From: sashiko-bot@kernel.org
To: "Nick Hudson" <nhudson@akamai.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v6 4/6] bpf: allow new DECAP flags and add guard rails
Date: Tue, 05 May 2026 04:14:28 +0000 [thread overview]
Message-ID: <20260505041429.1C62BC2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260504101759.3319427-5-nhudson@akamai.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Omitting the L3 decapsulation mask bypasses skb_dst_drop(), leaving the decapsulated inner packet with the outer tunnel's routing destination.
--
commit 65429a5bdf5c795afb0af1f3ce1b31c6d08218f7
Author: Nick Hudson <nhudson@akamai.com>
bpf: allow new DECAP flags and add guard rails
Add checks to require shrink-only decap, reject conflicting decap flag
combinations, and verify removed length is sufficient for claimed header
decapsulation.
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 1a96d0af1704..04871a57f085 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -3484,6 +3485,12 @@ static u32 bpf_skb_net_base_len(const struct sk_buff *skb)
> #define BPF_F_ADJ_ROOM_DECAP_L3_MASK (BPF_F_ADJ_ROOM_DECAP_L3_IPV4 | \
> BPF_F_ADJ_ROOM_DECAP_L3_IPV6)
>
> +#define BPF_F_ADJ_ROOM_DECAP_L4_MASK (BPF_F_ADJ_ROOM_DECAP_L4_UDP | \
> + BPF_F_ADJ_ROOM_DECAP_L4_GRE)
Does omitting the L3 decapsulation mask bypass skb_dst_drop()?
In bpf_skb_net_shrink(), dropping the stale routing destination cache is
gated by the L3 mask:
bool decap = flags & BPF_F_ADJ_ROOM_DECAP_L3_MASK;
...
if (decap) {
...
if (skb_valid_dst(skb))
skb_dst_drop(skb);
}
The UAPI documentation states that L3 decap flags are "Used when the inner
and outer IP versions are different". This instructs users to omit the L3
flag when decapsulating a tunnel with identical inner and outer IP versions.
If a BPF program follows this and uses BPF_F_ADJ_ROOM_DECAP_L4_UDP without
providing an L3 decap flag, decap evaluates to false.
Could this bypass skb_dst_drop(skb) and cause the newly decapsulated inner
packet to incorrectly inherit the outer tunnel's dst_entry, routing it to
the tunnel endpoint instead of its true destination?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260504101759.3319427-1-nhudson@akamai.com?part=4
next prev parent reply other threads:[~2026-05-05 4:14 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-04 10:17 [PATCH bpf-next v6 0/6] bpf: decap flags and GSO state updates Nick Hudson
2026-05-04 10:17 ` [PATCH v6 1/6] bpf: name the enum for BPF_FUNC_skb_adjust_room flags Nick Hudson
2026-05-04 11:03 ` bot+bpf-ci
2026-05-04 10:17 ` [PATCH v6 2/6] bpf: refactor masks for ADJ_ROOM flags and encap validation Nick Hudson
2026-05-04 11:03 ` bot+bpf-ci
2026-05-19 10:40 ` Hudson, Nick
2026-05-04 17:14 ` Willem de Bruijn
2026-05-04 10:17 ` [PATCH v6 3/6] bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation Nick Hudson
2026-05-04 11:03 ` bot+bpf-ci
2026-05-05 4:14 ` sashiko-bot
2026-05-19 10:45 ` Hudson, Nick
2026-05-04 10:17 ` [PATCH v6 4/6] bpf: allow new DECAP flags and add guard rails Nick Hudson
2026-05-05 4:14 ` sashiko-bot [this message]
2026-05-04 10:17 ` [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path Nick Hudson
2026-05-04 17:15 ` Willem de Bruijn
2026-05-05 4:14 ` sashiko-bot
2026-05-04 10:17 ` [PATCH v6 6/6] selftests/bpf: tc_tunnel - validate decap GSO and encapsulation state Nick Hudson
2026-05-05 4:14 ` sashiko-bot
2026-05-19 10:52 ` Hudson, Nick
2026-05-21 15:49 ` Martin KaFai Lau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505041429.1C62BC2BCB4@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=nhudson@akamai.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.