| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 20 Jul 2023 18:13:29 +0200 From: Richard Gobert <richardbgobert@...il.com> To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, willemdebruijn.kernel@...il.com, dsahern@...nel.org, tom@...bertland.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, gal@...dia.com Subject: [PATCH v2 0/1] net: gro: fix misuse of CB in udp socket lookup GRO stack uses `udp_lib_lookup_skb` which relies on IP/IPv6 CB's info, and at the GRO stage, CB holds `napi_gro_cb` info. Specifically, `udp_lib_lookup_skb` tries to fetch `iff` and `flags` information from the CB, to find the relevant udp tunnel socket (GENEVE/VXLAN/..). Up until a patch I submitted recently [0], it worked merely by luck, due to the layouts of `napi_gro_cb` and IP6CB. AFAIU it worked because: `IP6CB(skb)->flags` is at offset 16 inside IP6CB: - Before the patch: `flags` was mapped to `flush`. - After the patch: `flags` was mapped to `data_offset`. `IP6CB(skb)->iff` is at offset 0 inside IP6CB: - Before the patch: `iif` was mapped to `frag0`. - After the patch: `iif` was mapped to a union of `frag0` and `last`. After my patch, on the receive phase, while `data_offset` is 40 (since IPv6 header is 40 bytes), `inet_iif` calls `ipv6_l3mdev_skb`, which checks whether `IP6CB(skb)->flags`'s `IP6SKB_L3SLAVE` bit is on or off (in our case its off). If it is off, `inet_iif` returns `IP6CB(skb)->iif`, which is mapped to `napi_gro_cb->frag0`, making `inet_iif` return 0 most of the times. `inet_sdif` returns zero due to a similar reason caused by `data_offset` being equal to 40 (and less than 64). On the other hand, the complete phase behaves differently. `data_offset` is usually greater than 64 and less than 128 so the `IP6SKB_L3SLAVE` flag is on. Thus, `inet_sdif` returns `IP6CB(skb)->iif`, which is mapped to `last` which contains a pointer. This causes `udp_sk_bound_dev_eq` to fail, which leads to `udp6_lib_lookup2` failing and not returning a socket. This leads the receive phase of GRO to find the right socket, and on the complete phase, it fails to find it and makes the throughput go down to nearly zero. Before [0] `flags` was mapped to `flush`. `flush`'s possible values were 1 and 0, making `inet6_iff` always returning `skb->skb_iif` and `inet6_sdif` returning 0, and leading to `udp_sk_bound_dev_eq` returning true. A fix is to not rely on CB, and get `iff` and `sdif` using skb->dev. l3mdev case requires special attention since it has a master and a slave device. [0] https://lore.kernel.org/netdev/20230601160924.GA9194@debian/ Changelog: v1 -> v2: * make functions inline * fix logical bug * add a comment when we can use the new functions * checkpatch fixes Richard Gobert (1): net: gro: fix misuse of CB in udp socket lookup include/net/udp.h | 2 ++ net/ipv4/udp.c | 28 ++++++++++++++++++++++++++-- net/ipv4/udp_offload.c | 7 +++++-- net/ipv6/udp.c | 29 +++++++++++++++++++++++++++-- net/ipv6/udp_offload.c | 7 +++++-- 5 files changed, 65 insertions(+), 8 deletions(-) -- 2.36.1
Powered by blists - more mailing lists