lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 23 Apr 2014 16:30:22 -0400
From:	Vlad Yasevich <vyasevic@...hat.com>
To:	"Michael S. Tsirkin" <mst@...hat.com>
CC:	netdev@...r.kernel.org, daniel.lezcano@...e.fr,
	nightnord@...il.com, kaber@...sh.net, eric.dumazet@...il.com,
	jasowang@...hat.com
Subject: Re: [PATCH 1/2] mactap: Fix checksum errors for non-gso packets in
 bridge mode

On 04/23/2014 04:10 PM, Michael S. Tsirkin wrote:
> On Wed, Apr 23, 2014 at 03:39:44PM -0400, Vlad Yasevich wrote:
>> On 04/23/2014 03:20 PM, Michael S. Tsirkin wrote:
>>> On Wed, Apr 23, 2014 at 12:51:40PM -0400, Vlad Yasevich wrote:
>>>> The following is a problematic configuration:
>>>>
>>>>  VM1: virtio-net device connected to macvtap0@...0
>>>>  VM2: e1000 device connect to macvtap1@...0
>>>>
>>>> The problem is is that virtio-net supports checksum offloading
>>>> and thus sends the packets to the host with CHECKSUM_PARTIAL set.
>>>> On the other hand, e1000 does not support any acceleration.
>>>>
>>>> For small TCP packets (and this includes the 3-way handshake),
>>>> e1000 ends up receiving packets that only have a partial checksum
>>>> set.  This causes TCP to fail checksum validation and to drop
>>>> packets.  As a result tcp connections can not be established.
>>>>
>>>> Commit 3e4f8b787370978733ca6cae452720a4f0c296b8
>>>> 	macvtap: Perform GSO on forwarding path.
>>>> fixes this issue for large packets wthat will end up undergoing GSO.
>>>> This commit adds a check for the non-GSO case and attempts to
>>>> compute the checksum for partially checksummed packets in the
>>>> non-GSO case.
>>>>
>>>> CC: Daniel Lezcano <daniel.lezcano@...e.fr>
>>>> CC: Patrick McHardy <kaber@...sh.net>
>>>> CC: Andrian Nord <nightnord@...il.com>
>>>> CC: Eric Dumazet <eric.dumazet@...il.com>
>>>> CC: Michael S. Tsirkin <mst@...hat.com>
>>>> CC: Jason Wang <jasowang@...hat.com>
>>>> Signed-off-by: Vlad Yasevich <vyasevic@...hat.com>
>>>> ---
>>>>  drivers/net/macvtap.c | 7 +++++++
>>>>  1 file changed, 7 insertions(+)
>>>>
>>>> diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
>>>> index ff111a8..ba91084 100644
>>>> --- a/drivers/net/macvtap.c
>>>> +++ b/drivers/net/macvtap.c
>>>> @@ -322,6 +322,13 @@ static rx_handler_result_t macvtap_handle_frame(struct sk_buff **pskb)
>>>>  			segs = nskb;
>>>>  		}
>>>>  	} else {
>>>> +		/* If we receive a partial checksum and the tap side
>>>> +		 * doesn't support checksum offload, compute the checksum.
>>>> +		 */
>>>> +		if (skb->ip_summed == CHECKSUM_PARTIAL &&
>>>> +		    !(features & NETIF_F_ALL_CSUM) &&
>>>> +		    skb_checksum_help(skb))
>>>> +			goto drop;
>>>
>>> Hmm confused by NETIF_F_ALL_CSUM here.
>>>
>>> features come from here:
>>>                 feature_mask = NETIF_F_HW_CSUM;
>>>
>>>                 if (arg & (TUN_F_TSO4 | TUN_F_TSO6)) {
>>>                         if (arg & TUN_F_TSO_ECN)
>>>                                 feature_mask |= NETIF_F_TSO_ECN;
>>>                         if (arg & TUN_F_TSO4)
>>>                                 feature_mask |= NETIF_F_TSO;
>>>                         if (arg & TUN_F_TSO6)
>>>                                 feature_mask |= NETIF_F_TSO6;
>>>                 }
>>>
>>>                 if (arg & TUN_F_UFO)
>>>                         feature_mask |= NETIF_F_UFO;
>>>
>>>
>>> okay so why not just check that NETIF_F_HW_CSUM is set?
>>
>> We can do that, but it doesn't make much difference.
> 
> Seems cleaner to test a single bit otherwise one is left
> wondering what happens if only one bit matches.

I can certainly do a single test, but if we ever change it,
this will be another palace that would have to change.

The above is also what dev_start_hard_xmit() does.

> 
>>>
>>> Also does it matter whether specific offloads are enabled?
>>>
>>
>> No it doesn't matter at all.  The packet is not a GSO packet
>> so no other acceleration is used.
> 
> Hmm how do we know it's not a gso packet?
> All I see is need_gso test which means it needs segmentation.

Part of netif_needs_gso() is a test for skb_is_gso().  So it
it's gso and doesn't need segmentation (meaning the guest can
receive large packets), then partial checksum is OK.

> 
> 
>> Also, other offloads are dependent on checksum.
>>
>> -vlad
> 
> Right so what if checksum is on, but segmentation is off?
> Not the case with e1000 today but can be with other userspace.
> 

In this case, the skb will be in need to segmentation and will take
a different branch.

-vlad
> 
>>>
>>>>  		skb_queue_tail(&q->sk.sk_receive_queue, skb);
>>>>  	}
>>>>  
>>>> -- 
>>>> 1.9.0

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ