Skip to main content

Browse the archive

Revision 57d0c018b46ef5293da715af12c8adc32aa99847 authored by Vijay Pandurangan on 18 December 2015, 19:34:59 UTC, committed by Greg Kroah-Hartman on 31 January 2016, 19:23:35 UTC 
veth: don’t modify ip_summed; doing so treats packets with bad checksums as good.
 
[ Upstream commit ce8c839b74e3017996fad4e1b7ba2e2625ede82f ]

Packets that arrive from real hardware devices have ip_summed ==
CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
current version of veth will replace CHECKSUM_NONE with
CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
a veth device to be delivered to the application. This caused applications
at Twitter to receive corrupt data when network hardware was corrupting
packets.

We believe this was added as an optimization to skip computing and
verifying checksums for communication between containers. However, locally
generated packets have ip_summed == CHECKSUM_PARTIAL, so the code as
written does nothing for them. As far as we can tell, after removing this
code, these packets are transmitted from one stack to another unmodified
(tcpdump shows invalid checksums on both sides, as expected), and they are
delivered correctly to applications. We didn’t test every possible network
configuration, but we tried a few common ones such as bridging containers,
using NAT between the host and a container, and routing from hardware
devices to containers. We have effectively deployed this in production at
Twitter (by disabling RX checksum offloading on veth devices).

This code dates back to the first version of the driver, commit
<e314dbdc1c0dc6a548ecf> ("[NET]: Virtual ethernet device driver"), so I
suspect this bug occurred mostly because the driver API has evolved
significantly since then. Commit <0b7967503dc97864f283a> ("net/veth: Fix
packet checksumming") (in December 2010) fixed this for packets that get
created locally and sent to hardware devices, by not changing
CHECKSUM_PARTIAL. However, the same issue still occurs for packets coming
in from hardware devices.

Co-authored-by: Evan Jones <ej@evanjones.ca>
Signed-off-by: Evan Jones <ej@evanjones.ca>
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Cc: Phil Sutter <phil@nwl.cc>
Cc: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Vijay Pandurangan <vijayp@vijayp.ca>
Acked-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 3fabd53
History
File Mode Size
basic
coccinelle
dtc
gdb
genksyms
kconfig
ksymoops
mod
package
rt-tester
selinux
tracing
.gitignore -rw-r--r-- 116 bytes
Kbuild.include -rw-r--r-- 10.8 KB
Lindent -rwxr-xr-x 460 bytes
Makefile -rw-r--r-- 1.4 KB
Makefile.asm-generic -rw-r--r-- 683 bytes
Makefile.build -rw-r--r-- 13.4 KB
Makefile.clean -rw-r--r-- 2.8 KB
Makefile.dtbinst -rw-r--r-- 1.4 KB
Makefile.extrawarn -rw-r--r-- 2.4 KB
Makefile.fwinst -rw-r--r-- 2.0 KB
Makefile.headersinst -rw-r--r-- 4.7 KB
Makefile.help -rw-r--r-- 68 bytes
Makefile.host -rw-r--r-- 4.5 KB
Makefile.kasan -rw-r--r-- 887 bytes
Makefile.lib -rw-r--r-- 14.0 KB
Makefile.modbuiltin -rw-r--r-- 1.8 KB
Makefile.modinst -rw-r--r-- 1.2 KB
Makefile.modpost -rw-r--r-- 5.2 KB
Makefile.modsign -rw-r--r-- 1005 bytes
analyze_suspend.py -rwxr-xr-x 117.6 KB
asn1_compiler.c -rw-r--r-- 34.0 KB
bloat-o-meter -rwxr-xr-x 1.9 KB
bootgraph.pl -rwxr-xr-x 6.3 KB
check_extable.sh -rwxr-xr-x 4.9 KB
checkincludes.pl -rwxr-xr-x 1.8 KB
checkkconfigsymbols.py -rwxr-xr-x 9.3 KB
checkpatch.pl -rwxr-xr-x 159.7 KB
checkstack.pl -rwxr-xr-x 5.4 KB
checksyscalls.sh -rwxr-xr-x 5.6 KB
checkversion.pl -rwxr-xr-x 1.9 KB
cleanfile -rwxr-xr-x 3.4 KB
cleanpatch -rwxr-xr-x 5.0 KB
coccicheck -rwxr-xr-x 4.6 KB
config -rwxr-xr-x 4.5 KB
conmakehash.c -rw-r--r-- 6.0 KB
decode_stacktrace.sh -rwxr-xr-x 3.0 KB
decodecode -rwxr-xr-x 2.1 KB
depmod.sh -rwxr-xr-x 1.7 KB
diffconfig -rwxr-xr-x 3.7 KB
docproc.c -rw-r--r-- 13.8 KB
export_report.pl -rwxr-xr-x 4.5 KB
extract-ikconfig -rwxr-xr-x 1.7 KB
extract-vmlinux -rwxr-xr-x 1.6 KB
gcc-goto.sh -rwxr-xr-x 495 bytes
gcc-ld -rwxr-xr-x 676 bytes
gcc-version.sh -rwxr-xr-x 822 bytes
gcc-x86_32-has-stack-protector.sh -rwxr-xr-x 184 bytes
gcc-x86_64-has-stack-protector.sh -rwxr-xr-x 200 bytes
gen_initramfs_list.sh -rwxr-xr-x 7.9 KB
get_maintainer.pl -rwxr-xr-x 57.3 KB
gfp-translate -rwxr-xr-x 1.7 KB
headerdep.pl -rwxr-xr-x 3.5 KB
headers.sh -rwxr-xr-x 477 bytes
headers_check.pl -rwxr-xr-x 3.6 KB
headers_install.sh -rwxr-xr-x 1.3 KB
kallsyms.c -rw-r--r-- 16.7 KB
kernel-doc -rwxr-xr-x 72.1 KB
ld-version.sh -rwxr-xr-x 205 bytes
link-vmlinux.sh -rwxr-xr-x 5.7 KB
makelst -rwxr-xr-x 773 bytes
markup_oops.pl -rwxr-xr-x 8.1 KB
mkcompile_h -rwxr-xr-x 2.5 KB
mkmakefile -rwxr-xr-x 1.2 KB
mksysmap -rwxr-xr-x 1.3 KB
mkuboot.sh -rwxr-xr-x 379 bytes
mkversion -rw-r--r-- 74 bytes
module-common.lds -rw-r--r-- 833 bytes
namespace.pl -rwxr-xr-x 13.0 KB
objdiff -rwxr-xr-x 2.7 KB
patch-kernel -rwxr-xr-x 9.9 KB
pnmtologo.c -rw-r--r-- 11.9 KB
profile2linkerlist.pl -rwxr-xr-x 375 bytes
recordmcount.c -rw-r--r-- 12.4 KB
recordmcount.h -rw-r--r-- 16.4 KB
recordmcount.pl -rwxr-xr-x 17.8 KB
setlocalversion -rwxr-xr-x 3.9 KB
show_delta -rwxr-xr-x 3.0 KB
sign-file -rwxr-xr-x 12.2 KB
sortextable.c -rw-r--r-- 7.6 KB
sortextable.h -rw-r--r-- 5.5 KB
spelling.txt -rw-r--r-- 20.8 KB
tags.sh -rwxr-xr-x 10.2 KB
unifdef.c -rw-r--r-- 34.8 KB
ver_linux -rwxr-xr-x 3.1 KB
xen-hypercalls.sh -rw-r--r-- 351 bytes
xz_wrap.sh -rwxr-xr-x 562 bytes
back to top