lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Jan 2020 10:43:08 -0500 From: Willem de Bruijn <willemdebruijn.kernel@...il.com> To: Steffen Klassert <steffen.klassert@...unet.com> Cc: Willem de Bruijn <willemdebruijn.kernel@...il.com>, David Miller <davem@...emloft.net>, Paolo Abeni <pabeni@...hat.com>, Subash Abhinov Kasiviswanathan <subashab@...eaurora.org>, Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, Network Development <netdev@...r.kernel.org> Subject: Re: [PATCH net-next 3/4] net: Support GRO/GSO fraglist chaining. > > > Maybe we can be conservative here and do a full > > > __copy_skb_header for now. The initial version > > > does not necessarily need to be the most performant > > > version. We could try to identify the correct subset > > > of header fields later then. > > > > We should probably aim for the right set from the start. If you think > > this set is it, let's keep it. > > I'd prefer to do a full __copy_skb_header for now and think a bit > longer if that what I chose is really the correct subset. Ok > > > > > I had to set ip_summed to CHECKSUM_UNNECESSARY on GRO to > > > > > make sure the noone touches the checksum of the head > > > > > skb. Otherise netfilter etc. tries to touch the csum. > > > > > > > > > > Before chaining I make sure that ip_summed and csum_level is > > > > > the same for all chained skbs and here I restore the original > > > > > value from nskb. > > > > > > > > This is safe because the skb_gro_checksum_validate will have validated > > > > already on CHECKSUM_PARTIAL? What happens if there is decap or encap > > > > in the path? We cannot revert to CHECKSUM_PARTIAL after that, I > > > > imagine. > > > > > > Yes, the checksum is validated with skb_gro_checksum_validate. If the > > > packets are UDP encapsulated, they are segmented before decapsulation. > > > Original values are already restored. If an additional encapsulation > > > happens, the encap checksum will be calculated after segmentation. > > > Original values are restored before that. > > > > I was wondering more about additional other encapsulation protocols. > > > > >From a quick read, it seems like csum_level is associated only with > > CHECKSUM_UNNECESSARY. > > > > What if a device returns CHECKSUM_COMPLETE for packets with a tunnel > > that is decapsulated before forwarding. Say, just VLAN. That gets > > untagged in __netif_receive_skb_core with skb_vlan_untag calling > > skb_pull_rcsum. After segmentation the ip_summed is restored, with > > skb->csum still containing the unmodified csum that includes the VLAN > > tag? > > Hm, that could be really a problem. So setting CHECKSUM_UNNECESSARY > should be ok, but restoring the old values are not. Our checksum > magic is rather complex, it's hard to get it right for all possible > cases. Maybe we can just set CHECKSUM_UNNECESSARY for all packets > and keep this value after segmentation. Note that I'm not 100% sure that the issue can occur. But it seems likely. Yes, inverse CHECKSUM_UNNECESSARY conversion after verifying the checksum is probably the way to go. Inverse, because it is the opposite of __skb_gro_checksum_convert. Or forgo (this variant of) GRO when encountering unexpected outer encap headers?
Powered by blists - more mailing lists