From: Sabrina Dubroca <sd@queasysnail.net>
To: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Simon Horman <horms@kernel.org>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
David Ahern <dsahern@kernel.org>,
Nathan Chancellor <nathan@kernel.org>
Subject: Re: [PATCH net-next v2 1/5] udp_tunnel: properly deal with xfrm gro encap.
Date: Tue, 25 Mar 2025 13:12:32 +0100 [thread overview]
Message-ID: <Z-KdsLBF9lCM1m34@krikkit> (raw)
In-Reply-To: <f4659f17b136eaec554d8678de0034c3578580c1.1742557254.git.pabeni@redhat.com>
2025-03-21, 12:52:52 +0100, Paolo Abeni wrote:
> The blamed commit below does not take in account that xfrm
> can enable GRO over UDP encapsulation without going through
> setup_udp_tunnel_sock().
>
> At deletion time such socket will still go through
> udp_tunnel_cleanup_gro(), and the failed GRO type lookup will
> trigger the reported warning.
>
> Add the GRO accounting for XFRM tunnel when GRO is enabled, and
> adjust the known gro types accordingly.
>
> Note that we can't use setup_udp_tunnel_sock() here, as the xfrm
> tunnel setup can be "incremental" - e.g. the encapsulation is created
> first and GRO is enabled later.
>
> Also we can not allow GRO sk lookup optimization for XFRM tunnels, as
> the socket could match the selection criteria at enable time, and
> later on the user-space could disconnect/bind it breaking such
> criteria.
>
> Reported-by: syzbot+8c469a2260132cd095c1@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8c469a2260132cd095c1
> Fixes: 311b36574ceac ("udp_tunnel: use static call for GRO hooks when possible")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> v1 -> v2:
> - do proper account for xfrm, retain the warning
> ---
> net/ipv4/udp.c | 5 +++++
> net/ipv4/udp_offload.c | 4 +++-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index db606f7e41638..79efbf465fb04 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -2903,10 +2903,15 @@ static void set_xfrm_gro_udp_encap_rcv(__u16 encap_type, unsigned short family,
> {
> #ifdef CONFIG_XFRM
> if (udp_test_bit(GRO_ENABLED, sk) && encap_type == UDP_ENCAP_ESPINUDP) {
> + bool old_enabled = !!udp_sk(sk)->gro_receive;
> +
> if (family == AF_INET)
> WRITE_ONCE(udp_sk(sk)->gro_receive, xfrm4_gro_udp_encap_rcv);
> else if (IS_ENABLED(CONFIG_IPV6) && family == AF_INET6)
> WRITE_ONCE(udp_sk(sk)->gro_receive, ipv6_stub->xfrm6_gro_udp_encap_rcv);
> +
> + if (!old_enabled && udp_sk(sk)->gro_receive)
> + udp_tunnel_update_gro_rcv(sk, true);
We're not under any lock at this point, so this is a bit racy. I think
we'll "only" end up leaking a ref on cur->count if this happens. Not
ideal, but much better than the current situation.
> }
> #endif
> }
> diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
> index 088aa8cb8ac0c..02365b818f1af 100644
> --- a/net/ipv4/udp_offload.c
> +++ b/net/ipv4/udp_offload.c
> @@ -37,9 +37,11 @@ struct udp_tunnel_type_entry {
> refcount_t count;
> };
>
> +/* vxlan, fou and xfrm have 2 different gro_receive hooks each */
> #define UDP_MAX_TUNNEL_TYPES (IS_ENABLED(CONFIG_GENEVE) + \
> IS_ENABLED(CONFIG_VXLAN) * 2 + \
> - IS_ENABLED(CONFIG_NET_FOU) * 2)
> + IS_ENABLED(CONFIG_NET_FOU) * 2 + \
> + IS_ENABLED(CONFIG_XFRM) * 2)
>
> DEFINE_STATIC_CALL(udp_tunnel_gro_rcv, dummy_gro_rcv);
> static DEFINE_STATIC_KEY_FALSE(udp_tunnel_static_call);
> --
> 2.48.1
>
>
--
Sabrina
next prev parent reply other threads:[~2025-03-25 12:13 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-21 11:52 [PATCH net-next v2 0/5] udp_tunnel: GRO optimization follow-up Paolo Abeni
2025-03-21 11:52 ` [PATCH net-next v2 1/5] udp_tunnel: properly deal with xfrm gro encap Paolo Abeni
2025-03-21 16:33 ` Willem de Bruijn
2025-03-25 9:52 ` Paolo Abeni
2025-03-25 12:12 ` Sabrina Dubroca [this message]
2025-03-21 11:52 ` [PATCH net-next v2 2/5] udp_tunnel: fix compile warning Paolo Abeni
2025-03-21 16:35 ` Willem de Bruijn
2025-03-21 17:11 ` Sabrina Dubroca
2025-03-25 16:09 ` Sabrina Dubroca
2025-03-21 11:52 ` [PATCH net-next v2 3/5] udp_tunnel: fix UaF in GRO accounting Paolo Abeni
2025-03-21 16:39 ` Willem de Bruijn
2025-03-25 16:10 ` Sabrina Dubroca
2025-03-21 11:52 ` [PATCH net-next v2 4/5] udp_tunnel: avoid inconsistent local variables usage Paolo Abeni
2025-03-21 16:39 ` Willem de Bruijn
2025-03-25 16:17 ` Sabrina Dubroca
2025-03-21 11:52 ` [PATCH net-next v2 5/5] udp_tunnel: prevent GRO lookup optimization for user-space sockets Paolo Abeni
2025-03-21 16:43 ` Willem de Bruijn
2025-03-25 16:22 ` Sabrina Dubroca
2025-03-25 16:24 ` [PATCH net-next v2 0/5] udp_tunnel: GRO optimization follow-up Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z-KdsLBF9lCM1m34@krikkit \
--to=sd@queasysnail.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=nathan@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.