Date: Sun, 20 Feb 2022 08:31:41 -0800
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Tao Liu <thomas.liu@...oud.cn>
Cc: davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org, kuba@...nel.org, edumazet@...gle.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net v3] gso: do not skip outer ip header in case of ipip and net_failover

On Fri, Feb 18, 2022 at 6:36 AM Tao Liu <thomas.liu@...oud.cn> wrote:
>
> We encountered a TCP drop issue in our cloud environment. A packet GROed in
> the host is forwarded to a VM virtio_net NIC with net_failover enabled. The VM
> acts as an IPVS LB with ipip encapsulation. The full path looks like:
>   host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat
>     -> ipip encap -> net_failover tx -> virtio_net tx
>
> When net_failover transmits an ipip pkt (gso_type = 0x0103, which means
> SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), no GSO is done
> because it supports TSO and GSO_IPXIP4. But network_header points to the
> inner ip header.
>
> Call Trace:
>  tcp4_gso_segment    ------> return NULL
>  inet_gso_segment    ------> inner iph, network_header points to
>  ipip_gso_segment
>  inet_gso_segment    ------> outer iph
>  skb_mac_gso_segment
>
> Afterwards virtio_net transmits the pkt, and only the inner ip header is
> modified. The outer one just stays unchanged. The pkt will be dropped in
> the remote host.
>
> Call Trace:
>  inet_gso_segment    ------> inner iph, outer iph is skipped
>  skb_mac_gso_segment
>  __skb_gso_segment
>  validate_xmit_skb
>  validate_xmit_skb_list
>  sch_direct_xmit
>  __qdisc_run
>  __dev_queue_xmit    ------> virtio_net
>  dev_hard_start_xmit
>  __dev_queue_xmit    ------> net_failover
>  ip_finish_output2
>  ip_output
>  iptunnel_xmit
>  ip_tunnel_xmit
>  ipip_tunnel_xmit    ------> ipip
>  dev_hard_start_xmit
>  __dev_queue_xmit
>  ip_finish_output2
>  ip_output
>  ip_forward
>  ip_rcv
>  __netif_receive_skb_one_core
>  netif_receive_skb_internal
>  napi_gro_receive
>  receive_buf
>  virtnet_poll
>  net_rx_action
>
> The root cause of this issue is specific to the rare combination of
> SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.
> SKB_GSO_DODGY is set from external virtio_net. We need to reset the network
> header when callbacks.gso_segment() returns NULL.
>
> This patch also includes ipv6_gso_segment(), considering SIT, etc.
>
> Fixes: cb32f511a70b ("ipip: add GSO/TSO support")
> Signed-off-by: Tao Liu <thomas.liu@...oud.cn>

Reviewed-by: Willem de Bruijn <willemb@...gle.com>
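Added illustration, not part of the thread or of the kernel source: a constructed C model of the header-offset bookkeeping in the ipip case described above. It tracks only the skb->mac_header, skb->network_header and skb->data offsets, stands in tcp4_gso_segment with a callback that returns NULL (the TSO case), and applies the "reset network header when callbacks.gso_segment() returns NULL" rule the message describes; the layout (14-byte MAC header, two 20-byte IP headers) and all function names prefixed model_ are assumptions.

```c
#include <stdbool.h>

/* Constructed model: offsets into the skb linear buffer, like the kernel's
 * skb->mac_header, skb->network_header and skb->data (not kernel code). */
struct model_skb {
    int mac_header;      /* where the ethernet header starts */
    int network_header;  /* the IP header the tx path will later rewrite */
    int data;            /* current pull position */
};

enum { MAC_LEN = 14, IPH_LEN = 20 };  /* assumed header sizes */

/* Stand-in for the L4 callbacks.gso_segment() (tcp4_gso_segment in the
 * report): the device advertises TSO, so no software segmentation happens
 * and the kernel callback returns NULL, modelled here as false. */
static bool model_l4_gso_segment(struct model_skb *skb)
{
    (void)skb;
    return false;
}

/* One level of inet_gso_segment(). depth 0 is the outer ipip header, which
 * recurses into the inner IP header the way ipip_gso_segment() does. With
 * with_fix set, a NULL result restores this layer's network_header. */
static bool model_inet_gso_segment(struct model_skb *skb, int depth, bool with_fix)
{
    skb->network_header = skb->data;                    /* skb_reset_network_header */
    int nhoff = skb->network_header - skb->mac_header;  /* saved before the pull */
    skb->data += IPH_LEN;                               /* __skb_pull(skb, ihl) */

    bool segs = (depth == 0) ? model_inet_gso_segment(skb, 1, with_fix)
                             : model_l4_gso_segment(skb);

    if (!segs && with_fix)
        skb->network_header = skb->mac_header + nhoff;  /* back to this layer's iph */
    return segs;
}

/* Runs the ipip case and returns the network_header offset left behind,
 * i.e. which IP header the transmit path would rewrite afterwards. */
int model_network_header_after_gso(bool with_fix)
{
    /* entry state as after skb_mac_gso_segment() pulled the MAC header */
    struct model_skb skb = { .mac_header = 0, .network_header = MAC_LEN, .data = MAC_LEN };
    model_inet_gso_segment(&skb, 0, with_fix);
    return skb.network_header;
}
```

Without the reset the offset stays at the inner IP header (34 in this layout), which is the "outer iph is skipped" state in the trace; with it the offset returns to the outer header (14).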