git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-5.10/udp-do-not-accept-non-tunnel-gso-skbs-landing-in-a-t.patch
5.10-stable patches
1 From 68a0d5e025a8e3acaca298471ba5ccdc59c36b3c Mon Sep 17 00:00:00 2001
2 From: Sasha Levin <sashal@kernel.org>
3 Date: Tue, 26 Mar 2024 12:33:58 +0100
4 Subject: udp: do not accept non-tunnel GSO skbs landing in a tunnel
5
6 From: Antoine Tenart <atenart@kernel.org>
7
8 [ Upstream commit 3d010c8031e39f5fa1e8b13ada77e0321091011f ]
9
10 When rx-udp-gro-forwarding is enabled UDP packets might be GROed when
11 being forwarded. If such packets might land in a tunnel this can cause
12 various issues and udp_gro_receive makes sure this isn't the case by
13 looking for a matching socket. This is performed in
14 udp4/6_gro_lookup_skb but only in the current netns. This is an issue
15 with tunneled packets when the endpoint is in another netns. In such
16 cases the packets will be GROed at the UDP level, which leads to various
17 issues later on. The same thing can happen with rx-gro-list.
18
19 We saw this with geneve packets being GROed at the UDP level. In such a
20 case gso_size is set; later the packet goes through the geneve rx path,
21 the geneve header is pulled, the offsets are adjusted and frag_list skbs
22 are not adjusted with regard to geneve. When those skbs hit
23 skb_fragment, it will misbehave. Different outcomes are possible
24 depending on what the GROed skbs look like; from corrupted packets to
25 kernel crashes.
26
27 One example is a BUG_ON[1] triggered in skb_segment while processing the
28 frag_list. Because gso_size is wrong (geneve header was pulled)
29 skb_segment thinks there is "geneve header size" of data in frag_list,
30 although it's in fact the next packet. The BUG_ON itself has nothing to
31 do with the issue. This is only one of the potential issues.
32
33 Looking up a matching socket in udp_gro_receive is fragile: the
34 lookup could be extended to all netns (not speaking about performance)
35 but nothing prevents those packets from being modified in between and we
36 could still not find a matching socket. It's OK to keep the current
37 logic there as it should cover most cases but we also need to make sure
38 we handle tunnel packets being GROed too early.
39
40 This is done by extending the checks in udp_unexpected_gso: GSO packets
41 lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must
42 be segmented.
43
44 [1] kernel BUG at net/core/skbuff.c:4408!
45 RIP: 0010:skb_segment+0xd2a/0xf70
46 __udp_gso_segment+0xaa/0x560
47
48 Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.")
49 Fixes: 36707061d6ba ("udp: allow forwarding of plain (non-fraglisted) UDP GRO packets")
50 Signed-off-by: Antoine Tenart <atenart@kernel.org>
51 Reviewed-by: Willem de Bruijn <willemb@google.com>
52 Signed-off-by: David S. Miller <davem@davemloft.net>
53 Signed-off-by: Sasha Levin <sashal@kernel.org>
54 ---
55 include/linux/udp.h | 28 ++++++++++++++++++++++++++++
56 net/ipv4/udp.c | 7 +++++++
57 net/ipv4/udp_offload.c | 5 +++++
58 net/ipv6/udp.c | 2 +-
59 4 files changed, 41 insertions(+), 1 deletion(-)
60
61 diff --git a/include/linux/udp.h b/include/linux/udp.h
62 index ae58ff3b6b5b8..a220880019d6b 100644
63 --- a/include/linux/udp.h
64 +++ b/include/linux/udp.h
65 @@ -131,6 +131,24 @@ static inline void udp_cmsg_recv(struct msghdr *msg, struct sock *sk,
66 }
67 }
68
69 +DECLARE_STATIC_KEY_FALSE(udp_encap_needed_key);
70 +#if IS_ENABLED(CONFIG_IPV6)
71 +DECLARE_STATIC_KEY_FALSE(udpv6_encap_needed_key);
72 +#endif
73 +
74 +static inline bool udp_encap_needed(void)
75 +{
76 + if (static_branch_unlikely(&udp_encap_needed_key))
77 + return true;
78 +
79 +#if IS_ENABLED(CONFIG_IPV6)
80 + if (static_branch_unlikely(&udpv6_encap_needed_key))
81 + return true;
82 +#endif
83 +
84 + return false;
85 +}
86 +
87 static inline bool udp_unexpected_gso(struct sock *sk, struct sk_buff *skb)
88 {
89 if (!skb_is_gso(skb))
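Review bot: udp_encap_needed() has no comment saying that it is deliberately family-agnostic: it returns true when either udp_encap_needed_key or udpv6_encap_needed_key is enabled, so an IPv4 socket passes this test when only IPv6 encapsulation is in use, and the reverse. That is harmless as long as every caller also tests the socket itself, as the later hunk does with encap_rcv, but a one-line comment above the helper stating that it is a cheap global pre-check and not a per-socket answer would keep future callers from relying on it alone.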
90 @@ -142,6 +160,16 @@ static inline bool udp_unexpected_gso(struct sock *sk, struct sk_buff *skb)
91 if (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST && !udp_sk(sk)->accept_udp_fraglist)
92 return true;
93
94 + /* GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits might still
95 + * land in a tunnel as the socket check in udp_gro_receive cannot be
96 + * foolproof.
97 + */
98 + if (udp_encap_needed() &&
99 + READ_ONCE(udp_sk(sk)->encap_rcv) &&
100 + !(skb_shinfo(skb)->gso_type &
101 + (SKB_GSO_UDP_TUNNEL | SKB_GSO_UDP_TUNNEL_CSUM)))
102 + return true;
103 +
104 return false;
105 }
106
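Review bot: the new condition in udp_unexpected_gso() keys on READ_ONCE(udp_sk(sk)->encap_rcv) being non-NULL, which matches every socket that has an encap_rcv handler installed, not only the tunnel types the comment talks about. If that breadth is intended, the comment should say so, and it should also state the consequence of returning true here (the commit message says such packets "must be segmented"), since the comment as written only explains why the packet may have reached this point.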
107 diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
108 index b2541c7d7c87f..0b7e76e6f2028 100644
109 --- a/net/ipv4/udp.c
110 +++ b/net/ipv4/udp.c
111 @@ -602,6 +602,13 @@ static inline bool __udp_is_mcast_sock(struct net *net, struct sock *sk,
112 }
113
114 DEFINE_STATIC_KEY_FALSE(udp_encap_needed_key);
115 +EXPORT_SYMBOL(udp_encap_needed_key);
116 +
117 +#if IS_ENABLED(CONFIG_IPV6)
118 +DEFINE_STATIC_KEY_FALSE(udpv6_encap_needed_key);
119 +EXPORT_SYMBOL(udpv6_encap_needed_key);
120 +#endif
121 +
122 void udp_encap_enable(void)
123 {
124 static_branch_inc(&udp_encap_needed_key);
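Review bot: udpv6_encap_needed_key is now defined and exported from net/ipv4/udp.c with no comment explaining why an IPv6 key lives in the IPv4 file. The reason is visible only by cross-reading the header hunk: the inline udp_encap_needed() in include/linux/udp.h references both keys, and IS_ENABLED(CONFIG_IPV6) is also true when IPv6 is built as a module, so the symbol has to exist in code that is always built in. A short comment above the #if block saying this would stop someone from moving the definition back to net/ipv6/udp.c later.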
125 diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
126 index 9f6dcdaf86a4d..445d8bc30fdd1 100644
127 --- a/net/ipv4/udp_offload.c
128 +++ b/net/ipv4/udp_offload.c
129 @@ -512,6 +512,11 @@ struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb,
130 unsigned int off = skb_gro_offset(skb);
131 int flush = 1;
132
133 + /* We can do L4 aggregation only if the packet can't land in a tunnel
134 + * otherwise we could corrupt the inner stream. Detecting such packets
135 + * cannot be foolproof and the aggregation might still happen in some
136 + * cases. Such packets should be caught in udp_unexpected_gso later.
137 + */
138 NAPI_GRO_CB(skb)->is_flist = 0;
139 if (skb->dev->features & NETIF_F_GRO_FRAGLIST)
140 NAPI_GRO_CB(skb)->is_flist = sk ? !udp_sk(sk)->gro_enabled: 1;
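Review bot: this hunk adds only a comment to udp_gro_receive() and no code, and the comment lands directly above the NAPI_GRO_CB(skb)->is_flist assignment, which is not the statement that decides whether L4 aggregation happens. A reader will attach the comment to the fraglist setup. Either move it next to the check that actually gates aggregation on the socket lookup, or reword it so that it names that check explicitly and points to udp_unexpected_gso() as the fallback.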
141 diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
142 index 5385037209a6b..b5d879f2501da 100644
143 --- a/net/ipv6/udp.c
144 +++ b/net/ipv6/udp.c
145 @@ -474,7 +474,7 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
146 goto try_again;
147 }
148
149 -DEFINE_STATIC_KEY_FALSE(udpv6_encap_needed_key);
150 +DECLARE_STATIC_KEY_FALSE(udpv6_encap_needed_key);
151 void udpv6_encap_enable(void)
152 {
153 static_branch_inc(&udpv6_encap_needed_key);
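Review bot: replacing DEFINE_STATIC_KEY_FALSE with DECLARE_STATIC_KEY_FALSE(udpv6_encap_needed_key) in net/ipv6/udp.c leaves a second declaration of a key that include/linux/udp.h now declares itself under IS_ENABLED(CONFIG_IPV6). If this file already pulls in linux/udp.h, the line is redundant and can simply be deleted, which also avoids two declarations that could drift apart; if it does not, adding the include is cleaner than a local extern-style declaration in a .c file.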
154 --
155 2.43.0
156