| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8a57a463fbb4c2613670d265a911341a1e13a056.1764056123.git.pabeni@redhat.com>
Date: Tue, 25 Nov 2025 17:11:14 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Simon Horman <horms@...nel.org>,
Donald Hunter <donald.hunter@...il.com>,
Andrew Lunn <andrew+netdev@...n.ch>,
Shuah Khan <shuah@...nel.org>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>
Subject: [PATCH net-next 09/10] geneve: use GRO hint option in the RX path
At the GRO stage, when a valid hint option is found, try match the whole
nested headers and try to aggregate on the inner protocol; in case of hdr
mismatch extract the nested address and port to properly flush on a
per-inner flow basis.
On GRO completion, the (unmodified) nested headers will be considered part
of the (constant) outer geneve encap header so that plain UDP tunnel
segmentation will yield valid wire packets.
In the geneve RX path, when processing a GSO packet carrying a GRO hint
option, update the nested header length fields from the wire packet size to
the GSO-packet one. If the nested header additionally carries a checksum,
convert it to CSUM-partial.
Signed-off-by: Paolo Abeni <pabeni@...hat.com>
---
drivers/net/geneve.c | 160 +++++++++++++++++++++++++++++++++++++++++--
1 file changed, 155 insertions(+), 5 deletions(-)
diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index 5030ad0db3fc..b33c72538cfb 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -259,9 +259,8 @@ static struct geneve_dev *geneve_lookup_skb(struct geneve_sock *gs,
/* geneve receive/decap routine */
static void geneve_rx(struct geneve_dev *geneve, struct geneve_sock *gs,
- struct sk_buff *skb)
+ struct sk_buff *skb, const struct genevehdr *gnvh)
{
- struct genevehdr *gnvh = geneve_hdr(skb);
struct metadata_dst *tun_dst = NULL;
unsigned int len;
int nh, err = 0;
@@ -558,6 +557,76 @@ geneve_opt_gro_hint_validate_csum(const struct sk_buff *skb,
return !csum_fold(csum_add(psum, csum));
}
+static int geneve_post_decap_hint(const struct sock *sk, struct sk_buff *skb,
+ unsigned int gh_len)
+{
+ struct geneve_opt_gro_hint *gro_hint;
+ unsigned int len, total_len;
+ struct ipv6hdr *ipv6h;
+ struct iphdr *iph;
+ struct udphdr *uh;
+ __be16 p;
+
+ gro_hint = geneve_sk_gro_hint(sk, (void *)skb->data - gh_len, &p, &len);
+ if (!gro_hint)
+ return 0;
+
+ if (!skb_is_gso(skb))
+ return 0;
+
+ if (unlikely(!pskb_may_pull(skb, gro_hint->nested_hdr_len)))
+ return -ENOMEM;
+
+ if (unlikely(skb_shinfo(skb)->gso_type & SKB_GSO_DODGY &&
+ !geneve_opt_gro_hint_validate(skb->data, gro_hint)))
+ return -EINVAL;
+
+ ipv6h = (void *)skb->data + gro_hint->nested_nh_offset;
+ iph = (struct iphdr *)ipv6h;
+ total_len = skb->len - gro_hint->nested_nh_offset;
+ if (total_len > GRO_LEGACY_MAX_SIZE)
+ return -E2BIG;
+
+ /*
+ * After stripping the outer encap, the packet still carries a
+ * tunnel encapsulation: the nested one.
+ */
+ skb->encapsulation = 1;
+
+ /* GSO expect a valid transpor header, move it to the current one. */
+ skb_set_transport_header(skb, gro_hint->nested_tp_offset);
+
+ /* Adjust the nested IP{6} hdr to actual GSO len. */
+ if (gro_hint->nested_is_v6) {
+ ipv6h->payload_len = htons(total_len - sizeof(*ipv6h));
+ } else {
+ __be16 old_len = iph->tot_len;
+
+ iph->tot_len = htons(total_len);
+
+ /* For IPv4 additionally adjust the nested csum. */
+ csum_replace2(&iph->check, old_len, iph->tot_len);
+ ip_send_check(iph);
+ }
+
+ /* Adjust the nested UDP header len and checksum. */
+ uh = udp_hdr(skb);
+ uh->len = htons(skb->len - gro_hint->nested_tp_offset);
+ if (uh->check) {
+ len = skb->len - gro_hint->nested_nh_offset;
+ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
+ if (gro_hint->nested_is_v6)
+ uh->check = ~udp_v6_check(len, &ipv6h->saddr,
+ &ipv6h->daddr, 0);
+ else
+ uh->check = ~udp_v4_check(len, iph->saddr,
+ iph->daddr, 0);
+ } else {
+ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
+ }
+ return 0;
+}
+
/* Callback from net/ipv4/udp.c to receive packets */
static int geneve_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
{
@@ -599,7 +668,15 @@ static int geneve_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
goto drop;
}
- geneve_rx(geneve, gs, skb);
+ /* The hint will also set the transport header to the nested one. */
+ geneveh = geneve_hdr(skb);
+ if (geneve_post_decap_hint(sk, skb, sizeof(struct genevehdr) +
+ opts_len)) {
+ DEV_STATS_INC(geneve->dev, rx_errors);
+ goto drop;
+ }
+
+ geneve_rx(geneve, gs, skb, geneveh);
return 0;
drop:
@@ -690,6 +767,79 @@ static struct socket *geneve_create_sock(struct net *net, bool ipv6,
return sock;
}
+static bool geneve_hdr_match(struct sk_buff *skb,
+ const struct genevehdr *gh,
+ const struct genevehdr *gh2,
+ const struct geneve_opt_gro_hint *gro_hint)
+{
+ void *nested, *nested2, *nh, *nh2;
+ struct udphdr *udp, *udp2;
+ unsigned int gh_len;
+
+ /* Match the geneve hdr and options */
+ if (gh->opt_len != gh2->opt_len)
+ return false;
+
+ gh_len = geneve_hlen(gh);
+ if (memcmp(gh, gh2, gh_len))
+ return false;
+
+ if (!gro_hint)
+ return true;
+
+ /*
+ * When gro is present consider the nested headers as part
+ * of the geneve options
+ */
+ nested = (void *)gh + gh_len;
+ nested2 = (void *)gh2 + gh_len;
+ if (!memcmp(nested, nested2, gro_hint->nested_hdr_len))
+ return true;
+
+ /*
+ * The nested headers differ; the packets can still belong to
+ * the same flow when IPs/proto/ports match; if so flushing is
+ * required.
+ */
+ nh = nested + gro_hint->nested_nh_offset;
+ nh2 = nested2 + gro_hint->nested_nh_offset;
+ if (gro_hint->nested_is_v6) {
+ struct ipv6hdr *iph = nh, *iph2 = nh2;
+ unsigned int nested_nlen;
+ __be32 first_word;
+
+ first_word = *(__be32 *)iph ^ *(__be32 *)iph2;
+ if ((first_word & htonl(0xF00FFFFF)) ||
+ !ipv6_addr_equal(&iph->saddr, &iph2->saddr) ||
+ !ipv6_addr_equal(&iph->daddr, &iph2->daddr) ||
+ iph->nexthdr != iph2->nexthdr)
+ return false;
+
+ nested_nlen = gro_hint->nested_tp_offset -
+ gro_hint->nested_nh_offset;
+ if (nested_nlen > sizeof(struct ipv6hdr) &&
+ (memcmp(iph + 1, iph2 + 1,
+ nested_nlen - sizeof(struct ipv6hdr))))
+ return false;
+ } else {
+ struct iphdr *iph = nh, *iph2 = nh2;
+
+ if ((iph->protocol ^ iph2->protocol) |
+ ((__force u32)iph->saddr ^ (__force u32)iph2->saddr) |
+ ((__force u32)iph->daddr ^ (__force u32)iph2->daddr))
+ return false;
+ }
+
+ udp = nested + gro_hint->nested_tp_offset;
+ udp2 = nested2 + gro_hint->nested_tp_offset;
+ if (udp->source != udp2->source || udp->dest != udp2->dest ||
+ udp->check != udp2->check)
+ return false;
+
+ NAPI_GRO_CB(skb)->flush = 1;
+ return true;
+}
+
static struct sk_buff *geneve_gro_receive(struct sock *sk,
struct list_head *head,
struct sk_buff *skb)
@@ -742,8 +892,7 @@ static struct sk_buff *geneve_gro_receive(struct sock *sk,
continue;
gh2 = (struct genevehdr *)(p->data + off_gnv);
- if (gh->opt_len != gh2->opt_len ||
- memcmp(gh, gh2, gh_len)) {
+ if (!geneve_hdr_match(skb, gh, gh2, gro_hint)) {
NAPI_GRO_CB(p)->same_flow = 0;
continue;
}
@@ -779,6 +928,7 @@ static int geneve_gro_complete(struct sock *sk, struct sk_buff *skb,
gh = (struct genevehdr *)(skb->data + nhoff);
gh_len = geneve_hlen(gh);
type = gh->proto_type;
+ geneve_opt_gro_hint(gh, &type, &gh_len);
/* since skb->encapsulation is set, eth_gro_complete() sets the inner mac header */
if (likely(type == htons(ETH_P_TEB)))
--
2.52.0
Powered by blists - more mailing lists