From patchwork Tue Mar 11 14:12:32 2025
X-Patchwork-Submitter: Justin Iurman
X-Patchwork-Id: 14011951
X-Patchwork-Delegate: kuba@kernel.org
From: Justin Iurman
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, Ido Schimmel
Subject: [PATCH net 1/7] net: ipv6: ioam6: fix lwtunnel_output() loop
Date: Tue, 11 Mar 2025 15:12:32 +0100
Message-Id: <20250311141238.19862-2-justin.iurman@uliege.be>
In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be>
References: <20250311141238.19862-1-justin.iurman@uliege.be>

Fix the lwtunnel_output() reentry loop in ioam6_iptunnel when the destination is the same after transformation. Note that a check on the destination address was already performed, but it was not enough.

Fixes: 8cb3bf8bff3c ("ipv6: ioam: Add support for the ip6ip6 encapsulation")
Cc: Ido Schimmel
Signed-off-by: Justin Iurman
--- net/ipv6/ioam6_iptunnel.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c index 2c383c12a431..9d7a9be9a4d0 100644
--- a/net/ipv6/ioam6_iptunnel.c +++ b/net/ipv6/ioam6_iptunnel.c @@ -337,7 +337,6 @@ static int ioam6_do_encap(struct net *net, struct sk_buff *skb, static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb) { struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL; - struct in6_addr orig_daddr; struct ioam6_lwt *ilwt; int err = -EINVAL; u32 pkt_cnt; @@ -352,8 +351,6 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb) if (pkt_cnt % ilwt->freq.n >= ilwt->freq.k) goto out; - orig_daddr = ipv6_hdr(skb)->daddr; - local_bh_disable(); cache_dst = dst_cache_get(&ilwt->cache); local_bh_enable(); 
@@ -422,7 +419,10 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb) goto drop; } - if (!ipv6_addr_equal(&orig_daddr, &ipv6_hdr(skb)->daddr)) { + /* avoid lwtunnel_output() reentry loop when destination is the same + * after transformation + */ + if (dst->lwtstate != cache_dst->lwtstate) { skb_dst_drop(skb); skb_dst_set(skb, cache_dst); return dst_output(net, sk, skb);
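Review bot: the new test in ioam6_output(), "if (dst->lwtstate != cache_dst->lwtstate)", compares state pointers, so it only catches the case where the looked-up route carries the very same lwtunnel state as the current one. Two routes with distinct states whose transformations resolve to each other would pass this test on every hop and still re-enter lwtunnel_output() through dst_output(). If that case is out of scope for this patch, say so in the commit message, which currently states only that the address check "was not enough" without describing the configuration that defeats it.
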
From: Justin Iurman
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, Alexander Aring, Ido Schimmel
Subject: [PATCH net 2/7] net: ipv6: rpl: fix lwtunnel_input/output loop
Date: Tue, 11 Mar 2025 15:12:33 +0100
Message-Id: <20250311141238.19862-3-justin.iurman@uliege.be>
In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be>
References: <20250311141238.19862-1-justin.iurman@uliege.be>

Fix the lwtunnel_input() and lwtunnel_output() reentry loop in rpl_iptunnel when the destination is the same after transformation. Some configurations leading to this may be considered pathological, but we don't want the kernel to crash even for these ones.

Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel")
Cc: Alexander Aring
Cc: Ido Schimmel
Signed-off-by: Justin Iurman
--- net/ipv6/rpl_iptunnel.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/net/ipv6/rpl_iptunnel.c b/net/ipv6/rpl_iptunnel.c index 7c05ac846646..dfcc1a79a4ee 100644 --- a/net/ipv6/rpl_iptunnel.c +++ b/net/ipv6/rpl_iptunnel.c @@ -247,6 +247,14 @@ static int rpl_output(struct net *net, struct sock *sk, struct sk_buff *skb) goto drop; } + /* avoid lwtunnel_output() reentry loop when destination is the same + * after transformation + */ + if (orig_dst->lwtstate == dst->lwtstate) { + dst_release(dst); + return orig_dst->lwtstate->orig_output(net, sk, skb); + } + skb_dst_drop(skb); skb_dst_set(skb, dst);
@@ -305,6 +313,12 @@ static int rpl_input(struct sk_buff *skb) skb_dst_set(skb, dst); } + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == dst->lwtstate) + return dst->lwtstate->orig_input(skb); + return dst_input(skb); drop:
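Review bot: the two loop checks leave the skb in different states, and nothing in the patch says whether that is intended. In rpl_output() the equal case releases the new dst and calls orig_output() with the original dst still attached, whereas in rpl_input() the check sits after "skb_dst_set(skb, dst);" in the visible context, so orig_input() runs with the freshly looked-up dst on the skb. Please note the reason next to the rpl_input() check, and prefer "return lwtst->orig_input(skb);" there, since lwtst is the value that was just compared and the form then matches the seg6_local patch of this series.
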
From: Justin Iurman
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, David Lebrun, Andrea Mayer, Stefano Salsano, Ahmed Abdelsalam, Ido Schimmel
Subject: [PATCH net 3/7] net: ipv6: seg6: fix lwtunnel_input/output loop
Date: Tue, 11 Mar 2025 15:12:34 +0100
Message-Id: <20250311141238.19862-4-justin.iurman@uliege.be>
In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be>
References: <20250311141238.19862-1-justin.iurman@uliege.be>

Fix the lwtunnel_input() and lwtunnel_output() reentry loop in seg6_iptunnel when the destination is the same after transformation. Some configurations leading to this may be considered pathological, but we don't want the kernel to crash even for these ones.

The logic in this patch is a bit different from others of this series due to how we deal with nf hooks.

Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Cc: David Lebrun
Cc: Andrea Mayer
Cc: Stefano Salsano
Cc: Ahmed Abdelsalam
Cc: Ido Schimmel
Signed-off-by: Justin Iurman
--- net/ipv6/seg6_iptunnel.c | 37 +++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c index 51583461ae29..a6fce54acfbe 100644 --- a/net/ipv6/seg6_iptunnel.c +++ b/net/ipv6/seg6_iptunnel.c
@@ -467,9 +467,16 @@ static int seg6_input_finish(struct net *net, struct sock *sk, return dst_input(skb); } +static int seg6_input_redirect_finish(struct net *net, struct sock *sk, + struct sk_buff *skb) +{ + return skb_dst(skb)->lwtstate->orig_input(skb); +} + static int seg6_input_core(struct net *net, struct sock *sk, struct sk_buff *skb) { + int (*in_func)(struct net *net, struct sock *sk, struct sk_buff *skb); struct dst_entry *orig_dst = skb_dst(skb); struct dst_entry *dst = NULL; struct lwtunnel_state *lwtst; @@ -515,12 +522,20 @@ static int seg6_input_core(struct net *net, struct sock *sk, skb_dst_set(skb, dst); } + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == dst->lwtstate) + in_func = seg6_input_redirect_finish; + else + in_func = seg6_input_finish; + if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled)) return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, dev_net(skb->dev), NULL, skb, NULL, - skb_dst(skb)->dev, seg6_input_finish); + skb_dst(skb)->dev, in_func); - return seg6_input_finish(dev_net(skb->dev), NULL, skb); + return in_func(dev_net(skb->dev), NULL, skb); drop: kfree_skb(skb); return err; @@ -554,6 +569,7 @@ static int seg6_input(struct sk_buff *skb) static int seg6_output_core(struct net *net, struct sock *sk, struct sk_buff *skb) { + int (*out_func)(struct net *net, struct sock *sk, struct sk_buff *skb); struct dst_entry *orig_dst = skb_dst(skb); struct dst_entry *dst = NULL; struct seg6_lwt *slwt; 
@@ -598,14 +614,23 @@ static int seg6_output_core(struct net *net, struct sock *sk, goto drop; } - skb_dst_drop(skb); - skb_dst_set(skb, dst); + /* avoid lwtunnel_output() reentry loop when destination is the same + * after transformation + */ + if (orig_dst->lwtstate == dst->lwtstate) { + dst_release(dst); + out_func = orig_dst->lwtstate->orig_output; + } else { + skb_dst_drop(skb); + skb_dst_set(skb, dst); + out_func = dst_output; + } if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled)) return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk, skb, - NULL, skb_dst(skb)->dev, dst_output); + NULL, skb_dst(skb)->dev, out_func); - return dst_output(net, sk, skb); + return out_func(net, sk, skb); drop: dst_release(dst); kfree_skb(skb);
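Review bot: seg6_input_redirect_finish() re-reads skb_dst(skb)->lwtstate when it runs, but the decision to use it is taken earlier in seg6_input_core() from "lwtst == dst->lwtstate", before NF_HOOK() is invoked. With nf_hooks_lwtunnel_enabled set, the function runs as the hook's continuation, so it should not assume the skb still carries a dst with that lwtstate; if the dst were replaced in between, the call would go through a NULL or unrelated lwtstate. Either check lwtstate inside seg6_input_redirect_finish() and fall back to dst_input(), or add a comment explaining why the dst cannot change across the hook. The commit message says the logic differs "due to how we deal with nf hooks" and is the natural place to spell this out.
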
From: Justin Iurman
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, David Lebrun, Andrea Mayer, Stefano Salsano, Ahmed Abdelsalam, Mathieu Xhonneux, Ido Schimmel
Subject: [PATCH net 4/7] net: ipv6: seg6_local: fix lwtunnel_input() loop
Date: Tue, 11 Mar 2025 15:12:35 +0100
Message-Id: <20250311141238.19862-5-justin.iurman@uliege.be>
In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be>
References: <20250311141238.19862-1-justin.iurman@uliege.be>

Fix the lwtunnel_input() reentry loop in seg6_local when the destination is the same after transformation. Some configurations leading to this may be considered pathological, but we don't want the kernel to crash even for these ones.

This patch DOES NOT solve the crash reported in [1], it'll be addressed separately as it's a different issue.

[1] https://lore.kernel.org/netdev/2bc9e2079e864a9290561894d2a602d6@akamai.com/

Fixes: 140f04c33bbc ("ipv6: sr: implement several seg6local actions")
Fixes: 891ef8dd2a8d ("ipv6: sr: implement additional seg6local actions")
Fixes: 004d4b274e2a ("ipv6: sr: Add seg6local action End.BPF")
Fixes: 664d6f86868b ("seg6: add support for the SRv6 End.DT4 behavior")
Cc: David Lebrun
Cc: Andrea Mayer
Cc: Stefano Salsano
Cc: Ahmed Abdelsalam
Cc: Mathieu Xhonneux
Cc: Ido Schimmel
Signed-off-by: Justin Iurman
--- net/ipv6/seg6_local.c | 85 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 81 insertions(+), 4 deletions(-) diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c index ac1dbd492c22..15485010cdfb 100644 --- a/net/ipv6/seg6_local.c +++ b/net/ipv6/seg6_local.c
@@ -378,8 +378,16 @@ static void seg6_next_csid_advance_arg(struct in6_addr *addr, static int input_action_end_finish(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; + seg6_lookup_nexthop(skb, NULL, 0); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); } @@ -418,8 +426,16 @@ static int end_next_csid_core(struct sk_buff *skb, struct seg6_local_lwt *slwt) static int input_action_end_x_finish(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; + seg6_lookup_nexthop(skb, &slwt->nh6, 0); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); } @@ -825,6 +841,7 @@ static int input_action_end_x(struct sk_buff *skb, struct seg6_local_lwt *slwt) static int input_action_end_t(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; struct ipv6_sr_hdr *srh; srh = get_and_validate_srh(skb); @@ -835,6 +852,12 @@ static int input_action_end_t(struct sk_buff *skb, struct seg6_local_lwt *slwt) seg6_lookup_nexthop(skb, NULL, slwt->table); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); drop: 
@@ -902,11 +925,11 @@ static int input_action_end_dx2(struct sk_buff *skb, static int input_action_end_dx6_finish(struct net *net, struct sock *sk, struct sk_buff *skb) { - struct dst_entry *orig_dst = skb_dst(skb); + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; struct in6_addr *nhaddr = NULL; struct seg6_local_lwt *slwt; - slwt = seg6_local_lwtunnel(orig_dst->lwtstate); + slwt = seg6_local_lwtunnel(lwtst); /* The inner packet is not associated to any local interface, * so we do not call netif_rx(). @@ -919,6 +942,12 @@ static int input_action_end_dx6_finish(struct net *net, struct sock *sk, seg6_lookup_nexthop(skb, nhaddr, 0); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); } @@ -953,13 +982,13 @@ static int input_action_end_dx6(struct sk_buff *skb, static int input_action_end_dx4_finish(struct net *net, struct sock *sk, struct sk_buff *skb) { - struct dst_entry *orig_dst = skb_dst(skb); + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; enum skb_drop_reason reason; struct seg6_local_lwt *slwt; struct iphdr *iph; __be32 nhaddr; - slwt = seg6_local_lwtunnel(orig_dst->lwtstate); + slwt = seg6_local_lwtunnel(lwtst); iph = ip_hdr(skb); @@ -973,6 +1002,12 @@ static int input_action_end_dx4_finish(struct net *net, struct sock *sk, return -EINVAL; } + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); } @@ -1174,6 +1209,7 @@ static struct sk_buff *end_dt_vrf_core(struct sk_buff *skb, static int input_action_end_dt4(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; enum skb_drop_reason reason; struct iphdr *iph; 
@@ -1197,6 +1233,12 @@ static int input_action_end_dt4(struct sk_buff *skb, if (unlikely(reason)) goto drop; + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); drop: @@ -1255,6 +1297,8 @@ static int seg6_end_dt6_build(struct seg6_local_lwt *slwt, const void *cfg, static int input_action_end_dt6(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; + if (!decap_and_validate(skb, IPPROTO_IPV6)) goto drop; @@ -1279,6 +1323,12 @@ static int input_action_end_dt6(struct sk_buff *skb, */ seg6_lookup_any_nexthop(skb, NULL, 0, true); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); legacy_mode: @@ -1287,6 +1337,12 @@ static int input_action_end_dt6(struct sk_buff *skb, seg6_lookup_any_nexthop(skb, NULL, slwt->table, true); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); drop: @@ -1327,6 +1383,7 @@ static int input_action_end_dt46(struct sk_buff *skb, /* push an SRH on top of the current one */ static int input_action_end_b6(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; struct ipv6_sr_hdr *srh; int err = -EINVAL; @@ -1342,6 +1399,12 @@ static int input_action_end_b6(struct sk_buff *skb, struct seg6_local_lwt *slwt) seg6_lookup_nexthop(skb, NULL, 0); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); drop: 
@@ -1353,6 +1416,7 @@ static int input_action_end_b6(struct sk_buff *skb, struct seg6_local_lwt *slwt) static int input_action_end_b6_encap(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; struct ipv6_sr_hdr *srh; int err = -EINVAL; @@ -1373,6 +1437,12 @@ static int input_action_end_b6_encap(struct sk_buff *skb, seg6_lookup_nexthop(skb, NULL, 0); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); drop: @@ -1411,6 +1481,7 @@ bool seg6_bpf_has_valid_srh(struct sk_buff *skb) static int input_action_end_bpf(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; struct seg6_bpf_srh_state *srh_state; struct ipv6_sr_hdr *srh; int ret; 
@@ -1457,6 +1528,12 @@ static int input_action_end_bpf(struct sk_buff *skb, if (ret != BPF_REDIRECT) seg6_lookup_nexthop(skb, NULL, 0); + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); drop:
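Review bot: the same block (the comment, "if (lwtst == skb_dst(skb)->lwtstate)", "return lwtst->orig_input(skb);") is repeated at each return site touched in seg6_local.c, every time with its own lwtst declaration at function entry. A single static helper that takes the skb and the saved lwtst and returns either lwtst->orig_input(skb) or dst_input(skb) could replace each "return dst_input(skb);" in these handlers, keep the comment in one place and make it harder to miss the check when a new action is added. In input_action_end_bpf() the check also runs when ret == BPF_REDIRECT, where seg6_lookup_nexthop() is skipped; a short comment on whether that is intended would help.
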
From: Justin Iurman
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, Tom Herbert, Ido Schimmel
Subject: [PATCH net 5/7] net: ipv6: ila: fix lwtunnel_output() loop
Date: Tue, 11 Mar 2025 15:12:36 +0100
Message-Id: <20250311141238.19862-6-justin.iurman@uliege.be>
In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be>
References: <20250311141238.19862-1-justin.iurman@uliege.be>

Fix the lwtunnel_output() reentry loop in ila_lwt when the destination is the same after transformation. Some configurations leading to this may be considered pathological, but we don't want the kernel to crash even for these ones.

Fixes: 79ff2fc31e0f ("ila: Cache a route to translated address")
Cc: Tom Herbert
Cc: Ido Schimmel
Signed-off-by: Justin Iurman
--- net/ipv6/ila/ila_lwt.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/ipv6/ila/ila_lwt.c b/net/ipv6/ila/ila_lwt.c index 7d574f5132e2..67f7c7015693 100644 --- a/net/ipv6/ila/ila_lwt.c +++ b/net/ipv6/ila/ila_lwt.c
@@ -96,6 +96,14 @@ static int ila_output(struct net *net, struct sock *sk, struct sk_buff *skb) } } + /* avoid lwtunnel_output() reentry loop when destination is the same + * after transformation + */ + if (orig_dst->lwtstate == dst->lwtstate) { + dst_release(dst); + return orig_dst->lwtstate->orig_output(net, sk, skb); + } + skb_dst_drop(skb); skb_dst_set(skb, dst); return dst_output(net, sk, skb); 
From patchwork Tue Mar 11 14:12:37 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Justin Iurman X-Patchwork-Id: 14011931 X-Patchwork-Delegate: kuba@kernel.org
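Review bot: In the ila_output() hunk of patch 5/7, the new comment says the loop occurs "when destination is the same after transformation", but the condition is "orig_dst->lwtstate == dst->lwtstate", which compares the lwtunnel state and not the dst_entry or the address. Distinct dst entries can carry the same lwtstate, so the comment should describe what is actually tested, for example "when the new dst carries the same lwtstate as the original". The same compare followed by dst_release(dst) also appears in the bpf_lwt_xmit_reroute() hunk of patch 6/7 with a different outcome (-EINVAL there, orig_output() here); a short shared helper for the comparison would keep the callers consistent and give the explanation a single home.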
From: Justin Iurman To: netdev@vger.kernel.org Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, bpf@vger.kernel.org, Guillaume Nault , Sebastian Andrzej Siewior , Menglong Dong , Peter Oskolkov , Ido Schimmel Subject: [PATCH net 6/7] net: core: bpf: fix lwtunnel_input/xmit loop Date: Tue, 11 Mar 2025 15:12:37 +0100 Message-Id: <20250311141238.19862-7-justin.iurman@uliege.be> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be> References: <20250311141238.19862-1-justin.iurman@uliege.be> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org Fix the lwtunnel_input() reentry loop and the lwtunnel_xmit() loop when the destination is the same after transformation. For xmit, we refuse BPF_LWT_REROUTE when dst_entry remains unchanged, since it's considered a buggy configuration and there is no other easy way to prevent the issue. Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c") Cc: bpf@vger.kernel.org Cc: Guillaume Nault Cc: Sebastian Andrzej Siewior Cc: Menglong Dong Cc: Peter Oskolkov Cc: Ido Schimmel Signed-off-by: Justin Iurman --- net/core/lwt_bpf.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index ae74634310a3..5ed849a0b23d 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -88,6 +88,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt, static int bpf_lwt_input_reroute(struct sk_buff *skb) { + struct lwtunnel_state *lwtst = skb_dst(skb)->lwtstate; enum skb_drop_reason reason; int err = -EINVAL; 
@@ -110,6 +111,13 @@ static int bpf_lwt_input_reroute(struct sk_buff *skb) if (err) goto err; + + /* avoid lwtunnel_input() reentry loop when destination is the same + * after transformation + */ + if (lwtst == skb_dst(skb)->lwtstate) + return lwtst->orig_input(skb); + return dst_input(skb); err: @@ -180,6 +188,7 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) struct net_device *l3mdev = l3mdev_master_dev_rcu(skb_dst(skb)->dev); int oif = l3mdev ? l3mdev->ifindex : 0; struct dst_entry *dst = NULL; + struct dst_entry *orig_dst; int err = -EAFNOSUPPORT; struct sock *sk; struct net *net; @@ -201,6 +210,8 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) net = dev_net(skb_dst(skb)->dev); } + orig_dst = skb_dst(skb); + if (ipv4) { struct iphdr *iph = ip_hdr(skb); struct flowi4 fl4 = {}; 
@@ -254,6 +265,16 @@ static int bpf_lwt_xmit_reroute(struct sk_buff *skb) if (unlikely(err)) goto err; + /* avoid lwtunnel_xmit() reentry loop when destination is the same + * after transformation (i.e., disallow BPF_LWT_REROUTE when dst_entry + * remains the same). + */ + if (orig_dst->lwtstate == dst->lwtstate) { + dst_release(dst); + err = -EINVAL; + goto err; + } + skb_dst_drop(skb); skb_dst_set(skb, dst); 
From patchwork Tue Mar 11 14:12:38 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Justin Iurman X-Patchwork-Id: 14011957 X-Patchwork-Delegate: kuba@kernel.org
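Review bot: In the bpf_lwt_input_reroute() hunks of patch 6/7, lwtst is read from skb_dst(skb)->lwtstate at function entry and dereferenced as "lwtst->orig_input(skb)" only after the reroute has run. The lines in between are not part of these hunks, so please say in the comment or the commit message what keeps that lwtunnel_state referenced across the reroute. The check "lwtst == skb_dst(skb)->lwtstate" only shows that the two pointer values match; if a match is meant to imply that the new dst holds a reference on the state, stating that next to the check would make the lifetime argument reviewable.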
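Review bot: In the bpf_lwt_xmit_reroute() hunk at -254,6 +265,16 of patch 6/7, the comment says BPF_LWT_REROUTE is disallowed "when dst_entry remains the same", but the test is "orig_dst->lwtstate == dst->lwtstate", which also rejects a different dst_entry that shares the lwtstate. Please align the comment with the condition. The new -EINVAL exit through the err label is something a BPF program author can now hit with a configuration the commit message calls buggy, so it deserves a sentence in the BPF_LWT_REROUTE documentation to make the resulting drop diagnosable.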
From: Justin Iurman To: netdev@vger.kernel.org Cc: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, justin.iurman@uliege.be, Shuah Khan , linux-kselftest@vger.kernel.org Subject: [PATCH net 7/7] selftests: net: test for lwtunnel dst ref loops Date: Tue, 11 Mar 2025 15:12:38 +0100 Message-Id: <20250311141238.19862-8-justin.iurman@uliege.be> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250311141238.19862-1-justin.iurman@uliege.be> References: <20250311141238.19862-1-justin.iurman@uliege.be> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org As recently specified by commit 0ea09cbf8350 ("docs: netdev: add a note on selftest posting") in net-next, the selftest is therefore shipped in this series. However, this selftest does not really test this series. It needs this series to avoid crashing the kernel. What it really tests, thanks to kmemleak, is what was fixed by the following commits: - commit c71a192976de ("net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels") - commit 92191dd10730 ("net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels") - commit c64a0727f9b1 ("net: ipv6: fix dst ref loop on input in seg6 lwt") - commit 13e55fbaec17 ("net: ipv6: fix dst ref loop on input in rpl lwt") - commit 0e7633d7b95b ("net: ipv6: fix dst ref loop in ila lwtunnel") - commit 5da15a9c11c1 ("net: ipv6: fix missing dst ref drop in ila lwtunnel") Cc: Shuah Khan Cc: linux-kselftest@vger.kernel.org Signed-off-by: Justin Iurman --- tools/testing/selftests/net/Makefile | 1 + tools/testing/selftests/net/config | 2 + .../selftests/net/lwt_dst_cache_ref_loop.sh | 250 ++++++++++++++++++ 3 files changed, 253 insertions(+) create mode 100755 tools/testing/selftests/net/lwt_dst_cache_ref_loop.sh 
diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index 73ee88d6b043..8f32b4f01aee 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -100,6 +100,7 @@ TEST_PROGS += vlan_bridge_binding.sh TEST_PROGS += bpf_offload.py TEST_PROGS += ipv6_route_update_soft_lockup.sh TEST_PROGS += busy_poll_test.sh +TEST_PROGS += lwt_dst_cache_ref_loop.sh # YNL files, must be before "include ..lib.mk" YNL_GEN_FILES := busy_poller netlink-dumps diff --git a/tools/testing/selftests/net/config b/tools/testing/selftests/net/config index 5b9baf708950..61e5116987f3 100644 --- a/tools/testing/selftests/net/config +++ b/tools/testing/selftests/net/config @@ -107,3 +107,5 @@ CONFIG_XFRM_INTERFACE=m CONFIG_XFRM_USER=m CONFIG_IP_NF_MATCH_RPFILTER=m CONFIG_IP6_NF_MATCH_RPFILTER=m +CONFIG_IPV6_ILA=m +CONFIG_IPV6_RPL_LWTUNNEL=y diff --git a/tools/testing/selftests/net/lwt_dst_cache_ref_loop.sh b/tools/testing/selftests/net/lwt_dst_cache_ref_loop.sh new file mode 100755 index 000000000000..9161f16154a5 --- /dev/null +++ b/tools/testing/selftests/net/lwt_dst_cache_ref_loop.sh 
@@ -0,0 +1,250 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0+ +# +# Author: Justin Iurman +# +# WARNING +# ------- +# This is just a dummy script that triggers encap cases with possible dst cache +# reference loops in affected lwt users (see list below). Some cases are +# pathological configurations for simplicity, others are valid. Overall, we +# don't want this issue to happen, no matter what. In order to catch any +# reference loops, kmemleak MUST be used. The results alone are always blindly +# successful, don't rely on them. Note that the following tests may crash the +# kernel if the fix to prevent lwtunnel_{input|output|xmit}() reentry loops is +# not present. +# +# Affected lwt users so far (please update accordingly if needed): +# - ila_lwt (output only) +# - ioam6_iptunnel (output only) +# - rpl_iptunnel (both input and output) +# - seg6_iptunnel (both input and output) + +source lib.sh + +check_compatibility() +{ + setup_ns tmp_node &>/dev/null + if [ $? != 0 ] + then + echo "SKIP: Cannot create netns." + exit $ksft_skip + fi + + ip link add name veth0 netns $tmp_node type veth \ + peer name veth1 netns $tmp_node &>/dev/null + local ret=$? + + ip -netns $tmp_node link set veth0 up &>/dev/null + ret=$((ret + $?)) + + ip -netns $tmp_node link set veth1 up &>/dev/null + ret=$((ret + $?)) + + if [ $ret != 0 ] + then + echo "SKIP: Cannot configure links." + cleanup_ns $tmp_node + exit $ksft_skip + fi + + lsmod 2>/dev/null | grep -q "ila" + ila_lsmod=$? 
+ [ $ila_lsmod != 0 ] && modprobe ila &>/dev/null + + ip -netns $tmp_node route add 2001:db8:1::/64 \ + encap ila 1:2:3:4 csum-mode no-action ident-type luid hook-type output \ + dev veth0 &>/dev/null + + ip -netns $tmp_node route add 2001:db8:2::/64 \ + encap ioam6 trace prealloc type 0x800000 ns 0 size 4 dev veth0 &>/dev/null + + ip -netns $tmp_node route add 2001:db8:3::/64 \ + encap rpl segs 2001:db8:3::1 dev veth0 &>/dev/null + + ip -netns $tmp_node route add 2001:db8:4::/64 \ + encap seg6 mode inline segs 2001:db8:4::1 dev veth0 &>/dev/null + + ip -netns $tmp_node -6 route 2>/dev/null | grep -q "encap ila" + skip_ila=$? + + ip -netns $tmp_node -6 route 2>/dev/null | grep -q "encap ioam6" + skip_ioam6=$? + + ip -netns $tmp_node -6 route 2>/dev/null | grep -q "encap rpl" + skip_rpl=$? + + ip -netns $tmp_node -6 route 2>/dev/null | grep -q "encap seg6" + skip_seg6=$? + + cleanup_ns $tmp_node +} + +setup() +{ + setup_ns alpha beta gamma &>/dev/null + + ip link add name veth-alpha netns $alpha type veth \ + peer name veth-betaL netns $beta &>/dev/null + ip link add name veth-betaR netns $beta type veth \ + peer name veth-gamma netns $gamma &>/dev/null + + ip -netns $alpha link set veth-alpha name veth0 &>/dev/null + ip -netns $beta link set veth-betaL name veth0 &>/dev/null + ip -netns $beta link set veth-betaR name veth1 &>/dev/null + ip -netns $gamma link set veth-gamma name veth0 &>/dev/null + + ip -netns $alpha addr add 2001:db8:1::2/64 dev veth0 &>/dev/null + ip -netns $alpha link set veth0 up &>/dev/null + ip -netns $alpha link set lo up &>/dev/null + ip -netns $alpha route add 2001:db8:2::/64 \ + via 2001:db8:1::1 dev veth0 &>/dev/null + + ip -netns $beta addr add 2001:db8:1::1/64 dev veth0 &>/dev/null + ip -netns $beta addr add 2001:db8:2::1/64 dev veth1 &>/dev/null + ip -netns $beta link set veth0 up &>/dev/null + ip -netns $beta link set veth1 up &>/dev/null + ip -netns $beta link set lo up &>/dev/null + ip -netns $beta route del 2001:db8:2::/64 + ip 
-netns $beta route add 2001:db8:2::/64 dev veth1 + ip netns exec $beta sysctl -wq net.ipv6.conf.all.forwarding=1 &>/dev/null + + ip -netns $gamma addr add 2001:db8:2::2/64 dev veth0 &>/dev/null + ip -netns $gamma link set veth0 up &>/dev/null + ip -netns $gamma link set lo up &>/dev/null + ip -netns $gamma route add 2001:db8:1::/64 \ + via 2001:db8:2::1 dev veth0 &>/dev/null + + sleep 1 + + ip netns exec $alpha ping6 -c 5 -W 1 2001:db8:2::2 &>/dev/null + if [ $? != 0 ] + then + echo "SKIP: Setup failed." + cleanup + exit $ksft_skip + fi + + sleep 1 +} + +cleanup() +{ + cleanup_ns $alpha $beta $gamma + [ $ila_lsmod != 0 ] && modprobe -r ila &>/dev/null +} + +run_ila() +{ + if [ $skip_ila != 0 ] + then + echo "SKIP: ila (output)" + return + fi + + ip -netns $beta route del 2001:db8:2::/64 + + ip -netns $beta route add 2001:db8:2:0:0:0:0:2/128 \ + encap ila 2001:db8:2:0 csum-mode no-action ident-type luid hook-type output \ + dev veth1 &>/dev/null + sleep 1 + + echo "TEST: ila (output)" + ip netns exec $beta ping6 -c 2 -W 1 2001:db8:2::2 &>/dev/null + sleep 1 + + ip -netns $beta route del 2001:db8:2:0:0:0:0:2/128 + ip -netns $beta route add 2001:db8:2::/64 dev veth1 + sleep 1 +} + +run_ioam6() +{ + if [ $skip_ioam6 != 0 ] + then + echo "SKIP: ioam6 (output)" + return + fi + + ip -netns $beta route change 2001:db8:2::/64 \ + encap ioam6 trace prealloc type 0x800000 ns 1 size 4 \ + dev veth1 &>/dev/null + sleep 1 + + echo "TEST: ioam6 (output)" + ip netns exec $beta ping6 -c 2 -W 1 2001:db8:2::2 &>/dev/null + sleep 1 +} + +run_rpl() +{ + if [ $skip_rpl != 0 ] + then + echo "SKIP: rpl (input)" + echo "SKIP: rpl (output)" + return + fi + + ip -netns $beta route change 2001:db8:2::/64 \ + encap rpl segs 2001:db8:2::2 \ + dev veth1 &>/dev/null + sleep 1 + + echo "TEST: rpl (input)" + ip netns exec $alpha ping6 -c 2 -W 1 2001:db8:2::2 &>/dev/null + sleep 1 + + echo "TEST: rpl (output)" + ip netns exec $beta ping6 -c 2 -W 1 2001:db8:2::2 &>/dev/null + sleep 1 +} + +run_seg6() 
+{ + if [ $skip_seg6 != 0 ] + then + echo "SKIP: seg6 (input)" + echo "SKIP: seg6 (output)" + return + fi + + ip -netns $beta route change 2001:db8:2::/64 \ + encap seg6 mode inline segs 2001:db8:2::2 \ + dev veth1 &>/dev/null + sleep 1 + + echo "TEST: seg6 (input)" + ip netns exec $alpha ping6 -c 2 -W 1 2001:db8:2::2 &>/dev/null + sleep 1 + + echo "TEST: seg6 (output)" + ip netns exec $beta ping6 -c 2 -W 1 2001:db8:2::2 &>/dev/null + sleep 1 +} + +run() +{ + run_ila + run_ioam6 + run_rpl + run_seg6 +} + +if [ "$(id -u)" -ne 0 ] +then + echo "SKIP: Need root privileges." + exit $ksft_skip +fi + +if [ ! -x "$(command -v ip)" ] +then + echo "SKIP: Could not run test without ip tool." + exit $ksft_skip +fi + +check_compatibility +setup +run +cleanup + +exit $ksft_pass
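Review bot: In the tools/testing/selftests/net/config hunk of patch 7/7, only CONFIG_IPV6_ILA=m and CONFIG_IPV6_RPL_LWTUNNEL=y are added, while the script header states that kmemleak MUST be used and the script also exercises ioam6 and seg6 encaps. The four context lines do not show whether the kmemleak, ioam6 and seg6 lwtunnel options are already present in this file. If they are not, add them in this hunk; otherwise those cases print SKIP, or the run has no way to catch a reference loop.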
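Review bot: In lwt_dst_cache_ref_loop.sh, the script ends with an unconditional "exit $ksft_pass" and never consults kmemleak, so, as its own WARNING block says, the result carries no signal; consider at least printing SKIP and exiting with $ksft_skip when kmemleak is not available, so that CI does not record a pass for a run that could not detect anything. Two smaller points: in check_compatibility(), "lsmod 2>/dev/null | grep -q "ila"" matches any lsmod line containing "ila", so ila_lsmod can be 0 when the ila module is not loaded and the modprobe / modprobe -r pair is then skipped; match the module name exactly (for example grep -qw ila). And there is no trap that calls cleanup(), so an interrupted run leaves the alpha, beta and gamma namespaces behind.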