git.baikalelectronics.ru Git - kernel.git/commit

author	Paolo Abeni <pabeni@redhat.com>
	Tue, 10 May 2022 14:57:34 +0000 (16:57 +0200)
committer	Jakub Kicinski <kuba@kernel.org>
	Wed, 11 May 2022 22:06:42 +0000 (15:06 -0700)
commit	5099933915e2d7c7ea92d2cd80042438b5b1438b
tree	cf45a0626337a12ad074bde229bce94890aee34d	tree \| snapshot
parent	1773047a6daf78663602515053d1dec1570fd3a5	commit \| diff

net/sched: act_pedit: really ensure the skb is writable

Currently pedit tries to ensure that the accessed skb offset
is writable via skb_unclone(). The action potentially allows
touching any skb bytes, so it may end-up modifying shared data.

The above causes some sporadic MPTCP self-test failures, due to
this code:

tc -n $ns2 filter add dev ns2eth$i egress \
protocol ip prio 1000 \
handle 42 fw \
action pedit munge offset 148 u8 invert \
pipe csum tcp \
index 100

The above modifies a data byte outside the skb head and the skb is
a cloned one, carrying a TCP output packet.

This change addresses the issue by keeping track of a rough
over-estimate highest skb offset accessed by the action and ensuring
such offset is really writable.

Note that this may cause performance regressions in some scenarios,
but hopefully pedit is not in the critical path.

Fixes: e89869832520 ("act_pedit: access skb->data safely")
Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Tested-by: Geliang Tang <geliang.tang@suse.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/1fcf78e6679d0a287dd61bb0f04730ce33b3255d.1652194627.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

include/net/tc_act/tc_pedit.h		diff \| blob \| history
net/sched/act_pedit.c		diff \| blob \| history