bpf: Make bpf_skb_change_head helper metadata-safe

Although bpf_skb_change_head() doesn't move packet data after skb_push(),
skb metadata still needs to be relocated. Use the dedicated helper to
handle it.

Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/20251105-skb-meta-rx-path-v4-9-5ceb08a9b37b@cloudflare.com

diff --git a/net/core/filter.c b/net/core/filter.c
index 50775c01c4567b42f3b8e37f479c54b76869d2c0..4124becf860477fa78d11578e56bf75018f7ba6d 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3875,6 +3875,7 @@ static const struct bpf_func_proto sk_skb_change_tail_proto = {
 static inline int __bpf_skb_change_head(struct sk_buff *skb, u32 head_room,
                                        u64 flags)
 {
+       const u8 meta_len = skb_metadata_len(skb);
        u32 max_len = BPF_SKB_MAX_LEN;
        u32 new_len = skb->len + head_room;
        int ret;
@@ -3884,7 +3885,7 @@ static inline int __bpf_skb_change_head(struct sk_buff *skb, u32 head_room,
                     new_len < skb->len))
                return -EINVAL;
 
-       ret = skb_cow(skb, head_room);
+       ret = skb_cow(skb, meta_len + head_room);
        if (likely(!ret)) {
                /* Idea for this helper is that we currently only
                 * allow to expand on mac header. This means that
@@ -3896,6 +3897,7 @@ static inline int __bpf_skb_change_head(struct sk_buff *skb, u32 head_room,
                 * for redirection into L2 device.
                 */
                __skb_push(skb, head_room);
+               skb_postpush_data_move(skb, head_room, 0);
                memset(skb->data, 0, head_room);
                skb_reset_mac_header(skb);
                skb_reset_mac_len(skb);