Commit 5c857225 authored by Jesper Dangaard Brouer's avatar Jesper Dangaard Brouer Committed by Alexei Starovoitov
Browse files

veth: Adjust hard_start offset on redirect XDP frames 



When native XDP redirect into a veth device, the frame arrives in the
xdp_frame structure. It is then processed in veth_xdp_rcv_one(),
which can run a new XDP bpf_prog on the packet. Doing so requires
converting xdp_frame to xdp_buff, but the tricky part is that
xdp_frame memory area is located in the top (data_hard_start) memory
area that xdp_buff will point into.

The current code tried to protect the xdp_frame area, by assigning
xdp_buff.data_hard_start past this memory. This results in 32 bytes
less headroom to expand into via BPF-helper bpf_xdp_adjust_head().

This protect step is actually not needed, because BPF-helper
bpf_xdp_adjust_head() already reserve this area, and don't allow
BPF-prog to expand into it. Thus, it is safe to point data_hard_start
directly at xdp_frame memory area.

Fixes: 9fc8d518 ("veth: Handle xdp_frames in xdp napi ring")
Reported-by: default avatarMao Wenan <maowenan@huawei.com>
Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Acked-by: default avatarToshiaki Makita <toshiaki.makita1@gmail.com>
Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/bpf/158945338331.97035.5923525383710752178.stgit@firesoul
parent db612f74

drivers/net/veth.c

+4 −4
Original line number Diff line number Diff line
@@ -564,13 +564,15 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, 
					struct veth_stats *stats)

{

	void *hard_start = frame->data - frame->headroom;

	void *head = hard_start - sizeof(struct xdp_frame);

	int len = frame->len, delta = 0;

	struct xdp_frame orig_frame;

	struct bpf_prog *xdp_prog;

	unsigned int headroom;

	struct sk_buff *skb;



	/* bpf_xdp_adjust_head() assures BPF cannot access xdp_frame area */

	hard_start -= sizeof(struct xdp_frame);



	rcu_read_lock();

	xdp_prog = rcu_dereference(rq->xdp_prog);

	if (likely(xdp_prog)) {
@@ -592,7 +594,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, 
			break;

		case XDP_TX:

			orig_frame = *frame;

			xdp.data_hard_start = head;

			xdp.rxq->mem = frame->mem;

			if (unlikely(veth_xdp_tx(rq, &xdp, bq) < 0)) {

				trace_xdp_exception(rq->dev, xdp_prog, act);
@@ -605,7 +606,6 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, 
			goto xdp_xmit;

		case XDP_REDIRECT:

			orig_frame = *frame;

			xdp.data_hard_start = head;

			xdp.rxq->mem = frame->mem;

			if (xdp_do_redirect(rq->dev, &xdp, xdp_prog)) {

				frame = &orig_frame;
@@ -629,7 +629,7 @@ static struct sk_buff *veth_xdp_rcv_one(struct veth_rq *rq, 
	rcu_read_unlock();



	headroom = sizeof(struct xdp_frame) + frame->headroom - delta;

	skb = veth_build_skb(head, headroom, len, 0);

	skb = veth_build_skb(hard_start, headroom, len, 0);

	if (!skb) {

		xdp_return_frame(frame);

		stats->rx_drops++;

CRA Git | Maintained and supported by SUSTech CRA and CCSE