes: check return value after calling platform_get_resource() Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 41/74] r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 43/74] xfrm: Fix error reporting in xfrm_state_construct Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 44/74] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 45/74] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 46/74] cw1200: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 47/74] bpf: Fix up register-based shifts in interpreter to silence KUBSAN Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 48/74] mt76: mt7615: fix fixed-rate tx status reporting Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 50/74] net: sched: fix error return code in tcf_del_walker() Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 52/74] rtl8xxxu: Fix device info for RTL8192EU devices Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 54/74] atm: nicstar: use 'dma_free_coherent' instead of 'kfree' Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 55/74] atm: nicstar: register the interrupt handler in the right place Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 56/74] vsock: notify server to shutdown when client has pending signal Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 58/74] iwlwifi: mvm: don't change band on bound PHY contexts Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 59/74] iwlwifi: pcie: free IML DMA memory allocation Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 60/74] iwlwifi: pcie: fix context info freeing Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 61/74] sfc: avoid double pci_remove of VFs Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 62/74] sfc: error code if SRIOV cannot be disabled Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 63/74] wireless: wext-spy: Fix out-of-bounds warning Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 64/74] media, bpf: Do not copy more entries than user space requested Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 65/74] net: ip: avoid OOM kills with large UDP sends over loopback Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 68/74] Bluetooth: Fix the HCI to MGMT status conversion table Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 69/74] Bluetooth: Shutdown controller after workqueues are flushed or cancelled Sasha Levin
2021-07-06 11:24 ` [PATCH AUTOSEL 5.4 71/74] sctp: validate from_addr_param return Sasha Levin
2021-07-06 11:25 ` [PATCH AUTOSEL 5.4 72/74] sctp: add size validation when walking chunks Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210706112502.2064236-17-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dseok.yi@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
--subject='Re: [PATCH AUTOSEL 5.4 17/74] bpf: Check for BPF_F_ADJ_ROOM_FIXED_GSO when bpf_skb_change_proto' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).