[PATCH net 0/2] bareudp: Pull inner IP header on xmit/recv.

[PATCH net 0/2] bareudp: Pull inner IP header on xmit/recv.

[Guillaume Nault]

Bareudp accesses the inner IP header in its xmit and and recv paths.
However it doesn't ensure that this header is part of skb->head.

Both vxlan and geneve have received fixes for similar problems in the
past. This series fixes bareudp using the same approach.

Guillaume Nault (2):
  bareudp: Pull inner IP header in bareudp_udp_encap_recv().
  bareudp: Pull inner IP header on xmit.

 drivers/net/bareudp.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

-- 
2.39.2

[PATCH net 1/2] bareudp: Pull inner IP header in bareudp_udp_encap_recv().

[Guillaume Nault]

Bareudp reads the inner IP header to get the ECN value. Therefore, it
needs to ensure that it's part of the skb's linear data.

This is similar to the vxlan and geneve fixes for that same problem:
  * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().")
  * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in
    geneve_rx()")

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 drivers/net/bareudp.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index 7aca0544fb29..b4e820a123ca 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -68,6 +68,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 	__be16 proto;
 	void *oiph;
 	int err;
+	int nh;
 
 	bareudp = rcu_dereference_sk_user_data(sk);
 	if (!bareudp)
@@ -148,10 +149,25 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 	}
 	skb_dst_set(skb, &tun_dst->dst);
 	skb->dev = bareudp->dev;
-	oiph = skb_network_header(skb);
-	skb_reset_network_header(skb);
 	skb_reset_mac_header(skb);
 
+	/* Save offset of outer header relative to skb->head,
+	 * because we are going to reset the network header to the inner header
+	 * and might change skb->head.
+	 */
+	nh = skb_network_header(skb) - skb->head;
+
+	skb_reset_network_header(skb);
+
+	if (!pskb_inet_may_pull(skb)) {
+		DEV_STATS_INC(bareudp->dev, rx_length_errors);
+		DEV_STATS_INC(bareudp->dev, rx_errors);
+		goto drop;
+	}
+
+	/* Get the outer header. */
+	oiph = skb->head + nh;
+
 	if (!ipv6_mod_enabled() || family == AF_INET)
 		err = IP_ECN_decapsulate(oiph, skb);
 	else
-- 
2.39.2

[PATCH net 2/2] bareudp: Pull inner IP header on xmit.

[Guillaume Nault]

Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner
IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore
we need to ensure that the inner IP header is part of the skb's linear
data.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 drivers/net/bareudp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
index b4e820a123ca..e80992b4f9de 100644
--- a/drivers/net/bareudp.c
+++ b/drivers/net/bareudp.c
@@ -317,6 +317,9 @@ static int bareudp_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 	__be32 saddr;
 	int err;
 
+	if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
+		return -EINVAL;
+
 	if (!sock)
 		return -ESHUTDOWN;
 
@@ -384,6 +387,9 @@ static int bareudp6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 	__be16 sport;
 	int err;
 
+	if (!skb_vlan_inet_prepare(skb, skb->protocol != htons(ETH_P_TEB)))
+		return -EINVAL;
+
 	if (!sock)
 		return -ESHUTDOWN;
 
-- 
2.39.2

Re: [PATCH net 0/2] bareudp: Pull inner IP header on xmit/recv.

[Guillaume Nault]

On Tue, Sep 10, 2024 at 08:31:00PM +0200, Guillaume Nault wrote:
> Bareudp accesses the inner IP header in its xmit and and recv paths.
> However it doesn't ensure that this header is part of skb->head.

Forgot the Fixes: tag... :/
Will send v2 soon.

Re: [PATCH net 0/2] bareudp: Pull inner IP header on xmit/recv.

[Jakub Kicinski]

On Wed, 11 Sep 2024 11:06:39 +0200 Guillaume Nault wrote:
> Forgot the Fixes: tag... :/
> Will send v2 soon.

Too soon, in fact:
https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#tl-dr

Re: [PATCH net 0/2] bareudp: Pull inner IP header on xmit/recv.

[Guillaume Nault]

On Wed, Sep 11, 2024 at 07:58:16AM -0700, Jakub Kicinski wrote:
> On Wed, 11 Sep 2024 11:06:39 +0200 Guillaume Nault wrote:
> > Forgot the Fixes: tag... :/
> > Will send v2 soon.
> 
> Too soon, in fact:
> https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#tl-dr

Forgot that rule, sorry. Thanks for reminding me.