From: Willem de Bruijn
Date: Mon, 2 Oct 2023 08:52:26 +0200
Subject: Re: [PATCH net] ipv6: avoid atomic fragment on GSO packets
To: Florian Westphal
Cc: Yan Zhai, netdev@vger.kernel.org, "David S. Miller", David Ahern, Eric Dumazet, Jakub Kicinski, Paolo Abeni, Aya Levin, Tariq Toukan, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com

On Sat, Sep 30, 2023 at 1:09 PM Florian Westphal wrote:
>
> Yan Zhai wrote:
> > GSO packets can contain a trailing segment that is smaller than
> > gso_size. When examining the dst MTU for such packet, if its gso_size
> > is too large, then all segments would be fragmented. However, there is a
> > good chance the trailing segment has smaller actual size than both
> > gso_size as well as the MTU, which leads to an "atomic fragment".
> > RFC-8021 explicitly recommends to deprecate such use case. An existing
> > report from APNIC also shows that atomic fragments can be dropped
> > unexpectedly along the path [1].
> >
> > Add an extra check in ip6_fragment to catch all possible generation of
> > atomic fragments. Skip atomic header if it is called on a packet no
> > larger than MTU.
> >
> > Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1]
> > Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 processing")
> > Reported-by: David Wragg
> > Signed-off-by: Yan Zhai
> > --- > > net/ipv6/ip6_output.c | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > > index 951ba8089b5b..42f5f68a6e24 100644 > > --- a/net/ipv6/ip6_output.c > > +++ b/net/ipv6/ip6_output.c > > @@ -854,6 +854,13 @@ int ip6_fragment(struct net *net, struct sock *sk,= struct sk_buff *skb, > > __be32 frag_id; > > u8 *prevhdr, nexthdr =3D 0; > > > > + /* RFC-8021 recommended atomic fragments to be deprecated. Double= check > > + * the actual packet size before fragment it. > > + */ > > + mtu =3D ip6_skb_dst_mtu(skb); > > + if (unlikely(skb->len <=3D mtu)) > > + return output(net, sk, skb); > > +
>
> This helper is also called for skbs where IP6CB(skb)->frag_max_size
> exceeds the MTU, so this check looks wrong to me.
>
> Same remark for dst_allfrag() check in __ip6_finish_output(),
> after this patch, it would be ignored.
>
> I think you should consider to first refactor __ip6_finish_output to make
> the existing checks more readable (e.g. handle gso vs. non-gso in separate
> branches) and then add the check to last seg in
> ip6_finish_output_gso_slowpath_drop().
>
> Alternatively you might be able to pass more info down to
> ip6_fragment and move decisions there.
>
> In any case we should make same frag-or-no-frag decisions,
> regardless of this being the orig skb or a segmented one,

To add to that: if this is a suggestion to update the algorithm to
match RFC 8021, not a fix for a bug in the current implementation,
then I think this should target net-next. That will also make it
easier to include the kind of refactoring that Florian suggests.
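
Review bot: the early return added at the top of ip6_fragment(), `if (unlikely(skb->len <= mtu)) return output(net, sk, skb);`, sends every skb no larger than the dst MTU straight to output() without looking at why the caller asked for fragmentation, so it is not limited to the GSO trailing-segment case the commit message describes. Consider making the decision at the call site that knows it is handling a segmented GSO skb, or passing that context into ip6_fragment() and testing it here, and have the comment name the case being handled rather than only citing RFC-8021. The unlikely() hint also sits oddly with the commit message's statement that there is a good chance the trailing segment is smaller than the MTU.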