1 From: Richard Gobert <richardbgobert@gmail.com>
2 Date: Tue, 30 Apr 2024 16:35:54 +0200
3 Subject: [PATCH] net: gro: fix udp bad offset in socket lookup by adding
4 {inner_}network_offset to napi_gro_cb
6 Commits a602456 ("udp: Add GRO functions to UDP socket") and 57c67ff ("udp:
7 additional GRO support") introduce incorrect usage of {ip,ipv6}_hdr in the
8 complete phase of gro. The functions always return skb->network_header,
9 which in the case of encapsulated packets at the gro complete phase, is
10 always set to the innermost L3 of the packet. That means that calling
11 {ip,ipv6}_hdr for skbs which completed the GRO receive phase (both in
12 gro_list and *_gro_complete) when parsing an encapsulated packet's _outer_
13 L3/L4 may return an unexpected value.
15 This incorrect usage leads to a bug in GRO's UDP socket lookup.
16 udp{4,6}_lib_lookup_skb functions use ip_hdr/ipv6_hdr respectively. These
17 *_hdr functions return network_header which will point to the innermost L3,
18 resulting in the wrong offset being used in __udp{4,6}_lib_lookup with
21 This patch adds network_offset and inner_network_offset to napi_gro_cb, and
22 makes sure both are set correctly.
24 To fix the issue, network_offsets union is used inside napi_gro_cb, in
25 which both the outer and the inner network offsets are saved.
29 Endpoint configuration example (fou + local address bind)
31 # ip fou add port 6666 ipproto 4
32 # ip link add name tun1 type ipip remote 2.2.2.1 local 2.2.2.2 encap fou encap-dport 5555 encap-sport 6666 mode ipip
34 # ip a add 1.1.1.2/24 dev tun1
36 Netperf TCP_STREAM result on net-next before patch is applied:
38 net-next main, GRO enabled:
39 $ netperf -H 1.1.1.2 -t TCP_STREAM -l 5
41 Socket Socket Message Elapsed
42 Size Size Size Time Throughput
43 bytes bytes bytes secs. 10^6bits/sec
45 131072 16384 16384 5.28 2.37
47 net-next main, GRO disabled:
48 $ netperf -H 1.1.1.2 -t TCP_STREAM -l 5
50 Socket Socket Message Elapsed
51 Size Size Size Time Throughput
52 bytes bytes bytes secs. 10^6bits/sec
54 131072 16384 16384 5.01 2745.06
56 patch applied, GRO enabled:
57 $ netperf -H 1.1.1.2 -t TCP_STREAM -l 5
59 Socket Socket Message Elapsed
60 Size Size Size Time Throughput
61 bytes bytes bytes secs. 10^6bits/sec
63 131072 16384 16384 5.01 2877.38
65 Fixes: a6024562ffd7 ("udp: Add GRO functions to UDP socket")
66 Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
67 Reviewed-by: Eric Dumazet <edumazet@google.com>
68 Reviewed-by: Willem de Bruijn <willemb@google.com>
69 Signed-off-by: Paolo Abeni <pabeni@redhat.com>
72 --- a/include/net/gro.h
73 +++ b/include/net/gro.h
74 @@ -86,6 +86,15 @@ struct napi_gro_cb {
76 /* used to support CHECKSUM_COMPLETE for tunneling protocols */
83 + u16 inner_network_offset;
85 + u16 network_offsets[2];
89 #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb)
90 --- a/net/8021q/vlan_core.c
91 +++ b/net/8021q/vlan_core.c
92 @@ -478,6 +478,8 @@ static struct sk_buff *vlan_gro_receive(
96 + NAPI_GRO_CB(skb)->network_offsets[NAPI_GRO_CB(skb)->encap_mark] = hlen;
98 type = vhdr->h_vlan_encapsulated_proto;
100 ptype = gro_find_receive_by_type(type);
103 @@ -373,6 +373,7 @@ static inline void skb_gro_reset_offset(
104 const struct skb_shared_info *pinfo = skb_shinfo(skb);
105 const skb_frag_t *frag0 = &pinfo->frags[0];
107 + NAPI_GRO_CB(skb)->network_offset = 0;
108 NAPI_GRO_CB(skb)->data_offset = 0;
109 NAPI_GRO_CB(skb)->frag0 = NULL;
110 NAPI_GRO_CB(skb)->frag0_len = 0;
111 --- a/net/ipv4/af_inet.c
112 +++ b/net/ipv4/af_inet.c
113 @@ -1571,6 +1571,7 @@ struct sk_buff *inet_gro_receive(struct
114 /* The above will be needed by the transport layer if there is one
115 * immediately following this IP hdr.
117 + NAPI_GRO_CB(skb)->inner_network_offset = off;
119 /* Note : No need to call skb_gro_postpull_rcsum() here,
120 * as we already checked checksum over ipv4 header was 0
123 @@ -534,7 +534,8 @@ static inline struct sock *__udp4_lib_lo
124 struct sock *udp4_lib_lookup_skb(const struct sk_buff *skb,
125 __be16 sport, __be16 dport)
127 - const struct iphdr *iph = ip_hdr(skb);
128 + const u16 offset = NAPI_GRO_CB(skb)->network_offsets[skb->encapsulation];
129 + const struct iphdr *iph = (struct iphdr *)(skb->data + offset);
130 struct net *net = dev_net(skb->dev);
133 --- a/net/ipv4/udp_offload.c
134 +++ b/net/ipv4/udp_offload.c
135 @@ -718,7 +718,8 @@ EXPORT_SYMBOL(udp_gro_complete);
137 INDIRECT_CALLABLE_SCOPE int udp4_gro_complete(struct sk_buff *skb, int nhoff)
139 - const struct iphdr *iph = ip_hdr(skb);
140 + const u16 offset = NAPI_GRO_CB(skb)->network_offsets[skb->encapsulation];
141 + const struct iphdr *iph = (struct iphdr *)(skb->data + offset);
142 struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
144 /* do fraglist only if there is no outer UDP encap (or we already processed it) */
145 --- a/net/ipv6/ip6_offload.c
146 +++ b/net/ipv6/ip6_offload.c
147 @@ -240,6 +240,7 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *
150 skb_set_network_header(skb, off);
151 + NAPI_GRO_CB(skb)->inner_network_offset = off;
153 flush += ntohs(iph->payload_len) != skb->len - hlen;
157 @@ -275,7 +275,8 @@ static struct sock *__udp6_lib_lookup_sk
158 struct sock *udp6_lib_lookup_skb(const struct sk_buff *skb,
159 __be16 sport, __be16 dport)
161 - const struct ipv6hdr *iph = ipv6_hdr(skb);
162 + const u16 offset = NAPI_GRO_CB(skb)->network_offsets[skb->encapsulation];
163 + const struct ipv6hdr *iph = (struct ipv6hdr *)(skb->data + offset);
164 struct net *net = dev_net(skb->dev);
167 --- a/net/ipv6/udp_offload.c
168 +++ b/net/ipv6/udp_offload.c
169 @@ -164,7 +164,8 @@ flush:
171 INDIRECT_CALLABLE_SCOPE int udp6_gro_complete(struct sk_buff *skb, int nhoff)
173 - const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
174 + const u16 offset = NAPI_GRO_CB(skb)->network_offsets[skb->encapsulation];
175 + const struct ipv6hdr *ipv6h = (struct ipv6hdr *)(skb->data + offset);
176 struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
178 /* do fraglist only if there is no outer UDP encap (or we already processed it) */