forked from Minki/linux
121d57af30
Validate gso_type during segmentation as SKB_GSO_DODGY sources
may pass packets where the gso_type does not match the contents.
Syzkaller was able to enter the SCTP gso handler with a packet of
gso_type SKB_GSO_TCPV4.
On entry of transport layer gso handlers, verify that the gso_type
matches the transport protocol.
Fixes: 90017accff
("sctp: Add GSO support")
Link: http://lkml.kernel.org/r/<001a1137452496ffc305617e5fe0@google.com>
Reported-by: syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
347 lines
8.2 KiB
C
347 lines
8.2 KiB
C
/*
|
|
* IPV4 GSO/GRO offload support
|
|
* Linux INET implementation
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*
|
|
* TCPv4 GSO/GRO support
|
|
*/
|
|
|
|
#include <linux/skbuff.h>
|
|
#include <net/tcp.h>
|
|
#include <net/protocol.h>
|
|
|
|
static void tcp_gso_tstamp(struct sk_buff *skb, unsigned int ts_seq,
|
|
unsigned int seq, unsigned int mss)
|
|
{
|
|
while (skb) {
|
|
if (before(ts_seq, seq + mss)) {
|
|
skb_shinfo(skb)->tx_flags |= SKBTX_SW_TSTAMP;
|
|
skb_shinfo(skb)->tskey = ts_seq;
|
|
return;
|
|
}
|
|
|
|
skb = skb->next;
|
|
seq += mss;
|
|
}
|
|
}
|
|
|
|
static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb,
|
|
netdev_features_t features)
|
|
{
|
|
if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
if (unlikely(skb->ip_summed != CHECKSUM_PARTIAL)) {
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct tcphdr *th = tcp_hdr(skb);
|
|
|
|
/* Set up checksum pseudo header, usually expect stack to
|
|
* have done this already.
|
|
*/
|
|
|
|
th->check = 0;
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
__tcp_v4_send_check(skb, iph->saddr, iph->daddr);
|
|
}
|
|
|
|
return tcp_gso_segment(skb, features);
|
|
}
|
|
|
|
struct sk_buff *tcp_gso_segment(struct sk_buff *skb,
|
|
netdev_features_t features)
|
|
{
|
|
struct sk_buff *segs = ERR_PTR(-EINVAL);
|
|
unsigned int sum_truesize = 0;
|
|
struct tcphdr *th;
|
|
unsigned int thlen;
|
|
unsigned int seq;
|
|
__be32 delta;
|
|
unsigned int oldlen;
|
|
unsigned int mss;
|
|
struct sk_buff *gso_skb = skb;
|
|
__sum16 newcheck;
|
|
bool ooo_okay, copy_destructor;
|
|
|
|
th = tcp_hdr(skb);
|
|
thlen = th->doff * 4;
|
|
if (thlen < sizeof(*th))
|
|
goto out;
|
|
|
|
if (!pskb_may_pull(skb, thlen))
|
|
goto out;
|
|
|
|
oldlen = (u16)~skb->len;
|
|
__skb_pull(skb, thlen);
|
|
|
|
mss = skb_shinfo(skb)->gso_size;
|
|
if (unlikely(skb->len <= mss))
|
|
goto out;
|
|
|
|
if (skb_gso_ok(skb, features | NETIF_F_GSO_ROBUST)) {
|
|
/* Packet is from an untrusted source, reset gso_segs. */
|
|
|
|
skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
|
|
|
|
segs = NULL;
|
|
goto out;
|
|
}
|
|
|
|
copy_destructor = gso_skb->destructor == tcp_wfree;
|
|
ooo_okay = gso_skb->ooo_okay;
|
|
/* All segments but the first should have ooo_okay cleared */
|
|
skb->ooo_okay = 0;
|
|
|
|
segs = skb_segment(skb, features);
|
|
if (IS_ERR(segs))
|
|
goto out;
|
|
|
|
/* Only first segment might have ooo_okay set */
|
|
segs->ooo_okay = ooo_okay;
|
|
|
|
/* GSO partial and frag_list segmentation only requires splitting
|
|
* the frame into an MSS multiple and possibly a remainder, both
|
|
* cases return a GSO skb. So update the mss now.
|
|
*/
|
|
if (skb_is_gso(segs))
|
|
mss *= skb_shinfo(segs)->gso_segs;
|
|
|
|
delta = htonl(oldlen + (thlen + mss));
|
|
|
|
skb = segs;
|
|
th = tcp_hdr(skb);
|
|
seq = ntohl(th->seq);
|
|
|
|
if (unlikely(skb_shinfo(gso_skb)->tx_flags & SKBTX_SW_TSTAMP))
|
|
tcp_gso_tstamp(segs, skb_shinfo(gso_skb)->tskey, seq, mss);
|
|
|
|
newcheck = ~csum_fold((__force __wsum)((__force u32)th->check +
|
|
(__force u32)delta));
|
|
|
|
while (skb->next) {
|
|
th->fin = th->psh = 0;
|
|
th->check = newcheck;
|
|
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL)
|
|
gso_reset_checksum(skb, ~th->check);
|
|
else
|
|
th->check = gso_make_checksum(skb, ~th->check);
|
|
|
|
seq += mss;
|
|
if (copy_destructor) {
|
|
skb->destructor = gso_skb->destructor;
|
|
skb->sk = gso_skb->sk;
|
|
sum_truesize += skb->truesize;
|
|
}
|
|
skb = skb->next;
|
|
th = tcp_hdr(skb);
|
|
|
|
th->seq = htonl(seq);
|
|
th->cwr = 0;
|
|
}
|
|
|
|
/* Following permits TCP Small Queues to work well with GSO :
|
|
* The callback to TCP stack will be called at the time last frag
|
|
* is freed at TX completion, and not right now when gso_skb
|
|
* is freed by GSO engine
|
|
*/
|
|
if (copy_destructor) {
|
|
int delta;
|
|
|
|
swap(gso_skb->sk, skb->sk);
|
|
swap(gso_skb->destructor, skb->destructor);
|
|
sum_truesize += skb->truesize;
|
|
delta = sum_truesize - gso_skb->truesize;
|
|
/* In some pathological cases, delta can be negative.
|
|
* We need to either use refcount_add() or refcount_sub_and_test()
|
|
*/
|
|
if (likely(delta >= 0))
|
|
refcount_add(delta, &skb->sk->sk_wmem_alloc);
|
|
else
|
|
WARN_ON_ONCE(refcount_sub_and_test(-delta, &skb->sk->sk_wmem_alloc));
|
|
}
|
|
|
|
delta = htonl(oldlen + (skb_tail_pointer(skb) -
|
|
skb_transport_header(skb)) +
|
|
skb->data_len);
|
|
th->check = ~csum_fold((__force __wsum)((__force u32)th->check +
|
|
(__force u32)delta));
|
|
if (skb->ip_summed == CHECKSUM_PARTIAL)
|
|
gso_reset_checksum(skb, ~th->check);
|
|
else
|
|
th->check = gso_make_checksum(skb, ~th->check);
|
|
out:
|
|
return segs;
|
|
}
|
|
|
|
struct sk_buff **tcp_gro_receive(struct sk_buff **head, struct sk_buff *skb)
|
|
{
|
|
struct sk_buff **pp = NULL;
|
|
struct sk_buff *p;
|
|
struct tcphdr *th;
|
|
struct tcphdr *th2;
|
|
unsigned int len;
|
|
unsigned int thlen;
|
|
__be32 flags;
|
|
unsigned int mss = 1;
|
|
unsigned int hlen;
|
|
unsigned int off;
|
|
int flush = 1;
|
|
int i;
|
|
|
|
off = skb_gro_offset(skb);
|
|
hlen = off + sizeof(*th);
|
|
th = skb_gro_header_fast(skb, off);
|
|
if (skb_gro_header_hard(skb, hlen)) {
|
|
th = skb_gro_header_slow(skb, hlen, off);
|
|
if (unlikely(!th))
|
|
goto out;
|
|
}
|
|
|
|
thlen = th->doff * 4;
|
|
if (thlen < sizeof(*th))
|
|
goto out;
|
|
|
|
hlen = off + thlen;
|
|
if (skb_gro_header_hard(skb, hlen)) {
|
|
th = skb_gro_header_slow(skb, hlen, off);
|
|
if (unlikely(!th))
|
|
goto out;
|
|
}
|
|
|
|
skb_gro_pull(skb, thlen);
|
|
|
|
len = skb_gro_len(skb);
|
|
flags = tcp_flag_word(th);
|
|
|
|
for (; (p = *head); head = &p->next) {
|
|
if (!NAPI_GRO_CB(p)->same_flow)
|
|
continue;
|
|
|
|
th2 = tcp_hdr(p);
|
|
|
|
if (*(u32 *)&th->source ^ *(u32 *)&th2->source) {
|
|
NAPI_GRO_CB(p)->same_flow = 0;
|
|
continue;
|
|
}
|
|
|
|
goto found;
|
|
}
|
|
|
|
goto out_check_final;
|
|
|
|
found:
|
|
/* Include the IP ID check below from the inner most IP hdr */
|
|
flush = NAPI_GRO_CB(p)->flush;
|
|
flush |= (__force int)(flags & TCP_FLAG_CWR);
|
|
flush |= (__force int)((flags ^ tcp_flag_word(th2)) &
|
|
~(TCP_FLAG_CWR | TCP_FLAG_FIN | TCP_FLAG_PSH));
|
|
flush |= (__force int)(th->ack_seq ^ th2->ack_seq);
|
|
for (i = sizeof(*th); i < thlen; i += 4)
|
|
flush |= *(u32 *)((u8 *)th + i) ^
|
|
*(u32 *)((u8 *)th2 + i);
|
|
|
|
/* When we receive our second frame we can made a decision on if we
|
|
* continue this flow as an atomic flow with a fixed ID or if we use
|
|
* an incrementing ID.
|
|
*/
|
|
if (NAPI_GRO_CB(p)->flush_id != 1 ||
|
|
NAPI_GRO_CB(p)->count != 1 ||
|
|
!NAPI_GRO_CB(p)->is_atomic)
|
|
flush |= NAPI_GRO_CB(p)->flush_id;
|
|
else
|
|
NAPI_GRO_CB(p)->is_atomic = false;
|
|
|
|
mss = skb_shinfo(p)->gso_size;
|
|
|
|
flush |= (len - 1) >= mss;
|
|
flush |= (ntohl(th2->seq) + skb_gro_len(p)) ^ ntohl(th->seq);
|
|
|
|
if (flush || skb_gro_receive(head, skb)) {
|
|
mss = 1;
|
|
goto out_check_final;
|
|
}
|
|
|
|
p = *head;
|
|
th2 = tcp_hdr(p);
|
|
tcp_flag_word(th2) |= flags & (TCP_FLAG_FIN | TCP_FLAG_PSH);
|
|
|
|
out_check_final:
|
|
flush = len < mss;
|
|
flush |= (__force int)(flags & (TCP_FLAG_URG | TCP_FLAG_PSH |
|
|
TCP_FLAG_RST | TCP_FLAG_SYN |
|
|
TCP_FLAG_FIN));
|
|
|
|
if (p && (!NAPI_GRO_CB(skb)->same_flow || flush))
|
|
pp = head;
|
|
|
|
out:
|
|
NAPI_GRO_CB(skb)->flush |= (flush != 0);
|
|
|
|
return pp;
|
|
}
|
|
|
|
int tcp_gro_complete(struct sk_buff *skb)
|
|
{
|
|
struct tcphdr *th = tcp_hdr(skb);
|
|
|
|
skb->csum_start = (unsigned char *)th - skb->head;
|
|
skb->csum_offset = offsetof(struct tcphdr, check);
|
|
skb->ip_summed = CHECKSUM_PARTIAL;
|
|
|
|
skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count;
|
|
|
|
if (th->cwr)
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_ECN;
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(tcp_gro_complete);
|
|
|
|
static struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
|
|
{
|
|
/* Don't bother verifying checksum if we're going to flush anyway. */
|
|
if (!NAPI_GRO_CB(skb)->flush &&
|
|
skb_gro_checksum_validate(skb, IPPROTO_TCP,
|
|
inet_gro_compute_pseudo)) {
|
|
NAPI_GRO_CB(skb)->flush = 1;
|
|
return NULL;
|
|
}
|
|
|
|
return tcp_gro_receive(head, skb);
|
|
}
|
|
|
|
static int tcp4_gro_complete(struct sk_buff *skb, int thoff)
|
|
{
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct tcphdr *th = tcp_hdr(skb);
|
|
|
|
th->check = ~tcp_v4_check(skb->len - thoff, iph->saddr,
|
|
iph->daddr, 0);
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4;
|
|
|
|
if (NAPI_GRO_CB(skb)->is_atomic)
|
|
skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_FIXEDID;
|
|
|
|
return tcp_gro_complete(skb);
|
|
}
|
|
|
|
static const struct net_offload tcpv4_offload = {
|
|
.callbacks = {
|
|
.gso_segment = tcp4_gso_segment,
|
|
.gro_receive = tcp4_gro_receive,
|
|
.gro_complete = tcp4_gro_complete,
|
|
},
|
|
};
|
|
|
|
int __init tcpv4_offload_init(void)
|
|
{
|
|
return inet_add_offload(&tcpv4_offload, IPPROTO_TCP);
|
|
}
|