mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-27 06:34:11 +08:00
4dd2b82d5a
syzbot was able to crash host by sending UDP packets with a 0 payload.
TCP does not have this issue since we do not aggregate packets without
payload.
Since dev_gro_receive() sets gso_size based on skb_gro_len(skb)
it seems not worth trying to cope with padded packets.
BUG: KASAN: slab-out-of-bounds in skb_gro_receive+0xf5f/0x10e0 net/core/skbuff.c:3826
Read of size 16 at addr ffff88808893fff0 by task syz-executor612/7889
CPU: 0 PID: 7889 Comm: syz-executor612 Not tainted 5.1.0-rc7+ #96
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load16_noabort+0x14/0x20 mm/kasan/generic_report.c:133
skb_gro_receive+0xf5f/0x10e0 net/core/skbuff.c:3826
udp_gro_receive_segment net/ipv4/udp_offload.c:382 [inline]
call_gro_receive include/linux/netdevice.h:2349 [inline]
udp_gro_receive+0xb61/0xfd0 net/ipv4/udp_offload.c:414
udp4_gro_receive+0x763/0xeb0 net/ipv4/udp_offload.c:478
inet_gro_receive+0xe72/0x1110 net/ipv4/af_inet.c:1510
dev_gro_receive+0x1cd0/0x23c0 net/core/dev.c:5581
napi_gro_frags+0x36b/0xd10 net/core/dev.c:5843
tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981
tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027
call_write_iter include/linux/fs.h:1866 [inline]
do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681
do_iter_write fs/read_write.c:957 [inline]
do_iter_write+0x184/0x610 fs/read_write.c:938
vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002
do_writev+0x15e/0x370 fs/read_write.c:1037
__do_sys_writev fs/read_write.c:1110 [inline]
__se_sys_writev fs/read_write.c:1107 [inline]
__x64_sys_writev+0x75/0xb0 fs/read_write.c:1107
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441cc0
Code: 05 48 3d 01 f0 ff ff 0f 83 9d 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 93 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 74 09 fc ff c3 48 83 ec 08 e8 ba 2b 00 00
RSP: 002b:00007ffe8c716118 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007ffe8c716150 RCX: 0000000000441cc0
RDX: 0000000000000001 RSI: 00007ffe8c716170 RDI: 00000000000000f0
RBP: 0000000000000000 R08: 000000000000ffff R09: 0000000000a64668
R10: 0000000020000040 R11: 0000000000000246 R12: 000000000000c2d9
R13: 0000000000402b50 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 5143:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:470
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:505
slab_post_alloc_hook mm/slab.h:437 [inline]
slab_alloc mm/slab.c:3393 [inline]
kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3555
mm_alloc+0x1d/0xd0 kernel/fork.c:1030
bprm_mm_init fs/exec.c:363 [inline]
__do_execve_file.isra.0+0xaa3/0x23f0 fs/exec.c:1791
do_execveat_common fs/exec.c:1865 [inline]
do_execve fs/exec.c:1882 [inline]
__do_sys_execve fs/exec.c:1958 [inline]
__se_sys_execve fs/exec.c:1953 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1953
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 5351:
save_stack+0x45/0xd0 mm/kasan/common.c:75
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:459
kasan_slab_free+0xe/0x10 mm/kasan/common.c:467
__cache_free mm/slab.c:3499 [inline]
kmem_cache_free+0x86/0x260 mm/slab.c:3765
__mmdrop+0x238/0x320 kernel/fork.c:677
mmdrop include/linux/sched/mm.h:49 [inline]
finish_task_switch+0x47b/0x780 kernel/sched/core.c:2746
context_switch kernel/sched/core.c:2880 [inline]
__schedule+0x81b/0x1cc0 kernel/sched/core.c:3518
preempt_schedule_irq+0xb5/0x140 kernel/sched/core.c:3745
retint_kernel+0x1b/0x2d
arch_local_irq_restore arch/x86/include/asm/paravirt.h:767 [inline]
kmem_cache_free+0xab/0x260 mm/slab.c:3766
anon_vma_chain_free mm/rmap.c:134 [inline]
unlink_anon_vmas+0x2ba/0x870 mm/rmap.c:401
free_pgtables+0x1af/0x2f0 mm/memory.c:394
exit_mmap+0x2d1/0x530 mm/mmap.c:3144
__mmput kernel/fork.c:1046 [inline]
mmput+0x15f/0x4c0 kernel/fork.c:1067
exec_mmap fs/exec.c:1046 [inline]
flush_old_exec+0x8d9/0x1c20 fs/exec.c:1279
load_elf_binary+0x9bc/0x53f0 fs/binfmt_elf.c:864
search_binary_handler fs/exec.c:1656 [inline]
search_binary_handler+0x17f/0x570 fs/exec.c:1634
exec_binprm fs/exec.c:1698 [inline]
__do_execve_file.isra.0+0x1394/0x23f0 fs/exec.c:1818
do_execveat_common fs/exec.c:1865 [inline]
do_execve fs/exec.c:1882 [inline]
__do_sys_execve fs/exec.c:1958 [inline]
__se_sys_execve fs/exec.c:1953 [inline]
__x64_sys_execve+0x8f/0xc0 fs/exec.c:1953
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff88808893f7c0
which belongs to the cache mm_struct of size 1496
The buggy address is located 600 bytes to the right of
1496-byte region [ffff88808893f7c0, ffff88808893fd98)
The buggy address belongs to the page:
page:ffffea0002224f80 count:1 mapcount:0 mapping:ffff88821bc40ac0 index:0xffff88808893f7c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00025b4f08 ffffea00027b9d08 ffff88821bc40ac0
raw: ffff88808893f7c0 ffff88808893e440 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808893fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808893ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808893ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888088940000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888088940080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Fixes: e20cf8d3f1
("udp: implement GRO for plain UDP sockets.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
565 lines
15 KiB
C
565 lines
15 KiB
C
/*
|
|
* IPV4 GSO/GRO offload support
|
|
* Linux INET implementation
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*
|
|
* UDPv4 GSO support
|
|
*/
|
|
|
|
#include <linux/skbuff.h>
|
|
#include <net/udp.h>
|
|
#include <net/protocol.h>
|
|
#include <net/inet_common.h>
|
|
|
|
static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
|
|
netdev_features_t features,
|
|
struct sk_buff *(*gso_inner_segment)(struct sk_buff *skb,
|
|
netdev_features_t features),
|
|
__be16 new_protocol, bool is_ipv6)
|
|
{
|
|
int tnl_hlen = skb_inner_mac_header(skb) - skb_transport_header(skb);
|
|
bool remcsum, need_csum, offload_csum, gso_partial;
|
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
|
struct udphdr *uh = udp_hdr(skb);
|
|
u16 mac_offset = skb->mac_header;
|
|
__be16 protocol = skb->protocol;
|
|
u16 mac_len = skb->mac_len;
|
|
int udp_offset, outer_hlen;
|
|
__wsum partial;
|
|
bool need_ipsec;
|
|
|
|
if (unlikely(!pskb_may_pull(skb, tnl_hlen)))
|
|
goto out;
|
|
|
|
/* Adjust partial header checksum to negate old length.
|
|
* We cannot rely on the value contained in uh->len as it is
|
|
* possible that the actual value exceeds the boundaries of the
|
|
* 16 bit length field due to the header being added outside of an
|
|
* IP or IPv6 frame that was already limited to 64K - 1.
|
|
*/
|
|
if (skb_shinfo(skb)->gso_type & SKB_GSO_PARTIAL)
|
|
partial = (__force __wsum)uh->len;
|
|
else
|
|
partial = (__force __wsum)htonl(skb->len);
|
|
partial = csum_sub(csum_unfold(uh->check), partial);
|
|
|
|
/* setup inner skb. */
|
|
skb->encapsulation = 0;
|
|
SKB_GSO_CB(skb)->encap_level = 0;
|
|
__skb_pull(skb, tnl_hlen);
|
|
skb_reset_mac_header(skb);
|
|
skb_set_network_header(skb, skb_inner_network_offset(skb));
|
|
skb->mac_len = skb_inner_network_offset(skb);
|
|
skb->protocol = new_protocol;
|
|
|
|
need_csum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP_TUNNEL_CSUM);
|
|
skb->encap_hdr_csum = need_csum;
|
|
|
|
remcsum = !!(skb_shinfo(skb)->gso_type & SKB_GSO_TUNNEL_REMCSUM);
|
|
skb->remcsum_offload = remcsum;
|
|
|
|
need_ipsec = skb_dst(skb) && dst_xfrm(skb_dst(skb));
|
|
/* Try to offload checksum if possible */
|
|
offload_csum = !!(need_csum &&
|
|
!need_ipsec &&
|
|
(skb->dev->features &
|
|
(is_ipv6 ? (NETIF_F_HW_CSUM | NETIF_F_IPV6_CSUM) :
|
|
(NETIF_F_HW_CSUM | NETIF_F_IP_CSUM))));
|
|
|
|
features &= skb->dev->hw_enc_features;
|
|
|
|
/* The only checksum offload we care about from here on out is the
|
|
* outer one so strip the existing checksum feature flags and
|
|
* instead set the flag based on our outer checksum offload value.
|
|
*/
|
|
if (remcsum) {
|
|
features &= ~NETIF_F_CSUM_MASK;
|
|
if (!need_csum || offload_csum)
|
|
features |= NETIF_F_HW_CSUM;
|
|
}
|
|
|
|
/* segment inner packet. */
|
|
segs = gso_inner_segment(skb, features);
|
|
if (IS_ERR_OR_NULL(segs)) {
|
|
skb_gso_error_unwind(skb, protocol, tnl_hlen, mac_offset,
|
|
mac_len);
|
|
goto out;
|
|
}
|
|
|
|
gso_partial = !!(skb_shinfo(segs)->gso_type & SKB_GSO_PARTIAL);
|
|
|
|
outer_hlen = skb_tnl_header_len(skb);
|
|
udp_offset = outer_hlen - tnl_hlen;
|
|
skb = segs;
|
|
do {
|
|
unsigned int len;
|
|
|
|
if (remcsum)
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
/* Set up inner headers if we are offloading inner checksum */
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL) {
|
|
skb_reset_inner_headers(skb);
|
|
skb->encapsulation = 1;
|
|
}
|
|
|
|
skb->mac_len = mac_len;
|
|
skb->protocol = protocol;
|
|
|
|
__skb_push(skb, outer_hlen);
|
|
skb_reset_mac_header(skb);
|
|
skb_set_network_header(skb, mac_len);
|
|
skb_set_transport_header(skb, udp_offset);
|
|
len = skb->len - udp_offset;
|
|
uh = udp_hdr(skb);
|
|
|
|
/* If we are only performing partial GSO the inner header
|
|
* will be using a length value equal to only one MSS sized
|
|
* segment instead of the entire frame.
|
|
*/
|
|
if (gso_partial && skb_is_gso(skb)) {
|
|
uh->len = htons(skb_shinfo(skb)->gso_size +
|
|
SKB_GSO_CB(skb)->data_offset +
|
|
skb->head - (unsigned char *)uh);
|
|
} else {
|
|
uh->len = htons(len);
|
|
}
|
|
|
|
if (!need_csum)
|
|
continue;
|
|
|
|
uh->check = ~csum_fold(csum_add(partial,
|
|
(__force __wsum)htonl(len)));
|
|
|
|
if (skb->encapsulation || !offload_csum) {
|
|
uh->check = gso_make_checksum(skb, ~uh->check);
|
|
if (uh->check == 0)
|
|
uh->check = CSUM_MANGLED_0;
|
|
} else {
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
skb->csum_start = skb_transport_header(skb) - skb->head;
|
|
skb->csum_offset = offsetof(struct udphdr, check);
|
|
}
|
|
} while ((skb = skb->next));
|
|
out:
|
|
return segs;
|
|
}
|
|
|
|
struct sk_buff *skb_udp_tunnel_segment(struct sk_buff *skb,
|
|
netdev_features_t features,
|
|
bool is_ipv6)
|
|
{
|
|
__be16 protocol = skb->protocol;
|
|
const struct net_offload **offloads;
|
|
const struct net_offload *ops;
|
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
|
struct sk_buff *(*gso_inner_segment)(struct sk_buff *skb,
|
|
netdev_features_t features);
|
|
|
|
rcu_read_lock();
|
|
|
|
switch (skb->inner_protocol_type) {
|
|
case ENCAP_TYPE_ETHER:
|
|
protocol = skb->inner_protocol;
|
|
gso_inner_segment = skb_mac_gso_segment;
|
|
break;
|
|
case ENCAP_TYPE_IPPROTO:
|
|
offloads = is_ipv6 ? inet6_offloads : inet_offloads;
|
|
ops = rcu_dereference(offloads[skb->inner_ipproto]);
|
|
if (!ops || !ops->callbacks.gso_segment)
|
|
goto out_unlock;
|
|
gso_inner_segment = ops->callbacks.gso_segment;
|
|
break;
|
|
default:
|
|
goto out_unlock;
|
|
}
|
|
|
|
segs = __skb_udp_tunnel_segment(skb, features, gso_inner_segment,
|
|
protocol, is_ipv6);
|
|
|
|
out_unlock:
|
|
rcu_read_unlock();
|
|
|
|
return segs;
|
|
}
|
|
EXPORT_SYMBOL(skb_udp_tunnel_segment);
|
|
|
|
struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
|
|
netdev_features_t features)
|
|
{
|
|
struct sock *sk = gso_skb->sk;
|
|
unsigned int sum_truesize = 0;
|
|
struct sk_buff *segs, *seg;
|
|
struct udphdr *uh;
|
|
unsigned int mss;
|
|
bool copy_dtor;
|
|
__sum16 check;
|
|
__be16 newlen;
|
|
|
|
mss = skb_shinfo(gso_skb)->gso_size;
|
|
if (gso_skb->len <= sizeof(*uh) + mss)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
skb_pull(gso_skb, sizeof(*uh));
|
|
|
|
/* clear destructor to avoid skb_segment assigning it to tail */
|
|
copy_dtor = gso_skb->destructor == sock_wfree;
|
|
if (copy_dtor)
|
|
gso_skb->destructor = NULL;
|
|
|
|
segs = skb_segment(gso_skb, features);
|
|
if (unlikely(IS_ERR_OR_NULL(segs))) {
|
|
if (copy_dtor)
|
|
gso_skb->destructor = sock_wfree;
|
|
return segs;
|
|
}
|
|
|
|
/* GSO partial and frag_list segmentation only requires splitting
|
|
* the frame into an MSS multiple and possibly a remainder, both
|
|
* cases return a GSO skb. So update the mss now.
|
|
*/
|
|
if (skb_is_gso(segs))
|
|
mss *= skb_shinfo(segs)->gso_segs;
|
|
|
|
seg = segs;
|
|
uh = udp_hdr(seg);
|
|
|
|
/* compute checksum adjustment based on old length versus new */
|
|
newlen = htons(sizeof(*uh) + mss);
|
|
check = csum16_add(csum16_sub(uh->check, uh->len), newlen);
|
|
|
|
for (;;) {
|
|
if (copy_dtor) {
|
|
seg->destructor = sock_wfree;
|
|
seg->sk = sk;
|
|
sum_truesize += seg->truesize;
|
|
}
|
|
|
|
if (!seg->next)
|
|
break;
|
|
|
|
uh->len = newlen;
|
|
uh->check = check;
|
|
|
|
if (seg->ip_summed == CHECKSUM_PARTIAL)
|
|
gso_reset_checksum(seg, ~check);
|
|
else
|
|
uh->check = gso_make_checksum(seg, ~check) ? :
|
|
CSUM_MANGLED_0;
|
|
|
|
seg = seg->next;
|
|
uh = udp_hdr(seg);
|
|
}
|
|
|
|
/* last packet can be partial gso_size, account for that in checksum */
|
|
newlen = htons(skb_tail_pointer(seg) - skb_transport_header(seg) +
|
|
seg->data_len);
|
|
check = csum16_add(csum16_sub(uh->check, uh->len), newlen);
|
|
|
|
uh->len = newlen;
|
|
uh->check = check;
|
|
|
|
if (seg->ip_summed == CHECKSUM_PARTIAL)
|
|
gso_reset_checksum(seg, ~check);
|
|
else
|
|
uh->check = gso_make_checksum(seg, ~check) ? : CSUM_MANGLED_0;
|
|
|
|
/* update refcount for the packet */
|
|
if (copy_dtor) {
|
|
int delta = sum_truesize - gso_skb->truesize;
|
|
|
|
/* In some pathological cases, delta can be negative.
|
|
* We need to either use refcount_add() or refcount_sub_and_test()
|
|
*/
|
|
if (likely(delta >= 0))
|
|
refcount_add(delta, &sk->sk_wmem_alloc);
|
|
else
|
|
WARN_ON_ONCE(refcount_sub_and_test(-delta, &sk->sk_wmem_alloc));
|
|
}
|
|
return segs;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__udp_gso_segment);
|
|
|
|
static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb,
|
|
netdev_features_t features)
|
|
{
|
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
|
unsigned int mss;
|
|
__wsum csum;
|
|
struct udphdr *uh;
|
|
struct iphdr *iph;
|
|
|
|
if (skb->encapsulation &&
|
|
(skb_shinfo(skb)->gso_type &
|
|
(SKB_GSO_UDP_TUNNEL|SKB_GSO_UDP_TUNNEL_CSUM))) {
|
|
segs = skb_udp_tunnel_segment(skb, features, false);
|
|
goto out;
|
|
}
|
|
|
|
if (!(skb_shinfo(skb)->gso_type & (SKB_GSO_UDP | SKB_GSO_UDP_L4)))
|
|
goto out;
|
|
|
|
if (!pskb_may_pull(skb, sizeof(struct udphdr)))
|
|
goto out;
|
|
|
|
if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4)
|
|
return __udp_gso_segment(skb, features);
|
|
|
|
mss = skb_shinfo(skb)->gso_size;
|
|
if (unlikely(skb->len <= mss))
|
|
goto out;
|
|
|
|
/* Do software UFO. Complete and fill in the UDP checksum as
|
|
* HW cannot do checksum of UDP packets sent as multiple
|
|
* IP fragments.
|
|
*/
|
|
|
|
uh = udp_hdr(skb);
|
|
iph = ip_hdr(skb);
|
|
|
|
uh->check = 0;
|
|
csum = skb_checksum(skb, 0, skb->len, 0);
|
|
uh->check = udp_v4_check(skb->len, iph->saddr, iph->daddr, csum);
|
|
if (uh->check == 0)
|
|
uh->check = CSUM_MANGLED_0;
|
|
|
|
skb->ip_summed = CHECKSUM_UNNECESSARY;
|
|
|
|
/* If there is no outer header we can fake a checksum offload
|
|
* due to the fact that we have already done the checksum in
|
|
* software prior to segmenting the frame.
|
|
*/
|
|
if (!skb->encap_hdr_csum)
|
|
features |= NETIF_F_HW_CSUM;
|
|
|
|
/* Fragment the skb. IP headers of the fragments are updated in
|
|
* inet_gso_segment()
|
|
*/
|
|
segs = skb_segment(skb, features);
|
|
out:
|
|
return segs;
|
|
}
|
|
|
|
#define UDP_GRO_CNT_MAX 64
|
|
static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
|
|
struct sk_buff *skb)
|
|
{
|
|
struct udphdr *uh = udp_hdr(skb);
|
|
struct sk_buff *pp = NULL;
|
|
struct udphdr *uh2;
|
|
struct sk_buff *p;
|
|
unsigned int ulen;
|
|
|
|
/* requires non zero csum, for symmetry with GSO */
|
|
if (!uh->check) {
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
return NULL;
|
|
}
|
|
|
|
/* Do not deal with padded or malicious packets, sorry ! */
|
|
ulen = ntohs(uh->len);
|
|
if (ulen <= sizeof(*uh) || ulen != skb_gro_len(skb)) {
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
return NULL;
|
|
}
|
|
/* pull encapsulating udp header */
|
|
skb_gro_pull(skb, sizeof(struct udphdr));
|
|
skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr));
|
|
|
|
list_for_each_entry(p, head, list) {
|
|
if (!NAPI_GRO_CB(p)->same_flow)
|
|
continue;
|
|
|
|
uh2 = udp_hdr(p);
|
|
|
|
/* Match ports only, as csum is always non zero */
|
|
if ((*(u32 *)&uh->source != *(u32 *)&uh2->source)) {
|
|
NAPI_GRO_CB(p)->same_flow = 0;
|
|
continue;
|
|
}
|
|
|
|
/* Terminate the flow on len mismatch or if it grow "too much".
|
|
* Under small packet flood GRO count could elsewhere grow a lot
|
|
* leading to excessive truesize values.
|
|
* On len mismatch merge the first packet shorter than gso_size,
|
|
* otherwise complete the GRO packet.
|
|
*/
|
|
if (ulen > ntohs(uh2->len) || skb_gro_receive(p, skb) ||
|
|
ulen != ntohs(uh2->len) ||
|
|
NAPI_GRO_CB(p)->count >= UDP_GRO_CNT_MAX)
|
|
pp = p;
|
|
|
|
return pp;
|
|
}
|
|
|
|
/* mismatch, but we never need to flush */
|
|
return NULL;
|
|
}
|
|
|
|
INDIRECT_CALLABLE_DECLARE(struct sock *udp6_lib_lookup_skb(struct sk_buff *skb,
|
|
__be16 sport, __be16 dport));
|
|
struct sk_buff *udp_gro_receive(struct list_head *head, struct sk_buff *skb,
|
|
struct udphdr *uh, udp_lookup_t lookup)
|
|
{
|
|
struct sk_buff *pp = NULL;
|
|
struct sk_buff *p;
|
|
struct udphdr *uh2;
|
|
unsigned int off = skb_gro_offset(skb);
|
|
int flush = 1;
|
|
struct sock *sk;
|
|
|
|
rcu_read_lock();
|
|
sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb,
|
|
udp4_lib_lookup_skb, skb, uh->source, uh->dest);
|
|
if (!sk)
|
|
goto out_unlock;
|
|
|
|
if (udp_sk(sk)->gro_enabled) {
|
|
pp = call_gro_receive(udp_gro_receive_segment, head, skb);
|
|
rcu_read_unlock();
|
|
return pp;
|
|
}
|
|
|
|
if (NAPI_GRO_CB(skb)->encap_mark ||
|
|
(skb->ip_summed != CHECKSUM_PARTIAL &&
|
|
NAPI_GRO_CB(skb)->csum_cnt == 0 &&
|
|
!NAPI_GRO_CB(skb)->csum_valid) ||
|
|
!udp_sk(sk)->gro_receive)
|
|
goto out_unlock;
|
|
|
|
/* mark that this skb passed once through the tunnel gro layer */
|
|
NAPI_GRO_CB(skb)->encap_mark = 1;
|
|
|
|
flush = 0;
|
|
|
|
list_for_each_entry(p, head, list) {
|
|
if (!NAPI_GRO_CB(p)->same_flow)
|
|
continue;
|
|
|
|
uh2 = (struct udphdr *)(p->data + off);
|
|
|
|
/* Match ports and either checksums are either both zero
|
|
* or nonzero.
|
|
*/
|
|
if ((*(u32 *)&uh->source != *(u32 *)&uh2->source) ||
|
|
(!uh->check ^ !uh2->check)) {
|
|
NAPI_GRO_CB(p)->same_flow = 0;
|
|
continue;
|
|
}
|
|
}
|
|
|
|
skb_gro_pull(skb, sizeof(struct udphdr)); /* pull encapsulating udp header */
|
|
skb_gro_postpull_rcsum(skb, uh, sizeof(struct udphdr));
|
|
pp = call_gro_receive_sk(udp_sk(sk)->gro_receive, sk, head, skb);
|
|
|
|
out_unlock:
|
|
rcu_read_unlock();
|
|
skb_gro_flush_final(skb, pp, flush);
|
|
return pp;
|
|
}
|
|
EXPORT_SYMBOL(udp_gro_receive);
|
|
|
|
INDIRECT_CALLABLE_SCOPE
|
|
struct sk_buff *udp4_gro_receive(struct list_head *head, struct sk_buff *skb)
|
|
{
|
|
struct udphdr *uh = udp_gro_udphdr(skb);
|
|
|
|
if (unlikely(!uh) || !static_branch_unlikely(&udp_encap_needed_key))
|
|
goto flush;
|
|
|
|
/* Don't bother verifying checksum if we're going to flush anyway. */
|
|
if (NAPI_GRO_CB(skb)->flush)
|
|
goto skip;
|
|
|
|
if (skb_gro_checksum_validate_zero_check(skb, IPPROTO_UDP, uh->check,
|
|
inet_gro_compute_pseudo))
|
|
goto flush;
|
|
else if (uh->check)
|
|
skb_gro_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
|
|
inet_gro_compute_pseudo);
|
|
skip:
|
|
NAPI_GRO_CB(skb)->is_ipv6 = 0;
|
|
return udp_gro_receive(head, skb, uh, udp4_lib_lookup_skb);
|
|
|
|
flush:
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
return NULL;
|
|
}
|
|
|
|
static int udp_gro_complete_segment(struct sk_buff *skb)
|
|
{
|
|
struct udphdr *uh = udp_hdr(skb);
|
|
|
|
skb->csum_start = (unsigned char *)uh - skb->head;
|
|
skb->csum_offset = offsetof(struct udphdr, check);
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
|
|
skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count;
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_L4;
|
|
return 0;
|
|
}
|
|
|
|
int udp_gro_complete(struct sk_buff *skb, int nhoff,
|
|
udp_lookup_t lookup)
|
|
{
|
|
__be16 newlen = htons(skb->len - nhoff);
|
|
struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
|
|
int err = -ENOSYS;
|
|
struct sock *sk;
|
|
|
|
uh->len = newlen;
|
|
|
|
rcu_read_lock();
|
|
sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb,
|
|
udp4_lib_lookup_skb, skb, uh->source, uh->dest);
|
|
if (sk && udp_sk(sk)->gro_enabled) {
|
|
err = udp_gro_complete_segment(skb);
|
|
} else if (sk && udp_sk(sk)->gro_complete) {
|
|
skb_shinfo(skb)->gso_type = uh->check ? SKB_GSO_UDP_TUNNEL_CSUM
|
|
: SKB_GSO_UDP_TUNNEL;
|
|
|
|
/* Set encapsulation before calling into inner gro_complete()
|
|
* functions to make them set up the inner offsets.
|
|
*/
|
|
skb->encapsulation = 1;
|
|
err = udp_sk(sk)->gro_complete(sk, skb,
|
|
nhoff + sizeof(struct udphdr));
|
|
}
|
|
rcu_read_unlock();
|
|
|
|
if (skb->remcsum_offload)
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TUNNEL_REMCSUM;
|
|
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL(udp_gro_complete);
|
|
|
|
INDIRECT_CALLABLE_SCOPE int udp4_gro_complete(struct sk_buff *skb, int nhoff)
|
|
{
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
|
|
|
|
if (uh->check)
|
|
uh->check = ~udp_v4_check(skb->len - nhoff, iph->saddr,
|
|
iph->daddr, 0);
|
|
|
|
return udp_gro_complete(skb, nhoff, udp4_lib_lookup_skb);
|
|
}
|
|
|
|
static const struct net_offload udpv4_offload = {
|
|
.callbacks = {
|
|
.gso_segment = udp4_ufo_fragment,
|
|
.gro_receive = udp4_gro_receive,
|
|
.gro_complete = udp4_gro_complete,
|
|
},
|
|
};
|
|
|
|
int __init udpv4_offload_init(void)
|
|
{
|
|
return inet_add_offload(&udpv4_offload, IPPROTO_UDP);
|
|
}
|