lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200217150058.5586-1-olteanv@gmail.com>
Date:   Mon, 17 Feb 2020 17:00:58 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     davem@...emloft.net
Cc:     horatiu.vultur@...rochip.com, alexandre.belloni@...tlin.com,
        andrew@...n.ch, f.fainelli@...il.com, vivien.didelot@...il.com,
        joergen.andreasen@...rochip.com, allan.nielsen@...rochip.com,
        claudiu.manoil@....com, netdev@...r.kernel.org,
        UNGLinuxDriver@...rochip.com
Subject: [PATCH net-next] net: mscc: ocelot: Workaround to allow traffic to CPU in standalone mode

From: Vladimir Oltean <vladimir.oltean@....com>

The Ocelot switches have what is, in my opinion, a design flaw: their
DSA header is in front of the Ethernet header, which means that they
subvert the DSA master's RX filter, which for all practical purposes,
either needs to be in promiscuous mode, or the OCELOT_TAG_PREFIX_LONG
needs to be used for extraction, which makes the switch add a fake DMAC
of ff:ff:ff:ff:ff:ff so that the DSA master accepts the frame.

The issue with this design, of course, is that the CPU will be spammed
with frames that it doesn't want to respond to, and there isn't any
hardware offload in place by default to drop them.

What is being done in the VSC7514 Ocelot driver is a process of
selective whitelisting. The "MAC address" of each Ocelot switch net
device, with all VLANs installed on that port, is being added as a FDB
entry towards PGID_CPU.

PGID_CPU is is a multicast set containing only BIT(cpu). I don't know
why it was chosen to be a multicast PGID (59) and not simply the unicast
one of this port, but it doesn't matter. The point is that the the CPU
port is special, and frames are "copied" to the CPU, disregarding the
source masks (third PGID lookup), if BIT(cpu) is found to be set in the
destination masks (first PGID lookup).

Frames that match the FDB will go to PGID_CPU by virtue of the DEST_IDX
from the respective MAC table entry, and frames that don't will go to
PGID_UC or PGID_MC, by virtue of the FLD_UNICAST, FLD_BROADCAST etc
settings for flooding. And that is where the distinction is made:
flooded frames will be subject to the third PGID lookup, while frames
that are whitelisted to the PGID_CPU by the MAC table aren't.

So we can use this mechanism to simulate an RX filter, given that we are
subverting the DSA master's implicit one, as mentioned in the first
paragraph. But this has some limitations:

- In Ocelot each net device has its own MAC address. When simulating
  this with MAC table entries, it will practically result in having N
  MAC addresses for each of the N front-panel ports (because FDB entries
  are not per source port). A bit strange, I think.

- In DSA we don't have the infrastructure in place to support this
  whitelisting mechanism. Calling .port_fdb_add on the CPU port for each
  slave net device dev_addr isn't, in itself, hard. The problem is with
  the VLANs that this port is part of. We would need to keep a duplicate
  list of the VLANs from the bridge, plus the ones added from 8021q, for
  each port. And we would need reference counting on each MAC address,
  such that when a front-panel port changes its MAC address and we need
  to delete the old FDB entry, we don't actually delete it if the other
  front-panel ports are still using it. Not to mention that this FDB
  entry would have to be added on the whole net of upstream DSA switches.

- Cascading a different DSA switch that has tags before the Ethernet
  header would not possibly work if we rely on the whitelisting
  mechanism exclusively.

So... it's complicated. What this patch does is to simply allow frames
to be flooded to the CPU, which is anyway what the Ocelot driver is
doing after removing the bridge from the net devices, see this snippet
from ocelot_bridge_stp_state_set:

    /* Apply FWD mask. The loop is needed to add/remove the current port as
     * a source for the other ports.
     */
    for (p = 0; p < ocelot->num_phys_ports; p++) {
            if (p == ocelot->cpu || (ocelot->bridge_fwd_mask & BIT(p))) {
                    (...)
            } else {
                    /* Only the CPU port, this is compatible with link
                     * aggregation.
                     */
                    ocelot_write_rix(ocelot,
                                     BIT(ocelot->cpu),
                                     ANA_PGID_PGID, PGID_SRC + p);
            }

Otherwise said, the ocelot driver itself is already not self-coherent,
since immediately after probe time, and immediately after removal from a
bridge, it behaves in different ways, although the front panel ports are
standalone in both cases.

While standalone traffic _does_ work for the Felix DSA wrapper after
enslaving and removing the ports from a bridge, this patch makes
standalone traffic work at probe time too, with the caveat that even
irrelevant frames will get processed by software, making it more
susceptible to potential denial of service.

Signed-off-by: Vladimir Oltean <vladimir.oltean@....com>
---
 drivers/net/ethernet/mscc/ocelot.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 86d543ab1ab9..94d39ccea017 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -2297,6 +2297,18 @@ void ocelot_set_cpu_port(struct ocelot *ocelot, int cpu,
 			 enum ocelot_tag_prefix injection,
 			 enum ocelot_tag_prefix extraction)
 {
+	int port;
+
+	for (port = 0; port < ocelot->num_phys_ports; port++) {
+		/* Disable old CPU port and enable new one */
+		ocelot_rmw_rix(ocelot, 0, BIT(ocelot->cpu),
+			       ANA_PGID_PGID, PGID_SRC + port);
+		if (port == cpu)
+			continue;
+		ocelot_rmw_rix(ocelot, BIT(cpu), BIT(cpu),
+			       ANA_PGID_PGID, PGID_SRC + port);
+	}
+
 	/* Configure and enable the CPU port. */
 	ocelot_write_rix(ocelot, 0, ANA_PGID_PGID, cpu);
 	ocelot_write_rix(ocelot, BIT(cpu), ANA_PGID_PGID, PGID_CPU);
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ