Date: Wed, 17 Apr 2024 13:48:25 GMT
Message-Id: <202404171348.43HDmPDY020608@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Michael Tuexen
Subject: git: 8244b35ff88c - stable/14 - TCP LRO: disable mbuf queuing when packet filter hooks are in place
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tuexen
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 8244b35ff88c65a28bfc03d8a8d5ce56b7a023ce
Auto-Submitted: auto-generated

The branch stable/14 has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=8244b35ff88c65a28bfc03d8a8d5ce56b7a023ce

commit 8244b35ff88c65a28bfc03d8a8d5ce56b7a023ce
Author:     Michael Tuexen
AuthorDate: 2024-03-08 09:03:43 +0000
Commit:     Michael Tuexen
CommitDate: 2024-04-17 13:48:01 +0000

    TCP LRO: disable mbuf queuing when packet filter hooks are in place

    When doing mbuf queueing, the packet filter hooks in ether_demux(),
    ip_input(), and ip6_input() are by-passed. This means that the packet
    filters don't process incoming packets, which might result in
    connection failures. For example bypassing the TCP sequence number
    validation will result in dropping valid packets.

    Please note that this patch is only disabling mbuf queueing, not LRO.

    Reported by:            Herbert J. Skuhra
    Reviewed by:            glebius, rrs, rscheff
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D43769

    (cherry picked from commit d1ce01214a5540db8a7e09fdf46b7ea2d06ffc48)
---
 sys/netinet/tcp_lro_hpts.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/tcp_lro_hpts.c b/sys/netinet/tcp_lro_hpts.c index 84944c8db1ce..9c0d4be91d53 100644 --- a/sys/netinet/tcp_lro_hpts.c +++ b/sys/netinet/tcp_lro_hpts.c
@@ -47,6 +47,7 @@ #include #include #include +#include #include #include @@ -54,6 +55,7 @@ #include #include #include +#include #include #include #include @@ -424,7 +426,7 @@ tcp_lro_lookup(struct ifnet *ifp, struct lro_parser *pa) { struct inpcb *inp; - CURVNET_SET(ifp->if_vnet); + CURVNET_ASSERT_SET(); switch (pa->data.lro_type) { #ifdef INET6 case LRO_TYPE_IPV6_TCP: @@ -449,10 +451,8 @@ tcp_lro_lookup(struct ifnet *ifp, struct lro_parser *pa) break; #endif default: - CURVNET_RESTORE(); return (NULL); } - CURVNET_RESTORE(); return (intotcpcb(inp)); } @@ -488,9 +488,28 @@ _tcp_lro_flush_tcphpts(struct lro_ctrl *lc, struct lro_entry *le) IN6_IS_ADDR_UNSPECIFIED(&le->inner.data.s_addr.v6))) return (TCP_LRO_CANNOT); #endif + + CURVNET_SET(lc->ifp->if_vnet); + /* + * Ensure that there are no packet filter hooks which would normally + * being triggered in ether_demux(), ip_input(), or ip6_input(). + */ + if ( +#ifdef INET + PFIL_HOOKED_IN(V_inet_pfil_head) || +#endif +#ifdef INET6 + PFIL_HOOKED_IN(V_inet6_pfil_head) || +#endif + PFIL_HOOKED_IN(V_link_pfil_head)) { + CURVNET_RESTORE(); + return (TCP_LRO_CANNOT); + } + /* Lookup inp, if any. Returns locked TCP inpcb. */ tp = tcp_lro_lookup(lc->ifp, (le->inner.data.lro_type == LRO_TYPE_NONE) ? &le->outer : &le->inner); + CURVNET_RESTORE(); if (tp == NULL) return (TCP_LRO_CANNOT);
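
Review bot: In the tcp_lro_lookup() hunks (@@ -424 and @@ -449), replacing CURVNET_SET(ifp->if_vnet) with CURVNET_ASSERT_SET() makes the vnet context a caller-side precondition, but nothing at the function documents it. Add a short comment above tcp_lro_lookup() stating that the caller must already have the vnet set, as _tcp_lro_flush_tcphpts() now does with CURVNET_SET(lc->ifp->if_vnet), so that a future caller does not have to hit the assertion to learn the contract.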
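
Review bot: In the _tcp_lro_flush_tcphpts() hunk (@@ -488), the new comment reads "which would normally being triggered"; it should be "which would normally be triggered". The comment would also be more useful if it stated the consequence given in the commit message, that mbuf queueing bypasses these hooks, so the reason for returning TCP_LRO_CANNOT is visible in the code itself. As a style point, the #ifdef INET and #ifdef INET6 blocks inside the if ( ... ) condition are hard to scan; consider moving the three PFIL_HOOKED_IN() tests into a small static helper or a local bool so the preprocessor conditionals sit outside the if statement.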