lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 30 Apr 2020 20:55:30 +0300
From:   Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To:     Vladimir Oltean <olteanv@...il.com>
Cc:     Andrew Lunn <andrew@...n.ch>,
        Florian Fainelli <f.fainelli@...il.com>,
        Vivien Didelot <vivien.didelot@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jiri Pirko <jiri@...nulli.us>,
        Ido Schimmel <idosch@...sch.org>,
        Jakub Kicinski <kuba@...nel.org>,
        netdev <netdev@...r.kernel.org>, Li Yang <leoyang.li@....com>,
        Roopa Prabhu <roopa@...ulusnetworks.com>
Subject: Re: [PATCH net-next 1/4] bridge: Allow enslaving DSA master network
 devices

On 30/04/2020 20:50, Vladimir Oltean wrote:
> Hi Nikolay, Roopa,
> 
> On Wed, 29 Apr 2020 at 19:33, Nikolay Aleksandrov
> <nikolay@...ulusnetworks.com> wrote:
>>
>> +CC Roopa
>>
>> On 29/04/2020 19:27, Nikolay Aleksandrov wrote:
>>> On 29/04/2020 19:19, Vladimir Oltean wrote:
>>>> From: Florian Fainelli <f.fainelli@...il.com>
>>>>
>>>> Commit 8db0a2ee2c63 ("net: bridge: reject DSA-enabled master netdevices
>>>> as bridge members") added a special check in br_if.c in order to check
>>>> for a DSA master network device with a tagging protocol configured. This
>>>> was done because back then, such devices, once enslaved in a bridge
>>>> would become inoperative and would not pass DSA tagged traffic anymore
>>>> due to br_handle_frame returning RX_HANDLER_CONSUMED.
>>>>
>>>> But right now we have valid use cases which do require bridging of DSA
>>>> masters. One such example is when the DSA master ports are DSA switch
>>>> ports themselves (in a disjoint tree setup). This should be completely
>>>> equivalent, functionally speaking, from having multiple DSA switches
>>>> hanging off of the ports of a switchdev driver. So we should allow the
>>>> enslaving of DSA tagged master network devices.
>>>>
>>>> Make br_handle_frame() return RX_HANDLER_PASS in order to call into the
>>>> DSA specific tagging protocol handlers, and lift the restriction from
>>>> br_add_if.
>>>>
>>>> Signed-off-by: Florian Fainelli <f.fainelli@...il.com>
>>>> Signed-off-by: Vladimir Oltean <vladimir.oltean@....com>
>>>> ---
>>>>  net/bridge/br_if.c    | 4 +---
>>>>  net/bridge/br_input.c | 4 +++-
>>>>  2 files changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
>>>> index ca685c0cdf95..e0fbdb855664 100644
>>>> --- a/net/bridge/br_if.c
>>>> +++ b/net/bridge/br_if.c
>>>> @@ -18,7 +18,6 @@
>>>>  #include <linux/rtnetlink.h>
>>>>  #include <linux/if_ether.h>
>>>>  #include <linux/slab.h>
>>>> -#include <net/dsa.h>
>>>>  #include <net/sock.h>
>>>>  #include <linux/if_vlan.h>
>>>>  #include <net/switchdev.h>
>>>> @@ -571,8 +570,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
>>>>       */
>>>>      if ((dev->flags & IFF_LOOPBACK) ||
>>>>          dev->type != ARPHRD_ETHER || dev->addr_len != ETH_ALEN ||
>>>> -        !is_valid_ether_addr(dev->dev_addr) ||
>>>> -        netdev_uses_dsa(dev))
>>>> +        !is_valid_ether_addr(dev->dev_addr))
>>>>              return -EINVAL;
>>>>
>>>>      /* No bridging of bridges */
>>>> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
>>>> index d5c34f36f0f4..396bc0c18cb5 100644
>>>> --- a/net/bridge/br_input.c
>>>> +++ b/net/bridge/br_input.c
>>>> @@ -17,6 +17,7 @@
>>>>  #endif
>>>>  #include <linux/neighbour.h>
>>>>  #include <net/arp.h>
>>>> +#include <net/dsa.h>
>>>>  #include <linux/export.h>
>>>>  #include <linux/rculist.h>
>>>>  #include "br_private.h"
>>>> @@ -263,7 +264,8 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
>>>>      struct sk_buff *skb = *pskb;
>>>>      const unsigned char *dest = eth_hdr(skb)->h_dest;
>>>>
>>>> -    if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
>>>> +    if (unlikely(skb->pkt_type == PACKET_LOOPBACK) ||
>>>> +        netdev_uses_dsa(skb->dev))
>>>>              return RX_HANDLER_PASS;
>>>>
>>>>      if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
>>>>
>>>
>>> Yet another test in fast-path for all packets.
>>> Since br_handle_frame will not be executed at all for such devices I'd suggest
>>> to look into a scheme that avoid installing rx_handler and thus prevents br_handle_frame
>>> to be called in the frist place. In case that is not possible then we can discuss adding
>>> one more test in fast-path.
>>>
>>> Actually you can just add a dummy rx_handler that simply returns RX_HANDLER_PASS for
>>> these devices and keep rx_handler_data so all br_port_get_* will continue working.
>>>
>>> Thanks,
>>>  Nik
>>>
> 
> Actually both of those are problematic, since br_port_get_check_rcu
> and br_port_get_check_rtnl check for the rx_handler pointer against
> br_handle_frame.

Right, but they can be changed to use a different validation.

> Actually a plain old revert of 8db0a2ee2c63 works just fine for what I
> need it to, not sure if there's any point in making this any more
> complicated than that.
> What do you think?
> 

Sounds much better to me if it works for you.

Thanks!

> Thanks,
> -Vladimir
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ