On Wed, 25 Sep 2024 10:11:24 +0200
Laurent Vivier <lvivier(a)redhat.com> wrote:

...
  The offset allows any headers are that are not part
 of the data to checksum to be skipped.
 
 Signed-off-by: Laurent Vivier <lvivier(a)redhat.com>
 ---
 
 Notes:
     v2:
       - check iov_skip_bytes() return value
 
  checksum.c | 16 ++++++++++++++--
  checksum.h |  3 ++-
  2 files changed, 16 insertions(+), 3 deletions(-)
 
 diff --git a/checksum.c b/checksum.c
 index 006614fcbb28..68ffaddb5bb0 100644
 --- a/checksum.c
 +++ b/checksum.c
 @@ -59,6 +59,7 @@
  #include "util.h"
  #include "ip.h"
  #include "checksum.h"
 +#include "iov.h"
  
  /* Checksums are optional for UDP over IPv4, so we usually just set
   * them to 0.  Change this to 1 to calculate real UDP over IPv4
 @@ -498,15 +499,26 @@ uint16_t csum(const void *buf, size_t len, uint32_t init)
   * @iov		Pointer to the array of IO vectors
   * @n		Length of the array
   * @init	Initial 32-bit checksum, 0 for no pre-computed checksum
 + * @offset:	Offset of the data to checksum within the full data length 
Nit, which I can fix up on merge: @init and @offset are swapped here.

...
    *
   * Return: 16-bit folded, complemented checksum
   */
  /* cppcheck-suppress unusedFunction */
 -uint16_t csum_iov(const struct iovec *iov, size_t n, uint32_t init)
 +uint16_t csum_iov(const struct iovec *iov, size_t n, size_t offset,
 +		  uint32_t init)
  {
  	unsigned int i;
 +	size_t first;
  
 -	for (i = 0; i < n; i++)
 +	i = iov_skip_bytes(iov, n, offset, &first);
 +	if (i >= n)
 +		return (uint16_t)~csum_fold(init);
 +
 +	init = csum_unfolded((char *)iov[i].iov_base + first,
 +			     iov[i].iov_len, init);
 +	i++;
 +
 +	for (; i < n; i++)
  		init = csum_unfolded(iov[i].iov_base, iov[i].iov_len, init); 
I wonder if this could become:

	for (i = iov_skip_bytes(iov, n, offset, &start); i < n; i++) {
		init = csum_unfolded((char *)iov[i].iov_base + start,
			 	     iov[i].iov_len, init);
		start = 0;
	}

	return (uint16_t)~csum_fold(init);

...but I haven't tested it and didn't really think it through. I'm fine
with the original version too.

-- 
Stefano

On Wed, Sep 25, 2024 at 07:39:19PM +0200, Stefano Brivio wrote:
...
  On Wed, 25 Sep 2024 10:11:25 +0200
 Laurent Vivier <lvivier(a)redhat.com> wrote:
 
  TCP header and payload are supposed to be in the
same buffer,
 and tcp_update_check_tcp4()/tcp_update_check_tcp6() compute
 the checksum from the base address of the header using the
 length of the IP payload.
 
 In the future (for vhost-user) we need to dispatch the TCP header and
 the TCP payload through several buffers. To be able to manage that, we
 provide an iovec array that points to the data of the TCP frame.
 We provide also an offset to be able to provide an array that contains
 the TCP frame embedded in an lower level frame, and this offset points
 to the TCP header inside the iovec array.
 
 Signed-off-by: Laurent Vivier <lvivier(a)redhat.com>
 ---
 
 Notes:
     v2:
       - s/payload_offset/l4offset/
       - check memory address of the checksum (alignment, iovec boundaries)
 
  checksum.c |   1 -
  tcp.c      | 116 ++++++++++++++++++++++++++++++++++++++++-------------
  2 files changed, 88 insertions(+), 29 deletions(-)
 
 diff --git a/checksum.c b/checksum.c
 index 68ffaddb5bb0..4854c1937c39 100644
 --- a/checksum.c
 +++ b/checksum.c
 @@ -503,7 +503,6 @@ uint16_t csum(const void *buf, size_t len, uint32_t init)
   *
   * Return: 16-bit folded, complemented checksum
   */
 -/* cppcheck-suppress unusedFunction */
  uint16_t csum_iov(const struct iovec *iov, size_t n, size_t offset,
  		  uint32_t init)
  {
 diff --git a/tcp.c b/tcp.c
 index c9472d905520..f0a6f7a507a7 100644
 --- a/tcp.c
 +++ b/tcp.c
 @@ -755,36 +755,81 @@ static void tcp_sock_set_bufsize(const struct ctx *c, int s)
  }
  
  /**
 - * tcp_update_check_tcp4() - Update TCP checksum from stored one
 - * @iph:	IPv4 header
 - * @bp:		TCP header followed by TCP payload
 - */
 -static void tcp_update_check_tcp4(const struct iphdr *iph,
 -				  struct tcp_payload_t *bp)
 + * tcp_update_check_tcp4() - Calculate TCP checksum for IPv6
 + * @src:	IPv4 source address
 + * @dst:	IPv4 destination address
 + * @iov:	Pointer to the array of IO vectors
 + * @iov_cnt:	Length of the array
 + * @l4offset:	IPv4 payload offset in the iovec array
 + */
 +void tcp_update_check_tcp4(struct in_addr src,
 +			   struct in_addr dst,
 +			   const struct iovec *iov, int iov_cnt,
 +			   size_t l4offset)
  {
 -	uint16_t l4len = ntohs(iph->tot_len) - sizeof(struct iphdr);
 -	struct in_addr saddr = { .s_addr = iph->saddr };
 -	struct in_addr daddr = { .s_addr = iph->daddr };
 -	uint32_t sum = proto_ipv4_header_psum(l4len, IPPROTO_TCP, saddr, daddr);
 +	size_t check_ofs;
 +	__sum16 *check;
 +	int check_idx;
 +	uint32_t sum;
 +
 +	sum = proto_ipv4_header_psum(iov_size(iov, iov_cnt) - l4offset,
 +				     IPPROTO_TCP, src, dst);
 +
 +	check_idx = iov_skip_bytes(iov, iov_cnt,
 +				   l4offset + offsetof(struct tcphdr, check),
 +				   &check_ofs);
 +
 +	if (check_idx >= iov_cnt)
 +		die("TCP4 buffer is too small");
 +	if (check_ofs + sizeof(*check) > iov[check_idx].iov_len)
 +		die("TCP4 checksum field memory is not contiguous"); 
 
 I'm not really fond of those die() calls. First off, they should report
 a couple more details (at least check_idx, iov_cnt).
 
 Second, we could fail gracefully (hence, we should) instead of aborting
 the whole thing: those could be err() calls. 
It's a question of how plausible a graceful recovery is at this point.
If we hit this, the guest has given us buffers that aren't even 2-byte
aligned.  Is it reasonable to keep trying to working with a guest that
does that?

...
  If we fail to calculate checksums, we can leave them
as zero, and the
 receiver will drop those frames anyway, if you don't want to add
 complexity (propagation of return values) for something that should
 never happen. 
I think the checksum is (in the general vhost-user case)
uninitialised, not zero, at this point.  To set it to zero, we'd still
need to get a usable pointer to it.  Not that that really changes what
would happen - 0 has the same chance of being right by accident as an
uninitialised value.

...
  The rest looks good to me, but I didn't go
through David's comments so
 I'll wait for his review before applying. 
-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

On Wed, Sep 25, 2024 at 10:11:25AM +0200, Laurent Vivier wrote:
...
  TCP header and payload are supposed to be in the same
buffer,
 and tcp_update_check_tcp4()/tcp_update_check_tcp6() compute
 the checksum from the base address of the header using the
 length of the IP payload.
 
 In the future (for vhost-user) we need to dispatch the TCP header and
 the TCP payload through several buffers. To be able to manage that, we
 provide an iovec array that points to the data of the TCP frame.
 We provide also an offset to be able to provide an array that contains
 the TCP frame embedded in an lower level frame, and this offset points
 to the TCP header inside the iovec array.
 
 Signed-off-by: Laurent Vivier <lvivier(a)redhat.com>
 ---
 
 Notes:
     v2:
       - s/payload_offset/l4offset/
       - check memory address of the checksum (alignment, iovec boundaries)
 
  checksum.c |   1 -
  tcp.c      | 116 ++++++++++++++++++++++++++++++++++++++++-------------
  2 files changed, 88 insertions(+), 29 deletions(-)
 
 diff --git a/checksum.c b/checksum.c
 index 68ffaddb5bb0..4854c1937c39 100644
 --- a/checksum.c
 +++ b/checksum.c
 @@ -503,7 +503,6 @@ uint16_t csum(const void *buf, size_t len, uint32_t init)
   *
   * Return: 16-bit folded, complemented checksum
   */
 -/* cppcheck-suppress unusedFunction */
  uint16_t csum_iov(const struct iovec *iov, size_t n, size_t offset,
  		  uint32_t init)
  {
 diff --git a/tcp.c b/tcp.c
 index c9472d905520..f0a6f7a507a7 100644
 --- a/tcp.c
 +++ b/tcp.c
 @@ -755,36 +755,81 @@ static void tcp_sock_set_bufsize(const struct ctx *c, int s)
  }
  
  /**
 - * tcp_update_check_tcp4() - Update TCP checksum from stored one
 - * @iph:	IPv4 header
 - * @bp:		TCP header followed by TCP payload
 - */
 -static void tcp_update_check_tcp4(const struct iphdr *iph,
 -				  struct tcp_payload_t *bp)
 + * tcp_update_check_tcp4() - Calculate TCP checksum for IPv6 
Nit: s/IPv6/IPv4/

...
  + * @src:	IPv4 source address
 + * @dst:	IPv4 destination address
 + * @iov:	Pointer to the array of IO vectors
 + * @iov_cnt:	Length of the array
 + * @l4offset:	IPv4 payload offset in the iovec array
 + */
 +void tcp_update_check_tcp4(struct in_addr src,
 +			   struct in_addr dst,
 +			   const struct iovec *iov, int iov_cnt,
 +			   size_t l4offset)
  {
 -	uint16_t l4len = ntohs(iph->tot_len) - sizeof(struct iphdr);
 -	struct in_addr saddr = { .s_addr = iph->saddr };
 -	struct in_addr daddr = { .s_addr = iph->daddr };
 -	uint32_t sum = proto_ipv4_header_psum(l4len, IPPROTO_TCP, saddr, daddr);
 +	size_t check_ofs;
 +	__sum16 *check;
 +	int check_idx;
 +	uint32_t sum;
 +
 +	sum = proto_ipv4_header_psum(iov_size(iov, iov_cnt) - l4offset,
 +				     IPPROTO_TCP, src, dst); 
Previously, we took the size from the IP header, which we'd previously
calculated.  It seems a shame to replace that with a call to
iov_size() which will make another pass through the whole vector.

...
  +
 +	check_idx = iov_skip_bytes(iov, iov_cnt,
 +				   l4offset + offsetof(struct tcphdr, check),
 +				   &check_ofs);
 +
 +	if (check_idx >= iov_cnt)
 +		die("TCP4 buffer is too small");
 +	if (check_ofs + sizeof(*check) > iov[check_idx].iov_len)
 +		die("TCP4 checksum field memory is not contiguous");
 +
 +	check = (__sum16 *)((char *)iov[check_idx].iov_base + check_ofs); 
Strictly speaking, it's UB to even *create* an improperly aligned
pointer, even if you never dereference it.  So the alignment check
should go before casting to (__sum16 *).

...
  -	bp->th.check = 0;
 -	bp->th.check = csum(bp, l4len, sum);
 +	if ((uintptr_t)check & (__alignof__(*check) - 1))
 +		die("TCP4 checksum field is not correctly aligned in memory"); 
I really think it would be worth packaging this logic (skip_bytes +
contiguous check + alignment check + pointer cast) into another helper
(iov_field()?).  I strongly suspect we'll have further use for it down
the line.

...
  +
 +	*check = 0;
 +	*check = csum_iov(iov, iov_cnt, l4offset, sum);
  }
  
  /**
   * tcp_update_check_tcp6() - Calculate TCP checksum for IPv6
 - * @ip6h:	IPv6 header
 - * @bp:		TCP header followed by TCP payload
 - */
 -static void tcp_update_check_tcp6(const struct ipv6hdr *ip6h,
 -				  struct tcp_payload_t *bp)
 + * @src:	IPv6 source address
 + * @dst:	IPv6 destination address
 + * @iov:	Pointer to the array of IO vectors
 + * @iov_cnt:	Length of the array
 + * @l4offset:	IPv6 payload offset in the iovec array
 + */
 +void tcp_update_check_tcp6(const struct in6_addr *src,
 +			   const struct in6_addr *dst,
 +			   const struct iovec *iov, int iov_cnt,
 +			   size_t l4offset) 
Same comments as the IPv4 version here apply here too.

...
   {
 -	uint16_t l4len = ntohs(ip6h->payload_len);
 -	uint32_t sum = proto_ipv6_header_psum(l4len, IPPROTO_TCP,
 -					      &ip6h->saddr, &ip6h->daddr);
 +	size_t check_ofs;
 +	__sum16 *check;
 +	int check_idx;
 +	uint32_t sum;
 +
 +	sum = proto_ipv6_header_psum(iov_size(iov, iov_cnt) - l4offset,
 +				     IPPROTO_TCP, src, dst);
 +
 +	check_idx = iov_skip_bytes(iov, iov_cnt,
 +				   l4offset + offsetof(struct tcphdr, check),
 +				   &check_ofs);
 +
 +	if (check_idx >= iov_cnt)
 +		die("TCP6 buffer is too small"); 
Alternatively, you could check the relevant offset against the total
size, which you've already calculated.  Or indeed, it might make sense
to check the total IOV size against the minimum size for a TCP packet
somewhere earlier in the call graph.  In that case this could become
an ASSERT().

...
  +	if (check_ofs + sizeof(*check) >
iov[check_idx].iov_len)
 +		die("TCP6 checksum field memory is not contiguous");
  
 -	bp->th.check = 0;
 -	bp->th.check = csum(bp, l4len, sum);
 +	check = (__sum16 *)((char *)iov[check_idx].iov_base + check_ofs);
 +
 +	if ((uintptr_t)check & (__alignof__(*check) - 1))
 +		die("TCP6 checksum field is not correctly aligned in memory");
 +
 +	*check = 0;
 +	*check = csum_iov(iov, iov_cnt, l4offset, sum);
  }
  
  /**
 @@ -935,10 +980,18 @@ static size_t tcp_fill_headers4(const struct tcp_tap_conn *conn,
  
  	tcp_fill_header(&bp->th, conn, seq);
  
 -	if (no_tcp_csum)
 +	if (no_tcp_csum) {
  		bp->th.check = 0;
 -	else
 -		tcp_update_check_tcp4(iph, bp);
 +	} else {
 +		const struct iovec iov = {
 +			.iov_base = bp,
 +			.iov_len = ntohs(iph->tot_len) - sizeof(struct iphdr),
 +		};
 +		struct in_addr saddr = { .s_addr = iph->saddr };
 +		struct in_addr daddr = { .s_addr = iph->daddr };
 +
 +		tcp_update_check_tcp4(saddr, daddr, &iov, 1, 0);
 +	}
  
  	tap_hdr_update(taph, l3len + sizeof(struct ethhdr));
  
 @@ -980,10 +1033,17 @@ static size_t tcp_fill_headers6(const struct tcp_tap_conn *conn,
  
  	tcp_fill_header(&bp->th, conn, seq);
  
 -	if (no_tcp_csum)
 +	if (no_tcp_csum) {
  		bp->th.check = 0;
 -	else
 -		tcp_update_check_tcp6(ip6h, bp);
 +	} else {
 +		const struct iovec iov = {
 +			.iov_base = bp,
 +			.iov_len = ntohs(ip6h->payload_len)
 +		};
 +
 +		tcp_update_check_tcp6(&ip6h->saddr, &ip6h->daddr,
 +				      &iov, 1, 0);
 +	}
  
  	tap_hdr_update(taph, l4len + sizeof(*ip6h) + sizeof(struct ethhdr));
   
-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson

On Fri, Sep 27, 2024 at 03:49:50PM +0200, Laurent Vivier wrote:
...
  On 26/09/2024 03:45, David Gibson wrote:
  On Wed, Sep 25, 2024 at 10:11:25AM +0200, Laurent
Vivier wrote:
  TCP header and payload are supposed to be in the
same buffer,
 and tcp_update_check_tcp4()/tcp_update_check_tcp6() compute
 the checksum from the base address of the header using the
 length of the IP payload.
 
 In the future (for vhost-user) we need to dispatch the TCP header and
 the TCP payload through several buffers. To be able to manage that, we
 provide an iovec array that points to the data of the TCP frame.
 We provide also an offset to be able to provide an array that contains
 the TCP frame embedded in an lower level frame, and this offset points
 to the TCP header inside the iovec array.
 
 Signed-off-by: Laurent Vivier <lvivier(a)redhat.com>
 ---
 
 Notes:
      v2:
        - s/payload_offset/l4offset/
        - check memory address of the checksum (alignment, iovec boundaries)
 
   checksum.c |   1 -
   tcp.c      | 116 ++++++++++++++++++++++++++++++++++++++++-------------
   2 files changed, 88 insertions(+), 29 deletions(-)
 
 diff --git a/checksum.c b/checksum.c
 index 68ffaddb5bb0..4854c1937c39 100644
 --- a/checksum.c
 +++ b/checksum.c
 @@ -503,7 +503,6 @@ uint16_t csum(const void *buf, size_t len, uint32_t init)
    *
    * Return: 16-bit folded, complemented checksum
    */
 -/* cppcheck-suppress unusedFunction */
   uint16_t csum_iov(const struct iovec *iov, size_t n, size_t offset,
   		  uint32_t init)
   {
 diff --git a/tcp.c b/tcp.c
 index c9472d905520..f0a6f7a507a7 100644
 --- a/tcp.c
 +++ b/tcp.c
 @@ -755,36 +755,81 @@ static void tcp_sock_set_bufsize(const struct ctx *c, int s)
   }
   /**
 - * tcp_update_check_tcp4() - Update TCP checksum from stored one
 - * @iph:	IPv4 header
 - * @bp:		TCP header followed by TCP payload
 - */
 -static void tcp_update_check_tcp4(const struct iphdr *iph,
 -				  struct tcp_payload_t *bp)
 + * tcp_update_check_tcp4() - Calculate TCP checksum for IPv6 
 
 Nit: s/IPv6/IPv4/
 
  + * @src:	IPv4 source address
 + * @dst:	IPv4 destination address
 + * @iov:	Pointer to the array of IO vectors
 + * @iov_cnt:	Length of the array
 + * @l4offset:	IPv4 payload offset in the iovec array
 + */
 +void tcp_update_check_tcp4(struct in_addr src,
 +			   struct in_addr dst,
 +			   const struct iovec *iov, int iov_cnt,
 +			   size_t l4offset)
   {
 -	uint16_t l4len = ntohs(iph->tot_len) - sizeof(struct iphdr);
 -	struct in_addr saddr = { .s_addr = iph->saddr };
 -	struct in_addr daddr = { .s_addr = iph->daddr };
 -	uint32_t sum = proto_ipv4_header_psum(l4len, IPPROTO_TCP, saddr, daddr);
 +	size_t check_ofs;
 +	__sum16 *check;
 +	int check_idx;
 +	uint32_t sum;
 +
 +	sum = proto_ipv4_header_psum(iov_size(iov, iov_cnt) - l4offset,
 +				     IPPROTO_TCP, src, dst); 
 
 Previously, we took the size from the IP header, which we'd previously
 calculated.  It seems a shame to replace that with a call to
 iov_size() which will make another pass through the whole vector.
 
  +
 +	check_idx = iov_skip_bytes(iov, iov_cnt,
 +				   l4offset + offsetof(struct tcphdr, check),
 +				   &check_ofs);
 +
 +	if (check_idx >= iov_cnt)
 +		die("TCP4 buffer is too small");
 +	if (check_ofs + sizeof(*check) > iov[check_idx].iov_len)
 +		die("TCP4 checksum field memory is not contiguous");
 +
 +	check = (__sum16 *)((char *)iov[check_idx].iov_base + check_ofs); 
 
 Strictly speaking, it's UB to even *create* an improperly aligned
 pointer, even if you never dereference it.  So the alignment check
 should go before casting to (__sum16 *).
 
  -	bp->th.check = 0;
 -	bp->th.check = csum(bp, l4len, sum);
 +	if ((uintptr_t)check & (__alignof__(*check) - 1))
 +		die("TCP4 checksum field is not correctly aligned in memory"); 
 
 I really think it would be worth packaging this logic (skip_bytes +
 contiguous check + alignment check + pointer cast) into another helper
 (iov_field()?).  I strongly suspect we'll have further use for it down
 the line.
  
 
 I'm addressing all your other comments but I don't really have the time to
 write a generic and clean function to do that. I prefer to duplicate the
 code for the moment, we will be able to cleanup this in the future. 
Ok, fair enough.  If I get a chance, I might take a crack at writing a
suitable helper.

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson