From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Nick Hudson <nhudson@akamai.com>, bpf@vger.kernel.org
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Nick Hudson <nhudson@akamai.com>,
Max Tottenham <mtottenh@akamai.com>,
Anna Glasgall <aglasgal@akamai.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 4/5] bpf: add guard rails for new DECAP flags
Date: Tue, 17 Mar 2026 09:30:20 -0400
Message-ID: <willemdebruijn.kernel.4f5a568542ec@gmail.com>
In-Reply-To: <20260317121429.2399539-5-nhudson@akamai.com>
Nick Hudson wrote:
> Add checks to require shrink-only decap, reject conflicting decap flag combinations, and verify removed length is sufficient for claimed header decapsulation.
>
> Co-developed-by: Max Tottenham <mtottenh@akamai.com>
> Signed-off-by: Max Tottenham <mtottenh@akamai.com>
> Co-developed-by: Anna Glasgall <aglasgal@akamai.com>
> Signed-off-by: Anna Glasgall <aglasgal@akamai.com>
> Signed-off-by: Nick Hudson <nhudson@akamai.com>
This patch probably should come before 3, as 3 enables the features
without the guard rails in place.
> ---
> net/core/filter.c | 45 ++++++++++++++++++++++++++++++++++++---------
> 1 file changed, 36 insertions(+), 9 deletions(-)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index ac7e1068fe4c..437e0da34f84 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -56,6 +56,7 @@
> #include <net/sock_reuseport.h>
> #include <net/busy_poll.h>
> #include <net/tcp.h>
> +#include <net/gre.h>
> #include <net/xfrm.h>
> #include <net/udp.h>
> #include <linux/bpf_trace.h>
> @@ -3745,20 +3746,46 @@ BPF_CALL_4(bpf_skb_adjust_room, struct sk_buff *, skb, s32, len_diff,
> return -ENOTSUPP;
> }
>
> - if (flags & BPF_F_ADJ_ROOM_DECAP_L3_MASK) {
> + if (flags & BPF_F_ADJ_ROOM_DECAP_MASK) {
> + u32 len_decap_min = 0;
> +
> if (!shrink)
> return -EINVAL;
>
> - switch (flags & BPF_F_ADJ_ROOM_DECAP_L3_MASK) {
> - case BPF_F_ADJ_ROOM_DECAP_L3_IPV4:
> + if ((flags & BPF_F_ADJ_ROOM_DECAP_L3_MASK) ==
> + BPF_F_ADJ_ROOM_DECAP_L3_MASK)
> + return -EINVAL;
> +
> + if ((flags & BPF_F_ADJ_ROOM_DECAP_L4_MASK) ==
> + BPF_F_ADJ_ROOM_DECAP_L4_MASK)
> + return -EINVAL;
> +
> + if ((flags & BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK) ==
> + BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK)
> + return -EINVAL;
> +
Are these equality tests shorthand based on knowledge that each only
has two options, so equality implies more than one option set? That
is not obvious/self documenting. Please add a brief comment.
> + if ((flags & BPF_F_ADJ_ROOM_DECAP_L4_MASK) &&
> + (flags & BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK))
> + return -EINVAL;
> +
> + if (mode == BPF_ADJ_ROOM_MAC)
> + len_decap_min += proto == htons(ETH_P_IP) ?
> + sizeof(struct iphdr) : sizeof(struct ipv6hdr);
MAC is not a GSO related decap, can be used for insertion/deletion of
L2.5 headers. This should be dropped.
> +
> + if (flags & BPF_F_ADJ_ROOM_DECAP_L4_UDP)
> + len_decap_min += sizeof(struct udphdr);
> +
> + if (flags & BPF_F_ADJ_ROOM_DECAP_L4_GRE)
> + len_decap_min += sizeof(struct gre_base_hdr);
> +
> + if (len_diff_abs < len_decap_min)
> + return -EINVAL;
> +
> + if (flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV4)
> len_min = sizeof(struct iphdr);
> - break;
> - case BPF_F_ADJ_ROOM_DECAP_L3_IPV6:
> +
> + if (flags & BPF_F_ADJ_ROOM_DECAP_L3_IPV6)
> len_min = sizeof(struct ipv6hdr);
> - break;
> - default:
> - return -EINVAL;
> - }
> }
>
> len_cur = skb->len - skb_network_offset(skb);
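Review bot: BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK is tested for conflicts but adds nothing to len_decap_min, so in the accumulation before `if (len_diff_abs < len_decap_min)` a call that sets only an IPXIP flag outside BPF_ADJ_ROOM_MAC mode arrives with len_decap_min still 0 and the length guard rejects nothing. Either add the size of the header that the IPXIP decap removes, or add a comment saying why no minimum applies there. The GRE term is likewise only a lower bound, since sizeof(struct gre_base_hdr) covers the base header without any optional fields; a short comment should say so. With the switch gone, len_min is assigned by two independent ifs, which is correct only because the L3 equality test above has already rejected both bits being set, and that dependency deserves a comment as well.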
> --
> 2.34.1
>
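The equality tests questioned in the review above, shown next to a form that does not depend on each group having exactly two options. This is an added example, not code from the patch or the kernel; the EX_* bit values and the three-option group are constructed for illustration, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions; the real BPF_F_ADJ_ROOM_DECAP_* values
 * come from the series and are not reproduced here. */
#define EX_DECAP_L4_UDP   (1ULL << 0)
#define EX_DECAP_L4_GRE   (1ULL << 1)
#define EX_DECAP_L4_MASK  (EX_DECAP_L4_UDP | EX_DECAP_L4_GRE)

/* Hypothetical group with three options, to show where the shorthand breaks. */
#define EX_GRP_A     (1ULL << 4)
#define EX_GRP_B     (1ULL << 5)
#define EX_GRP_C     (1ULL << 6)
#define EX_GRP_MASK  (EX_GRP_A | EX_GRP_B | EX_GRP_C)

/* Form used in the patch: true only when every bit of the mask is set.
 * For a two-bit mask that is the same as "more than one option set". */
static int all_bits_set(uint64_t flags, uint64_t mask)
{
	return (flags & mask) == mask;
}

/* General form: true when two or more bits of the group are set.
 * v & (v - 1) clears the lowest set bit; anything left means a second bit. */
static int more_than_one_set(uint64_t flags, uint64_t mask)
{
	uint64_t v = flags & mask;

	return v && (v & (v - 1));
}

int main(void)
{
	uint64_t both_l4 = EX_DECAP_L4_UDP | EX_DECAP_L4_GRE;
	uint64_t two_of_three = EX_GRP_A | EX_GRP_B;

	/* Two-option group: both forms agree. */
	printf("L4 both:  eq=%d general=%d\n",
	       all_bits_set(both_l4, EX_DECAP_L4_MASK),
	       more_than_one_set(both_l4, EX_DECAP_L4_MASK));
	/* Three-option group: the equality form misses a two-bit conflict. */
	printf("2 of 3:   eq=%d general=%d\n",
	       all_bits_set(two_of_three, EX_GRP_MASK),
	       more_than_one_set(two_of_three, EX_GRP_MASK));
	return 0;
}
```
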
Thread overview: 11+ messages
2026-03-17 12:14 [PATCH v1 0/5] bpf: Add tunnel decapsulation and GSO state updates per new flags Nick Hudson
2026-03-17 12:14 ` [PATCH v1 1/5] bpf: name the enum for BPF_FUNC_skb_adjust_room flags Nick Hudson
2026-03-17 12:14 ` [PATCH v1 2/5] bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation Nick Hudson
2026-03-17 12:14 ` [PATCH v1 3/5] bpf: add helper masks for ADJ_ROOM decap flags Nick Hudson
2026-03-17 13:27 ` Willem de Bruijn
2026-03-17 13:47 ` Hudson, Nick
2026-03-17 14:01 ` Willem de Bruijn
2026-03-17 12:14 ` [PATCH v1 4/5] bpf: add guard rails for new DECAP flags Nick Hudson
2026-03-17 13:30 ` Willem de Bruijn [this message]
2026-03-17 12:14 ` [PATCH v1 5/5] bpf: clear decap tunnel GSO state in skb_adjust_room Nick Hudson
2026-03-17 13:02 ` bot+bpf-ci