From: Mao Wenan <maowenan@huawei.com>
To: <netdev@vger.kernel.org>, <gregkh@linux-foundation.org>,
<eric.dumazet@gmail.com>, <davem@davemloft.net>,
<stable@vger.kernel.org>, <edumazet@google.com>
Subject: [PATCH stable 4.4 07/11] ip: add helpers to process in-order fragments faster.
Date: Wed, 23 Jan 2019 10:19:42 +0800
Message-ID: <1548209986-83527-8-git-send-email-maowenan@huawei.com>
In-Reply-To: <1548209986-83527-1-git-send-email-maowenan@huawei.com>

From: Peter Oskolkov <posk@google.com>

[ Upstream commit 353c9cb360874e737fb000545f783df756c06f9a ]

This patch introduces several helper functions/macros that will be
used in the follow-up patch. No runtime changes yet.

The new logic (fully implemented in the second patch) is as follows:

* Nodes in the rb-tree will now contain not single fragments, but lists
  of consecutive fragments ("runs").

* At each point in time, the current "active" run at the tail is
  maintained/tracked. Fragments that arrive in-order, adjacent
  to the previous tail fragment, are added to this tail run without
  triggering the re-balancing of the rb-tree.

* If a fragment arrives out of order with the offset _before_ the tail run,
  it is inserted into the rb-tree as a single fragment.

* If a fragment arrives after the current tail fragment (with a gap),
  it starts a new "tail" run, and is inserted into the rb-tree
  at the end as the head of the new run.

skb->cb is used to store additional information
needed here (suggested by Eric Dumazet).

Reported-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Peter Oskolkov <posk@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
---
include/net/inet_frag.h | 4 +++
net/ipv4/ip_fragment.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/include/net/inet_frag.h b/include/net/inet_frag.h
index 861d24c..e7d9577 100644
--- a/include/net/inet_frag.h
+++ b/include/net/inet_frag.h
@@ -48,6 +48,7 @@ struct inet_frag_queue {
struct sk_buff *fragments; /* Used in IPv6. */
struct rb_root rb_fragments; /* Used in IPv4. */
struct sk_buff *fragments_tail;
+ struct sk_buff *last_run_head;
ktime_t stamp;
int len;
int meat;
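Review bot: the new last_run_head member of struct inet_frag_queue has no comment, while the neighbouring fragments and rb_fragments members each say which protocol uses them. Add one stating that it is IPv4-only and points at the head of the run that ends at fragments_tail, and that it has to be cleared together with fragments_tail whenever rb_fragments is emptied, since it is a second raw pointer into skbs that the tree owns.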
@@ -118,6 +119,9 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
void inet_frag_maybe_warn_overflow(struct inet_frag_queue *q,
const char *prefix);
+/* Free all skbs in the queue; return the sum of their truesizes. */
+unsigned int inet_frag_rbtree_purge(struct rb_root *root);
+
static inline void inet_frag_put(struct inet_frag_queue *q, struct inet_frags *f)
{
if (atomic_dec_and_test(&q->refcnt))
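Review bot: the inet_frag_rbtree_purge() prototype sits in the generic inet_frag.h, but the definition later in this patch lives in net/ipv4/ip_fragment.c and walks FRAG_CB(skb)->next_frag, which is the IPv4-private ipfrag_skb_cb layout. The comment should say that the tree may only contain skbs whose cb was set up as ipfrag_skb_cb, or the function should carry an ip4_ name, so that a caller using a different cb layout does not end up following an unrelated cb field as a pointer and freeing it.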
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index e820eb9..73ec3a9 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -58,13 +58,57 @@
static int sysctl_ipfrag_max_dist __read_mostly = 64;
static const char ip_frag_cache_name[] = "ip4-frags";
-struct ipfrag_skb_cb
-{
+/* Use skb->cb to track consecutive/adjacent fragments coming at
+ * the end of the queue. Nodes in the rb-tree queue will
+ * contain "runs" of one or more adjacent fragments.
+ *
+ * Invariants:
+ * - next_frag is NULL at the tail of a "run";
+ * - the head of a "run" has the sum of all fragment lengths in frag_run_len.
+ */
+struct ipfrag_skb_cb {
struct inet_skb_parm h;
- int offset;
+ int offset;
+ struct sk_buff *next_frag;
+ int frag_run_len;
};
-#define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb))
+#define FRAG_CB(skb) ((struct ipfrag_skb_cb *)((skb)->cb))
+
+static void ip4_frag_init_run(struct sk_buff *skb)
+{
+ BUILD_BUG_ON(sizeof(struct ipfrag_skb_cb) > sizeof(skb->cb));
+
+ FRAG_CB(skb)->next_frag = NULL;
+ FRAG_CB(skb)->frag_run_len = skb->len;
+}
+
+/* Append skb to the last "run". */
+static void ip4_frag_append_to_last_run(struct inet_frag_queue *q,
+ struct sk_buff *skb)
+{
+ RB_CLEAR_NODE(&skb->rbnode);
+ FRAG_CB(skb)->next_frag = NULL;
+
+ FRAG_CB(q->last_run_head)->frag_run_len += skb->len;
+ FRAG_CB(q->fragments_tail)->next_frag = skb;
+ q->fragments_tail = skb;
+}
+
+/* Create a new "run" with the skb. */
+static void ip4_frag_create_run(struct inet_frag_queue *q, struct sk_buff *skb)
+{
+ if (q->last_run_head)
+ rb_link_node(&skb->rbnode, &q->last_run_head->rbnode,
+ &q->last_run_head->rbnode.rb_right);
+ else
+ rb_link_node(&skb->rbnode, NULL, &q->rb_fragments.rb_node);
+ rb_insert_color(&skb->rbnode, &q->rb_fragments);
+
+ ip4_frag_init_run(skb);
+ q->fragments_tail = skb;
+ q->last_run_head = skb;
+}
/* Describe an entry in the "incomplete datagrams" queue. */
struct ipq {
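Review bot: ip4_frag_append_to_last_run() dereferences q->last_run_head and q->fragments_tail without a NULL check, and ip4_frag_create_run() links the skb at q->last_run_head->rbnode.rb_right without checking that the slot is empty or that the skb's offset lies beyond the current tail run. These helpers have no caller in this patch, so state the preconditions in their comments (queue non-empty for append; skb strictly after the tail run and last_run_head being the rightmost node for create) so that the follow-up patch can be checked against them. frag_run_len is also a signed int accumulated from skb->len; a line on what bounds that sum would help.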
@@ -721,6 +765,28 @@ struct sk_buff *ip_check_defrag(struct net *net, struct sk_buff *skb, u32 user)
}
EXPORT_SYMBOL(ip_check_defrag);
+unsigned int inet_frag_rbtree_purge(struct rb_root *root)
+{
+ struct rb_node *p = rb_first(root);
+ unsigned int sum = 0;
+
+ while (p) {
+ struct sk_buff *skb = rb_entry(p, struct sk_buff, rbnode);
+
+ p = rb_next(p);
+ rb_erase(&skb->rbnode, root);
+ while (skb) {
+ struct sk_buff *next = FRAG_CB(skb)->next_frag;
+
+ sum += skb->truesize;
+ kfree_skb(skb);
+ skb = next;
+ }
+ }
+ return sum;
+}
+EXPORT_SYMBOL(inet_frag_rbtree_purge);
+
#ifdef CONFIG_SYSCTL
static int zero;
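Review bot: inet_frag_rbtree_purge() frees every skb reachable from the tree but receives only the rb_root, so it cannot reset q->fragments_tail or q->last_run_head; after it returns both would point at freed skbs, and ip4_frag_create_run() and ip4_frag_append_to_last_run() dereference them. Document that the caller must clear both pointers, or pass the queue instead of the root. The inner loop also trusts FRAG_CB(skb)->next_frag on every node, so each skb put into the tree, including one inserted as a single fragment, must have gone through ip4_frag_init_run() first; that requirement deserves a line in the comment above the prototype.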
--
1.8.3.1
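
The run bookkeeping described in the commit message, modelled in user space as an added example (not code from the patch or the kernel). struct frag, struct queue, queue_fragment() and the tree_inserts counter are hypothetical stand-ins for sk_buff, inet_frag_queue and the rb-tree; overlap handling is not modelled.

```c
#include <stdio.h>

/* Simplified stand-ins for sk_buff / inet_frag_queue (assumptions). */
struct frag {
	int offset, len;
	struct frag *next_frag;   /* NULL at the tail of a run */
	int frag_run_len;         /* meaningful on the head of a run */
};

struct queue {
	struct frag *fragments_tail;
	struct frag *last_run_head;
	int tree_inserts;         /* counts would-be rb-tree insertions */
};

enum placement { NEW_TAIL_RUN, APPENDED_TO_RUN, SINGLE_BEFORE_TAIL };

static enum placement queue_fragment(struct queue *q, struct frag *f)
{
	f->next_frag = NULL;
	f->frag_run_len = f->len;
	if (q->fragments_tail) {
		int tail_end = q->fragments_tail->offset + q->fragments_tail->len;
		if (f->offset == tail_end) {      /* in order: no tree insert */
			q->last_run_head->frag_run_len += f->len;
			q->fragments_tail->next_frag = f;
			q->fragments_tail = f;
			return APPENDED_TO_RUN;
		}
		if (f->offset < tail_end) {       /* before the tail: own node */
			q->tree_inserts++;
			return SINGLE_BEFORE_TAIL;
		}
	}
	q->tree_inserts++;                        /* first fragment, or a gap */
	q->fragments_tail = q->last_run_head = f;
	return NEW_TAIL_RUN;
}

int main(void)
{
	/* Constructed arrival order: three in order, a gap, then the gap filler. */
	struct frag f[] = { {0, 8}, {8, 8}, {16, 8}, {32, 8}, {24, 8} };
	struct queue q = { 0 };
	for (size_t i = 0; i < sizeof(f) / sizeof(f[0]); i++)
		printf("offset %2d -> placement %d\n", f[i].offset, queue_fragment(&q, &f[i]));
	printf("tree inserts: %d\n", q.tree_inserts);
	return 0;
}
```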
Thread overview: 18+ messages
2019-01-23 2:19 [PATCH stable 4.4 00/11] fix FragmentSmack in stable branch (CVE-2018-5391) Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 01/11] net: speed up skb_rbtree_purge() Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 02/11] ip: discard IPv4 datagrams with overlapping segments Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 03/11] net: modify skb_rbtree_purge to return the truesize of all purged skbs Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 04/11] inet: frags: get rif of inet_frag_evicting() Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 05/11] ip: use rb trees for IP frag queue Mao Wenan
2019-01-24 17:58 ` Greg KH
2019-01-25 1:50 ` maowenan
2019-01-25 7:07 ` Greg KH
2019-01-25 8:12 ` maowenan
2019-01-23 2:19 ` [PATCH stable 4.4 06/11] ipv6: defrag: drop non-last frags smaller than min mtu Mao Wenan
2019-01-24 18:31 ` Greg KH
2019-01-25 2:24 ` maowenan
2019-01-23 2:19 ` Mao Wenan [this message]
2019-01-23 2:19 ` [PATCH stable 4.4 08/11] ip: process in-order fragments efficiently Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 09/11] net: ipv4: do not handle duplicate fragments as overlapping Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 10/11] ip: frags: fix crash in ip_do_fragment() Mao Wenan
2019-01-23 2:19 ` [PATCH stable 4.4 11/11] ipv4: frags: precedence bug in ip_expire() Mao Wenan