Re: [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Nick Hudson" <nhudson@akamai.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path
Date: Tue, 05 May 2026 04:14:29 +0000	[thread overview]
Message-ID: <20260505041430.55823C2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260504101759.3319427-6-nhudson@akamai.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] The patch fails to clear SKB_GSO_TUNNEL_REMCSUM when decapsulating UDP or GRE tunnels, leaving the SKB in a corrupted GSO state.
- [High] Unconditionally clearing `skb->encapsulation` for non-GSO packets breaks hardware ESP offloads for non-GSO ESP-in-UDP packets.
--

commit 531781236d1767d9010b79132e818c1dd8e04a3e
Author: Nick Hudson <nhudson@akamai.com>

bpf: clear decap state on skb_adjust_room shrink path

This commit updates bpf_skb_adjust_room() to selectively clear decapsulation
state when shrinking the skb. For GSO packets, it removes only the gso_type
bits corresponding to the requested decap layer and clears skb->encapsulation
if no tunnel bits remain. For non-GSO packets, it unconditionally clears
skb->encapsulation.

> diff --git a/net/core/filter.c b/net/core/filter.c
> index 04871a57f085..ff1c936bb46d 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
[ ... ]
> @@ -3666,9 +3666,48 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 off, u32 len_diff,
>  		if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO))
>  			skb_increase_gso_size(shinfo, len_diff);
>  
> +		/* Selective GSO flag clearing based on decap type.
> +		 * Only clear the flags for the tunnel layer being removed.
> +		 */
> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_L4_UDP) &&
> +		    (shinfo->gso_type & (SKB_GSO_UDP_TUNNEL |
> +					 SKB_GSO_UDP_TUNNEL_CSUM)))
> +			shinfo->gso_type &= ~(SKB_GSO_UDP_TUNNEL |
> +					      SKB_GSO_UDP_TUNNEL_CSUM);
> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_L4_GRE) &&
> +		    (shinfo->gso_type & (SKB_GSO_GRE | SKB_GSO_GRE_CSUM)))
> +			shinfo->gso_type &= ~(SKB_GSO_GRE |
> +					      SKB_GSO_GRE_CSUM);

When decapsulating a tunnel that uses Remote Checksum Offload (like FOU or
VXLAN), the SKB has both the tunnel GSO flag and SKB_GSO_TUNNEL_REMCSUM set
in shinfo->gso_type.

Does this code leave SKB_GSO_TUNNEL_REMCSUM set when decapsulating these UDP
or GRE tunnels?

> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_IPXIP4) &&
> +		    (shinfo->gso_type & SKB_GSO_IPXIP4))
> +			shinfo->gso_type &= ~SKB_GSO_IPXIP4;
> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_IPXIP6) &&
> +		    (shinfo->gso_type & SKB_GSO_IPXIP6))
> +			shinfo->gso_type &= ~SKB_GSO_IPXIP6;
> +
> +		/* Clear encapsulation flag only when no tunnel GSO flags remain */
> +		if (flags & (BPF_F_ADJ_ROOM_DECAP_L4_MASK |
> +			     BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK)) {
> +			if (!(shinfo->gso_type & (SKB_GSO_UDP_TUNNEL |
> +						  SKB_GSO_UDP_TUNNEL_CSUM |
> +						  SKB_GSO_GRE |
> +						  SKB_GSO_GRE_CSUM |
> +						  SKB_GSO_IPXIP4 |
> +						  SKB_GSO_IPXIP6 |
> +						  SKB_GSO_ESP)))
> +				if (skb->encapsulation)
> +					skb->encapsulation = 0;

Because the exclusionary mask above doesn't include SKB_GSO_TUNNEL_REMCSUM (or
SKB_GSO_PARTIAL), will this check evaluate to true and incorrectly execute
skb->encapsulation = 0 if a remote checksum flag is the only one remaining?

Could this leave the SKB in a corrupted GSO state with a tunnel remote
checksum flag active but skb->encapsulation == 0, potentially leading to
incorrect checksum calculations, out-of-bounds inner header accesses, or
kernel panics during GSO segmentation?

> +		}
> +
>  		/* Header must be checked, and gso_segs recomputed. */
>  		shinfo->gso_type |= SKB_GSO_DODGY;
>  		shinfo->gso_segs = 0;
> +	} else {
> +		/* For non-GSO packets, clear encapsulation if decap flags are set */
> +		if ((flags & (BPF_F_ADJ_ROOM_DECAP_L4_MASK |
> +			      BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK)) &&
> +		    skb->encapsulation)
> +			skb->encapsulation = 0;
>  	}

The commit message notes the goal of keeping encapsulation set for cases like
ESP-in-UDP where tunnel state remains. Does unconditionally clearing
skb->encapsulation here for non-GSO packets break hardware ESP offloads for
non-GSO ESP-in-UDP packets?

Hardware NIC drivers and the IPsec stack (such as xfrm_dev_offload_ok) strictly
rely on skb->encapsulation == 1 to offload ESP crypto and checksums, even for
non-GSO packets.

Could this unconditionally clear operation destroy ESP offloading for non-GSO
packets, introducing the inconsistency between GSO and non-GSO handling that
the commit is intending to prevent?

>  
>  	return 0;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260504101759.3319427-1-nhudson@akamai.com?part=5

next prev parent reply	other threads:[~2026-05-05  4:14 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-04 10:17 [PATCH bpf-next v6 0/6] bpf: decap flags and GSO state updates Nick Hudson
2026-05-04 10:17 ` [PATCH v6 1/6] bpf: name the enum for BPF_FUNC_skb_adjust_room flags Nick Hudson
2026-05-04 11:03   ` bot+bpf-ci
2026-05-04 10:17 ` [PATCH v6 2/6] bpf: refactor masks for ADJ_ROOM flags and encap validation Nick Hudson
2026-05-04 11:03   ` bot+bpf-ci
2026-05-19 10:40     ` Hudson, Nick
2026-05-04 17:14   ` Willem de Bruijn
2026-05-04 10:17 ` [PATCH v6 3/6] bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation Nick Hudson
2026-05-04 11:03   ` bot+bpf-ci
2026-05-05  4:14   ` sashiko-bot
2026-05-19 10:45     ` Hudson, Nick
2026-05-04 10:17 ` [PATCH v6 4/6] bpf: allow new DECAP flags and add guard rails Nick Hudson
2026-05-05  4:14   ` sashiko-bot
2026-05-04 10:17 ` [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path Nick Hudson
2026-05-04 17:15   ` Willem de Bruijn
2026-05-05  4:14   ` sashiko-bot [this message]
2026-05-04 10:17 ` [PATCH v6 6/6] selftests/bpf: tc_tunnel - validate decap GSO and encapsulation state Nick Hudson
2026-05-05  4:14   ` sashiko-bot
2026-05-19 10:52     ` Hudson, Nick
2026-05-21 15:49       ` Martin KaFai Lau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260505041430.55823C2BCB4@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=nhudson@akamai.com \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.