bpf: pull before calling skb_postpull_rcsum()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Anand hit a BUG() when pulling off headers on egress to a SW tunnel.
We get to skb_checksum_help() with an invalid checksum offset
(commit d7ea0d9df2a6 ("net: remove two BUG() from skb_checksum_help()")
converted those BUGs to WARN_ONs()).
He points out oddness in how skb_postpull_rcsum() gets used.
Indeed looks like we should pull before "postpull", otherwise
the CHECKSUM_PARTIAL fixup from skb_postpull_rcsum() will not
be able to do its job:

if (skb->ip_summed == CHECKSUM_PARTIAL &&
skb_checksum_start_offset(skb) < 0)
skb->ip_summed = CHECKSUM_NONE;

Reported-by: Anand Parthasarathy <anpartha@meta.com>
Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221220004701.402165-1-kuba@kernel.org
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>

authored by

Jakub Kicinski and committed by

Martin KaFai Lau 3 years ago 54c3f1a8 cc074822

+5 -2

1 changed file

expand all

net

core

filter.c

+5 -2

net/core/filter.c

··· 3180 3180 3181 3181 static int bpf_skb_generic_pop(struct sk_buff *skb, u32 off, u32 len) 3182 3182 { 3183 + void *old_data; 3184 + 3183 3185 /* skb_ensure_writable() is not needed here, as we're 3184 3186 * already working on an uncloned skb. 3185 3187 */ 3186 3188 if (unlikely(!pskb_may_pull(skb, off + len))) 3187 3189 return -ENOMEM; 3188 3190 3189 - skb_postpull_rcsum(skb, skb->data + off, len); 3190 - memmove(skb->data + len, skb->data, off); 3191 + old_data = skb->data; 3191 3192 __skb_pull(skb, len); 3193 + skb_postpull_rcsum(skb, old_data + off, len); 3194 + memmove(skb->data, old_data, off); 3192 3195 3193 3196 return 0; 3194 3197 }