Re: [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path

BPF List
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Nick Hudson" <nhudson@akamai.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path
Date: Tue, 05 May 2026 04:14:29 +0000	[thread overview]
Message-ID: <20260505041430.55823C2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260504101759.3319427-6-nhudson@akamai.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] The patch fails to clear SKB_GSO_TUNNEL_REMCSUM when decapsulating UDP or GRE tunnels, leaving the SKB in a corrupted GSO state.
- [High] Unconditionally clearing `skb->encapsulation` for non-GSO packets breaks hardware ESP offloads for non-GSO ESP-in-UDP packets.
--

commit 531781236d1767d9010b79132e818c1dd8e04a3e
Author: Nick Hudson <nhudson@akamai.com>

bpf: clear decap state on skb_adjust_room shrink path

This commit updates bpf_skb_adjust_room() to selectively clear decapsulation
state when shrinking the skb. For GSO packets, it removes only the gso_type
bits corresponding to the requested decap layer and clears skb->encapsulation
if no tunnel bits remain. For non-GSO packets, it unconditionally clears
skb->encapsulation.

> diff --git a/net/core/filter.c b/net/core/filter.c
> index 04871a57f085..ff1c936bb46d 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
[ ... ]
> @@ -3666,9 +3666,48 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 off, u32 len_diff,
>  		if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO))
>  			skb_increase_gso_size(shinfo, len_diff);
>  
> +		/* Selective GSO flag clearing based on decap type.
> +		 * Only clear the flags for the tunnel layer being removed.
> +		 */
> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_L4_UDP) &&
> +		    (shinfo->gso_type & (SKB_GSO_UDP_TUNNEL |
> +					 SKB_GSO_UDP_TUNNEL_CSUM)))
> +			shinfo->gso_type &= ~(SKB_GSO_UDP_TUNNEL |
> +					      SKB_GSO_UDP_TUNNEL_CSUM);
> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_L4_GRE) &&
> +		    (shinfo->gso_type & (SKB_GSO_GRE | SKB_GSO_GRE_CSUM)))
> +			shinfo->gso_type &= ~(SKB_GSO_GRE |
> +					      SKB_GSO_GRE_CSUM);

When decapsulating a tunnel that uses Remote Checksum Offload (like FOU or
VXLAN), the SKB has both the tunnel GSO flag and SKB_GSO_TUNNEL_REMCSUM set
in shinfo->gso_type.

Does this code leave SKB_GSO_TUNNEL_REMCSUM set when decapsulating these UDP
or GRE tunnels?

> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_IPXIP4) &&
> +		    (shinfo->gso_type & SKB_GSO_IPXIP4))
> +			shinfo->gso_type &= ~SKB_GSO_IPXIP4;
> +		if ((flags & BPF_F_ADJ_ROOM_DECAP_IPXIP6) &&
> +		    (shinfo->gso_type & SKB_GSO_IPXIP6))
> +			shinfo->gso_type &= ~SKB_GSO_IPXIP6;
> +
> +		/* Clear encapsulation flag only when no tunnel GSO flags remain */
> +		if (flags & (BPF_F_ADJ_ROOM_DECAP_L4_MASK |
> +			     BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK)) {
> +			if (!(shinfo->gso_type & (SKB_GSO_UDP_TUNNEL |
> +						  SKB_GSO_UDP_TUNNEL_CSUM |
> +						  SKB_GSO_GRE |
> +						  SKB_GSO_GRE_CSUM |
> +						  SKB_GSO_IPXIP4 |
> +						  SKB_GSO_IPXIP6 |
> +						  SKB_GSO_ESP)))
> +				if (skb->encapsulation)
> +					skb->encapsulation = 0;

Because the exclusionary mask above doesn't include SKB_GSO_TUNNEL_REMCSUM (or
SKB_GSO_PARTIAL), will this check evaluate to true and incorrectly execute
skb->encapsulation = 0 if a remote checksum flag is the only one remaining?

Could this leave the SKB in a corrupted GSO state with a tunnel remote
checksum flag active but skb->encapsulation == 0, potentially leading to
incorrect checksum calculations, out-of-bounds inner header accesses, or
kernel panics during GSO segmentation?

> +		}
> +
>  		/* Header must be checked, and gso_segs recomputed. */
>  		shinfo->gso_type |= SKB_GSO_DODGY;
>  		shinfo->gso_segs = 0;
> +	} else {
> +		/* For non-GSO packets, clear encapsulation if decap flags are set */
> +		if ((flags & (BPF_F_ADJ_ROOM_DECAP_L4_MASK |
> +			      BPF_F_ADJ_ROOM_DECAP_IPXIP_MASK)) &&
> +		    skb->encapsulation)
> +			skb->encapsulation = 0;
>  	}

The commit message notes the goal of keeping encapsulation set for cases like
ESP-in-UDP where tunnel state remains. Does unconditionally clearing
skb->encapsulation here for non-GSO packets break hardware ESP offloads for
non-GSO ESP-in-UDP packets?

Hardware NIC drivers and the IPsec stack (such as xfrm_dev_offload_ok) strictly
rely on skb->encapsulation == 1 to offload ESP crypto and checksums, even for
non-GSO packets.

Could this unconditionally clear operation destroy ESP offloading for non-GSO
packets, introducing the inconsistency between GSO and non-GSO handling that
the commit is intending to prevent?

>  
>  	return 0;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260504101759.3319427-1-nhudson@akamai.com?part=5

next prev parent reply	other threads:[~2026-05-05  4:14 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-04 10:17 [PATCH bpf-next v6 0/6] bpf: decap flags and GSO state updates Nick Hudson
2026-05-04 10:17 ` [PATCH v6 1/6] bpf: name the enum for BPF_FUNC_skb_adjust_room flags Nick Hudson
2026-05-04 11:03   ` bot+bpf-ci
2026-05-04 10:17 ` [PATCH v6 2/6] bpf: refactor masks for ADJ_ROOM flags and encap validation Nick Hudson
2026-05-04 11:03   ` bot+bpf-ci
2026-05-04 17:14   ` Willem de Bruijn
2026-05-04 10:17 ` [PATCH v6 3/6] bpf: add BPF_F_ADJ_ROOM_DECAP_* flags for tunnel decapsulation Nick Hudson
2026-05-04 11:03   ` bot+bpf-ci
2026-05-05  4:14   ` sashiko-bot
2026-05-04 10:17 ` [PATCH v6 4/6] bpf: allow new DECAP flags and add guard rails Nick Hudson
2026-05-05  4:14   ` sashiko-bot
2026-05-04 10:17 ` [PATCH v6 5/6] bpf: clear decap state on skb_adjust_room shrink path Nick Hudson
2026-05-04 17:15   ` Willem de Bruijn
2026-05-05  4:14   ` sashiko-bot [this message]
2026-05-04 10:17 ` [PATCH v6 6/6] selftests/bpf: tc_tunnel - validate decap GSO and encapsulation state Nick Hudson
2026-05-05  4:14   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260505041430.55823C2BCB4@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=nhudson@akamai.com \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox