Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp1643996pxy; Mon, 2 Aug 2021 06:58:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwLEnxZEqht5JHRZ+TL6uSha6qqZgYtAr+gFAykr6l5VKeEKuv6Fcy5CJjod5YqoMJiuf/9 X-Received: by 2002:a05:6638:114:: with SMTP id x20mr14704174jao.118.1627912730788; Mon, 02 Aug 2021 06:58:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627912730; cv=none; d=google.com; s=arc-20160816; b=MXaLbtmLG19o9jrLbe1M9wq0OEtpm/YnUQ+K9vI8HcbDzuBd9yxbz+r9QZTJ0XRD5V jdm21/X7zxF30/m9RQcOoZzgPxRhmsofJ7Ph3qDAqkIQnGEDbSuXufc01IvzowM9UdNS l/eDAmfxBErwbN9zUkVN6QKL+bmugka/Vn5itV/ILq8yy0qxZoTruVErd2HnBBKp5npY xFRCowIYCpHMCS8v8dMF4z1kqc/J+7W41KSvZvu+h7EFL1kQO51i4FkyE66iFsrT4xG8 1MnOHiiiUW0ViAUructuRF9zhpazfu+qiOT0T0s9tci9yalMQSMTDxLLulMAG3YeOVQn vtxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=PzQnxC7MHisjFzrcBNHzqD9b2XdKxWXsTh1XdQEyT1M=; b=UrWnxrrtfMYCATi6HpZPVM3nSYj49Feh6fGIe77pwhcL8oGn8HqxscSBQRmM6CfNnA GqcG8IQcQ1sCz8i5PP0ucH+5a/UUF874/CZE8xINaJpO7fjo99YEdkIYayEVEVg7mUTj 4mhkgBnDTYd0r4xwQ0Ept9nkRhqYywmYAOVIexo1pqp5rfAZ4hgXIOcWrcrBjML8Jr7I HLfX5TIFmXMVzFuMHJFQRxvVh7FeTkhZWSNoP9zlQ1J+98QdRCEt0eCup/Z3wO4Z0Ld5 Jg2aLERWrXKA7VeyyOcyOn3dF1iDLUUkFCTGexUkJNMkM02fRRkn1SCZ1tjYR4SDlWFM ++ow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=t1kXRRR0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a6si15665695ilv.81.2021.08.02.06.58.39; Mon, 02 Aug 2021 06:58:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=t1kXRRR0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236030AbhHBN6H (ORCPT + 99 others); Mon, 2 Aug 2021 09:58:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:33536 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234891AbhHBNvk (ORCPT ); Mon, 2 Aug 2021 09:51:40 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C3B9E6113B; Mon, 2 Aug 2021 13:51:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627912278; bh=Z0FHo0vkFOWmXRXzBJ8pqARAM7rIV38XEmvJjNw60IU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=t1kXRRR04EC8BxXqub65rhHYWP715tq8JtAHk8lfWZd1cloVPnZHc6ElNTunSnAmB YZdNIhZNZq95A0YFQM8+CVw2Nl8NIIJTyxwOKcKTRNw45A/h9HKCIl06EelqTzq096 RWkoNoN9FVaw6pzPBdCMx/TVb31+F0ZqD+307VRg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "David S. Miller" , Hideaki YOSHIFUJI , David Ahern , Jakub Kicinski , =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , Gilad Naaman , Sasha Levin Subject: [PATCH 5.4 27/40] net: Set true network header for ECN decapsulation Date: Mon, 2 Aug 2021 15:45:07 +0200 Message-Id: <20210802134336.259765265@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210802134335.408294521@linuxfoundation.org> References: <20210802134335.408294521@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Gilad Naaman [ Upstream commit 227adfb2b1dfbc53dfc53b9dd7a93a6298ff7c56 ] In cases where the header straight after the tunnel header was another ethernet header (TEB), instead of the network header, the ECN decapsulation code would treat the ethernet header as if it was an IP header, resulting in mishandling and possible wrong drops or corruption of the IP header. In this case, ECT(1) is sent, so IP_ECN_decapsulate tries to copy it to the inner IPv4 header, and correct its checksum. The offset of the ECT bits in an IPv4 header corresponds to the lower 2 bits of the second octet of the destination MAC address in the ethernet header. The IPv4 checksum corresponds to end of the source address. In order to reproduce: $ ip netns add A $ ip netns add B $ ip -n A link add _v0 type veth peer name _v1 netns B $ ip -n A link set _v0 up $ ip -n A addr add dev _v0 10.254.3.1/24 $ ip -n A route add default dev _v0 scope global $ ip -n B link set _v1 up $ ip -n B addr add dev _v1 10.254.1.6/24 $ ip -n B route add default dev _v1 scope global $ ip -n B link add gre1 type gretap local 10.254.1.6 remote 10.254.3.1 key 0x49000000 $ ip -n B link set gre1 up # Now send an IPv4/GRE/Eth/IPv4 frame where the outer header has ECT(1), # and the inner header has no ECT bits set: $ cat send_pkt.py #!/usr/bin/env python3 from scapy.all import * pkt = IP(b'E\x01\x00\xa7\x00\x00\x00\x00@/`%\n\xfe\x03\x01\n\xfe\x01\x06 \x00eXI\x00' b'\x00\x00\x18\xbe\x92\xa0\xee&\x18\xb0\x92\xa0l&\x08\x00E\x00\x00}\x8b\x85' b'@\x00\x01\x01\xe4\xf2\x82\x82\x82\x01\x82\x82\x82\x02\x08\x00d\x11\xa6\xeb' b'3\x1e\x1e\\xf3\\xf7`\x00\x00\x00\x00ZN\x00\x00\x00\x00\x00\x00\x10\x11\x12' b'\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234' b'56789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ') send(pkt) $ sudo ip netns exec B tcpdump -neqlllvi gre1 icmp & ; sleep 1 $ sudo ip netns exec A python3 send_pkt.py In the original packet, the source/destinatio MAC addresses are dst=18:be:92:a0:ee:26 src=18:b0:92:a0:6c:26 In the received packet, they are dst=18:bd:92:a0:ee:26 src=18:b0:92:a0:6c:27 Thanks to Lahav Schlesinger and Isaac Garzon for helping me pinpoint the origin. Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040") Cc: David S. Miller Cc: Hideaki YOSHIFUJI Cc: David Ahern Cc: Jakub Kicinski Cc: Toke Høiland-Jørgensen Signed-off-by: Gilad Naaman Acked-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv4/ip_tunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index eb381a24a8f8..38d3095ef979 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -391,7 +391,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb, tunnel->i_seqno = ntohl(tpi->seq) + 1; } - skb_reset_network_header(skb); + skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0); err = IP_ECN_decapsulate(iph, skb); if (unlikely(err)) { -- 2.30.2