[5.15,3/4] gso: fix dodgy bit handling for GSO_UDP_L4

Message ID	20240909182506.270136-4-willemdebruijn.kernel@gmail.com (mailing list archive)
State	Not Applicable
Delegated to:	Netdev Maintainers
Headers	show Received: from mail-qk1-f170.google.com (mail-qk1-f170.google.com [209.85.222.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BD858189510; Mon, 9 Sep 2024 18:25:15 +0000 (UTC) From: Willem de Bruijn <willemdebruijn.kernel@gmail.com> To: stable@vger.kernel.org Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org, christian@theune.cc, mathieu.tortuyaux@gmail.com, Yan Zhai <yan@cloudflare.com>, Willem de Bruijn <willemdebruijn.kernel@gmail.com>, Willem de Bruijn <willemb@google.com>, Jason Wang <jasowang@redhat.com>, "David S. Miller" <davem@davemloft.net> Subject: [PATCH 5.15 3/4] gso: fix dodgy bit handling for GSO_UDP_L4 Date: Mon, 9 Sep 2024 14:22:47 -0400 Message-ID: <20240909182506.270136-4-willemdebruijn.kernel@gmail.com> In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> References: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Backport fix for net: missing check virtio \| expand [5.15,0/4] Backport fix for net: missing check virtio [5.15,1/4] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation [5.15,2/4] net: change maximum number of UDP segments to 128 [5.15,3/4] gso: fix dodgy bit handling for GSO_UDP_L4 [5.15,4/4] net: drop bad gso csum_start and offset in virtio_net_hdr

Message ID

20240909182506.270136-4-willemdebruijn.kernel@gmail.com (mailing list archive)

State

Not Applicable

Delegated to:

Netdev Maintainers

Headers

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: stable@vger.kernel.org
Cc: netdev@vger.kernel.org,
	gregkh@linuxfoundation.org,
	christian@theune.cc,
	mathieu.tortuyaux@gmail.com,
	Yan Zhai <yan@cloudflare.com>,
	Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
	Willem de Bruijn <willemb@google.com>,
	Jason Wang <jasowang@redhat.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.15 3/4] gso: fix dodgy bit handling for GSO_UDP_L4
Date: Mon,  9 Sep 2024 14:22:47 -0400
Message-ID: <20240909182506.270136-4-willemdebruijn.kernel@gmail.com>
In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com>
References: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Backport fix for net: missing check virtio | expand

Context	Check	Description
netdev/tree_selection	success	Guessing tree name failed - patch did not apply, async

Context

Check

Description

netdev/tree_selection

success

Guessing tree name failed - patch did not apply, async

Commit Message

Willem de Bruijn Sept. 9, 2024, 6:22 p.m. UTC

From: Yan Zhai <yan@cloudflare.com>

[ Upstream commit 9840036786d90cea11a90d1f30b6dc003b34ee67 ]

Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4
packets.") checks DODGY bit for UDP, but for packets that can be fed
directly to the device after gso_segs reset, it actually falls through
to fragmentation:

https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/

This change restores the expected behavior of GSO_UDP_L4 packets.

Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.")
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

[5.15 stable: clean backport]
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 net/ipv4/udp_offload.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index c61268849948a..f0bc91af94d7c 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -272,13 +272,20 @@  struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
 	__sum16 check;
 	__be16 newlen;
 
-	if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
-		return __udp_gso_segment_list(gso_skb, features, is_ipv6);
-
 	mss = skb_shinfo(gso_skb)->gso_size;
 	if (gso_skb->len <= sizeof(*uh) + mss)
 		return ERR_PTR(-EINVAL);
 
+	if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
+		/* Packet is from an untrusted source, reset gso_segs. */
+		skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),
+							     mss);
+		return NULL;
+	}
+
+	if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
+		return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+
 	skb_pull(gso_skb, sizeof(*uh));
 
 	/* clear destructor to avoid skb_segment assigning it to tail */

[5.15,3/4] gso: fix dodgy bit handling for GSO_UDP_L4

Checks

Commit Message

Patch