2012-11-15 08:49:18 +00:00
|
|
|
/*
|
|
|
|
|
* IPV6 GSO/GRO offload support
|
|
|
|
|
* Linux INET6 implementation
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
|
* as published by the Free Software Foundation; either version
|
|
|
|
|
* 2 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* UDPv6 GSO support
|
|
|
|
|
*/
|
|
|
|
|
#include <linux/skbuff.h>
|
2014-08-22 20:34:44 +00:00
|
|
|
#include <linux/netdevice.h>
|
2012-11-15 08:49:18 +00:00
|
|
|
#include <net/protocol.h>
|
|
|
|
|
#include <net/ipv6.h>
|
|
|
|
|
#include <net/udp.h>
|
2012-11-15 16:35:37 +00:00
|
|
|
#include <net/ip6_checksum.h>
|
2012-11-15 08:49:18 +00:00
|
|
|
#include "ip6_offload.h"
|
|
|
|
|
|
|
|
|
|
static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
|
2013-08-31 05:44:37 +00:00
|
|
|
netdev_features_t features)
|
2012-11-15 08:49:18 +00:00
|
|
|
{
|
|
|
|
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
|
|
|
|
unsigned int mss;
|
|
|
|
|
unsigned int unfrag_ip6hlen, unfrag_len;
|
|
|
|
|
struct frag_hdr *fptr;
|
2013-05-30 06:45:27 +00:00
|
|
|
u8 *packet_start, *prevhdr;
|
2012-11-15 08:49:18 +00:00
|
|
|
u8 nexthdr;
|
|
|
|
|
u8 frag_hdr_sz = sizeof(struct frag_hdr);
|
|
|
|
|
__wsum csum;
|
2013-05-30 06:45:27 +00:00
|
|
|
int tnl_hlen;
|
2012-11-15 08:49:18 +00:00
|
|
|
|
|
|
|
|
mss = skb_shinfo(skb)->gso_size;
|
|
|
|
|
if (unlikely(skb->len <= mss))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
|
|
|
|
/* Packet is from an untrusted source, reset gso_segs. */
|
|
|
|
|
|
|
|
|
|
skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
|
|
|
|
|
|
2015-02-03 21:36:15 +00:00
|
|
|
/* Set the IPv6 fragment id if not set yet */
|
|
|
|
|
if (!skb_shinfo(skb)->ip6_frag_id)
|
2015-03-25 16:07:45 +00:00
|
|
|
ipv6_proxy_select_ident(dev_net(skb->dev), skb);
|
2015-02-03 21:36:15 +00:00
|
|
|
|
2012-11-15 08:49:18 +00:00
|
|
|
segs = NULL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2014-06-05 00:20:16 +00:00
|
|
|
if (skb->encapsulation && skb_shinfo(skb)->gso_type &
|
|
|
|
|
(SKB_GSO_UDP_TUNNEL|SKB_GSO_UDP_TUNNEL_CSUM))
|
2014-09-30 03:22:29 +00:00
|
|
|
segs = skb_udp_tunnel_segment(skb, features, true);
|
2013-08-31 05:44:37 +00:00
|
|
|
else {
|
2014-09-20 21:52:29 +00:00
|
|
|
const struct ipv6hdr *ipv6h;
|
|
|
|
|
struct udphdr *uh;
|
|
|
|
|
|
|
|
|
|
if (!pskb_may_pull(skb, sizeof(struct udphdr)))
|
|
|
|
|
goto out;
|
|
|
|
|
|
2013-08-31 05:44:37 +00:00
|
|
|
/* Do software UFO. Complete and fill in the UDP checksum as HW cannot
|
|
|
|
|
* do checksum of UDP packets sent as multiple IP fragments.
|
|
|
|
|
*/
|
2014-09-20 21:52:29 +00:00
|
|
|
|
|
|
|
|
uh = udp_hdr(skb);
|
|
|
|
|
ipv6h = ipv6_hdr(skb);
|
|
|
|
|
|
|
|
|
|
uh->check = 0;
|
|
|
|
|
csum = skb_checksum(skb, 0, skb->len, 0);
|
|
|
|
|
uh->check = udp_v6_check(skb->len, &ipv6h->saddr,
|
|
|
|
|
&ipv6h->daddr, csum);
|
|
|
|
|
if (uh->check == 0)
|
|
|
|
|
uh->check = CSUM_MANGLED_0;
|
|
|
|
|
|
2013-08-31 05:44:37 +00:00
|
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
|
|
|
|
2016-02-25 00:46:21 +00:00
|
|
|
/* If there is no outer header we can fake a checksum offload
|
|
|
|
|
* due to the fact that we have already done the checksum in
|
|
|
|
|
* software prior to segmenting the frame.
|
|
|
|
|
*/
|
|
|
|
|
if (!skb->encap_hdr_csum)
|
|
|
|
|
features |= NETIF_F_HW_CSUM;
|
|
|
|
|
|
2013-08-31 05:44:37 +00:00
|
|
|
/* Check if there is enough headroom to insert fragment header. */
|
|
|
|
|
tnl_hlen = skb_tnl_header_len(skb);
|
2013-11-05 01:41:27 +00:00
|
|
|
if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
|
2013-08-31 05:44:37 +00:00
|
|
|
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Find the unfragmentable header and shift it left by frag_hdr_sz
|
|
|
|
|
* bytes to insert fragment header.
|
|
|
|
|
*/
|
|
|
|
|
unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
ipv6: Prevent overrun when parsing v6 header options
The KASAN warning repoted below was discovered with a syzkaller
program. The reproducer is basically:
int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
send(s, &one_byte_of_data, 1, MSG_MORE);
send(s, &more_than_mtu_bytes_data, 2000, 0);
The socket() call sets the nexthdr field of the v6 header to
NEXTHDR_HOP, the first send call primes the payload with a non zero
byte of data, and the second send call triggers the fragmentation path.
The fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option. Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.
This fix makes ip6_find_1stfrag return an error if it detects
running out-of-bounds.
[ 42.361487] ==================================================================
[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
[ 42.366469]
[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
[ 42.368824] Call Trace:
[ 42.369183] dump_stack+0xb3/0x10b
[ 42.369664] print_address_description+0x73/0x290
[ 42.370325] kasan_report+0x252/0x370
[ 42.370839] ? ip6_fragment+0x11c8/0x3730
[ 42.371396] check_memory_region+0x13c/0x1a0
[ 42.371978] memcpy+0x23/0x50
[ 42.372395] ip6_fragment+0x11c8/0x3730
[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110
[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0
[ 42.374263] ? ip6_forward+0x2e30/0x2e30
[ 42.374803] ip6_finish_output+0x584/0x990
[ 42.375350] ip6_output+0x1b7/0x690
[ 42.375836] ? ip6_finish_output+0x990/0x990
[ 42.376411] ? ip6_fragment+0x3730/0x3730
[ 42.376968] ip6_local_out+0x95/0x160
[ 42.377471] ip6_send_skb+0xa1/0x330
[ 42.377969] ip6_push_pending_frames+0xb3/0xe0
[ 42.378589] rawv6_sendmsg+0x2051/0x2db0
[ 42.379129] ? rawv6_bind+0x8b0/0x8b0
[ 42.379633] ? _copy_from_user+0x84/0xe0
[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290
[ 42.380878] ? ___sys_sendmsg+0x162/0x930
[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120
[ 42.382074] ? sock_has_perm+0x1f6/0x290
[ 42.382614] ? ___sys_sendmsg+0x167/0x930
[ 42.383173] ? lock_downgrade+0x660/0x660
[ 42.383727] inet_sendmsg+0x123/0x500
[ 42.384226] ? inet_sendmsg+0x123/0x500
[ 42.384748] ? inet_recvmsg+0x540/0x540
[ 42.385263] sock_sendmsg+0xca/0x110
[ 42.385758] SYSC_sendto+0x217/0x380
[ 42.386249] ? SYSC_connect+0x310/0x310
[ 42.386783] ? __might_fault+0x110/0x1d0
[ 42.387324] ? lock_downgrade+0x660/0x660
[ 42.387880] ? __fget_light+0xa1/0x1f0
[ 42.388403] ? __fdget+0x18/0x20
[ 42.388851] ? sock_common_setsockopt+0x95/0xd0
[ 42.389472] ? SyS_setsockopt+0x17f/0x260
[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe
[ 42.390650] SyS_sendto+0x40/0x50
[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.391731] RIP: 0033:0x7fbbb711e383
[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
[ 42.397257]
[ 42.397411] Allocated by task 3789:
[ 42.397702] save_stack_trace+0x16/0x20
[ 42.398005] save_stack+0x46/0xd0
[ 42.398267] kasan_kmalloc+0xad/0xe0
[ 42.398548] kasan_slab_alloc+0x12/0x20
[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380
[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0
[ 42.399654] __alloc_skb+0xf8/0x580
[ 42.400003] sock_wmalloc+0xab/0xf0
[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0
[ 42.400813] ip6_append_data+0x1a8/0x2f0
[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0
[ 42.401505] inet_sendmsg+0x123/0x500
[ 42.401860] sock_sendmsg+0xca/0x110
[ 42.402209] ___sys_sendmsg+0x7cb/0x930
[ 42.402582] __sys_sendmsg+0xd9/0x190
[ 42.402941] SyS_sendmsg+0x2d/0x50
[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.403718]
[ 42.403871] Freed by task 1794:
[ 42.404146] save_stack_trace+0x16/0x20
[ 42.404515] save_stack+0x46/0xd0
[ 42.404827] kasan_slab_free+0x72/0xc0
[ 42.405167] kfree+0xe8/0x2b0
[ 42.405462] skb_free_head+0x74/0xb0
[ 42.405806] skb_release_data+0x30e/0x3a0
[ 42.406198] skb_release_all+0x4a/0x60
[ 42.406563] consume_skb+0x113/0x2e0
[ 42.406910] skb_free_datagram+0x1a/0xe0
[ 42.407288] netlink_recvmsg+0x60d/0xe40
[ 42.407667] sock_recvmsg+0xd7/0x110
[ 42.408022] ___sys_recvmsg+0x25c/0x580
[ 42.408395] __sys_recvmsg+0xd6/0x190
[ 42.408753] SyS_recvmsg+0x2d/0x50
[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 42.409513]
[ 42.409665] The buggy address belongs to the object at ffff88000969e780
[ 42.409665] which belongs to the cache kmalloc-512 of size 512
[ 42.410846] The buggy address is located 24 bytes inside of
[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980)
[ 42.411941] The buggy address belongs to the page:
[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 42.413298] flags: 0x100000000008100(slab|head)
[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
[ 42.415074] page dumped because: kasan: bad access detected
[ 42.415604]
[ 42.415757] Memory state around the buggy address:
[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.418273] ^
[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.419882] ==================================================================
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Craig Gallek <kraig@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-05-16 18:36:23 +00:00
|
|
|
if (unfrag_ip6hlen < 0)
|
|
|
|
|
return ERR_PTR(unfrag_ip6hlen);
|
2013-08-31 05:44:37 +00:00
|
|
|
nexthdr = *prevhdr;
|
|
|
|
|
*prevhdr = NEXTHDR_FRAGMENT;
|
|
|
|
|
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
|
|
|
|
|
unfrag_ip6hlen + tnl_hlen;
|
|
|
|
|
packet_start = (u8 *) skb->head + SKB_GSO_CB(skb)->mac_offset;
|
|
|
|
|
memmove(packet_start-frag_hdr_sz, packet_start, unfrag_len);
|
|
|
|
|
|
|
|
|
|
SKB_GSO_CB(skb)->mac_offset -= frag_hdr_sz;
|
|
|
|
|
skb->mac_header -= frag_hdr_sz;
|
|
|
|
|
skb->network_header -= frag_hdr_sz;
|
|
|
|
|
|
|
|
|
|
fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
|
|
|
|
|
fptr->nexthdr = nexthdr;
|
|
|
|
|
fptr->reserved = 0;
|
2015-03-19 10:22:32 +00:00
|
|
|
if (!skb_shinfo(skb)->ip6_frag_id)
|
2015-03-25 16:07:45 +00:00
|
|
|
ipv6_proxy_select_ident(dev_net(skb->dev), skb);
|
2015-03-19 10:22:32 +00:00
|
|
|
fptr->identification = skb_shinfo(skb)->ip6_frag_id;
|
2013-08-31 05:44:37 +00:00
|
|
|
|
|
|
|
|
/* Fragment the skb. ipv6 header and the remaining fields of the
|
|
|
|
|
* fragment header are updated in ipv6_gso_segment()
|
|
|
|
|
*/
|
|
|
|
|
segs = skb_segment(skb, features);
|
2013-05-30 06:45:27 +00:00
|
|
|
}
|
2012-11-15 08:49:18 +00:00
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
return segs;
|
|
|
|
|
}
|
2014-08-22 20:34:44 +00:00
|
|
|
|
|
|
|
|
static struct sk_buff **udp6_gro_receive(struct sk_buff **head,
|
|
|
|
|
struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
struct udphdr *uh = udp_gro_udphdr(skb);
|
|
|
|
|
|
2014-08-31 22:12:43 +00:00
|
|
|
if (unlikely(!uh))
|
|
|
|
|
goto flush;
|
|
|
|
|
|
2014-08-22 20:34:44 +00:00
|
|
|
/* Don't bother verifying checksum if we're going to flush anyway. */
|
2014-09-11 02:23:18 +00:00
|
|
|
if (NAPI_GRO_CB(skb)->flush)
|
2014-08-31 22:12:43 +00:00
|
|
|
goto skip;
|
2014-08-22 20:34:44 +00:00
|
|
|
|
2014-08-31 22:12:43 +00:00
|
|
|
if (skb_gro_checksum_validate_zero_check(skb, IPPROTO_UDP, uh->check,
|
|
|
|
|
ip6_gro_compute_pseudo))
|
|
|
|
|
goto flush;
|
|
|
|
|
else if (uh->check)
|
|
|
|
|
skb_gro_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
|
|
|
|
|
ip6_gro_compute_pseudo);
|
|
|
|
|
|
|
|
|
|
skip:
|
2014-10-03 22:48:08 +00:00
|
|
|
NAPI_GRO_CB(skb)->is_ipv6 = 1;
|
2016-04-05 15:22:51 +00:00
|
|
|
return udp_gro_receive(head, skb, uh, udp6_lib_lookup_skb);
|
2014-08-31 22:12:43 +00:00
|
|
|
|
|
|
|
|
flush:
|
|
|
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
|
|
|
return NULL;
|
2014-08-22 20:34:44 +00:00
|
|
|
}
|
|
|
|
|
|
2014-09-09 15:16:17 +00:00
|
|
|
static int udp6_gro_complete(struct sk_buff *skb, int nhoff)
|
2014-08-22 20:34:44 +00:00
|
|
|
{
|
|
|
|
|
const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
|
|
|
|
|
struct udphdr *uh = (struct udphdr *)(skb->data + nhoff);
|
|
|
|
|
|
2015-02-11 00:30:29 +00:00
|
|
|
if (uh->check) {
|
|
|
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
|
2014-08-22 20:34:44 +00:00
|
|
|
uh->check = ~udp_v6_check(skb->len - nhoff, &ipv6h->saddr,
|
|
|
|
|
&ipv6h->daddr, 0);
|
2015-02-11 00:30:29 +00:00
|
|
|
} else {
|
|
|
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
|
|
|
|
|
}
|
2014-08-22 20:34:44 +00:00
|
|
|
|
2016-04-05 15:22:51 +00:00
|
|
|
return udp_gro_complete(skb, nhoff, udp6_lib_lookup_skb);
|
2014-08-22 20:34:44 +00:00
|
|
|
}
|
|
|
|
|
|
2012-11-15 08:49:18 +00:00
|
|
|
static const struct net_offload udpv6_offload = {
|
2012-11-15 08:49:23 +00:00
|
|
|
.callbacks = {
|
|
|
|
|
.gso_segment = udp6_ufo_fragment,
|
2014-08-22 20:34:44 +00:00
|
|
|
.gro_receive = udp6_gro_receive,
|
|
|
|
|
.gro_complete = udp6_gro_complete,
|
2012-11-15 08:49:23 +00:00
|
|
|
},
|
2012-11-15 08:49:18 +00:00
|
|
|
};
|
|
|
|
|
|
2016-04-05 15:22:51 +00:00
|
|
|
int udpv6_offload_init(void)
|
2012-11-15 08:49:18 +00:00
|
|
|
{
|
|
|
|
|
return inet6_add_offload(&udpv6_offload, IPPROTO_UDP);
|
|
|
|
|
}
|
2016-04-05 15:22:51 +00:00
|
|
|
|
|
|
|
|
int udpv6_offload_exit(void)
|
|
|
|
|
{
|
|
|
|
|
return inet6_del_offload(&udpv6_offload, IPPROTO_UDP);
|
|
|
|
|
}
|