lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20251124-skb-meta-safeproof-netdevs-rx-only-v1-0-8978f5054417@cloudflare.com>
Date: Mon, 24 Nov 2025 17:28:36 +0100
From: Jakub Sitnicki <jakub@...udflare.com>
To: bpf@...r.kernel.org
Cc: netdev@...r.kernel.org, kernel-team@...udflare.com, 
 Martin KaFai Lau <martin.lau@...ux.dev>
Subject: [PATCH RFC bpf-next 00/15] Decouple skb metadata tracking from MAC
 header offset

This series continues the effort to provide reliable access to xdp/skb
metadata from BPF context on the receive path.

Currently skb metadata location is tied to the MAC header offset, which
breaks on L2 decapsulation (VLAN, GRE, etc.) when the MAC offset is
reset. The naive fix is to memmove metadata on every decap path, but we can
avoid this cost by tracking metadata position independently.

Introduce a dedicated meta_end field in skb_shared_info that records where
metadata ends relative to skb->head. This allows BPF dynptr
access (bpf_dynptr_from_skb_meta()) to work without memmove. For
skb->data_meta pointer access, which expects metadata immediately before
skb->data, make the verifier inject realignment code in TC BPF prologue.

Patches 1-9 enforce the calling convention: skb_metadata_set() must be
called after skb->data points past the metadata area, ensuring meta_end
captures the correct position. Patch 10 implements the core change.
Patches 11-14 extend the verifier to track data_meta usage, and patch 15
adds the realignment logic.

Note: This series does not address moving metadata on L2 encapsulation when
forwarding packets. VLAN and QinQ have already been patched when fixing TC
BPF helpers [1], but other tagging/tunnel code still requires changes.

Selftests are missing. The series has been developed against an out-of-tree
shell-based test suite at [2].

Note to maintainers: This not a typical series, in the sense that it
touches both the networking drivers and the BPF verifier. The driver
changes (patches 1-9) can be split out, if it makes things easier.

Thanks,
-jkbs

[1] https://lore.kernel.org/all/20251105-skb-meta-rx-path-v4-0-5ceb08a9b37b@cloudflare.com/
[2] https://github.com/jsitnicki/skb-metadata-tests/blob/main/rx_loopback_test.sh

Signed-off-by: Jakub Sitnicki <jakub@...udflare.com>
---
Jakub Sitnicki (15):
      bnxt_en: Call skb_metadata_set when skb->data points at metadata end
      i40e: Call skb_metadata_set when skb->data points at metadata end
      igb: Call skb_metadata_set when skb->data points at metadata end
      igc: Call skb_metadata_set when skb->data points at metadata end
      ixgbe: Call skb_metadata_set when skb->data points at metadata end
      net/mlx5e: Call skb_metadata_set when skb->data points at metadata end
      veth: Call skb_metadata_set when skb->data points at metadata end
      xsk: Call skb_metadata_set when skb->data points at metadata end
      xdp: Call skb_metadata_set when skb->data points at metadata end
      net: Track skb metadata end separately from MAC offset
      bpf, verifier: Remove side effects from may_access_direct_pkt_data
      bpf, verifier: Turn seen_direct_write flag into a bitmap
      bpf, verifier: Propagate packet access flags to gen_prologue
      bpf, verifier: Track when data_meta pointer is loaded
      bpf: Realign skb metadata for TC progs using data_meta

 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |  2 +-
 drivers/net/ethernet/intel/i40e/i40e_xsk.c         |  2 +-
 drivers/net/ethernet/intel/igb/igb_xsk.c           |  2 +-
 drivers/net/ethernet/intel/igc/igc_main.c          |  4 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c       |  2 +-
 .../net/ethernet/mellanox/mlx5/core/en/xsk/rx.c    |  2 +-
 drivers/net/veth.c                                 |  4 +-
 include/linux/bpf.h                                |  2 +-
 include/linux/bpf_verifier.h                       |  7 ++-
 include/linux/skbuff.h                             | 37 +++++++++---
 kernel/bpf/cgroup.c                                |  2 +-
 kernel/bpf/verifier.c                              | 42 ++++++--------
 net/core/dev.c                                     |  5 +-
 net/core/filter.c                                  | 66 +++++++++++++++++++---
 net/core/skbuff.c                                  | 10 +---
 net/core/xdp.c                                     |  2 +-
 net/sched/bpf_qdisc.c                              |  3 +-
 .../testing/selftests/bpf/test_kmods/bpf_testmod.c |  6 +-
 18 files changed, 134 insertions(+), 66 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ