From: Sabrina Dubroca <sd@queasysnail.net>
To: Antonio Quartulli <antonio@openvpn.net>
Cc: netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com,
ryazanov.s.a@gmail.com, edumazet@google.com, andrew@lunn.ch
Subject: Re: [PATCH net-next v6 11/25] ovpn: implement basic RX path (UDP)
Date: Mon, 2 Sep 2024 13:22:50 +0200 [thread overview]
Message-ID: <ZtWgCv2bH0fCarwq@hog> (raw)
In-Reply-To: <20240827120805.13681-12-antonio@openvpn.net>
2024-08-27, 14:07:51 +0200, Antonio Quartulli wrote:
> +static void ovpn_netdev_write(struct ovpn_peer *peer, struct sk_buff *skb)
> +{
> + /* we can't guarantee the packet wasn't corrupted before entering the
> + * VPN, therefore we give other layers a chance to check that
> + */
> + skb->ip_summed = CHECKSUM_NONE;
> +
> + /* skb hash for transport packet no longer valid after decapsulation */
> + skb_clear_hash(skb);
> +
> + /* post-decrypt scrub -- prepare to inject encapsulated packet onto the
> + * interface, based on __skb_tunnel_rx() in dst.h
> + */
> + skb->dev = peer->ovpn->dev;
> + skb_set_queue_mapping(skb, 0);
> + skb_scrub_packet(skb, true);
> +
> + skb_reset_network_header(skb);
> + skb_reset_transport_header(skb);
> + skb_probe_transport_header(skb);
> + skb_reset_inner_headers(skb);
> +
> + memset(skb->cb, 0, sizeof(skb->cb));
> +
> + /* cause packet to be "received" by the interface */
> + if (likely(gro_cells_receive(&peer->ovpn->gro_cells,
> + skb) == NET_RX_SUCCESS))
> + /* update RX stats with the size of decrypted packet */
> + dev_sw_netstats_rx_add(peer->ovpn->dev, skb->len);
I don't think accessing skb->len after passing the skb to
gro_cells_receive is safe, see
c7cc9200e9b4 ("macsec: avoid use-after-free in macsec_handle_frame()")
[...]
> static void ovpn_struct_free(struct net_device *net)
> {
> + struct ovpn_struct *ovpn = netdev_priv(net);
> +
> + gro_cells_destroy(&ovpn->gro_cells);
> + rcu_barrier();
What's the purpose of this rcu_barrier? I expect it in module_exit,
not when removing one netdevice.
> diff --git a/drivers/net/ovpn/skb.h b/drivers/net/ovpn/skb.h
> index 7966a10d915f..e070fe6f448c 100644
> --- a/drivers/net/ovpn/skb.h
> +++ b/drivers/net/ovpn/skb.h
> @@ -18,10 +18,7 @@
> #include <linux/types.h>
>
> struct ovpn_cb {
> - struct aead_request *req;
> struct ovpn_peer *peer;
> - struct ovpn_crypto_key_slot *ks;
> - unsigned int payload_offset;
Squashed into the wrong patch?
[...]
> +struct ovpn_struct *ovpn_from_udp_sock(struct sock *sk)
> +{
> + struct ovpn_socket *ovpn_sock;
> +
> + if (unlikely(READ_ONCE(udp_sk(sk)->encap_type) != UDP_ENCAP_OVPNINUDP))
> + return NULL;
> +
> + ovpn_sock = rcu_dereference_sk_user_data(sk);
[1]
> + if (unlikely(!ovpn_sock))
> + return NULL;
> +
> + /* make sure that sk matches our stored transport socket */
> + if (unlikely(!ovpn_sock->sock || sk != ovpn_sock->sock->sk))
> + return NULL;
> +
> + return ovpn_sock->ovpn;
> +}
> +static int ovpn_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
> +{
> + struct ovpn_peer *peer = NULL;
> + struct ovpn_struct *ovpn;
> + u32 peer_id;
> + u8 opcode;
> +
> + ovpn = ovpn_from_udp_sock(sk);
> + if (unlikely(!ovpn)) {
> + net_err_ratelimited("%s: cannot obtain ovpn object from UDP socket\n",
> + __func__);
> + goto drop;
> + }
[...]
> + /* pop off outer UDP header */
> + __skb_pull(skb, sizeof(struct udphdr));
> + ovpn_recv(peer, skb);
> + return 0;
> +
> +drop:
> + if (peer)
> + ovpn_peer_put(peer);
> + dev_core_stats_rx_dropped_inc(ovpn->dev);
If we get here from the first goto, ovpn is NULL. You could add a
drop_noovpn label right here to just do the free+return.
> + kfree_skb(skb);
> + return 0;
> +}
> +
> /**
> * ovpn_udp4_output - send IPv4 packet over udp socket
> * @ovpn: the openvpn instance
> @@ -257,8 +342,13 @@ void ovpn_udp_send_skb(struct ovpn_struct *ovpn, struct ovpn_peer *peer,
> */
> int ovpn_udp_socket_attach(struct socket *sock, struct ovpn_struct *ovpn)
> {
> + struct udp_tunnel_sock_cfg cfg = {
> + .sk_user_data = ovpn,
> + .encap_type = UDP_ENCAP_OVPNINUDP,
> + .encap_rcv = ovpn_udp_encap_recv,
> + };
> struct ovpn_socket *old_data;
> - int ret = 0;
> + int ret;
>
> /* sanity check */
> if (sock->sk->sk_protocol != IPPROTO_UDP) {
> @@ -272,6 +362,7 @@ int ovpn_udp_socket_attach(struct socket *sock, struct ovpn_struct *ovpn)
> if (!old_data) {
> /* socket is currently unused - we can take it */
> rcu_read_unlock();
> + setup_udp_tunnel_sock(sock_net(sock->sk), sock, &cfg);
This will set sk_user_data to the ovpn_struct, but ovpn_from_udp_sock
expects the ovpn_socket [1], which is stored into sk_user_data a
little bit later by ovpn_socket_new. If a packet reaches
ovpn_udp_encap_recv -> ovpn_from_udp_sock before ovpn_socket_new
overwrites sk_user_data, bad things probably happen.
--
Sabrina
next prev parent reply other threads:[~2024-09-02 11:24 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-27 12:07 [PATCH net-next v6 00/25] Introducing OpenVPN Data Channel Offload Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 01/25] netlink: add NLA_POLICY_MAX_LEN macro Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 02/25] rtnetlink: don't crash on unregister if no dellink exists Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 03/25] net: introduce OpenVPN Data Channel Offload (ovpn) Antonio Quartulli
2024-09-05 14:38 ` Sabrina Dubroca
2024-09-06 12:26 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 04/25] ovpn: add basic netlink support Antonio Quartulli
2024-09-06 19:26 ` Simon Horman
2024-09-09 8:35 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 05/25] ovpn: add basic interface creation/destruction/management routines Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 06/25] ovpn: implement interface creation/destruction via netlink Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 07/25] ovpn: keep carrier always on Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 08/25] ovpn: introduce the ovpn_peer object Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 09/25] ovpn: introduce the ovpn_socket object Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 10/25] ovpn: implement basic TX path (UDP) Antonio Quartulli
2024-08-30 17:02 ` Sabrina Dubroca
2024-09-02 12:03 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 11/25] ovpn: implement basic RX " Antonio Quartulli
2024-09-02 11:22 ` Sabrina Dubroca [this message]
2024-09-02 12:24 ` Antonio Quartulli
2024-09-06 19:18 ` Simon Horman
2024-09-09 8:37 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 12/25] ovpn: implement packet processing Antonio Quartulli
2024-09-02 14:42 ` Sabrina Dubroca
2024-09-04 12:07 ` Antonio Quartulli
2024-09-04 15:01 ` Sabrina Dubroca
2024-09-06 13:19 ` Antonio Quartulli
2024-09-10 13:04 ` Sabrina Dubroca
2024-09-11 12:52 ` Antonio Quartulli
2024-09-11 13:30 ` Sabrina Dubroca
2024-09-12 8:33 ` Antonio Quartulli
2024-09-22 19:51 ` Sergey Ryazanov
2024-09-23 12:48 ` Antonio Quartulli
2024-09-06 19:29 ` Simon Horman
2024-09-09 8:38 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 13/25] ovpn: store tunnel and transport statistics Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 14/25] ovpn: implement TCP transport Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 15/25] ovpn: implement multi-peer support Antonio Quartulli
2024-09-03 14:40 ` Sabrina Dubroca
2024-09-04 10:10 ` Sabrina Dubroca
2024-09-06 13:26 ` Antonio Quartulli
2024-09-05 8:02 ` Antonio Quartulli
2024-09-05 10:47 ` Sabrina Dubroca
2024-09-09 9:12 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 16/25] ovpn: implement peer lookup logic Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 17/25] ovpn: implement keepalive mechanism Antonio Quartulli
2024-09-03 15:17 ` Sabrina Dubroca
2024-09-09 9:17 ` Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 18/25] ovpn: add support for updating local UDP endpoint Antonio Quartulli
2024-08-27 12:07 ` [PATCH net-next v6 19/25] ovpn: add support for peer floating Antonio Quartulli
2024-09-05 9:55 ` Sabrina Dubroca
2024-09-09 8:52 ` Antonio Quartulli
2024-08-27 12:08 ` [PATCH net-next v6 20/25] ovpn: implement peer add/dump/delete via netlink Antonio Quartulli
2024-08-27 12:08 ` [PATCH net-next v6 21/25] ovpn: implement key add/del/swap " Antonio Quartulli
2024-08-27 12:08 ` [PATCH net-next v6 22/25] ovpn: kill key and notify userspace in case of IV exhaustion Antonio Quartulli
2024-08-27 12:08 ` [PATCH net-next v6 23/25] ovpn: notify userspace when a peer is deleted Antonio Quartulli
2024-08-27 12:08 ` [PATCH net-next v6 24/25] ovpn: add basic ethtool support Antonio Quartulli
2024-08-27 12:08 ` [PATCH net-next v6 25/25] testing/selftest: add test tool and scripts for ovpn module Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZtWgCv2bH0fCarwq@hog \
--to=sd@queasysnail.net \
--cc=andrew@lunn.ch \
--cc=antonio@openvpn.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=ryazanov.s.a@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.