From nobody Sat May  4 10:35:01 2024
Delivered-To: wpasupplicant.patchew@gmail.com
Received: by 2002:a05:6a06:869:b0:4b8:7781:bd2f with SMTP id d41csp1242994pis;
        Thu, 5 May 2022 08:19:30 -0700 (PDT)
X-Google-Smtp-Source: 
 ABdhPJwvBBWsPxMHZfrmtQkn5Bdr2BlASqgR9BYVircbXjOlm5kNmudm+ldqZPjfho6ezcsF4epu
X-Received: by 2002:a05:6808:e8f:b0:2f7:6c1a:c1a with SMTP id
 k15-20020a0568080e8f00b002f76c1a0c1amr2644742oil.129.1651763970876;
        Thu, 05 May 2022 08:19:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1651763970; cv=none;
        d=google.com; s=arc-20160816;
        b=GmMBCyW+u33Lfuh2KM61XJinXX/lMTBPwfG5T9KwFeUjStA/SeUbkkttKpDGcbFU63
         umeMoO5x6HSWOPQfv4tUXM2RDAumAtqK5hCtxlyyxIJxlGs27quDHxeBMIQIfeLroxVP
         k9RJwOlJmN5q7zZQ8P0/HumWmJ/TKNXbQxx/8K/Ebzc7Y95TxYZXYfJ3uFN4qLFd9psD
         AvhTMjxPbKYB7v5cJy1bBH61eDVnvGcLyTiijgQpx4GZ2BRmvb0Nd1QqtFaLssew/aGb
         w89sNUpMaA416C/BOEf5TgmnMYAx3wsnFCgCk1/xmz8KPF50ISoEREtuiJ2YMXsiF5+4
         lu6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:to:from
         :dkim-signature;
        bh=NjzztI/g3DGpwECMhfn49droPq5TshiT2QY7OqVjf5E=;
        b=hh+5GEtG+YRJLn8s64mQO64Si590Do4uGWI/KfaoCY4b/FvRIMiaaq9V+PdXrKxTjU
         rAbHi9v4OQaCDDe8iJKKMnRyspP3rJYE8MlH4FZtT6ZFI7XdadWOy3LVrXjGofCnJXdw
         wFJFQYpj3l9dUIA+WnWKl068xMoHfygFYpRD9YiW10UeXE/ZOKFVx0reygeu2QEogUwg
         2UNZFm5Nsv7Rmmh/PSnS7eyVejINrkDT04jFNKlsi+wG2Zm48aVL3p4cor208tn0Kux4
         aNdhqjDf6hF0R1MFXEbTA5M/jj7u5iRYLaFd0+Z79g5Dwwuuv+CA+W2m//V97Tky1h+n
         9/UA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719
 header.b=UrRCi535;
       spf=pass (google.com: domain of
 mptcp+bounces-5138-wpasupplicant.patchew=gmail.com@lists.linux.dev designates
 2604:1380:45e3:2400::1 as permitted sender)
 smtp.mailfrom="mptcp+bounces-5138-wpasupplicant.patchew=gmail.com@lists.linux.dev";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: 
 <mptcp+bounces-5138-wpasupplicant.patchew=gmail.com@lists.linux.dev>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org.
 [2604:1380:45e3:2400::1])
        by mx.google.com with ESMTPS id
 q26-20020a05683022da00b0060414324b81si1320007otc.333.2022.05.05.08.19.30
        for <wpasupplicant.patchew@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 05 May 2022 08:19:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 mptcp+bounces-5138-wpasupplicant.patchew=gmail.com@lists.linux.dev designates
 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719
 header.b=UrRCi535;
       spf=pass (google.com: domain of
 mptcp+bounces-5138-wpasupplicant.patchew=gmail.com@lists.linux.dev designates
 2604:1380:45e3:2400::1 as permitted sender)
 smtp.mailfrom="mptcp+bounces-5138-wpasupplicant.patchew=gmail.com@lists.linux.dev";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
 [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id 0F6C5280985
	for <wpasupplicant.patchew@gmail.com>; Thu,  5 May 2022 15:19:30 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 1EDD72570;
	Thu,  5 May 2022 15:19:29 +0000 (UTC)
X-Original-To: mptcp@lists.linux.dev
Received: from us-smtp-delivery-74.mimecast.com
 (us-smtp-delivery-74.mimecast.com [170.10.133.74])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 60CDB2568
	for <mptcp@lists.linux.dev>; Thu,  5 May 2022 15:19:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1651763966;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=NjzztI/g3DGpwECMhfn49droPq5TshiT2QY7OqVjf5E=;
	b=UrRCi535VqdRuQ3DLV5Z7+6wlc1ldNxDMyYMbDsP6lSWR8plb1sCioVuS4v4wd2kMu1GS/
	favUunOftsG1Dgvyl3iPBI8lYHumiyAQORpjFHgCsZGAlbyeUpavo2RAVXyhpJMcUUJHf3
	rM7LlAuxjurUw9lsfwW+Jc9KKronthY=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-404-W3OO5NmUN0OoWdehGEHO7Q-1; Thu, 05 May 2022 11:19:25 -0400
X-MC-Unique: W3OO5NmUN0OoWdehGEHO7Q-1
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com
 [10.11.54.8])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D7789299E755
	for <mptcp@lists.linux.dev>; Thu,  5 May 2022 15:19:24 +0000 (UTC)
Received: from gerbillo.redhat.com (unknown [10.39.194.241])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 6B829C15D7D
	for <mptcp@lists.linux.dev>; Thu,  5 May 2022 15:19:24 +0000 (UTC)
From: Paolo Abeni <pabeni@redhat.com>
To: mptcp@lists.linux.dev
Subject: [PATCH net] From 4223a13095ac07a36ecaf0758734e031508529f9 Mon Sep 17
 00:00:00 2001 Message-Id:
 <4223a13095ac07a36ecaf0758734e031508529f9.1651760706.git.pabeni@redhat.com>
 From: Paolo Abeni <pabeni@redhat.com> Date: Tue,
 3 May 2022 05:52:04 +0000 Subject: [PATCH net] net/sched: act_pedit: really
 ensure the skb is writable
Date: Thu,  5 May 2022 17:18:47 +0200
Message-Id: 
 <f5b98636245e625134dcf8daed5b67389bd8439a.1651763903.git.pabeni@redhat.com>
Precedence: bulk
X-Mailing-List: mptcp@lists.linux.dev
List-Id: <mptcp.lists.linux.dev>
List-Subscribe: <mailto:mptcp+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:mptcp+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.85 on 10.11.54.8
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=pabeni@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"; x-default="true"

Currently pedit tries to ensure that the accessed skb offset
is writeble via skb_unclone(). The action potentially allows
touching any skb bytes, so it may end-up modifying shared data.

The above causes some sporadic MPTCP self-test failures.

Address the issue keeping track of a rough over-estimate highest skb
offset accessed by the action and ensure such offset is really
writable.

Note that this may cause performance regressions in some scenario,
but hopefully pedit is not critical path.

v1 -> v2:
 - cleanup hint update (Jakub)
 - avoid raices while accessing the hint (Jakub)
 - re-organize the comments for clarity

Fixes: db2c24175d14 ("act_pedit: access skb->data safely")
Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Tested-by: Geliang Tang <geliang.tang@suse.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 include/net/tc_act/tc_pedit.h |  1 +
 net/sched/act_pedit.c         | 25 +++++++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
index 748cf87a4d7e..3e02709a1df6 100644
--- a/include/net/tc_act/tc_pedit.h
+++ b/include/net/tc_act/tc_pedit.h
@@ -14,6 +14,7 @@ struct tcf_pedit {
 	struct tc_action	common;
 	unsigned char		tcfp_nkeys;
 	unsigned char		tcfp_flags;
+	u32			tcfp_off_max_hint;
 	struct tc_pedit_key	*tcfp_keys;
 	struct tcf_pedit_key_ex	*tcfp_keys_ex;
 };
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index e01ef7f109f4..0fc07532e6f6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -149,7 +149,7 @@ static int tcf_pedit_init(struct net *net, struct nlatt=
r *nla,
 	struct nlattr *pattr;
 	struct tcf_pedit *p;
 	int ret =3D 0, err;
-	int ksize;
+	int i, ksize;
 	u32 index;
=20
 	if (!nla) {
@@ -228,6 +228,18 @@ static int tcf_pedit_init(struct net *net, struct nlat=
tr *nla,
 		p->tcfp_nkeys =3D parm->nkeys;
 	}
 	memcpy(p->tcfp_keys, parm->keys, ksize);
+	p->tcfp_off_max_hint =3D 0;
+	for (i =3D 0; i < p->tcfp_nkeys; ++i) {
+		u32 cur =3D p->tcfp_keys[i].off;
+
+		/* The AT option can read a single byte, we can bound the actual
+		 * value with uchar max.
+		 */
+		cur +=3D (0xff & p->tcfp_keys[i].offmask) >> p->tcfp_keys[i].shift;
+
+		/* Each key touches 4 bytes starting from the computed offset */
+		p->tcfp_off_max_hint =3D max(p->tcfp_off_max_hint, cur + 4);
+	}
=20
 	p->tcfp_flags =3D parm->flags;
 	goto_ch =3D tcf_action_set_ctrlact(*a, parm->action, goto_ch);
@@ -308,13 +320,18 @@ static int tcf_pedit_act(struct sk_buff *skb, const s=
truct tc_action *a,
 			 struct tcf_result *res)
 {
 	struct tcf_pedit *p =3D to_pedit(a);
+	u32 max_offset;
 	int i;
=20
-	if (skb_unclone(skb, GFP_ATOMIC))
-		return p->tcf_action;
-
 	spin_lock(&p->tcf_lock);
=20
+	max_offset =3D (skb_transport_header_was_set(skb) ?
+		      skb_transport_offset(skb) :
+		      skb_network_offset(skb)) +
+		     p->tcfp_off_max_hint;
+	if (skb_ensure_writable(skb, min(skb->len, max_offset)))
+		return p->tcf_action;
+
 	tcf_lastuse_update(&p->tcf_tm);
=20
 	if (p->tcfp_nkeys > 0) {
--=20
2.35.1