bpf: Always return target ifindex in bpf_fib_lookup

stable inclusion from stable-v4.19.273 commit 96d9b11d688ced4c9e16312b1b95570e86b73260 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6KOHU CVE: NA -------------------------------- commit d1c362e1 upstream. The bpf_fib_lookup() helper performs a neighbour lookup for the destination IP and returns BPF_FIB_LKUP_NO_NEIGH if this fails, with the expectation that the BPF program will pass the packet up the stack in this case. However, with the addition of bpf_redirect_neigh() that can be used instead to perform the neighbour lookup, at the cost of a bit of duplicated work. For that we still need the target ifindex, and since bpf_fib_lookup() already has that at the time it performs the neighbour lookup, there is really no reason why it can't just return it in any case. So let's just always return the ifindex if the FIB lookup itself succeeds. Signed-off-by: N Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: N Daniel Borkmann <daniel@iogearbox.net> Cc: David Ahern <dsahern@gmail.com> Link: https://lore.kernel.org/bpf/20201009184234.134214-1-toke@redhat.comSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

bpf: Always return target ifindex in bpf_fib_lookup
stable inclusion from stable-v4.19.273 commit 96d9b11d688ced4c9e16312b1b95570e86b73260 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6KOHU CVE: NA -------------------------------- commit d1c362e1 upstream. The bpf_fib_lookup() helper performs a neighbour lookup for the destination IP and returns BPF_FIB_LKUP_NO_NEIGH if this fails, with the expectation that the BPF program will pass the packet up the stack in this case. However, with the addition of bpf_redirect_neigh() that can be used instead to perform the neighbour lookup, at the cost of a bit of duplicated work. For that we still need the target ifindex, and since bpf_fib_lookup() already has that at the time it performs the neighbour lookup, there is really no reason why it can't just return it in any case. So let's just always return the ifindex if the FIB lookup itself succeeds. Signed-off-by: N Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: N Daniel Borkmann <daniel@iogearbox.net> Cc: David Ahern <dsahern@gmail.com> Link: https://lore.kernel.org/bpf/20201009184234.134214-1-toke@redhat.comSigned-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
30d362dc · Toke Høiland-Jørgensen · Yongqiang Liu · 5e65706c · 30d362dc
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/core/filter.c net/core/filter.c +2 -1

未找到文件。
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4240,7 +4240,6 @@ static int bpf_fib_set_fwd_params(struct bpf_fib_lookup *params,
 	memcpy(params->smac, dev->dev_addr, ETH_ALEN);
 	params->h_vlan_TCI = 0;
 	params->h_vlan_proto = 0;
-	params->ifindex = dev->ifindex;

 	return 0;
 }
@@ -4338,6 +4337,7 @@ static int bpf_ipv4_fib_lookup(struct net *net, struct bpf_fib_lookup *params,
 		params->ipv4_dst = nh->nh_gw;

 	params->rt_metric = res.fi->fib_priority;
+	params->ifindex = dev->ifindex;

 	/* xdp and cls_bpf programs are run in RCU-bh so
 	 * rcu_read_lock_bh is not needed here
@@ -4452,6 +4452,7 @@ static int bpf_ipv6_fib_lookup(struct net *net, struct bpf_fib_lookup *params,

 	dev = f6i->fib6_nh.nh_dev;
 	params->rt_metric = f6i->fib6_metric;
+	params->ifindex = dev->ifindex;

 	/* xdp and cls_bpf programs are run in RCU-bh so rcu_read_lock_bh is
 	 * not needed here. Can not use __ipv6_neigh_lookup_noref here