Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dbe64279 authored by Yan Zhai's avatar Yan Zhai Committed by Greg Kroah-Hartman
Browse files

lwt: Check LWTUNNEL_XMIT_CONTINUE strictly 



[ Upstream commit a171fbec88a2c730b108c7147ac5e7b2f5a02b47 ]

LWTUNNEL_XMIT_CONTINUE is implicitly assumed in ip(6)_finish_output2,
such that any positive return value from a xmit hook could cause
unexpected continue behavior, despite that related skb may have been
freed. This could be error-prone for future xmit hook ops. One of the
possible errors is to return statuses of dst_output directly.

To make the code safer, redefine LWTUNNEL_XMIT_CONTINUE value to
distinguish from dst_output statuses and check the continue
condition explicitly.

Fixes: 3a0af8fd ("bpf: BPF for lightweight tunnel infrastructure")
Suggested-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: default avatarYan Zhai <yan@cloudflare.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/96b939b85eda00e8df4f7c080f770970a4c5f698.1692326837.git.yan@cloudflare.com


Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 67f8f2ba

include/net/lwtunnel.h

+4 −1
Original line number Diff line number Diff line
@@ -16,9 +16,12 @@ 
#define LWTUNNEL_STATE_INPUT_REDIRECT	BIT(1)

#define LWTUNNEL_STATE_XMIT_REDIRECT	BIT(2)



/* LWTUNNEL_XMIT_CONTINUE should be distinguishable from dst_output return

 * values (NET_XMIT_xxx and NETDEV_TX_xxx in linux/netdevice.h) for safety.

 */

enum {

	LWTUNNEL_XMIT_DONE,

	LWTUNNEL_XMIT_CONTINUE,

	LWTUNNEL_XMIT_CONTINUE = 0x100,

};

net/ipv4/ip_output.c

+1 −1
Original line number Diff line number Diff line
@@ -222,7 +222,7 @@ static int ip_finish_output2(struct net *net, struct sock *sk, struct sk_buff *s 
	if (lwtunnel_xmit_redirect(dst->lwtstate)) {

		int res = lwtunnel_xmit(skb);



		if (res < 0 || res == LWTUNNEL_XMIT_DONE)

		if (res != LWTUNNEL_XMIT_CONTINUE)

			return res;

	}

net/ipv6/ip6_output.c

+1 −1
Original line number Diff line number Diff line
@@ -130,7 +130,7 @@ static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff * 
	if (lwtunnel_xmit_redirect(dst->lwtstate)) {

		int res = lwtunnel_xmit(skb);



		if (res < 0 || res == LWTUNNEL_XMIT_DONE)

		if (res != LWTUNNEL_XMIT_CONTINUE)

			return res;

	}