Date: Fri, 8 Mar 2024 09:11:11 GMT
Message-Id: <202403080911.4289BBI4056294@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Michael Tuexen
Subject: git: d1ce01214a55 - main - TCP LRO: disable mbuf queuing when packet filter hooks are in place

The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=d1ce01214a5540db8a7e09fdf46b7ea2d06ffc48

commit d1ce01214a5540db8a7e09fdf46b7ea2d06ffc48
Author:     Michael Tuexen
AuthorDate: 2024-03-08 09:03:43 +0000
Commit:     Michael Tuexen
CommitDate: 2024-03-08 09:03:43 +0000

    TCP LRO: disable mbuf queuing when packet filter hooks are in place

    When doing mbuf queueing, the packet filter hooks in ether_demux(),
    ip_input(), and ip6_input() are by-passed. This means that the packet
    filters don't process incoming packets, which might result in
    connection failures. For example bypassing the TCP sequence number
    validation will result in dropping valid packets.
    Please note that this patch is only disabling mbuf queueing, not LRO.

    Reported by:            Herbert J. Skuhra
    Reviewed by:            glebius, rrs, rscheff
    MFC after:              1 week
    Sponsored by:           Netflix, Inc.
    Differential Revision:  https://reviews.freebsd.org/D43769

--- sys/netinet/tcp_lro_hpts.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/sys/netinet/tcp_lro_hpts.c b/sys/netinet/tcp_lro_hpts.c index 84944c8db1ce..9c0d4be91d53 100644 --- a/sys/netinet/tcp_lro_hpts.c +++ b/sys/netinet/tcp_lro_hpts.c @@ -47,6 +47,7 @@ #include #include #include +#include #include #include 
@@ -54,6 +55,7 @@ #include #include #include +#include #include #include #include @@ -424,7 +426,7 @@ tcp_lro_lookup(struct ifnet *ifp, struct lro_parser *pa) { struct inpcb *inp; - CURVNET_SET(ifp->if_vnet); + CURVNET_ASSERT_SET(); switch (pa->data.lro_type) { #ifdef INET6 case LRO_TYPE_IPV6_TCP: @@ -449,10 +451,8 @@ tcp_lro_lookup(struct ifnet *ifp, struct lro_parser *pa) break; #endif default: - CURVNET_RESTORE(); return (NULL); } - CURVNET_RESTORE(); return (intotcpcb(inp)); } @@ -488,9 +488,28 @@ _tcp_lro_flush_tcphpts(struct lro_ctrl *lc, struct lro_entry *le) IN6_IS_ADDR_UNSPECIFIED(&le->inner.data.s_addr.v6))) return (TCP_LRO_CANNOT); #endif + + CURVNET_SET(lc->ifp->if_vnet); + /* + * Ensure that there are no packet filter hooks which would normally + * being triggered in ether_demux(), ip_input(), or ip6_input(). + */ + if ( +#ifdef INET + PFIL_HOOKED_IN(V_inet_pfil_head) || +#endif +#ifdef INET6 + PFIL_HOOKED_IN(V_inet6_pfil_head) || +#endif + PFIL_HOOKED_IN(V_link_pfil_head)) { + CURVNET_RESTORE(); + return (TCP_LRO_CANNOT); + } + /* Lookup inp, if any. Returns locked TCP inpcb. */ tp = tcp_lro_lookup(lc->ifp, (le->inner.data.lro_type == LRO_TYPE_NONE) ? &le->outer : &le->inner); + CURVNET_RESTORE(); if (tp == NULL) return (TCP_LRO_CANNOT);
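
Review bot: in the tcp_lro_lookup() hunks (@@ -424 and @@ -449), swapping CURVNET_SET(ifp->if_vnet) for CURVNET_ASSERT_SET() and dropping both CURVNET_RESTORE() calls makes the vnet context a precondition of the function, but nothing at the function says so. A one-line comment above tcp_lro_lookup() stating that the caller must already have set the vnet of ifp, as _tcp_lro_flush_tcphpts() now does with CURVNET_SET(lc->ifp->if_vnet), would keep a future caller from relying on the old self-contained behaviour.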
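
Review bot: the new guard in _tcp_lro_flush_tcphpts() (@@ -488) tests V_inet_pfil_head, V_inet6_pfil_head and V_link_pfil_head together without looking at the address family of the entry being flushed, so an inbound hook registered only for IPv6 also turns off mbuf queuing for IPv4 flows, and the reverse. If that conservative behaviour is intended, the comment should say so; otherwise the check could be narrowed to the link head plus the head matching the entry's lro_type. The comment also has a grammar slip: "which would normally being triggered" should read "which would normally be triggered". The placement of CURVNET_RESTORE() on the early return and after the lookup looks balanced with the single CURVNET_SET().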