151e2562dbee16912d6837f2f7f3607d82d45c01
[openwrt/staging/svanheule.git] /
1 From: Jakub Sitnicki <jakub@cloudflare.com>
2 Date: Thu, 8 Aug 2024 11:56:22 +0200
3 Subject: [PATCH] udp: Fall back to software USO if IPv6 extension headers are
4 present
5
6 In commit 10154dbded6d ("udp: Allow GSO transmit from devices with no
7 checksum offload") we have intentionally allowed UDP GSO packets marked
8 CHECKSUM_NONE to pass to the GSO stack, so that they can be segmented and
9 checksummed by a software fallback when the egress device lacks these
10 features.
11
12 What was not taken into consideration is that a CHECKSUM_NONE skb can be
13 handed over to the GSO stack also when the egress device advertises the
14 tx-udp-segmentation / NETIF_F_GSO_UDP_L4 feature.
15
16 This will happen when there are IPv6 extension headers present, which we
17 check for in __ip6_append_data(). Syzbot has discovered this scenario,
18 producing a warning as below:
19
20 ip6tnl0: caps=(0x00000006401d7869, 0x00000006401d7869)
21 WARNING: CPU: 0 PID: 5112 at net/core/dev.c:3293 skb_warn_bad_offload+0x166/0x1a0 net/core/dev.c:3291
22 Modules linked in:
23 CPU: 0 PID: 5112 Comm: syz-executor391 Not tainted 6.10.0-rc7-syzkaller-01603-g80ab5445da62 #0
24 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
25 RIP: 0010:skb_warn_bad_offload+0x166/0x1a0 net/core/dev.c:3291
26 [...]
27 Call Trace:
28 <TASK>
29 __skb_gso_segment+0x3be/0x4c0 net/core/gso.c:127
30 skb_gso_segment include/net/gso.h:83 [inline]
31 validate_xmit_skb+0x585/0x1120 net/core/dev.c:3661
32 __dev_queue_xmit+0x17a4/0x3e90 net/core/dev.c:4415
33 neigh_output include/net/neighbour.h:542 [inline]
34 ip6_finish_output2+0xffa/0x1680 net/ipv6/ip6_output.c:137
35 ip6_finish_output+0x41e/0x810 net/ipv6/ip6_output.c:222
36 ip6_send_skb+0x112/0x230 net/ipv6/ip6_output.c:1958
37 udp_v6_send_skb+0xbf5/0x1870 net/ipv6/udp.c:1292
38 udpv6_sendmsg+0x23b3/0x3270 net/ipv6/udp.c:1588
39 sock_sendmsg_nosec net/socket.c:730 [inline]
40 __sock_sendmsg+0xef/0x270 net/socket.c:745
41 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2585
42 ___sys_sendmsg net/socket.c:2639 [inline]
43 __sys_sendmmsg+0x3b2/0x740 net/socket.c:2725
44 __do_sys_sendmmsg net/socket.c:2754 [inline]
45 __se_sys_sendmmsg net/socket.c:2751 [inline]
46 __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2751
47 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
48 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
49 entry_SYSCALL_64_after_hwframe+0x77/0x7f
50 [...]
51 </TASK>
52
53 We are hitting the bad offload warning because when an egress device is
54 capable of handling segmentation offload requested by
55 skb_shinfo(skb)->gso_type, the chain of gso_segment callbacks won't produce
56 any segment skbs and return NULL. See the skb_gso_ok() branch in
57 {__udp,tcp,sctp}_gso_segment helpers.
58
59 To fix it, force a fallback to software USO when processing a packet with
60 IPv6 extension headers, since we don't know if these can checksummed by
61 all devices which offer USO.
62
63 Fixes: 10154dbded6d ("udp: Allow GSO transmit from devices with no checksum offload")
64 Reported-by: syzbot+e15b7e15b8a751a91d9a@syzkaller.appspotmail.com
65 Closes: https://lore.kernel.org/all/000000000000e1609a061d5330ce@google.com/
66 Reviewed-by: Willem de Bruijn <willemb@google.com>
67 Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
68 Link: https://patch.msgid.link/20240808-udp-gso-egress-from-tunnel-v4-2-f5c5b4149ab9@cloudflare.com
69 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
70 ---
71
72 --- a/net/ipv4/udp_offload.c
73 +++ b/net/ipv4/udp_offload.c
74 @@ -278,6 +278,12 @@ struct sk_buff *__udp_gso_segment(struct
75 if (gso_skb->len <= sizeof(*uh) + mss)
76 return ERR_PTR(-EINVAL);
77
78 + /* We don't know if egress device can segment and checksum the packet
79 + * when IPv6 extension headers are present. Fall back to software GSO.
80 + */
81 + if (gso_skb->ip_summed != CHECKSUM_PARTIAL)
82 + features &= ~(NETIF_F_GSO_UDP_L4 | NETIF_F_CSUM_MASK);
83 +
84 if (skb_gso_ok(gso_skb, features | NETIF_F_GSO_ROBUST)) {
85 /* Packet is from an untrusted source, reset gso_segs. */
86 skb_shinfo(gso_skb)->gso_segs = DIV_ROUND_UP(gso_skb->len - sizeof(*uh),