{"id":812087,"url":"http://patchwork.ozlabs.org/api/1.2/patches/812087/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/150502962259.28817.7472180087690436639.stgit@firesoul/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/1.2/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<150502962259.28817.7472180087690436639.stgit@firesoul>","list_archive_url":null,"date":"2017-09-10T07:47:02","name":"[V3,net] xdp: implement xdp_redirect_map for generic XDP","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"e973426a1b198173a5262ac55cf044b2ba643e11","submitter":{"id":13625,"url":"http://patchwork.ozlabs.org/api/1.2/people/13625/?format=json","name":"Jesper Dangaard Brouer","email":"brouer@redhat.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/1.2/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/150502962259.28817.7472180087690436639.stgit@firesoul/mbox/","series":[{"id":2375,"url":"http://patchwork.ozlabs.org/api/1.2/series/2375/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=2375","date":"2017-09-10T07:47:02","name":"[V3,net] xdp: implement xdp_redirect_map for generic 
XDP","version":3,"mbox":"http://patchwork.ozlabs.org/series/2375/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/812087/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/812087/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","ext-mx08.extmail.prod.ext.phx2.redhat.com;\n\tdmarc=none (p=none dis=none) header.from=redhat.com","ext-mx08.extmail.prod.ext.phx2.redhat.com;\n\tspf=fail smtp.mailfrom=brouer@redhat.com"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xqjnY5wCPz9sNc\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSun, 10 Sep 2017 17:47:13 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751193AbdIJHrI (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tSun, 10 Sep 2017 03:47:08 -0400","from mx1.redhat.com ([209.132.183.28]:50302 \"EHLO mx1.redhat.com\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1751126AbdIJHrH (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tSun, 10 Sep 2017 03:47:07 -0400","from smtp.corp.redhat.com\n\t(int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby mx1.redhat.com (Postfix) with ESMTPS id 83F05C0587D7;\n\tSun, 10 Sep 2017 07:47:07 +0000 (UTC)","from firesoul.localdomain (ovpn-200-42.brq.redhat.com\n\t[10.40.200.42])\n\tby smtp.corp.redhat.com (Postfix) with ESMTP id 5420B63F8B;\n\tSun, 10 Sep 2017 07:47:04 +0000 (UTC)","from [192.168.5.1] (localhost [IPv6:::1])\n\tby firesoul.localdomain (Postfix) with ESMTP id ABA65300AEE3C;\n\tSun, 
10 Sep 2017 09:47:02 +0200 (CEST)"],"DMARC-Filter":"OpenDMARC Filter v1.3.2 mx1.redhat.com 83F05C0587D7","Subject":"[V3 PATCH net] xdp: implement xdp_redirect_map for generic XDP","From":"Jesper Dangaard Brouer <brouer@redhat.com>","To":"netdev@vger.kernel.org, \"David S. Miller\" <davem@davemloft.net>","Cc":"John Fastabend <john.fastabend@gmail.com>,\n\tAndy Gospodarek <andy@greyhouse.net>,\n\tJesper Dangaard Brouer <brouer@redhat.com>","Date":"Sun, 10 Sep 2017 09:47:02 +0200","Message-ID":"<150502962259.28817.7472180087690436639.stgit@firesoul>","In-Reply-To":"<20170908.205426.624386613610674398.davem@davemloft.net>","References":"<20170908.205426.624386613610674398.davem@davemloft.net>","User-Agent":"StGit/0.17.1-dirty","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"7bit","X-Scanned-By":"MIMEDefang 2.79 on 10.5.11.11","X-Greylist":"Sender IP whitelisted, not delayed by milter-greylist-4.5.16\n\t(mx1.redhat.com [10.5.110.32]);\n\tSun, 10 Sep 2017 07:47:07 +0000 (UTC)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"Using bpf_redirect_map is allowed for generic XDP programs, but the\nappropriate map lookup was never performed in xdp_do_generic_redirect().\n\nInstead the map-index is directly used as the ifindex.  For the\nxdp_redirect_map sample in SKB-mode '-S', this resulted in trying\nsending on ifindex 0 which isn't valid, resulting in getting SKB\npackets dropped.  Thus, the reported performance numbers are wrong in\ncommit 24251c264798 (\"samples/bpf: add option for native and skb mode\nfor redirect apps\") for the 'xdp_redirect_map -S' case.\n\nBefore commit 109980b894e9 (\"bpf: don't select potentially stale\nri->map from buggy xdp progs\") it could crash the kernel.  Like this\ncommit also check that the map_owner owner is correct before\ndereferencing the map pointer.  
But make sure that this API misusage\ncan be caught by a tracepoint. Thus, allowing userspace via\ntracepoints to detect misbehaving bpf_progs.\n\nFixes: 6103aa96ec07 (\"net: implement XDP_REDIRECT for xdp generic\")\nFixes: 24251c264798 (\"samples/bpf: add option for native and skb mode for redirect apps\")\nSigned-off-by: Jesper Dangaard Brouer <brouer@redhat.com>\n---\n include/trace/events/xdp.h |    4 ++--\n net/core/filter.c          |   38 ++++++++++++++++++++++++++------------\n 2 files changed, 28 insertions(+), 14 deletions(-)","diff":"diff --git a/include/trace/events/xdp.h b/include/trace/events/xdp.h\nindex 862575ac8da9..4e16c43fba10 100644\n--- a/include/trace/events/xdp.h\n+++ b/include/trace/events/xdp.h\n@@ -138,11 +138,11 @@ DEFINE_EVENT_PRINT(xdp_redirect_template, xdp_redirect_map_err,\n \n #define _trace_xdp_redirect_map(dev, xdp, fwd, map, idx)\t\t\\\n \t trace_xdp_redirect_map(dev, xdp, fwd ? fwd->ifindex : 0,\t\\\n-\t\t\t\t0, map, idx);\n+\t\t\t\t0, map, idx)\n \n #define _trace_xdp_redirect_map_err(dev, xdp, fwd, map, idx, err)\t\\\n \t trace_xdp_redirect_map_err(dev, xdp, fwd ? 
fwd->ifindex : 0,\t\\\n-\t\t\t\t    err, map, idx);\n+\t\t\t\t    err, map, idx)\n \n #endif /* _TRACE_XDP_H */\n \ndiff --git a/net/core/filter.c b/net/core/filter.c\nindex 3a50a9b021e2..24dd33dd9f04 100644\n--- a/net/core/filter.c\n+++ b/net/core/filter.c\n@@ -2506,21 +2506,19 @@ static int xdp_do_redirect_map(struct net_device *dev, struct xdp_buff *xdp,\n \tstruct redirect_info *ri = this_cpu_ptr(&redirect_info);\n \tconst struct bpf_prog *map_owner = ri->map_owner;\n \tstruct bpf_map *map = ri->map;\n+\tstruct net_device *fwd = NULL;\n \tu32 index = ri->ifindex;\n-\tstruct net_device *fwd;\n \tint err;\n \n \tri->ifindex = 0;\n \tri->map = NULL;\n \tri->map_owner = NULL;\n \n-\t/* This is really only caused by a deliberately crappy\n-\t * BPF program, normally we would never hit that case,\n-\t * so no need to inform someone via tracepoints either,\n-\t * just bail out.\n-\t */\n-\tif (unlikely(map_owner != xdp_prog))\n-\t\treturn -EINVAL;\n+\tif (unlikely(map_owner != xdp_prog)) {\n+\t\terr = -EFAULT;\n+\t\tmap = NULL;\n+\t\tgoto err;\n+\t}\n \n \tfwd = __dev_map_lookup_elem(map, index);\n \tif (!fwd) {\n@@ -2576,13 +2574,27 @@ int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb,\n \t\t\t    struct bpf_prog *xdp_prog)\n {\n \tstruct redirect_info *ri = this_cpu_ptr(&redirect_info);\n+\tconst struct bpf_prog *map_owner = ri->map_owner;\n+\tstruct bpf_map *map = ri->map;\n+\tstruct net_device *fwd = NULL;\n \tu32 index = ri->ifindex;\n-\tstruct net_device *fwd;\n \tunsigned int len;\n \tint err = 0;\n \n-\tfwd = dev_get_by_index_rcu(dev_net(dev), index);\n \tri->ifindex = 0;\n+\tri->map = NULL;\n+\tri->map_owner = NULL;\n+\n+\tif (map) {\n+\t\tif (unlikely(map_owner != xdp_prog)) {\n+\t\t\terr = -EFAULT;\n+\t\t\tmap = NULL;\n+\t\t\tgoto err;\n+\t\t}\n+\t\tfwd = __dev_map_lookup_elem(map, index);\n+\t} else {\n+\t\tfwd = dev_get_by_index_rcu(dev_net(dev), index);\n+\t}\n \tif (unlikely(!fwd)) {\n \t\terr = -EINVAL;\n \t\tgoto err;\n@@ 
-2600,10 +2612,12 @@ int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb,\n \t}\n \n \tskb->dev = fwd;\n-\t_trace_xdp_redirect(dev, xdp_prog, index);\n+\tmap ? _trace_xdp_redirect_map(dev, xdp_prog, fwd, map, index)\n+\t\t: _trace_xdp_redirect(dev, xdp_prog, index);\n \treturn 0;\n err:\n-\t_trace_xdp_redirect_err(dev, xdp_prog, index, err);\n+\tmap ? _trace_xdp_redirect_map_err(dev, xdp_prog, fwd, map, index, err)\n+\t\t: _trace_xdp_redirect_err(dev, xdp_prog, index, err);\n \treturn err;\n }\n EXPORT_SYMBOL_GPL(xdp_do_generic_redirect);\n","prefixes":["V3","net"]}
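Review bot: In include/trace/events/xdp.h, both wrapper macros still expand the fwd argument twice without parentheses in "fwd ? fwd->ifindex : 0". Now that the trailing semicolons are gone and the macros are used as expression operands, it would be safer to write "(fwd) ? (fwd)->ifindex : 0". The changelog also does not mention the semicolon removal, although the ternary added to xdp_do_generic_redirect() depends on it. One sentence there would help anyone backporting the fix.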
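Review bot: In the xdp_do_redirect_map() hunk of net/core/filter.c (@@ -2506), the new map_owner mismatch branch has no comment, and it changes the returned errno from -EINVAL to -EFAULT without the changelog saying so. The removed comment was the only explanation of when this case is hit. Please add a short comment saying that map is set to NULL so the err path never hands a possibly stale map pointer to the tracepoint, and note the errno change in the commit message, since callers and anyone watching the tracepoint will see a different value.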
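Review bot: In the xdp_do_generic_redirect() hunk (@@ -2576), setting "map = NULL" on an owner mismatch makes the err label take the non-map branch, so the misuse is reported through _trace_xdp_redirect_err() with index, which at that point holds the map key, logged as if it were an ifindex. The only remaining hint that this was a bpf_redirect_map misuse is err being -EFAULT. If that is intended, document it next to the check. Otherwise keep a separate flag so the map error tracepoint can still be selected without passing the untrusted map pointer. The owner check is now also duplicated from xdp_do_redirect_map() and could move into a small shared helper.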
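Review bot: In the last hunk (@@ -2600), the statements of the form "map ? _trace_xdp_redirect_map(...) : _trace_xdp_redirect(...);" use a conditional expression purely for its side effects, which is unusual in this file and only compiles if both macros expand to expressions of compatible type. A plain if/else at the success path and at the err label reads more clearly and would not have required touching the macro definitions in xdp.h.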