From patchwork Fri Jun 4 01:52:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Maciej_=C5=BBenczykowski?= X-Patchwork-Id: 454579 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7687AC47096 for ; Fri, 4 Jun 2021 01:54:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 518BC613C9 for ; Fri, 4 Jun 2021 01:54:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230131AbhFDBzv (ORCPT ); Thu, 3 Jun 2021 21:55:51 -0400 Received: from mail-pf1-f180.google.com ([209.85.210.180]:36353 "EHLO mail-pf1-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229576AbhFDBzu (ORCPT ); Thu, 3 Jun 2021 21:55:50 -0400 Received: by mail-pf1-f180.google.com with SMTP id c12so6340500pfl.3; Thu, 03 Jun 2021 18:53:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=wBg06JBpiPCzgvoJ4HY+DQglchFViQwPvQYbexv1VvI=; b=J7CZDMGflxAkoaz4zNQRN/MDQCXtr/sHow7cgB8Jr2WGgwjl7Tu6ycwSbc0rQGZ8+9 nh2AI1LIeI/KM6bQifGDyjVaQD3SAU9Dfs/nAU1cybc8ntJrKFQ12qlJ2Zu9Sql10ETA chUwj0v15TsD6QEp8QvRawmAAE+IviEQ4zMRkmcUhDd3/Egbcc5KEWOT6bT8mYR8GQn+ DliO/Xc5Xcg0Grg/evOo/AoUEZomnithpuEO3ZeaalyPyd5UT3j0HAiFgg4epXkZgUAk xh+xy5aWWY6X63hFVRukALs7t8vaCJIv/n5mWSjFnGIRtzzGfJAmm6g7HBz23B60Uqe9 rBtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=wBg06JBpiPCzgvoJ4HY+DQglchFViQwPvQYbexv1VvI=; b=tn15DPw9Rmu0NLiKK6UifBMn4zVHjyTmWuRmp/VRdl3gD7sxbf4zI5AoOFWhGQSZKk 772o9+APyf4PRA2U27Eiy6IIVff5HLYOsdQpBE9fkxoN8IScFNOxHWHTC8Od1XdLx3af U8oyXpqvYlX6qv9+FFvUxTWifWtxWucTeEnhW1sQCBr4ZKYIfg4NfpxaXaRzIAXiGX8/ X7zMWUm48aNXGlPtBCF8H7KpZVTDaCao7G1PKmSeT/1FHnaV4jWLyNf2GKYovlegdYOQ bpEExwtW5Ct0oR90FXCNj6Z22CPQGBzMp4/UJIyIYvG33EKYSrzbanUTQdV4V2aGRzdK 8hKw== X-Gm-Message-State: AOAM531HorAYiN0h8y14qZMzoaRTVvl7yWweeeQgOsVLdmDA/wnTD0bc 8N+DPFnoARZ9e+qx9/EHRtc= X-Google-Smtp-Source: ABdhPJyLezzkJaJdoYuq76C9UPYY5C26bq1ehr7BHzIkk1tSJGa9IAH93tWSh1xjdPcekd79SMsnlw== X-Received: by 2002:a63:581c:: with SMTP id m28mr2353577pgb.353.1622771570513; Thu, 03 Jun 2021 18:52:50 -0700 (PDT) Received: from athina.mtv.corp.google.com ([2620:15c:211:0:c45:b07d:e001:d01]) by smtp.gmail.com with ESMTPSA id c130sm274502pfc.51.2021.06.03.18.52.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Jun 2021 18:52:49 -0700 (PDT) From: =?utf-8?q?Maciej_=C5=BBenczykowski?= To: =?utf-8?q?Maciej_=C5=BBenczykowski?= , Alexei Starovoitov , Daniel Borkmann Cc: Linux Network Development Mailing List , Linux Kernel Mailing List , BPF Mailing List , "David S . Miller" , Dongseok Yi , Willem de Bruijn Subject: [PATCH bpf-next 1/2] Revert "bpf: Check for BPF_F_ADJ_ROOM_FIXED_GSO when bpf_skb_change_proto" Date: Thu, 3 Jun 2021 18:52:37 -0700 Message-Id: <20210604015238.2422145-1-zenczykowski@gmail.com> X-Mailer: git-send-email 2.32.0.rc1.229.g3e70b5a671-goog MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Maciej Żenczykowski This reverts commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e. See the followup commit for the reasoning why I believe the appropriate approach is to simply make this change without a flag, but it can basically be summarized as using this helper without the flag is bug-prone or outright buggy, and thus the default should be this new behaviour. As this commit has only made it into net-next/master, but not into any real release, such a backwards incompatible change is still ok. Cc: Dongseok Yi Cc: Daniel Borkmann Cc: Willem de Bruijn Signed-off-by: Maciej Żenczykowski --- net/core/filter.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index caa88955562e..04848de3e058 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -3235,7 +3235,7 @@ static int bpf_skb_net_hdr_pop(struct sk_buff *skb, u32 off, u32 len) return ret; } -static int bpf_skb_proto_4_to_6(struct sk_buff *skb, u64 flags) +static int bpf_skb_proto_4_to_6(struct sk_buff *skb) { const u32 len_diff = sizeof(struct ipv6hdr) - sizeof(struct iphdr); u32 off = skb_mac_header_len(skb); @@ -3264,9 +3264,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb, u64 flags) } /* Due to IPv6 header, MSS needs to be downgraded. */ - if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) - skb_decrease_gso_size(shinfo, len_diff); - + skb_decrease_gso_size(shinfo, len_diff); /* Header must be checked, and gso_segs recomputed. */ shinfo->gso_type |= SKB_GSO_DODGY; shinfo->gso_segs = 0; @@ -3278,7 +3276,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb, u64 flags) return 0; } -static int bpf_skb_proto_6_to_4(struct sk_buff *skb, u64 flags) +static int bpf_skb_proto_6_to_4(struct sk_buff *skb) { const u32 len_diff = sizeof(struct ipv6hdr) - sizeof(struct iphdr); u32 off = skb_mac_header_len(skb); @@ -3307,9 +3305,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb, u64 flags) } /* Due to IPv4 header, MSS can be upgraded. */ - if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) - skb_increase_gso_size(shinfo, len_diff); - + skb_increase_gso_size(shinfo, len_diff); /* Header must be checked, and gso_segs recomputed. */ shinfo->gso_type |= SKB_GSO_DODGY; shinfo->gso_segs = 0; @@ -3321,17 +3317,17 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb, u64 flags) return 0; } -static int bpf_skb_proto_xlat(struct sk_buff *skb, __be16 to_proto, u64 flags) +static int bpf_skb_proto_xlat(struct sk_buff *skb, __be16 to_proto) { __be16 from_proto = skb->protocol; if (from_proto == htons(ETH_P_IP) && to_proto == htons(ETH_P_IPV6)) - return bpf_skb_proto_4_to_6(skb, flags); + return bpf_skb_proto_4_to_6(skb); if (from_proto == htons(ETH_P_IPV6) && to_proto == htons(ETH_P_IP)) - return bpf_skb_proto_6_to_4(skb, flags); + return bpf_skb_proto_6_to_4(skb); return -ENOTSUPP; } @@ -3341,7 +3337,7 @@ BPF_CALL_3(bpf_skb_change_proto, struct sk_buff *, skb, __be16, proto, { int ret; - if (unlikely(flags & ~(BPF_F_ADJ_ROOM_FIXED_GSO))) + if (unlikely(flags)) return -EINVAL; /* General idea is that this helper does the basic groundwork @@ -3361,7 +3357,7 @@ BPF_CALL_3(bpf_skb_change_proto, struct sk_buff *, skb, __be16, proto, * that. For offloads, we mark packet as dodgy, so that headers * need to be verified first. */ - ret = bpf_skb_proto_xlat(skb, proto, flags); + ret = bpf_skb_proto_xlat(skb, proto); bpf_compute_data_pointers(skb); return ret; } From patchwork Fri Jun 4 01:52:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Maciej_=C5=BBenczykowski?= X-Patchwork-Id: 455040 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A383EC47097 for ; Fri, 4 Jun 2021 01:53:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7C9F661404 for ; Fri, 4 Jun 2021 01:53:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229932AbhFDByw (ORCPT ); Thu, 3 Jun 2021 21:54:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52150 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229576AbhFDByv (ORCPT ); Thu, 3 Jun 2021 21:54:51 -0400 Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 65D08C06174A; Thu, 3 Jun 2021 18:52:52 -0700 (PDT) Received: by mail-pf1-x431.google.com with SMTP id z26so6315018pfj.5; Thu, 03 Jun 2021 18:52:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=rWOwslvWBfTdFK9pe5secWd9IFRH1Q9FtXwAnGwKEVU=; b=sERKOkseJBRpIlw6qDLx8DFOEh7xSh2tdQM+Vo5MzEGDxDraN0bj2YqlkkP1jS7OGc kDOjIN6Qke/N9oLTDBHCS2++/qtDB5Ly1wGl/N8zSXaEOQZ/nb8HvSZA2TQl70aGeuCz SAS9Elr+OVzQ3bXqs4kerFIXfsHwOlo8wG0FP6Kx7GaRf2wP0T2BRV+ZbOvNyzI6XPH1 tSpSD9pNSeCCdCvD3EI67q0WIOmN7H9Y43IyiAtDrczWQkisvZeswu/23IfxqlRzfoVw Ty5eyzuqWbZFkspyMyDnNsvuPhHV20oVKB9OSLCOusyLsShDCSvmuzPzHJknIh3kkRPv Fsjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rWOwslvWBfTdFK9pe5secWd9IFRH1Q9FtXwAnGwKEVU=; b=EX5ni06SfqkyoS5TnWC1Qw0MvrOca1n/Kh8pB3ik2aR84LaHr7d6DYuvl6ysePv6tt 3gf11GOnss3rG2wn/Q2yjfXhYkdMBU9kZT2f+B61tUdafsDo2y1ByqyCqzrvYdpZVfAe NqjgRlx+QyEQ3bnCRLtAHMpQEixlpOevIsHHBitBmCaSwmzfCXSuQRPEjSi74RTcWoDt 9cgQjihghbxva/4I9MbyqkoiAzY6K1i1VEv024Sfz9qZTS2OrEsmFDvFDDBMEkyXjguS DSz1W7RZA5wF+IvHOkoa0JhBUsKHzt8RgctzOvp2hY+y8jzigWn+Fl4+XfE/RrGgcQg/ 7cYw== X-Gm-Message-State: AOAM533D3EQXHDpazgr31pSUbhvj/aLf8DbBUfeoJm5eDvpAT1zarrVh HLU001zvoRNLVcpgEmvvpG6z/Urkugt+2Q== X-Google-Smtp-Source: ABdhPJybdLpn0UL/mudtnYCe9s2xDSm14wNZs+O3lI07HkGz4EpjbQPQRiVyfHDdEl8aThnW5TMLGQ== X-Received: by 2002:a63:7945:: with SMTP id u66mr2352213pgc.200.1622771571862; Thu, 03 Jun 2021 18:52:51 -0700 (PDT) Received: from athina.mtv.corp.google.com ([2620:15c:211:0:c45:b07d:e001:d01]) by smtp.gmail.com with ESMTPSA id c130sm274502pfc.51.2021.06.03.18.52.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Jun 2021 18:52:51 -0700 (PDT) From: =?utf-8?q?Maciej_=C5=BBenczykowski?= To: =?utf-8?q?Maciej_=C5=BBenczykowski?= , Alexei Starovoitov , Daniel Borkmann Cc: Linux Network Development Mailing List , Linux Kernel Mailing List , BPF Mailing List , "David S . Miller" , Dongseok Yi , Willem de Bruijn Subject: [PATCH bpf-next 2/2] bpf: do not change gso_size during bpf_skb_change_proto() Date: Thu, 3 Jun 2021 18:52:38 -0700 Message-Id: <20210604015238.2422145-2-zenczykowski@gmail.com> X-Mailer: git-send-email 2.32.0.rc1.229.g3e70b5a671-goog In-Reply-To: <20210604015238.2422145-1-zenczykowski@gmail.com> References: <20210604015238.2422145-1-zenczykowski@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Maciej Żenczykowski This is technically a backwards incompatible change in behaviour, but I'm going to argue that it is very unlikely to break things, and likely to fix *far* more then it breaks. In no particular order, various reasons follow: (a) I've long had a bug assigned to myself to debug a super rare kernel crash on Android Pixel phones which can (per stacktrace) be traced back to bpf clat ipv6 to ipv4 protocol conversion causing some sort of ugly failure much later on during transmit deep in the GSO engine, AFAICT precisely because of this change to gso_size, though I've never been able to manually reproduce it. I believe it may be related to the particular network offload support of attached usb ethernet dongle being used for tethering off of an IPv6-only cellular connection. The reason might be we end up with more segments than max permitted, or with a gso packet with only one segment... (either way we break some assumption and hit a BUG_ON) (b) There is no check that the gso_size is > 20 when reducing it by 20, so we might end up with a negative (or underflowing) gso_size or a gso_size of 0. This can't possibly be good. Indeed this is probably somehow exploitable (or at least can result in a kernel crash) by delivering crafted packets and perhaps triggering an infinite loop or a divide by zero... As a reminder: gso_size (mss) is related to mtu, but not directly derived from it: gso_size/mss may be significantly smaller then one would get by deriving from local mtu. And on some nics (which do loose mtu checking on receive, it may even potentially be larger, for example my work pc with 1500 mtu can receive 1520 byte frames [and sometimes does due to bugs in a vendor plat46 implementation]). Indeed even just going from 21 to 1 is potentially problematic because it increases the number of segments by a factor of 21 (think DoS, or some other crash due to too many segments). (c) It's always safe to not increase the gso_size, because it doesn't result in the max packet size increasing. So the skb_increase_gso_size() call was always unnecessary for correctness (and outright undesirable, see later). As such the only part which is potentially dangerous (ie. could cause backwards compatibility issues) is the removal of the skb_decrease_gso_size() call. (d) If the packets are ultimately destined to the local device, then there is absolutely no benefit to playing around with gso_size. It only matters if the packets will egress the device. ie. we're either forwarding, or transmitting from the device. (e) This logic only triggers for packets which are GSO. It does not trigger for skbs which are not GSO. It will not convert a non-GSO mtu sized packet into a GSO packet (and you don't even know what the mtu is, so you can't even fix it). As such your transmit path must *already* be able to handle an mtu 20 bytes larger then your receive path (for ipv4 to ipv6 translation) - and indeed 28 bytes larger due to ipv4 fragments. Thus removing the skb_decrease_gso_size() call doesn't actually increase the size of the packets your transmit side must be able to handle. ie. to handle non-GSO max-mtu packets, the ipv4/ipv6 device/route mtus must already be set correctly. Since for example with an ipv4 egress mtu of 1500, ipv4 to ipv6 translation will already build 1520 byte ipv6 frames, so you need a 1520 byte device mtu. This means if your ipv6 device's egress mtu is 1280, your ipv4 route must be 1260 (and actually 1252, because of the need to handle fragments). This is to handle normal non-GSO packets. Thus the reduction is simply not needed for GSO packets, because when they're correctly built, they will already be the right size. (f) TSO/GSO should be able to exactly undo GRO: the number of packets (TCP segments) should not be modified, so that TCP's mss counting works correctly (this matters for congestion control). If protocol conversion changes the gso_size, then the number of TCP segments may increase or decrease. Packet loss after protocol conversion can result in partial loss of mss segments that the sender sent. How's the sending TCP stack going to react to receiving ACKs/SACKs in the middle of the segments it sent? (g) skb_{decrease,increase}_gso_size() are already no-ops for GSO_BY_FRAGS case (besides triggering WARN_ON_ONCE). This means you already cannot guarantee that gso_size (and thus resulting packet mtu) is changed. ie. you must assume it won't be changed. (h) changing gso_size is outright buggy for UDP GSO packets, where framing matters (I believe that's also the case for SCTP, but it's already excluded by [g]). So the only remaining case is TCP, which also doesn't want it (see [f]). (i) see also the reasoning on the previous attempt at fixing this (commit fa7b83bf3b156c767f3e4a25bbf3817b08f3ff8e) which shows that the current behaviour causes TCP packet loss: In the forwarding path GRO -> BPF 6 to 4 -> GSO for TCP traffic, the coalesced packet payload can be > MSS, but < MSS + 20. bpf_skb_proto_6_to_4() will upgrade the MSS and it can be > the payload length. After then tcp_gso_segment checks for the payload length if it is <= MSS. The condition is causing the packet to be dropped. tcp_gso_segment(): [...] mss = skb_shinfo(skb)->gso_size; if (unlikely(skb->len <= mss)) goto out; [...] Thus changing the gso_size is simply a very bad idea. Increasing is unnecessary and buggy, and decreasing can go negative. Cc: Dongseok Yi Cc: Daniel Borkmann Cc: Willem de Bruijn Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") Signed-off-by: Maciej Żenczykowski --- net/core/filter.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index 04848de3e058..953b6c31b803 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -3263,8 +3263,6 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb) shinfo->gso_type |= SKB_GSO_TCPV6; } - /* Due to IPv6 header, MSS needs to be downgraded. */ - skb_decrease_gso_size(shinfo, len_diff); /* Header must be checked, and gso_segs recomputed. */ shinfo->gso_type |= SKB_GSO_DODGY; shinfo->gso_segs = 0; @@ -3304,8 +3302,6 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb) shinfo->gso_type |= SKB_GSO_TCPV4; } - /* Due to IPv4 header, MSS can be upgraded. */ - skb_increase_gso_size(shinfo, len_diff); /* Header must be checked, and gso_segs recomputed. */ shinfo->gso_type |= SKB_GSO_DODGY; shinfo->gso_segs = 0;