Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20230707121650.GA17677@debian> <20230707122627.GA17845@debian>
In-Reply-To: <20230707122627.GA17845@debian>
From:   Eric Dumazet <edumazet@google.com>
Date:   Fri, 7 Jul 2023 15:44:41 +0200
Message-ID: <CANn89i+gm=0J3aR_9ikhroQmAvuQ+-dPMH1em9WrmE1o1pfi7w@mail.gmail.com>
Subject: Re: [PATCH 1/1] net: gro: fix misuse of CB in udp socket lookup
To:     Richard Gobert <richardbgobert@gmail.com>
Cc:     davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
        willemdebruijn.kernel@gmail.com, dsahern@kernel.org,
        tom@herbertland.com, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, gal@nvidia.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Fri, Jul 7, 2023 at 2:26=E2=80=AFPM Richard Gobert <richardbgobert@gmail=
.com> wrote:
>
> This patch fixes a misuse of IP{6}CB(skb) in GRO, while calling to
> `udp6_lib_lookup2` when handling udp tunnels. `udp6_lib_lookup2` fetch th=
e
> device from CB. The fix changes it to fetch the device from `skb->dev`.
> l3mdev case requires special attention since it has a master and a slave
> device.
>
> Fixes: a6024562ffd7 ("udp: Add GRO functions to UDP socket")
> Reported-by: Gal Pressman <gal@nvidia.com>
> Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
> ---
>  include/net/udp.h      |  2 ++
>  net/ipv4/udp.c         | 21 +++++++++++++++++++--
>  net/ipv4/udp_offload.c |  7 +++++--
>  net/ipv6/udp.c         | 21 +++++++++++++++++++--
>  net/ipv6/udp_offload.c |  7 +++++--
>  5 files changed, 50 insertions(+), 8 deletions(-)
>
> diff --git a/include/net/udp.h b/include/net/udp.h
> index 4d13424f8f72..48af1479882f 100644
> --- a/include/net/udp.h
> +++ b/include/net/udp.h
> @@ -299,6 +299,7 @@ int udp_lib_getsockopt(struct sock *sk, int level, in=
t optname,
>  int udp_lib_setsockopt(struct sock *sk, int level, int optname,
>                        sockptr_t optval, unsigned int optlen,
>                        int (*push_pending_frames)(struct sock *));
> +void udp4_get_iif_sdif(const struct sk_buff *skb, int *iif, int *sdif);
>  struct sock *udp4_lib_lookup(struct net *net, __be32 saddr, __be16 sport=
,
>                              __be32 daddr, __be16 dport, int dif);
>  struct sock *__udp4_lib_lookup(struct net *net, __be32 saddr, __be16 spo=
rt,
> @@ -310,6 +311,7 @@ struct sock *udp6_lib_lookup(struct net *net,
>                              const struct in6_addr *saddr, __be16 sport,
>                              const struct in6_addr *daddr, __be16 dport,
>                              int dif);
> +void udp6_get_iif_sdif(const struct sk_buff *skb, int *iif, int *sdif);
>  struct sock *__udp6_lib_lookup(struct net *net,
>                                const struct in6_addr *saddr, __be16 sport=
,
>                                const struct in6_addr *daddr, __be16 dport=
,
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index 42a96b3547c9..0581ab184afd 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -550,15 +550,32 @@ static inline struct sock *__udp4_lib_lookup_skb(st=
ruct sk_buff *skb,
>                                  inet_sdif(skb), udptable, skb);
>  }
>
> +void udp4_get_iif_sdif(const struct sk_buff *skb, int *iif, int *sdif)
> +{
> +       *iif =3D inet_iif(skb) || skb->dev->ifindex;

This looks wrong. Did you mean

        *iif =3D inet_iif(skb) ?: skb->dev->ifindex;

> +       *sdif =3D 0;
> +
> +#if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
> +       if (netif_is_l3_slave(skb->dev)) {
> +               struct net_device *master =3D netdev_master_upper_dev_get=
_rcu(skb->dev);
> +               *sdif =3D *iif;
> +               *iif =3D master ? master->ifindex : 0;
> +       }
> +#endif
> +}
> +
>  struct sock *udp4_lib_lookup_skb(const struct sk_buff *skb,
>                                  __be16 sport, __be16 dport)
>  {
>         const struct iphdr *iph =3D ip_hdr(skb);
>         struct net *net =3D dev_net(skb->dev);
> +       int iif, sdif;
> +
> +       udp4_get_iif_sdif(skb, &iif, &sdif);
>
>         return __udp4_lib_lookup(net, iph->saddr, sport,
> -                                iph->daddr, dport, inet_iif(skb),
> -                                inet_sdif(skb), net->ipv4.udp_table, NUL=
L);
> +                                iph->daddr, dport, iif,
> +                                sdif, net->ipv4.udp_table, NULL);
>  }
>
>  /* Must be called under rcu_read_lock().
> diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
> index 75aa4de5b731..70d760b271db 100644
> --- a/net/ipv4/udp_offload.c
> +++ b/net/ipv4/udp_offload.c
> @@ -603,10 +603,13 @@ static struct sock *udp4_gro_lookup_skb(struct sk_b=
uff *skb, __be16 sport,
>  {
>         const struct iphdr *iph =3D skb_gro_network_header(skb);
>         struct net *net =3D dev_net(skb->dev);
> +       int iif, sdif;
> +
> +       udp4_get_iif_sdif(skb, &iif, &sdif);
>
>         return __udp4_lib_lookup(net, iph->saddr, sport,
> -                                iph->daddr, dport, inet_iif(skb),
> -                                inet_sdif(skb), net->ipv4.udp_table, NUL=
L);
> +                                iph->daddr, dport, iif,
> +                                sdif, net->ipv4.udp_table, NULL);
>  }
>
>  INDIRECT_CALLABLE_SCOPE
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 317b01c9bc39..aac9b20d67e4 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -294,15 +294,32 @@ static struct sock *__udp6_lib_lookup_skb(struct sk=
_buff *skb,
>                                  inet6_sdif(skb), udptable, skb);
>  }
>
> +void udp6_get_iif_sdif(const struct sk_buff *skb, int *iif, int *sdif)
> +{
> +       *iif =3D skb->dev->ifindex;

ipv6_rcv() inits

IP6CB(skb)->iif =3D skb_dst(skb) ?
ip6_dst_idev(skb_dst(skb))->dev->ifindex : dev->ifindex;

You chose to always use skb->dev->ifindex instead ?

You might add a comment why it is okay.

> +       *sdif =3D 0;
> +
> +#if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV)
> +       if (netif_is_l3_slave(skb->dev)) {
> +               struct net_device *master =3D netdev_master_upper_dev_get=
_rcu(skb->dev);
> +               *sdif =3D *iif;
> +               *iif =3D master ? master->ifindex : 0;
> +       }
> +#endif
> +}
> +
>  struct sock *udp6_lib_lookup_skb(const struct sk_buff *skb,
>                                  __be16 sport, __be16 dport)
>  {
>         const struct ipv6hdr *iph =3D ipv6_hdr(skb);
>         struct net *net =3D dev_net(skb->dev);
> +       int iif, sdif;
> +
> +       udp6_get_iif_sdif(skb, &iif, &sdif);
>
>         return __udp6_lib_lookup(net, &iph->saddr, sport,
> -                                &iph->daddr, dport, inet6_iif(skb),
> -                                inet6_sdif(skb), net->ipv4.udp_table, NU=
LL);
> +                                &iph->daddr, dport, iif,
> +                                sdif, net->ipv4.udp_table, NULL);
>  }
>
>  /* Must be called under rcu_read_lock().
> diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
> index ad3b8726873e..88191d79002e 100644
> --- a/net/ipv6/udp_offload.c
> +++ b/net/ipv6/udp_offload.c
> @@ -119,10 +119,13 @@ static struct sock *udp6_gro_lookup_skb(struct sk_b=
uff *skb, __be16 sport,
>  {
>         const struct ipv6hdr *iph =3D skb_gro_network_header(skb);
>         struct net *net =3D dev_net(skb->dev);
> +       int iif, sdif;
> +
> +       udp6_get_iif_sdif(skb, &iif, &sdif);
>
>         return __udp6_lib_lookup(net, &iph->saddr, sport,
> -                                &iph->daddr, dport, inet6_iif(skb),
> -                                inet6_sdif(skb), net->ipv4.udp_table, NU=
LL);
> +                                &iph->daddr, dport, iif,
> +                                sdif, net->ipv4.udp_table, NULL);
>  }
>
>  INDIRECT_CALLABLE_SCOPE
> --
> 2.36.1
>