From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: stable@vger.kernel.org
Cc: netdev@vger.kernel.org, gregkh@linuxfoundation.org,
christian@theune.cc, mathieu.tortuyaux@gmail.com,
Yan Zhai <yan@cloudflare.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Willem de Bruijn <willemb@google.com>,
Jason Wang <jasowang@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.15 3/4] gso: fix dodgy bit handling for GSO_UDP_L4
Date: Mon, 9 Sep 2024 14:22:47 -0400 [thread overview]
Message-ID: <20240909182506.270136-4-willemdebruijn.kernel@gmail.com> (raw)
In-Reply-To: <20240909182506.270136-1-willemdebruijn.kernel@gmail.com>
From: Yan Zhai <yan@cloudflare.com>
[ Upstream commit 9840036786d90cea11a90d1f30b6dc003b34ee67 ]
Commit 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4
packets.") checks DODGY bit for UDP, but for packets that can be fed
directly to the device after gso_segs reset, it actually falls through
to fragmentation:
https://lore.kernel.org/all/CAJPywTKDdjtwkLVUW6LRA2FU912qcDmQOQGt2WaDo28KzYDg+A@mail.gmail.com/
This change restores the expected behavior of GSO_UDP_L4 packets.
Fixes: 1fd54773c267 ("udp: allow header check for dodgy GSO_UDP_L4 packets.")
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[5.15 stable: clean backport]
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/ipv4/udp_offload.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index c61268849948a..f0bc91af94d7c 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -272,13 +272,20 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
__sum16 check;
__be16 newlen;
- if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
- return __udp_gso_segment_list(gso_skb, features, is_ipv6);
-
mss = skb_shinfo(gso_skb)->gso_size;
if (gso_skb->len <= sizeof(*uh) + mss)
return ERR_PTR(-EINVAL);
+ if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
+ /* Packet is from an untrusted source, reset gso_segs. */
+ skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),
+ mss);
+ return NULL;
+ }
+
+ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
+ return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+
skb_pull(gso_skb, sizeof(*uh));
/* clear destructor to avoid skb_segment assigning it to tail */
--
2.46.0.598.g6f2099f65c-goog
next prev parent reply other threads:[~2024-09-09 18:25 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-09 18:22 [PATCH 5.15 0/4] Backport fix for net: missing check virtio Willem de Bruijn
2024-09-09 18:22 ` [PATCH 5.15 1/4] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Willem de Bruijn
2024-09-09 18:22 ` [PATCH 5.15 2/4] net: change maximum number of UDP segments to 128 Willem de Bruijn
2024-09-09 18:22 ` Willem de Bruijn [this message]
2024-09-09 18:22 ` [PATCH 5.15 4/4] net: drop bad gso csum_start and offset in virtio_net_hdr Willem de Bruijn
2024-09-10 7:30 ` [PATCH 5.15 0/4] Backport fix for net: missing check virtio Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240909182506.270136-4-willemdebruijn.kernel@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=christian@theune.cc \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=mathieu.tortuyaux@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
--cc=yan@cloudflare.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox