Received: by 2002:ac8:45c5:0:b0:405:464a:c27a with SMTP id e5csp1249799qto; Thu, 27 Jul 2023 08:55:49 -0700 (PDT) X-Google-Smtp-Source: APBJJlFnDOUiHSVWv4iTO7wVcSismYQGk9wRciP2a3E68SYMWl4y84dBrzvJ5sm8cNqDNKF2MF+m X-Received: by 2002:a05:6a00:3a1f:b0:681:c372:5aa4 with SMTP id fj31-20020a056a003a1f00b00681c3725aa4mr6933719pfb.27.1690473349585; Thu, 27 Jul 2023 08:55:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690473349; cv=none; d=google.com; s=arc-20160816; b=DUBwcmvUD/VoHZgrezp7keL5wOqNLGLkgre0956zpePs6yoMTp0h9h7UVyXCUnpEEr x1L5FhuvNNRfF6yWo622ky/1HfAWlDcMVOi7iA+2cW82io/7iJHSb7hBD4zt4NM4tFeU pEkEMLYw1paPY2pUg4xxVbS3B0JSdzqLrRRxBlFRj7ytVLEyHi5Gl8UMqYJy9eoy6go5 VuqCwyNyl/JiWOv0S1pBxSd0F4Gjpk2aMixihD5IQG39RqR4vBFY2Hsy0dsbdwKC0SVR KY3W5L/67qicb7e1eb8SQhowjx5yfRHERs2s8YE5z8s0BLqRlbPSAMMzlOHqHZLh13xN olQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:to:from:date :dkim-signature; bh=dj+mM5KXpQqCCdCwg7vn+GdZ5wm15kON6FaHozgs714=; fh=NfPdGD6Y/fUukMnDQdv+EWH4vc0MgRZIMcW8czEW4Rs=; b=PlPrzH4LyVnO+hKsEvfBTmdcOcmsxbUTZ2ZIliwYVrp0gtV6eusZYmb+QRk6SNAfM8 3XEp3WVt6hnoxo3Wu270DWwCRQYuCTHSloZAYXnch20lv69BO4L9qUlkVrDuvVXxoAK8 SNVFC+08ZAW7OpeDAydhk+GDc6Hor0GReCHYhIK3o3LBmrf8dBtAP3DF10L7gThUQK+q rIaW7+TF1J33hcJ+5RyjZZXm8LkSUapBIAHR+R35O4J3X6XhKrm+QPCPuhDdH8IkcfGP L1qPJtrK5Jm7di3Y97U3i8wEabrTp2PfKgFPSI3hIH6EcPIRgHTFcoyttMGndUMyglft zg7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=hAQvKhK0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r22-20020a638f56000000b00533fce755adsi1418527pgn.130.2023.07.27.08.55.36; Thu, 27 Jul 2023 08:55:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=hAQvKhK0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231868AbjG0PeZ (ORCPT + 99 others); Thu, 27 Jul 2023 11:34:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43522 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231799AbjG0PeW (ORCPT ); Thu, 27 Jul 2023 11:34:22 -0400 Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 700D426A8; Thu, 27 Jul 2023 08:34:21 -0700 (PDT) Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-3fdfd4c749dso6776085e9.3; Thu, 27 Jul 2023 08:34:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690472060; x=1691076860; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:to:from:date:from:to:cc:subject:date:message-id :reply-to; bh=dj+mM5KXpQqCCdCwg7vn+GdZ5wm15kON6FaHozgs714=; b=hAQvKhK091T0tUaIvXPYoWFzlb6eor6LUdeIJ4WWQAwzdDrg+ltlDU91aqOBZWT4zh zl4x9uFxX97u2PBDQ1XaOi1RF6lnGejCIlWmijkD0/Oqze666acioz5aqQTi73wrbnjQ cULmQjVLqZ85oVM/d0f3rdyvryFi/YAPWzRGQi1QTDcCzmlp+JnKCBZfLKaYkRjZiwFa F4oaJWKETp+g7d+4aDAzQAtsttaEbY9KmMVlwFheq7/iKQrac/aphxsyTx/8knvRPaDB MnU5c6W4W8gqhpLwFkdEVh9nRF5IB8qjS2j9E79PD2hTzn/XOJpupjuK0jy6cuj2DLFQ fzHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690472060; x=1691076860; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:to:from:date:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dj+mM5KXpQqCCdCwg7vn+GdZ5wm15kON6FaHozgs714=; b=IuS7zDdJYcnhpQ0rtuho+5U6d6IWrdrslwepuKgdlRA99ZjwLFeURQkhI03MvtXQ7y 7lDS2jdzkBo3jm0AYHvvaz5gk7nGe79zk1eCkTDgIp332HXE2Z3KcvWcgz5s9RT8l4MK v0EC9wBFpZaBWyXifQwLl1vgrJEUNJJr4Cv74N7TdG19kzwfekPG2qWky4AHRr6L4qN+ akR9Mjo91mslNIUvncrGzLpBng7edrooi7p2NA5Otqh6+EQWgHQ8WqVoO1efQzK0VyjK mVYGQ7kV2T6VyLkGOAcJulfVgypKof2GSHZRS5tiTxPkZGDR0XWtvgItPFAxn/4pXbep 08Nw== X-Gm-Message-State: ABy/qLZb+mzGQt0r21VVkmz1xTBG0OcWnSdkdE5gjATDJt9jdY5CkH9N M9qmjTqu9mtaAYP/nGQJ75A= X-Received: by 2002:a7b:cc86:0:b0:3fb:e356:b60d with SMTP id p6-20020a7bcc86000000b003fbe356b60dmr2068046wma.38.1690472059635; Thu, 27 Jul 2023 08:34:19 -0700 (PDT) Received: from debian ([89.238.191.199]) by smtp.gmail.com with ESMTPSA id 1-20020a05600c248100b003fbb5142c4bsm5026343wms.18.2023.07.27.08.34.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 27 Jul 2023 08:34:19 -0700 (PDT) Date: Thu, 27 Jul 2023 17:33:56 +0200 From: Richard Gobert To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, willemdebruijn.kernel@gmail.com, dsahern@kernel.org, tom@herbertland.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, gal@nvidia.com Subject: [PATCH v3 1/1] net: gro: fix misuse of CB in udp socket lookup Message-ID: <20230727153353.GA32089@debian> References: <20230727152503.GA32010@debian> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230727152503.GA32010@debian> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This patch fixes a misuse of IP{6}CB(skb) in GRO, while calling to `udp6_lib_lookup2` when handling udp tunnels. `udp6_lib_lookup2` fetch the device from CB. The fix changes it to fetch the device from `skb->dev`. l3mdev case requires special attention since it has a master and a slave device. Fixes: a6024562ffd7 ("udp: Add GRO functions to UDP socket") Reported-by: Gal Pressman Signed-off-by: Richard Gobert --- include/net/gro.h | 43 ++++++++++++++++++++++++++++++++++++++++++ net/ipv4/udp.c | 8 ++++++-- net/ipv4/udp_offload.c | 7 +++++-- net/ipv6/udp.c | 8 ++++++-- net/ipv6/udp_offload.c | 7 +++++-- 5 files changed, 65 insertions(+), 8 deletions(-) diff --git a/include/net/gro.h b/include/net/gro.h index 75efa6fb8441..88644b3ca660 100644 --- a/include/net/gro.h +++ b/include/net/gro.h @@ -452,6 +452,49 @@ static inline void gro_normal_one(struct napi_struct *napi, struct sk_buff *skb, gro_normal_list(napi); } +/* This function is the alternative of 'inet_iif' and 'inet_sdif' + * functions in case we can not rely on fields of IPCB. + * + * The caller must verify skb_valid_dst(skb) is false and skb->dev is initialized. + * The caller must hold the RCU read lock. + */ +static inline void inet_get_iif_sdif(const struct sk_buff *skb, int *iif, int *sdif) +{ + *iif = inet_iif(skb) ?: skb->dev->ifindex; + *sdif = 0; + +#if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) + if (netif_is_l3_slave(skb->dev)) { + struct net_device *master = netdev_master_upper_dev_get_rcu(skb->dev); + + *sdif = *iif; + *iif = master ? master->ifindex : 0; + } +#endif +} + +/* This function is the alternative of 'inet6_iif' and 'inet6_sdif' + * functions in case we can not rely on fields of IP6CB. + * + * The caller must verify skb_valid_dst(skb) is false and skb->dev is initialized. + * The caller must hold the RCU read lock. + */ +static inline void inet6_get_iif_sdif(const struct sk_buff *skb, int *iif, int *sdif) +{ + /* using skb->dev->ifindex because skb_dst(skb) is not initialized */ + *iif = skb->dev->ifindex; + *sdif = 0; + +#if IS_ENABLED(CONFIG_NET_L3_MASTER_DEV) + if (netif_is_l3_slave(skb->dev)) { + struct net_device *master = netdev_master_upper_dev_get_rcu(skb->dev); + + *sdif = *iif; + *iif = master ? master->ifindex : 0; + } +#endif +} + extern struct list_head offload_base; #endif /* _NET_IPV6_GRO_H */ diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 8c3ebd95f5b9..1ee9e56dc79a 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -114,6 +114,7 @@ #include #include #include +#include #if IS_ENABLED(CONFIG_IPV6) #include #endif @@ -555,10 +556,13 @@ struct sock *udp4_lib_lookup_skb(const struct sk_buff *skb, { const struct iphdr *iph = ip_hdr(skb); struct net *net = dev_net(skb->dev); + int iif, sdif; + + inet_get_iif_sdif(skb, &iif, &sdif); return __udp4_lib_lookup(net, iph->saddr, sport, - iph->daddr, dport, inet_iif(skb), - inet_sdif(skb), net->ipv4.udp_table, NULL); + iph->daddr, dport, iif, + sdif, net->ipv4.udp_table, NULL); } /* Must be called under rcu_read_lock(). diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index 75aa4de5b731..d734f11e13cc 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -603,10 +603,13 @@ static struct sock *udp4_gro_lookup_skb(struct sk_buff *skb, __be16 sport, { const struct iphdr *iph = skb_gro_network_header(skb); struct net *net = dev_net(skb->dev); + int iif, sdif; + + inet_get_iif_sdif(skb, &iif, &sdif); return __udp4_lib_lookup(net, iph->saddr, sport, - iph->daddr, dport, inet_iif(skb), - inet_sdif(skb), net->ipv4.udp_table, NULL); + iph->daddr, dport, iif, + sdif, net->ipv4.udp_table, NULL); } INDIRECT_CALLABLE_SCOPE diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index b7c972aa09a7..e5da5d1cb215 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -51,6 +51,7 @@ #include #include #include +#include #include #include @@ -300,10 +301,13 @@ struct sock *udp6_lib_lookup_skb(const struct sk_buff *skb, { const struct ipv6hdr *iph = ipv6_hdr(skb); struct net *net = dev_net(skb->dev); + int iif, sdif; + + inet6_get_iif_sdif(skb, &iif, &sdif); return __udp6_lib_lookup(net, &iph->saddr, sport, - &iph->daddr, dport, inet6_iif(skb), - inet6_sdif(skb), net->ipv4.udp_table, NULL); + &iph->daddr, dport, iif, + sdif, net->ipv4.udp_table, NULL); } /* Must be called under rcu_read_lock(). diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c index ad3b8726873e..31f12bd5d0fe 100644 --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -119,10 +119,13 @@ static struct sock *udp6_gro_lookup_skb(struct sk_buff *skb, __be16 sport, { const struct ipv6hdr *iph = skb_gro_network_header(skb); struct net *net = dev_net(skb->dev); + int iif, sdif; + + inet6_get_iif_sdif(skb, &iif, &sdif); return __udp6_lib_lookup(net, &iph->saddr, sport, - &iph->daddr, dport, inet6_iif(skb), - inet6_sdif(skb), net->ipv4.udp_table, NULL); + &iph->daddr, dport, iif, + sdif, net->ipv4.udp_table, NULL); } INDIRECT_CALLABLE_SCOPE -- 2.36.1