From patchwork Mon Sep 9 18:22:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Willem de Bruijn X-Patchwork-Id: 13797408 Received: from mail-qt1-f172.google.com (mail-qt1-f172.google.com [209.85.160.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DC89C17799F; Mon, 9 Sep 2024 18:25:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906315; cv=none; b=jMLeNhsqYcFRWr0xGvMQnCD6ZMgDhtrsBQLpsOBeJuXJDLhdqVHHxP3Oud/tg8y20+QVIZnf/guYa0OodHTIwkm4swTAjTaXjIidcikCkMjyFZjmpeZS1JWCqK6r3rfBLntMcR5EKatJ1LZ9TQw9RGZQW1IUzEhemOZtxwk1TCQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906315; c=relaxed/simple; bh=45l4S9sDOnkZMDqFyTuQSTLHbSwbgq6XZFmuvHeh46c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Gc5DErrsbRktwKsnF4CAEkd7PfjHhDfwNel6ntfCzUizI863WMzuk7b41ejEn9gi58GZWw1vyRJqEZ6upGShRcq2NULRIkwTKCe6vG6MThT+d/STyDZfrzpbXpZv3lmdHfwT95WTGFjcZDEPJAKyn7qPIgrTrejd6HGMR2KsnG8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ccqul/x5; arc=none smtp.client-ip=209.85.160.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ccqul/x5" Received: by mail-qt1-f172.google.com with SMTP id d75a77b69052e-45826431d4bso11479231cf.0; Mon, 09 Sep 2024 11:25:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725906313; x=1726511113; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Yl2h3nH890XCPuBqDE9iWH/23/OUuljwY/dx88x4zZ8=; b=ccqul/x5HZ8oLz60fECSsu3lKE0BjcCRgM0VKT2IeonUZ8+6htSLa3rmkH/0tonCO0 3gULLc7tOsgu2+BvS9Q4/sdPlwpXUj2FGpUBI9n6peHhflnMRlBPb6c5Vbp4FaoNeKVO 7i+asBfi6Wn2BmpbMzVW7foxpyy6KER72Ygu5ypJaYa6oI/zK21Y+6XAvV9t0T/s4dD0 XFefP1+AUMshx3MeyrXvi0EmruhqzT2wGvYMbpWBIenDKGFgHkrafRZUPpame6DJzWpQ JPnO56sBn0hcHre/PUGL5hcSWMOOvtB67zuU/Qz4HVSC4XGikkwnJuTfpmiBUzEoMqEs JtTg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725906313; x=1726511113; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Yl2h3nH890XCPuBqDE9iWH/23/OUuljwY/dx88x4zZ8=; b=mEfM5X4KPfQ4+3XTMwurvOMkZ/bexA8t8MhdtOAiZ51n//plYnWj63INVNHiifl08p FHey6vUB/5OSKSMFQ8gmVb+SDXzv3bw+mlhlXE2rZqSgBoCzD/fp407Uhy18xJo1/u+A HWazsJuZ5WSkD+egI++O/8uFNiG5C148bzZE2mE5ZmzAD5rTXTFOvnHQGETPluL8PznX dAReh+pNEcTvdfE5PCkqsHEl4Pk4NWI2Vxq+GyRROkUzFFpjnuXWiMvygwQ1X5dz+1ON qhRIf3h9Jt/TwJ15yu6fg46SwvC06XG9uT+Qh8pYlTjHznSlPjVeBxbmjPdgrue9m7BH qALg== X-Gm-Message-State: AOJu0YxIrDx0Ik35YhFc8bec/Sl1c/g+nt1W5gtG6tNSGgqRCtJCv80t PxzsGix74lQO8XlVubCBP2QKHyoT8gleFkpH8o3umzgD+mDvdnv0c4iTEQ== X-Google-Smtp-Source: AGHT+IECppETEAvkobv6B0BDTmHRUfu7uuGzEj1qNtwc5mmHYJTO3LdekRw/ZQnY12A+1SzyfJYevw== X-Received: by 2002:a05:622a:2c9:b0:458:3d1b:8de4 with SMTP id d75a77b69052e-4583d1b921emr1405781cf.39.1725906312204; Mon, 09 Sep 2024 11:25:12 -0700 (PDT) Received: from willemb.c.googlers.com.com (23.67.48.34.bc.googleusercontent.com. [34.48.67.23]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45822e9b231sm22539071cf.47.2024.09.09.11.25.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Sep 2024 11:25:11 -0700 (PDT) From: Willem de Bruijn To: stable@vger.kernel.org Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org, christian@theune.cc, mathieu.tortuyaux@gmail.com, Willem de Bruijn , syzbot+01cdbc31e9c0ae9b33ac@syzkaller.appspotmail.com, syzbot+c99d835ff081ca30f986@syzkaller.appspotmail.com, Eric Dumazet , Jason Wang , "David S. Miller" Subject: [PATCH 5.15 1/4] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Date: Mon, 9 Sep 2024 14:22:45 -0400 Message-ID: <20240909182506.270136-2-willemdebruijn.kernel@gmail.com> X-Mailer: git-send-email 2.46.0.598.g6f2099f65c-goog In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> References: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Willem de Bruijn [ Upstream commit fc8b2a619469378717e7270d2a4e1ef93c585f7a ] Syzbot reported two new paths to hit an internal WARNING using the new virtio gso type VIRTIO_NET_HDR_GSO_UDP_L4. RIP: 0010:skb_checksum_help+0x4a2/0x600 net/core/dev.c:3260 skb len=64521 gso_size=344 and RIP: 0010:skb_warn_bad_offload+0x118/0x240 net/core/dev.c:3262 Older virtio types have historically had loose restrictions, leading to many entirely impractical fuzzer generated packets causing problems deep in the kernel stack. Ideally, we would have had strict validation for all types from the start. New virtio types can have tighter validation. Limit UDP GSO packets inserted via virtio to the same limits imposed by the UDP_SEGMENT socket interface: 1. must use checksum offload 2. checksum offload matches UDP header 3. no more segments than UDP_MAX_SEGMENTS 4. UDP GSO does not take modifier flags, notably SKB_GSO_TCP_ECN Fixes: 860b7f27b8f7 ("linux/virtio_net.h: Support USO offload in vnet header.") Reported-by: syzbot+01cdbc31e9c0ae9b33ac@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000005039270605eb0b7f@google.com/ Reported-by: syzbot+c99d835ff081ca30f986@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000005426680605eb0b9f@google.com/ Signed-off-by: Willem de Bruijn Reviewed-by: Eric Dumazet Acked-by: Jason Wang Signed-off-by: David S. Miller [5.15 stable: clean backport] Signed-off-by: Willem de Bruijn --- include/linux/virtio_net.h | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 29b19d0a324c7..137357fb6a574 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -3,8 +3,8 @@ #define _LINUX_VIRTIO_NET_H #include +#include #include -#include #include static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type) @@ -155,9 +155,22 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, unsigned int nh_off = p_off; struct skb_shared_info *shinfo = skb_shinfo(skb); - /* UFO may not include transport header in gso_size. */ - if (gso_type & SKB_GSO_UDP) + switch (gso_type & ~SKB_GSO_TCP_ECN) { + case SKB_GSO_UDP: + /* UFO may not include transport header in gso_size. */ nh_off -= thlen; + break; + case SKB_GSO_UDP_L4: + if (!(hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM)) + return -EINVAL; + if (skb->csum_offset != offsetof(struct udphdr, check)) + return -EINVAL; + if (skb->len - p_off > gso_size * UDP_MAX_SEGMENTS) + return -EINVAL; + if (gso_type != SKB_GSO_UDP_L4) + return -EINVAL; + break; + } /* Kernel has a special handling for GSO_BY_FRAGS. */ if (gso_size == GSO_BY_FRAGS) From patchwork Mon Sep 9 18:22:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Willem de Bruijn X-Patchwork-Id: 13797409 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-qt1-f176.google.com (mail-qt1-f176.google.com [209.85.160.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8EAFF188CDF; Mon, 9 Sep 2024 18:25:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906316; cv=none; b=ewn+MWQyIJdqNwvje+fRPJ2DS+oq3FYP1Zys9oFqKbs16GjJsveZfx6CV/Ab3x2QajvYFPOdxGhBP4IEGYwwpZs+Bgq1oraFlu3KRAZwBAoyTmAUBo9RzN1X/vPQJBoOa0/G7VrqZeOaIIQTBFM7S0x1aNdL1YMBJsCFBwwOmwk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906316; c=relaxed/simple; bh=sqp3Jb7309g99lM2SaWG66wBurjC2CnfBdhzLNMbQIg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kNrr3KCKNrjC65RrW1bIG6C2rURMppYRX8bcbRP3tS3oybzEI+5vy/3EQjYwcqOhLw5jm9Afgr1ongwtZfvm5LRzbZy09clsgnfF7l/lGNrk/dEPgVZOJ6juo12sX9OrM+G57PqcAapU93/vnb/5uRTXBUf/3ZTzcB55SuRkgK8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AlBqXSvn; arc=none smtp.client-ip=209.85.160.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AlBqXSvn" Received: by mail-qt1-f176.google.com with SMTP id d75a77b69052e-457cfc2106aso28964811cf.2; Mon, 09 Sep 2024 11:25:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725906313; x=1726511113; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=hdqYkffSI1WpSWXJPkr0N2UKeKHDjtAb4mnO6w7K3G0=; b=AlBqXSvnVQCrhCvnQsrbwQbxJpDn/D3oWw2ernlR+TkRBIEprV0Z8ZxrFeQq4/oXg+ CZBpxcSDyhwKpkLLfcesFtIeAVTdJAIyJLB/LhTo1bXgx+2GkJ/3tO8VWGzmUWxtMsiV mPPGwchSaVj1JIEKUDOeNWWlNmw9WNfnZfKqV7bAbSoJUlO62D4lpIFZqJ/D/kvYrKGn nrJuYtepoOdS6BQejpQURrt4DTehzFH+YWP56+1j4dTWDB9d/ApmFU+x4fLADb43R1fO C9fQ5R02WffQBqSSZ+Zh9NneswiTs4z0jGVRHkBopQALZXgWl3iwvNGnYdxZbZs8PRWt PhVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725906313; x=1726511113; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=hdqYkffSI1WpSWXJPkr0N2UKeKHDjtAb4mnO6w7K3G0=; b=oC8CbQ8NXXheLLzIPKCPAV/ElxMfEIXS9XnhhhIePEe7OvJlT4F4LB5g3Rqufg7EsP R3nG5N6ORPpgzBaVKQMTlL4G/3wjUIeAVkaQPJsDmMrccqcmvR73eOnyUB6tP/h+mul5 aBH3S+mlg96zzTon12Gbod9KGVZW5vQDdk7lBQF0HRNC1EouQoCSzh7OQP3L8P5A36in ZtSLrMd2YKGX4UCDN//bqaSWkobJPOurXmM0zbuKz0wqJHqX49ChcN7vGrrMap+yskqo 9fOf+QYvpYcnxxbIsmqjwysTne5V/UxLCPcbnfa8p0j74ZH/2ldVcqNwWFVKxKFxmL/r +s1w== X-Gm-Message-State: AOJu0Yy8eWT6cd8OqaCyVTdL05PAru4usx7xa950TRAg37UGqVm7CR4u gxYClPB0uBumeaJq4cb8aG5CZ0KkHV2FGISTWie/0DjLLQrrfIg14QQTJA== X-Google-Smtp-Source: AGHT+IEjdhwn4B/Dr3o0istglWgnYHr+lKlXlsDSBsRfe/14wykfq0QlbOwmgbXVQzBLwj8Jb2B9FQ== X-Received: by 2002:a05:622a:38a:b0:458:3148:9a50 with SMTP id d75a77b69052e-45831489bacmr63595531cf.51.1725906313388; Mon, 09 Sep 2024 11:25:13 -0700 (PDT) Received: from willemb.c.googlers.com.com (23.67.48.34.bc.googleusercontent.com. [34.48.67.23]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45822e9b231sm22539071cf.47.2024.09.09.11.25.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Sep 2024 11:25:12 -0700 (PDT) From: Willem de Bruijn To: stable@vger.kernel.org Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org, christian@theune.cc, mathieu.tortuyaux@gmail.com, Yuri Benditovich , Willem de Bruijn , "David S. Miller" Subject: [PATCH 5.15 2/4] net: change maximum number of UDP segments to 128 Date: Mon, 9 Sep 2024 14:22:46 -0400 Message-ID: <20240909182506.270136-3-willemdebruijn.kernel@gmail.com> X-Mailer: git-send-email 2.46.0.598.g6f2099f65c-goog In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> References: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Yuri Benditovich [ Upstream commit 1382e3b6a3500c245e5278c66d210c02926f804f ] The commit fc8b2a619469 ("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation") adds check of potential number of UDP segments vs UDP_MAX_SEGMENTS in linux/virtio_net.h. After this change certification test of USO guest-to-guest transmit on Windows driver for virtio-net device fails, for example with packet size of ~64K and mss of 536 bytes. In general the USO should not be more restrictive than TSO. Indeed, in case of unreasonably small mss a lot of segments can cause queue overflow and packet loss on the destination. Limit of 128 segments is good for any practical purpose, with minimal meaningful mss of 536 the maximal UDP packet will be divided to ~120 segments. The number of segments for UDP packets is validated vs UDP_MAX_SEGMENTS also in udp.c (v4,v6), this does not affect quest-to-guest path but does affect packets sent to host, for example. It is important to mention that UDP_MAX_SEGMENTS is kernel-only define and not available to user mode socket applications. In order to request MSS smaller than MTU the applications just uses setsockopt with SOL_UDP and UDP_SEGMENT and there is no limitations on socket API level. Fixes: fc8b2a619469 ("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation") Signed-off-by: Yuri Benditovich Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller [5.15-stable: fix conflict with neighboring but unrelated code from e2a4392b61f6 ("udp: introduce udp->udp_flags") Signed-off-by: Willem de Bruijn --- include/linux/udp.h | 2 +- tools/testing/selftests/net/udpgso.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/udp.h b/include/linux/udp.h index fdf5afb393162..ca31f830b0110 100644 --- a/include/linux/udp.h +++ b/include/linux/udp.h @@ -94,7 +94,7 @@ struct udp_sock { int forward_deficit; }; -#define UDP_MAX_SEGMENTS (1 << 6UL) +#define UDP_MAX_SEGMENTS (1 << 7UL) static inline struct udp_sock *udp_sk(const struct sock *sk) { diff --git a/tools/testing/selftests/net/udpgso.c b/tools/testing/selftests/net/udpgso.c index 7badaf215de28..b02080d09fbc0 100644 --- a/tools/testing/selftests/net/udpgso.c +++ b/tools/testing/selftests/net/udpgso.c @@ -34,7 +34,7 @@ #endif #ifndef UDP_MAX_SEGMENTS -#define UDP_MAX_SEGMENTS (1 << 6UL) +#define UDP_MAX_SEGMENTS (1 << 7UL) #endif #define CONST_MTU_TEST 1500 From patchwork Mon Sep 9 18:22:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Willem de Bruijn X-Patchwork-Id: 13797410 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD858189510; Mon, 9 Sep 2024 18:25:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.170 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906317; cv=none; b=LeUsP145nvCLyjlStbkPqVUOFeuTPZDSLJ+Dzz2JE9NmU2bq7KPOo/3E/rLqTk7cnERWWLtShcSInfwc3D0d4DmMMW2bpayYfddRgTk5nZqb+7lp3e+Goi6PicPxNNyjpjATkwEq3Bf7q+bv/FRbG7ZVvMv/kSwLQ9eS2e4bJ6o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906317; c=relaxed/simple; bh=Ts/Ac+zGB36ykU/Dq1exHp12pcr0yZ5WbwSmbQyya9o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=j8dps/Lay2pUmgHKj/e6ni6tHVRIWDT3NLf077Q04mkL87MKzvTi9eFJpt4g5HySi20G2Hb3jodqNLtkl9DA2xjEAkHaFtzRtcWjj3SZt+TpRZJ82Kk24qKo7lz101esmo/j9nGYCI1eEycQw32bKVBwoJxoeUOojeQF5sCMHa4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=B68+7Tik; arc=none smtp.client-ip=209.85.222.170 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="B68+7Tik" Received: by mail-qk1-f170.google.com with SMTP id af79cd13be357-7a99fd4ea26so192317385a.1; Mon, 09 Sep 2024 11:25:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725906315; x=1726511115; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=pnPu7TX7C3KTRthKNKCdbYSD8w6NB8k+65H1weyCIvA=; b=B68+7TikYM1nv3OFjJrr5q4+Ztuj9JGqQnnV6xG34i9j0jET6DPHAsuVUj2WQenAOU w7wuUkcapUNgh7TkYTRnNzVr1jtgABrH+hTBwm7AxI99GqqjDCpXVULQ+a/xZ01Ad7e3 UT6zG4MhDWovnycrfAHdWtDUxfpcgG5MnPRV9Ze/4qnNpcAeDitRRomkadMkzXTaoCv2 emcQSPE5bhf/Hfa13AktEwcxc+GHo8TBhwriucOZbrjpvx9pION7zv6KgpyP5JwxaSGE 4BsLEFd1srqWJPsuFdd0I5s9lwb4/la29gXwiX9OVvNnAgRiOmv12tBde42mAPvOqaOR CZNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725906315; x=1726511115; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=pnPu7TX7C3KTRthKNKCdbYSD8w6NB8k+65H1weyCIvA=; b=uII1Eg2N/mY643T5EmZA3+9as9+E8SJsVfIG3tjrR8G6zdFKBTpgtFS4JuJtzvsiOg BJFQ8XrOV1sZxibhrgXAC3wTMubuMmX+5Okm1yGyT7zk3vkkgXPrHWC0VpU5zQmrc3we XK0IIpFoIrPMqcuslWBCWao+kkWt7WCF3r2ih1sxuEADM5dh4JPoCmhMUjR3xsqhGM4k yC6XXS7MYoFwOuSfgnaYaBOzsmrYsn/sAJb6qn0oSTdEQTcBLMQzk2PkRVkz7mHnbrsP OjrZsnQ9n9mrE4nQ8aIgtVs0KbXfaWvB+vO1Z5eqz7OGhIWwFDJyQdmjEj6/qyMagXEL PVpQ== X-Gm-Message-State: AOJu0Yz2N+Am5yU1rK5tI5EPDzEPdPFv4i2ZEi5VRv7V1mkop1hCy6QS hfr+P3z9mhm0fcU9DuXe1F2ojyLbsasSvQiyb4SLGQSvaHGoQmvWVw00SQ== X-Google-Smtp-Source: AGHT+IHRPwH5l1L/OckqnB+sOIu0Tf1VjIgCVsP+1q9FVX2DFYm7SzY+9FSeC2KeIZ4f/CilDSm8xA== X-Received: by 2002:a05:622a:5d2:b0:458:a70:d9b5 with SMTP id d75a77b69052e-4581f4753b7mr91610491cf.15.1725906314676; Mon, 09 Sep 2024 11:25:14 -0700 (PDT) Received: from willemb.c.googlers.com.com (23.67.48.34.bc.googleusercontent.com. [34.48.67.23]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45822e9b231sm22539071cf.47.2024.09.09.11.25.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Sep 2024 11:25:14 -0700 (PDT) From: Willem de Bruijn To: stable@vger.kernel.org Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org, christian@theune.cc, mathieu.tortuyaux@gmail.com, Yan Zhai , Willem de Bruijn , Willem de Bruijn , Jason Wang , "David S. Miller" Subject: [PATCH 5.15 3/4] gso: fix dodgy bit handling for GSO_UDP_L4 Date: Mon, 9 Sep 2024 14:22:47 -0400 Message-ID: <20240909182506.270136-4-willemdebruijn.kernel@gmail.com> X-Mailer: git-send-email 2.46.0.598.g6f2099f65c-goog In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> References: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Yan Zhai [ Upstream commit 9840036786d90cea11a90d1f30b6dc003b34ee67 ] Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.") checks DODGY bit for UDP, but for packets that can be fed directly to the device after gso_segs reset, it actually falls through to fragmentation: https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/ This change restores the expected behavior of GSO_UDP_L4 packets. Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.") Suggested-by: Willem de Bruijn Signed-off-by: Yan Zhai Reviewed-by: Willem de Bruijn Acked-by: Jason Wang Signed-off-by: David S. Miller [5.15 stable: clean backport] Signed-off-by: Willem de Bruijn --- net/ipv4/udp_offload.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index c61268849948a..f0bc91af94d7c 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -272,13 +272,20 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, __sum16 check; __be16 newlen; - if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) - return __udp_gso_segment_list(gso_skb, features, is_ipv6); - mss = skb_shinfo(gso_skb)->gso_size; if (gso_skb->len <= sizeof(*uh) + mss) return ERR_PTR(-EINVAL); + if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { + /* Packet is from an untrusted source, reset gso_segs. */ + skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh), + mss); + return NULL; + } + + if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) + return __udp_gso_segment_list(gso_skb, features, is_ipv6); + skb_pull(gso_skb, sizeof(*uh)); /* clear destructor to avoid skb_segment assigning it to tail */ From patchwork Mon Sep 9 18:22:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Willem de Bruijn X-Patchwork-Id: 13797411 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-qt1-f181.google.com (mail-qt1-f181.google.com [209.85.160.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C93481898F1; Mon, 9 Sep 2024 18:25:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.181 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906318; cv=none; b=c3gEB7vKaiTQHGAi/RB+a94wnFLXq26tUB3u0TTCOdXeIe1d5MQVYmidyrVdhnR77NUSDMNSgqD2ehpOq60YKvZbYTQl1nMY7opL103GCqHBgKnKsbUgUmcVFgGVBLOyELKSLFhuVbaGGRtbzx1Mk4vD7MdlVZXtJVerEO3Gr64= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1725906318; c=relaxed/simple; bh=c0UkyO4dRrZt6YTLPCWHFSnlwf8AjfAg1BDn+9MD5Gg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=g8VqT8bgiZvy/plyH6h+8eAOZlQLO4QwE58HBT8ah3Ukfj1TSNxY50+aqOwGa6ZZTIEfCVQODG/6L+TybTSay+q7oSV8pPDu9yD2hrvFzuvoMrAfqM1wbg3F68IMwJTJ/m7vYTuXr/C9wSetXKckkLEHoWDI0Xxz7DHTaYT/Jb8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RqlfvKXU; arc=none smtp.client-ip=209.85.160.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RqlfvKXU" Received: by mail-qt1-f181.google.com with SMTP id d75a77b69052e-45821ebb4e6so14263591cf.2; Mon, 09 Sep 2024 11:25:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725906316; x=1726511116; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RX9Sc+83Yo9dOLkn3aa7t0ygd0a58dUOvhxdQ/fmNtw=; b=RqlfvKXU767vgZ+3a86gEQH9rn1vv4c5gf/fDLLuTCz7OW6NBOSACPnDOTkpQHJ7Hc lGYxxh8eiQJTWR25YeXG1+Pdn+Ifz1mDnNu9DpQLXvZ/L6aqEtKCrFHfKydDj55RIL+9 NhvGtOiOyEXC53tb1iJVtKCpSR7nXqkVeJh7hghafa2ndAUV/twk/29WbbeGU5nufsXQ CZt9WjxSt1h+pl1vLnBU/31O3rHoA3851Cfneiiy40PuCIDmoW/fcyePtH8ps0VT9H9g yrzOyBpA1LiUBLSU1qBIjbK/MMJiz8MJ6uoO76Uxp+LrzYfshEZDzPYz+T+K+/orIDG4 PUfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725906316; x=1726511116; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RX9Sc+83Yo9dOLkn3aa7t0ygd0a58dUOvhxdQ/fmNtw=; b=nSmwQ1ip2EizpT924ly7BrTdP0FIRgGdJvvcINUW6nc4mOZdK8sEwfJ8w54bn+a4gX g9C2r92sisqOaz77sWDS3h3UGZp8U1p7ANaUkVYqbtUzXu7dUmdzo45rmVC+a9tjXRdD H0HLBff6xf5eGPk3yA0+wqCMVcxnTTEot3VQ995UBoRTdpU2J+EOUACpgsxOhBN+ifLD 20dnf4/8W7tGIfhQL3S4J2hbvHfi+ctoBUUzsrv6zIQcV5Quo+umJpbkXci12/UyK3Nh aJRdTIEODicLixRE4RkodF3/U8EmVmD7vzkTZ8inA4JkGLSJMe12xJ9o45mKFCH6APvh OacA== X-Gm-Message-State: AOJu0YyspEkek/NLE74ZLXYyC7eT8Ch8c2FCCs0VTE6Xuqrdya1EVUcy FwwWgq7TXQqYEXIXAqdWGNjJTgwroHRGB+ylreSEHdNuOFsxlB7WEmMPCA== X-Google-Smtp-Source: AGHT+IH8vrfyH4CVR4LmtRFTnHoqZO218qLFkLD5vUp5YoTcjLWB4NFqico01KG9srpvuLW28BZqMw== X-Received: by 2002:a05:622a:6a85:b0:458:2182:b07a with SMTP id d75a77b69052e-4582182b5acmr91986271cf.18.1725906315659; Mon, 09 Sep 2024 11:25:15 -0700 (PDT) Received: from willemb.c.googlers.com.com (23.67.48.34.bc.googleusercontent.com. [34.48.67.23]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45822e9b231sm22539071cf.47.2024.09.09.11.25.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 09 Sep 2024 11:25:14 -0700 (PDT) From: Willem de Bruijn To: stable@vger.kernel.org Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org, christian@theune.cc, mathieu.tortuyaux@gmail.com, Willem de Bruijn , Jakub Kicinski Subject: [PATCH 5.15 4/4] net: drop bad gso csum_start and offset in virtio_net_hdr Date: Mon, 9 Sep 2024 14:22:48 -0400 Message-ID: <20240909182506.270136-5-willemdebruijn.kernel@gmail.com> X-Mailer: git-send-email 2.46.0.598.g6f2099f65c-goog In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> References: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Willem de Bruijn [ Upstream commit 89add40066f9ed9abe5f7f886fe5789ff7e0c50e ] Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Mitigate with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests. Link: https://syzkaller.appspot.com/bug?extid=e1db31216c789f552871 Link: https://lore.kernel.org/netdev/20240723223109.2196886-1-kuba@kernel.org Fixes: e269d79c7d35 ("net: missing check virtio") Cc: stable@vger.kernel.org Signed-off-by: Willem de Bruijn Link: https://patch.msgid.link/20240729201108.1615114-1-willemdebruijn.kernel@gmail.com Signed-off-by: Jakub Kicinski [5.15 stable: clean backport] Signed-off-by: Willem de Bruijn --- include/linux/virtio_net.h | 16 +++++----------- net/ipv4/tcp_offload.c | 3 +++ net/ipv4/udp_offload.c | 4 ++++ 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 137357fb6a574..823e28042f410 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -51,7 +51,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, unsigned int thlen = 0; unsigned int p_off = 0; unsigned int ip_proto; - u64 ret, remainder, gso_size; if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) { @@ -88,16 +87,6 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, u32 off = __virtio16_to_cpu(little_endian, hdr->csum_offset); u32 needed = start + max_t(u32, thlen, off + sizeof(__sum16)); - if (hdr->gso_size) { - gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size); - ret = div64_u64_rem(skb->len, gso_size, &remainder); - if (!(ret && (hdr->gso_size > needed) && - ((remainder > needed) || (remainder == 0)))) { - return -EINVAL; - } - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG; - } - if (!pskb_may_pull(skb, needed)) return -EINVAL; @@ -170,6 +159,11 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (gso_type != SKB_GSO_UDP_L4) return -EINVAL; break; + case SKB_GSO_TCPV4: + case SKB_GSO_TCPV6: + if (skb->csum_offset != offsetof(struct tcphdr, check)) + return -EINVAL; + break; } /* Kernel has a special handling for GSO_BY_FRAGS. */ diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c index fc61cd3fea652..357d3be04f84c 100644 --- a/net/ipv4/tcp_offload.c +++ b/net/ipv4/tcp_offload.c @@ -71,6 +71,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb, if (thlen < sizeof(*th)) goto out; + if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb))) + goto out; + if (!pskb_may_pull(skb, thlen)) goto out; diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c index f0bc91af94d7c..e009247ca7f14 100644 --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -276,6 +276,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb, if (gso_skb->len <= sizeof(*uh) + mss) return ERR_PTR(-EINVAL); + if (unlikely(skb_checksum_start(gso_skb) != + skb_transport_header(gso_skb))) + return ERR_PTR(-EINVAL); + if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) { /* Packet is from an untrusted source, reset gso_segs. */ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),