diff mbox series

[net,6/7] net: core: bpf: fix lwtunnel_input/xmit loop

Message ID 20250311141238.19862-7-justin.iurman@uliege.be (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Headers show
Series net: fix lwtunnel reentry loops | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 10 of 11 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 51 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Justin Iurman March 11, 2025, 2:12 p.m. UTC 
Fix the lwtunnel_input() reentry loop and the lwtunnel_xmit() loop when
the destination is the same after transformation. For xmit, we refuse
BPF_LWT_REROUTE when dst_entry remains unchanged, since it's considered
a buggy configuration and there is no other easy way to prevent the
issue.

Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c")
Cc: bpf@vger.kernel.org
Cc: Guillaume Nault <gnault@redhat.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Menglong Dong <menglong8.dong@gmail.com>
Cc: Peter Oskolkov <posk@google.com>
Cc: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
---
 net/core/lwt_bpf.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff mbox series

Patch

diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index ae74634310a3..5ed849a0b23d 100644
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -88,6 +88,7 @@  static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
 
 static int bpf_lwt_input_reroute(struct sk_buff *skb)
 {
+	struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate;
 	enum skb_drop_reason reason;
 	int err = -EINVAL;
 
@@ -110,6 +111,13 @@  static int bpf_lwt_input_reroute(struct sk_buff *skb)
 
 	if (err)
 		goto err;
+
+	/* avoid lwtunnel_input() reentry loop when destination is the same
+	 * after transformation
+	 */
+	if (lwtst == skb_dst(skb)->lwtstate)
+		return lwtst->orig_input(skb);
+
 	return dst_input(skb);
 
 err:
@@ -180,6 +188,7 @@  static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
 	struct net_device *l3mdev = l3mdev_master_dev_rcu(skb_dst(skb)->dev);
 	int oif = l3mdev ? l3mdev->ifindex : 0;
 	struct dst_entry *dst = NULL;
+	struct dst_entry *orig_dst;
 	int err = -EAFNOSUPPORT;
 	struct sock *sk;
 	struct net *net;
@@ -201,6 +210,8 @@  static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
 		net = dev_net(skb_dst(skb)->dev);
 	}
 
+	orig_dst = skb_dst(skb);
+
 	if (ipv4) {
 		struct iphdr *iph = ip_hdr(skb);
 		struct flowi4 fl4 = {};
@@ -254,6 +265,16 @@  static int bpf_lwt_xmit_reroute(struct sk_buff *skb)
 	if (unlikely(err))
 		goto err;
 
+	/* avoid lwtunnel_xmit() reentry loop when destination is the same
+	 * after transformation (i.e., disallow BPF_LWT_REROUTE when dst_entry
+	 * remains the same).
+	 */
+	if (orig_dst->lwtstate == dst->lwtstate) {
+		dst_release(dst);
+		err = -EINVAL;
+		goto err;
+	}
+
 	skb_dst_drop(skb);
 	skb_dst_set(skb, dst);