Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1490177rdb; Mon, 2 Oct 2023 11:04:06 -0700 (PDT) X-Google-Smtp-Source: AGHT+IG3Wy1X9PWUra1sQWKr9aSTabLwO8m4esPOUeiIYE9qtQYxMWDigmAd8UVrupZCWeylBKhx X-Received: by 2002:a17:902:ed0b:b0:1bc:3944:9391 with SMTP id b11-20020a170902ed0b00b001bc39449391mr9034398pld.25.1696269846206; Mon, 02 Oct 2023 11:04:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696269846; cv=none; d=google.com; s=arc-20160816; b=T8+RUoFlmNoL6dli3JGW2GQT8lBjGR3pLKElmLD6F0Ax2uufJS+NbqdJOy3cA1bTQQ f33wZGinCe1xELc5ZwlHdKZhRoXXQUcfEwctM54Tueu7PNToXxfzMJtpe5gR+i2ihdLY BRNpO9VOvpB+HKYC3e1k9kMDWlI2dAJVix9N505lM5ZxfruWHZ85UaTDbYns0Y0hCIwr EXc9OgXe2EkV9c+aHRf4mnJeloZ5hrj2jWuLmcjC1fxnR/8dRzAbLLkWVdAog+pvGeEd xoxC6tmDV+fgsXz3h/eLqx6prW+TAoDpSm+GMjPmvLfeQ0bwrzJtgqJGyG7cw2SzVtwv V4Yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=2Dr0/aNiQI4Em1ZrorNwt0/u5p8fndiqo3UFJMunHNk=; fh=5OpEt3ApxUzm7uRA+7a7OXNcVqoLiKaTPloF9GUFs4M=; b=MXZdI9odc0cThsgzX097M7HSNBw3Hi3ml38IlTF4VS9bLxHVxF+jBFjNkQUnAQo4SY lO6kitvZPYiC2v/05ILZ3/d50Esy0XlZAM2Oj1GypIQuzkElz1oLByQSTF5ohl6u5G5f a72qbFo2Kl7ChG1vgXVrgNFAdQn4tiTUyEyua7RMBIxCHfLF5uMf25wW14wO9UVgVj58 4bW/h38DovizHMhk6XsGo8Ere9bY/Uw7pp9U1ZrrGdD1Ck5bv6FugNKbtBuqBhrMYjFi gWA26hMn1CloXVAFgkSnGvT3PQhWzDVh+a/FSFQVlAiQKhEuT1N9xQx2NImIpGDNDh9p l17g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google09082023 header.b=ay22t8zQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Return-Path: Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3]) by mx.google.com with ESMTPS id t12-20020a1709027fcc00b001bbd70bdffbsi12778870plb.440.2023.10.02.11.03.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Oct 2023 11:04:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google09082023 header.b=ay22t8zQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by lipwig.vger.email (Postfix) with ESMTP id 1D0B480309A7; Mon, 2 Oct 2023 08:48:00 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237886AbjJBPrw (ORCPT + 99 others); Mon, 2 Oct 2023 11:47:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39080 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237754AbjJBPru (ORCPT ); Mon, 2 Oct 2023 11:47:50 -0400 Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7F0EAC for ; Mon, 2 Oct 2023 08:47:47 -0700 (PDT) Received: by mail-ej1-x62c.google.com with SMTP id a640c23a62f3a-9adca291f99so2295770466b.2 for ; Mon, 02 Oct 2023 08:47:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1696261666; x=1696866466; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=2Dr0/aNiQI4Em1ZrorNwt0/u5p8fndiqo3UFJMunHNk=; b=ay22t8zQnfcJNe/X2txz/MI8uXj+sIr0f0gkEFqbyw5rxF2Lin0TQ6+KJv+hLGVzbf B+gsDrqCfYS/h0dm2gB30Zun6R653l56usMT4OPi2M8Tf+URPqc8enYpnbketG9g/+OB uUYzIkMFw8Gh50lceHv+4gIuz+iVKl3dQCFOt5C9g9JZRxSsuhoneYpVVkbPYJ/4V7b7 2q0cFfQeL1BybIbdSCw0q6wUdTBP98rrTVCC2KAb3KKpx1o2zVaLLFFWLSZQWklwNPlg pcM9flgDAYX0gVQGZaMqogUzhJJSuliYcNrndKz+YMX7JmJ2rAJK5rEm/Tj8GkPcnGtw ZN/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696261666; x=1696866466; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=2Dr0/aNiQI4Em1ZrorNwt0/u5p8fndiqo3UFJMunHNk=; b=DHxebxgvh/hGa9YSR7qM2LZySFz7gOSnF74FRV5Q0NXugQcBGa+7o0uIMXFCxzDxlH GVAz/GUaKgBGncM84HuKXHFLKiq//zbb62lmPZtGczj+BHDa0PJQm7JQofFjscrcI5hj h81lQStBYN42THvVeD+FxrHW2EifTeZr7PIIn3zI4UaAJHQGBv2Ju+KVMlJwO1V96VYZ oJfMrT3t6AlJC66Yy4DUv7txQ37D6vVLAp7X/uTT1GMH9b9/PovaYDS4kYbybkk+y85/ DaPw0PtI9/tRaqFAemo1Bl2VqHJUNX0dUpDn0zGggEukYtJ+eUkj2aOG8mx3o2BhnatJ 9OfA== X-Gm-Message-State: AOJu0YyqwVa93648D6Pz70pPfZcWTzHeqRIAACHHk7Ucl00wLqIRPsza T6ZOYORtWtv2GuoDAJAncedv6NIj1gVCM+Bd1AbycA== X-Received: by 2002:a17:906:29e:b0:9b0:552c:b36c with SMTP id 30-20020a170906029e00b009b0552cb36cmr11383660ejf.21.1696261666152; Mon, 02 Oct 2023 08:47:46 -0700 (PDT) MIME-Version: 1.0 References: <20230930110854.GA13787@breakpoint.cc> In-Reply-To: <20230930110854.GA13787@breakpoint.cc> From: Yan Zhai Date: Mon, 2 Oct 2023 10:47:35 -0500 Message-ID: Subject: Re: [PATCH net] ipv6: avoid atomic fragment on GSO packets To: Florian Westphal Cc: netdev@vger.kernel.org, "David S. Miller" , David Ahern , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Aya Levin , Tariq Toukan , linux-kernel@vger.kernel.org, kernel-team@cloudflare.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Mon, 02 Oct 2023 08:48:00 -0700 (PDT) On Sat, Sep 30, 2023 at 6:09=E2=80=AFAM Florian Westphal wro= te: > > Yan Zhai wrote: > > GSO packets can contain a trailing segment that is smaller than > > gso_size. When examining the dst MTU for such packet, if its gso_size > > is too large, then all segments would be fragmented. However, there is = a > > good chance the trailing segment has smaller actual size than both > > gso_size as well as the MTU, which leads to an "atomic fragment". > > RFC-8021 explicitly recommend to deprecate such use case. An Existing > > report from APNIC also shows that atomic fragments can be dropped > > unexpectedly along the path [1]. > > > > Add an extra check in ip6_fragment to catch all possible generation of > > atomic fragments. Skip atomic header if it is called on a packet no > > larger than MTU. > > > > Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1= ] > > Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 pr= ocessing") > > Reported-by: David Wragg > > Signed-off-by: Yan Zhai > > --- > > net/ipv6/ip6_output.c | 8 +++++++- > > 1 file changed, 7 insertions(+), 1 deletion(-) > > > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c > > index 951ba8089b5b..42f5f68a6e24 100644 > > --- a/net/ipv6/ip6_output.c > > +++ b/net/ipv6/ip6_output.c > > @@ -854,6 +854,13 @@ int ip6_fragment(struct net *net, struct sock *sk,= struct sk_buff *skb, > > __be32 frag_id; > > u8 *prevhdr, nexthdr =3D 0; > > > > + /* RFC-8021 recommended atomic fragments to be deprecated. Double= check > > + * the actual packet size before fragment it. > > + */ > > + mtu =3D ip6_skb_dst_mtu(skb); > > + if (unlikely(skb->len <=3D mtu)) > > + return output(net, sk, skb); > > + > > This helper is also called for skbs where IP6CB(skb)->frag_max_size > exceeds the MTU, so this check looks wrong to me. > > Same remark for dst_allfrag() check in __ip6_finish_output(), > after this patch, it would be ignored. > Thanks for covering my carelessness. I was just considering the GSO case so frag_max_size was overlooked. dst_allfrag is indeed a case based on the code logic. But just out of curiosity, do we still see any use of this feature? From commit messages it is set when PMTU values signals smaller than min IPv6 MTU. But such PMTU values are just dropped in __ip6_rt_update_pmtu now. Iproute2 code also does not provide this route feature anymore. So it might be actually a dead check? > I think you should consider to first refactor __ip6_finish_output to make > the existing checks more readable (e.g. handle gso vs. non-gso in separat= e > branches) and then add the check to last seg in > ip6_finish_output_gso_slowpath_drop(). > Agree with refactoring to mirror what IPv4 code is doing. It might not hurt if we check every segments in this case, since it is already the slowpath and it will make code more compact. > Alternatively you might be able to pass more info down to > ip6_fragment and move decisions there. > > In any case we should make same frag-or-no-frag decisions, > regardless of this being the orig skb or a segmented one,