[net] xfrm: Linearize the skb after offloading if needed.

Message ID 20230614100202.1-YtK7H5@linutronix.de (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers

Checks

Context                          Check    Description
netdev/series_format             success  Single patches do not need cover letters
netdev/tree_selection            success  Clearly marked for net
netdev/fixes_present             success  Fixes tag present in non-next series
netdev/header_inline             success  No static functions without inline keyword in header files
netdev/build_32bit               success  Errors and warnings before: 8 this patch: 8
netdev/cc_maintainers            success  CCed 8 of 8 maintainers
netdev/build_clang               success  Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff          success  Signed-off-by tag matches author and committer
netdev/deprecated_api            success  None detected
netdev/check_selftest            success  No net selftest shell script
netdev/verify_fixes              success  Fixes tag looks correct
netdev/build_allmodconfig_warn   success  Errors and warnings before: 8 this patch: 8
netdev/checkpatch                warning  WARNING: Please use correct Fixes: style 'Fixes: <12 chars of sha1> ("<title line>")' - ie: 'Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")'
netdev/kdoc                      success  Errors and warnings before: 0 this patch: 0
netdev/source_inline             success  Was 0 now: 0

Commit Message

Sebastian Andrzej Siewior June 14, 2023, 10:02 a.m. UTC
With offloading enabled, esp_xmit() gets invoked very late, from within
validate_xmit_xfrm() which is after validate_xmit_skb() validates and
linearizes the skb if the underlying device does not support fragments.

esp_output_tail() may add a fragment to the skb while adding the auth
tag/ IV. Devices without the proper support will then send skb->data
points to with the correct length so the packet will have garbage at the
end. A pcap sniffer will claim that the proper data has been sent since
it parses the skb properly.

It is not affected with INET_ESP_OFFLOAD disabled.

Linearize the skb after offloading if the sending hardware requires it.
It was tested on v4, v6 has been adopted.

Fixes: 7785bba299a8d ("esp: Add a software GRO codepath")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 net/ipv4/esp4_offload.c | 3 +++
 net/ipv6/esp6_offload.c | 3 +++
 2 files changed, 6 insertions(+)

Comments

Steffen Klassert June 19, 2023, 11:14 a.m. UTC | #1
On Wed, Jun 14, 2023 at 12:02:02PM +0200, Sebastian Andrzej Siewior wrote:
> With offloading enabled, esp_xmit() gets invoked very late, from within
> validate_xmit_xfrm() which is after validate_xmit_skb() validates and
> linearizes the skb if the underlying device does not support fragments.
> 
> esp_output_tail() may add a fragment to the skb while adding the auth
> tag/ IV. Devices without the proper support will then send skb->data
> points to with the correct length so the packet will have garbage at the
> end. A pcap sniffer will claim that the proper data has been sent since
> it parses the skb properly.
> 
> It is not affected with INET_ESP_OFFLOAD disabled.
> 
> Linearize the skb after offloading if the sending hardware requires it.
> It was tested on v4, v6 has been adopted.
> 
> Fixes: 7785bba299a8d ("esp: Add a software GRO codepath")
> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

Applied to the ipsec tree, thanks a lot!
Patch

diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 3969fa805679c..ee848be59e65a 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -340,6 +340,9 @@  static int esp_xmit(struct xfrm_state *x, struct sk_buff *skb,  netdev_features_
 
 	secpath_reset(skb);
 
+	if (skb_needs_linearize(skb, skb->dev->features) &&
+	    __skb_linearize(skb))
+		return -ENOMEM;
 	return 0;
 }
 
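Review bot: The added check in esp_xmit() reads skb->dev->features, although the (truncated) hunk header shows the function already takes a netdev_features_ parameter; if the two masks can differ at this point, the linearize decision is made against a different feature set than the one handed in. Either test the passed-in mask or add a one-line comment above the `if` saying why the device mask is the right one. A comment would also record why a second linearize is needed here at all, since per the commit message validate_xmit_skb() has already run by the time esp_xmit() is called and esp_output_tail() may have added a fragment afterwards.
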
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 75c02992c520f..7723402689973 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -374,6 +374,9 @@  static int esp6_xmit(struct xfrm_state *x, struct sk_buff *skb,  netdev_features
 
 	secpath_reset(skb);
 
+	if (skb_needs_linearize(skb, skb->dev->features) &&
+	    __skb_linearize(skb))
+		return -ENOMEM;
 	return 0;
 }
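
Review bot: The three added lines in esp6_xmit() are a verbatim copy of the esp_xmit() ones, and the commit message says only v4 was tested; a small shared helper would keep the two paths from drifting apart, and an IPv6 run would confirm the adopted change. The new `return -ENOMEM` also sits after secpath_reset(skb), so please confirm that the caller frees the skb on a non-zero return, since the error handling is not visible in this hunk.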