From patchwork Tue Dec 13 04:39:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Subash Abhinov Kasiviswanathan (KS)" X-Patchwork-Id: 13071705 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B353DC4332F for ; Tue, 13 Dec 2022 04:41:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234352AbiLMElG (ORCPT ); Mon, 12 Dec 2022 23:41:06 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38774 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234273AbiLMEkv (ORCPT ); Mon, 12 Dec 2022 23:40:51 -0500 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E58A06409; Mon, 12 Dec 2022 20:40:49 -0800 (PST) Received: from pps.filterd (m0279864.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 2BCLkaQL019045; Tue, 13 Dec 2022 04:40:17 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : mime-version : content-type; s=qcppdkim1; bh=nZGoVEKG4u8FtO8Swj8gB5zwdm9SSqkraSoJQV18Uq8=; b=JVvJgiqbw8OuN9h8VtJAWSkKbDW9WcdvtziA+ScljtOVC4rLRtfkr0KI3ZtqwuLgEzrM thI1J8VOwDziiwyc7kGKTolXvF2oN5gMPby48HLmM5YJvKUzgDY7Og9VwCQ8VuJqzmVh UirM7JZJzVSXJLdfrlT3+mFFh5iTtRicQR5dqlAPIdGy6nluYpLt7qmlQ6L4OC/KiMVd 4d+zRc9pHkeYr3p7XZq9OhlxosX8ZaMgWy0uVsnzgTuGtNyuJBcR2GmKIjd24bEClTZx oUNwk3jeJGRxs1XvVLjL10hp4dIDuvTzRtazMxja/eqoeLVlpHWTaI255PZZktOWEt+K 0Q== Received: from nalasppmta04.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3me09gayqg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 13 Dec 2022 04:40:17 +0000 Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA04.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 2BD4eGbC014861 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 13 Dec 2022 04:40:16 GMT Received: from subashab-lnx.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.36; Mon, 12 Dec 2022 20:40:15 -0800 From: Subash Abhinov Kasiviswanathan To: , , , , , , , , , , , , , , , , CC: Subash Abhinov Kasiviswanathan , "Sean Tranchetti" Subject: [PATCH net] filter: Account for tail adjustment during pull operations Date: Mon, 12 Dec 2022 21:39:41 -0700 Message-ID: <1670906381-25161-1-git-send-email-quic_subashab@quicinc.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: FM2D7NeEkw9PsWZPL8jrwW39iWh5U0Am X-Proofpoint-GUID: FM2D7NeEkw9PsWZPL8jrwW39iWh5U0Am X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.923,Hydra:6.0.545,FMLib:17.11.122.1 definitions=2022-12-12_08,2022-12-12_02,2022-06-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 mlxlogscore=999 bulkscore=0 phishscore=0 adultscore=0 impostorscore=0 spamscore=0 lowpriorityscore=0 mlxscore=0 malwarescore=0 priorityscore=1501 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2212130042 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Extending the tail can have some unexpected side effects if a program is reading the content beyond the head skb headlen and all the skbs in the gso frag_list are linear with no head_frag - kernel BUG at net/core/skbuff.c:4219! pc : skb_segment+0xcf4/0xd2c lr : skb_segment+0x63c/0xd2c Call trace: skb_segment+0xcf4/0xd2c __udp_gso_segment+0xa4/0x544 udp4_ufo_fragment+0x184/0x1c0 inet_gso_segment+0x16c/0x3a4 skb_mac_gso_segment+0xd4/0x1b0 __skb_gso_segment+0xcc/0x12c udp_rcv_segment+0x54/0x16c udp_queue_rcv_skb+0x78/0x144 udp_unicast_rcv_skb+0x8c/0xa4 __udp4_lib_rcv+0x490/0x68c udp_rcv+0x20/0x30 ip_protocol_deliver_rcu+0x1b0/0x33c ip_local_deliver+0xd8/0x1f0 ip_rcv+0x98/0x1a4 deliver_ptype_list_skb+0x98/0x1ec __netif_receive_skb_core+0x978/0xc60 Fix this by marking these skbs as GSO_DODGY so segmentation can handle the tail updates accordingly. Fixes: 5293efe62df8 ("bpf: add bpf_skb_change_tail helper") Signed-off-by: Sean Tranchetti Signed-off-by: Subash Abhinov Kasiviswanathan --- net/core/filter.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index bb0136e..d5f7f79 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -1654,6 +1654,20 @@ static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp); static inline int __bpf_try_make_writable(struct sk_buff *skb, unsigned int write_len) { + struct sk_buff *list_skb = skb_shinfo(skb)->frag_list; + + if (skb_is_gso(skb) && list_skb && !list_skb->head_frag && + skb_headlen(list_skb)) { + int headlen = skb_headlen(skb); + int err = skb_ensure_writable(skb, write_len); + + /* pskb_pull_tail() has occurred */ + if (!err && headlen != skb_headlen(skb)) + skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; + + return err; + } + return skb_ensure_writable(skb, write_len); }