linux

mirror of https://github.com/hardkernel/linux.git synced 2026-06-05 02:21:52 +09:00

Go to file

Paul Chaignon de1067cc8c bpf: Scrub packet on bpf_redirect_peer

[ Upstream commit c4327229948879814229b46aa26a750718888503 ]

When bpf_redirect_peer is used to redirect packets to a device in
another network namespace, the skb isn't scrubbed. That can lead skb
information from one namespace to be "misused" in another namespace.

As one example, this is causing Cilium to drop traffic when using
bpf_redirect_peer to redirect packets that just went through IPsec
decryption to a container namespace. The following pwru trace shows (1)
the packet path from the host's XFRM layer to the container's XFRM
layer where it's dropped and (2) the number of active skb extensions at
each function.

    NETNS       MARK  IFACE  TUPLE                                FUNC
    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  xfrm_rcv_cb
                             .active_extensions = (__u8)2,
    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  xfrm4_rcv_cb
                             .active_extensions = (__u8)2,
    4026533547  d00   eth0   10.244.3.124:35473->10.244.2.158:53  gro_cells_receive
                             .active_extensions = (__u8)2,
    [...]
    4026533547  0     eth0   10.244.3.124:35473->10.244.2.158:53  skb_do_redirect
                             .active_extensions = (__u8)2,
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv
                             .active_extensions = (__u8)2,
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  ip_rcv_core
                             .active_extensions = (__u8)2,
    [...]
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  udp_queue_rcv_one_skb
                             .active_extensions = (__u8)2,
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  __xfrm_policy_check
                             .active_extensions = (__u8)2,
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  __xfrm_decode_session
                             .active_extensions = (__u8)2,
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  security_xfrm_decode_session
                             .active_extensions = (__u8)2,
    4026534999  0     eth0   10.244.3.124:35473->10.244.2.158:53  kfree_skb_reason(SKB_DROP_REASON_XFRM_POLICY)
                             .active_extensions = (__u8)2,

In this case, there are no XFRM policies in the container's network
namespace so the drop is unexpected. When we decrypt the IPsec packet,
the XFRM state used for decryption is set in the skb extensions. This
information is preserved across the netns switch. When we reach the
XFRM policy check in the container's netns, __xfrm_policy_check drops
the packet with LINUX_MIB_XFRMINNOPOLS because a (container-side) XFRM
policy can't be found that matches the (host-side) XFRM state used for
decryption.

This patch fixes this by scrubbing the packet when using
bpf_redirect_peer, as is done on typical netns switches via veth
devices except skb->mark and skb->tstamp are not zeroed.

Fixes: 9aa1206e8f ("bpf: Add redirect_peer helper")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://patch.msgid.link/1728ead5e0fe45e7a6542c36bd4e3ca07a73b7d6.1746460653.git.paul.chaignon@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

2025-05-18 08:21:21 +02:00

arch

arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2

2025-05-18 08:21:20 +02:00

block

blk-iocost: do not WARN if iocg was already offlined

2025-04-25 10:44:03 +02:00

certs

sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3

2025-04-25 10:44:04 +02:00

crypto

crypto: null - Use spin lock instead of mutex

2025-05-02 07:47:01 +02:00

Documentation

sched/isolation: Prevent boot crash when the boot CPU is nohz_full

2025-03-28 21:58:48 +01:00

drivers

can: mcp251xfd: fix TDC setting for low data bit rates

2025-05-18 08:21:21 +02:00

ksmbd: fix memory leak in parse_lease_state()

2025-05-18 08:21:21 +02:00

include

ipv4: Drop tos parameter from flowi4_update_output()

2025-05-18 08:21:21 +02:00

init

sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP

2025-05-02 07:47:04 +02:00

io_uring

io_uring/net: fix accept multishot handling

2025-04-25 10:43:58 +02:00

ipc

ipc: fix memleak if msg_init_ns failed in create_ipc_ns

2024-12-14 19:54:06 +01:00

kernel

tracing: Fix oob write in trace_seq_to_buffer()

2025-05-09 09:41:36 +02:00

lib

ubsan: Fix panic from test_ubsan_out_of_bounds

2025-05-02 07:47:08 +02:00

LICENSES

LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers

2021-12-16 14:33:10 +01:00

mm: fix apply_to_existing_page_range()

2025-04-25 10:44:04 +02:00

net

bpf: Scrub packet on bpf_redirect_peer

2025-05-18 08:21:21 +02:00

rust

scripts: generate_rust_analyzer: provide cfgs for core and alloc

2025-03-28 21:58:57 +01:00

samples

tracing: Verify event formats that have "%*p.."

2025-05-02 07:46:49 +02:00

scripts

objtool: Silence more KCOV warnings, part 2

2025-05-02 07:47:10 +02:00

security

landlock: Add the errata interface

2025-04-25 10:44:02 +02:00

sound

ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties

2025-05-09 09:41:46 +02:00

tools

selftests/mincore: Allow read-ahead pages to reach the end of the file

2025-05-02 07:47:06 +02:00

usr

usr/gen_init_cpio.c: remove unnecessary -1 values from int file

2022-10-03 14:21:44 -07:00

virt

KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

2024-06-27 13:46:21 +02:00

.clang-format

inet: ping: use hlist_nulls rcu iterator during lookup

2022-12-01 12:42:46 +01:00

.cocciconfig

…

.get_maintainer.ignore

get_maintainer: add Alan to .get_maintainer.ignore

2022-08-20 15:17:44 -07:00

.gitattributes

.gitattributes: use 'dts' diff driver for dts files

2019-12-04 19:44:11 -08:00

.gitignore

Remove *.orig pattern from .gitignore

2024-10-17 15:21:15 +02:00

.mailmap

Merge tag 'mm-hotfixes-stable-2022-12-10-1' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-12-10 17:10:52 -08:00

.rustfmt.toml

rust: add .rustfmt.toml

2022-09-28 09:02:20 +02:00

COPYING

COPYING: state that all contributions really are covered by this file

2020-02-10 13:32:20 -08:00

CREDITS

MAINTAINERS: Remove Michal Marek from Kbuild maintainers

2022-11-16 14:53:00 +09:00

Kbuild

Merge tag 'kbuild-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

2022-10-10 12:00:45 -07:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

sign-file,extract-cert: move common SSL helper functions to a header

2025-04-25 10:44:04 +02:00

Makefile

Linux 6.1.138

2025-05-09 09:41:46 +02:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.