In ioam6_output(), we call skb_cow_head() with LL_RESERVED_SPACE(). The
latter uses "dst", which is potentially not the good one anymore. As a
consequence, there might not be enough headroom, depending on the "new"
dev (e.g., needed_headroom > 0). Therefore, we first need to get the
"new" dst entry (from the cache or by calling ip6_route_output()), just
like seg6 and rpl both do, and only then call skb_cow_head() with
LL_RESERVED_SPACE() on the "new" dst entry.
Fixes: 8cb3bf8bff3c ("ipv6: ioam: Add support for the ip6ip6 encapsulation")
Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
---
net/ipv6/ioam6_iptunnel.c | 65 +++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 33 deletions(-)
diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
index bf7120ecea1e..b08c13550144 100644
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -295,7 +295,7 @@ static int ioam6_do_encap(struct net *net, struct sk_buff *skb,
static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- struct dst_entry *dst = skb_dst(skb);
+ struct dst_entry *dst, *orig_dst = skb_dst(skb);
struct in6_addr orig_daddr;
struct ioam6_lwt *ilwt;
int err = -EINVAL;
@@ -304,7 +304,7 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
if (skb->protocol != htons(ETH_P_IPV6))
goto drop;
- ilwt = ioam6_lwt_state(dst->lwtstate);
+ ilwt = ioam6_lwt_state(orig_dst->lwtstate);
/* Check for insertion frequency (i.e., "k over n" insertions) */
pkt_cnt = atomic_fetch_inc(&ilwt->pkt_cnt);
@@ -346,45 +346,44 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
goto drop;
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
- if (unlikely(err))
- goto drop;
+ local_bh_disable();
+ dst = dst_cache_get(&ilwt->cache);
+ local_bh_enable();
+
+ if (unlikely(!dst)) {
+ struct ipv6hdr *hdr = ipv6_hdr(skb);
+ struct flowi6 fl6;
+
+ memset(&fl6, 0, sizeof(fl6));
+ fl6.daddr = hdr->daddr;
+ fl6.saddr = hdr->saddr;
+ fl6.flowlabel = ip6_flowinfo(hdr);
+ fl6.flowi6_mark = skb->mark;
+ fl6.flowi6_proto = hdr->nexthdr;
+
+ dst = ip6_route_output(net, NULL, &fl6);
+ if (dst->error) {
+ err = dst->error;
+ dst_release(dst);
+ goto drop;
+ }
- if (!ipv6_addr_equal(&orig_daddr, &ipv6_hdr(skb)->daddr)) {
local_bh_disable();
- dst = dst_cache_get(&ilwt->cache);
+ dst_cache_set_ip6(&ilwt->cache, dst, &fl6.saddr);
local_bh_enable();
+ }
- if (unlikely(!dst)) {
- struct ipv6hdr *hdr = ipv6_hdr(skb);
- struct flowi6 fl6;
-
- memset(&fl6, 0, sizeof(fl6));
- fl6.daddr = hdr->daddr;
- fl6.saddr = hdr->saddr;
- fl6.flowlabel = ip6_flowinfo(hdr);
- fl6.flowi6_mark = skb->mark;
- fl6.flowi6_proto = hdr->nexthdr;
-
- dst = ip6_route_output(net, NULL, &fl6);
- if (dst->error) {
- err = dst->error;
- dst_release(dst);
- goto drop;
- }
-
- local_bh_disable();
- dst_cache_set_ip6(&ilwt->cache, dst, &fl6.saddr);
- local_bh_enable();
- }
+ skb_dst_drop(skb);
+ skb_dst_set(skb, dst);
- skb_dst_drop(skb);
- skb_dst_set(skb, dst);
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+ goto drop;
+ if (!ipv6_addr_equal(&orig_daddr, &ipv6_hdr(skb)->daddr))
return dst_output(net, sk, skb);
- }
out:
- return dst->lwtstate->orig_output(net, sk, skb);
+ return orig_dst->lwtstate->orig_output(net, sk, skb);
drop:
kfree_skb(skb);
return err;
--
2.34.1On Tue, 2024-07-02 at 19:44 +0200, Justin Iurman wrote:
> In ioam6_output(), we call skb_cow_head() with LL_RESERVED_SPACE(). The
> latter uses "dst", which is potentially not the good one anymore. As a
> consequence, there might not be enough headroom, depending on the "new"
> dev (e.g., needed_headroom > 0). Therefore, we first need to get the
> "new" dst entry (from the cache or by calling ip6_route_output()), just
> like seg6 and rpl both do, and only then call skb_cow_head() with
> LL_RESERVED_SPACE() on the "new" dst entry.
>
> Fixes: 8cb3bf8bff3c ("ipv6: ioam: Add support for the ip6ip6 encapsulation")
> Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
> ---
> net/ipv6/ioam6_iptunnel.c | 65 +++++++++++++++++++--------------------
> 1 file changed, 32 insertions(+), 33 deletions(-)
>
> diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
> index bf7120ecea1e..b08c13550144 100644
> --- a/net/ipv6/ioam6_iptunnel.c
> +++ b/net/ipv6/ioam6_iptunnel.c
> @@ -295,7 +295,7 @@ static int ioam6_do_encap(struct net *net, struct sk_buff *skb,
>
> static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
> {
> - struct dst_entry *dst = skb_dst(skb);
> + struct dst_entry *dst, *orig_dst = skb_dst(skb);
> struct in6_addr orig_daddr;
> struct ioam6_lwt *ilwt;
> int err = -EINVAL;
> @@ -304,7 +304,7 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
> if (skb->protocol != htons(ETH_P_IPV6))
> goto drop;
>
> - ilwt = ioam6_lwt_state(dst->lwtstate);
> + ilwt = ioam6_lwt_state(orig_dst->lwtstate);
>
> /* Check for insertion frequency (i.e., "k over n" insertions) */
> pkt_cnt = atomic_fetch_inc(&ilwt->pkt_cnt);
> @@ -346,45 +346,44 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
> goto drop;
> }
>
> - err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
> - if (unlikely(err))
> - goto drop;
> + local_bh_disable();
> + dst = dst_cache_get(&ilwt->cache);
> + local_bh_enable();
This makes the dst lookup and cache update unconditional, at best
slowing down ioam6_output(), possibly introducing unintended side
effects.
> +
> + if (unlikely(!dst)) {
> + struct ipv6hdr *hdr = ipv6_hdr(skb);
> + struct flowi6 fl6;
> +
> + memset(&fl6, 0, sizeof(fl6));
> + fl6.daddr = hdr->daddr;
> + fl6.saddr = hdr->saddr;
> + fl6.flowlabel = ip6_flowinfo(hdr);
> + fl6.flowi6_mark = skb->mark;
> + fl6.flowi6_proto = hdr->nexthdr;
> +
> + dst = ip6_route_output(net, NULL, &fl6);
> + if (dst->error) {
> + err = dst->error;
> + dst_release(dst);
> + goto drop;
> + }
>
> - if (!ipv6_addr_equal(&orig_daddr, &ipv6_hdr(skb)->daddr)) {
> local_bh_disable();
> - dst = dst_cache_get(&ilwt->cache);
> + dst_cache_set_ip6(&ilwt->cache, dst, &fl6.saddr);
> local_bh_enable();
> + }
>
> - if (unlikely(!dst)) {
> - struct ipv6hdr *hdr = ipv6_hdr(skb);
> - struct flowi6 fl6;
> -
> - memset(&fl6, 0, sizeof(fl6));
> - fl6.daddr = hdr->daddr;
> - fl6.saddr = hdr->saddr;
> - fl6.flowlabel = ip6_flowinfo(hdr);
> - fl6.flowi6_mark = skb->mark;
> - fl6.flowi6_proto = hdr->nexthdr;
> -
> - dst = ip6_route_output(net, NULL, &fl6);
> - if (dst->error) {
> - err = dst->error;
> - dst_release(dst);
> - goto drop;
> - }
> -
> - local_bh_disable();
> - dst_cache_set_ip6(&ilwt->cache, dst, &fl6.saddr);
> - local_bh_enable();
> - }
> + skb_dst_drop(skb);
> + skb_dst_set(skb, dst);
>
> - skb_dst_drop(skb);
> - skb_dst_set(skb, dst);
> + err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
> + if (unlikely(err))
> + goto drop;
This is quite a bit of code churn, but you just need to postpone the
cow operation after the dst lookup right?
I suggest to simply move the cow there, something alike (completely
untested):
---
diff --git a/net/ipv6/ioam6_iptunnel.c b/net/ipv6/ioam6_iptunnel.c
index bf7120ecea1e..636480bded0e 100644
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -346,10 +346,6 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
goto drop;
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
- if (unlikely(err))
- goto drop;
-
if (!ipv6_addr_equal(&orig_daddr, &ipv6_hdr(skb)->daddr)) {
local_bh_disable();
dst = dst_cache_get(&ilwt->cache);
@@ -381,9 +377,17 @@ static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
skb_dst_drop(skb);
skb_dst_set(skb, dst);
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+ goto drop;
+
return dst_output(net, sk, skb);
}
out:
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+ goto drop;
+
return dst->lwtstate->orig_output(net, sk, skb);
drop:
kfree_skb(skb);
---
Thanks,
Paolo
© 2016 - 2025 Red Hat, Inc.