lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 5 Jul 2022 18:42:53 +0300
From:   Ido Schimmel <idosch@...dia.com>
To:     Vlad Buslov <vladbu@...dia.com>
Cc:     netdev@...r.kernel.org, Maor Dickman <maord@...dia.com>,
        Roopa Prabhu <roopa@...dia.com>, razor@...ckwall.org
Subject: Re: Bridge VLAN memory leak

On Tue, Jul 05, 2022 at 05:46:49PM +0300, Vlad Buslov wrote:
> On Tue 05 Jul 2022 at 16:55, Ido Schimmel <idosch@...dia.com> wrote:
> > On Mon, Jul 04, 2022 at 06:47:29PM +0300, Vlad Buslov wrote:
> >> Hi Ido,
> >> 
> >> While implementing QinQ offload support in mlx5 I encountered a memory
> >> leak[0] in the bridge implementation which seems to be related to the new
> >> BR_VLFLAG_ADDED_BY_SWITCHDEV flag that you have recently added.
> >
> > FTR, added here:
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=279737939a8194f02fa352ab4476a1b241f44ef4
> >
> >> 
> >> To reproduce the issue netdevice must support bridge VLAN offload, so I
> >> can't provide a simple script that uses veth or anything like that.
> >> Instead, I'll describe the issue step-by-step:
> >> 
> >> 1. Create a bridge, add offload-capable netdevs to it and assign some
> >> VLAN to them. __vlan_vid_add() function will set the
> >> BR_VLFLAG_ADDED_BY_SWITCHDEV flag since br_switchdev_port_vlan_add()
> >> should return 0 if dev can offload VLANs and will also skip call to
> >> vlan_vid_add() in such case:
> >> 
> >>         /* Try switchdev op first. In case it is not supported, fallback to
> >>          * 8021q add.
> >>          */
> >>         err = br_switchdev_port_vlan_add(dev, v->vid, flags, false, extack);
> >>         if (err == -EOPNOTSUPP)
> >>                 return vlan_vid_add(dev, br->vlan_proto, v->vid);
> >>         v->priv_flags |= BR_VLFLAG_ADDED_BY_SWITCHDEV;
> >> 
> >> 2. Enable filtering and set VLAN protocol to 802.1ad. That will trigger
> >> the following code in __br_vlan_set_proto() that re-creates existing
> >> VLANs with vlan_vid_add() function call whether they have the
> >> BR_VLFLAG_ADDED_BY_SWITCHDEV flag set or not:
> >> 
> >>          /* Add VLANs for the new proto to the device filter. */
> >>          list_for_each_entry(p, &br->port_list, list) {
> >>                  vg = nbp_vlan_group(p);
> >>                  list_for_each_entry(vlan, &vg->vlan_list, vlist) {
> >>                          err = vlan_vid_add(p->dev, proto, vlan->vid);
> >>                          if (err)
> >>                                  goto err_filt;
> >>                  }
> >>          }
> >> 
> >> 3. Now delete the bridge. That will delete all existing VLANs via
> >> __vlan_vid_del() function, which skips calling vlan_vid_del() (that is
> >> necessary to clean up after vlan_vid_add()) if VLAN has
> >> BR_VLFLAG_ADDED_BY_SWITCHDEV flag set:
> >> 
> >>          /* Try switchdev op first. In case it is not supported, fallback to
> >>           * 8021q del.
> >>           */
> >>          err = br_switchdev_port_vlan_del(dev, v->vid);
> >>          if (!(v->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV))
> >>                  vlan_vid_del(dev, br->vlan_proto, v->vid);
> >
> > Looking at the code before the change, I'm pretty sure you will be able
> > to reproduce the leak prior to above mentioned commit:
> >
> > ```
> > -	err = br_switchdev_port_vlan_del(dev, vid);
> > -	if (err == -EOPNOTSUPP) {
> > -		vlan_vid_del(dev, br->vlan_proto, vid);
> > -		return 0;
> > -	}
> > -	return err;
> > ```
> >
> >> 
> >> 
> >> The issue doesn't reproduce for me anymore if I just clear the
> >> BR_VLFLAG_ADDED_BY_SWITCHDEV flag when re-creating VLANs on step 2.
> >> However, I'm not sure whether it is the right approach in this case.
> >> WDYT?
> >
> > As a switchdev driver you already know about the new VLAN protocol via
> > 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' so do we really need the VLANs
> > to be programmed again? The VLAN protocol is not communicated in
> > 'SWITCHDEV_OBJ_ID_PORT_VLAN' anyway.
> 
> In my WIP implementation of 802.1ad offload I just re-create all
> existing VLANs in hardware with new protocol upon receiving
> SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL notification.

Would it be easier for you if you got the VLAN protocol in
'SWITCHDEV_OBJ_ID_PORT_VLAN' and __br_vlan_set_proto() would invoke
__vlan_vid_add() and __vlan_vid_del() instead of calling the 8021q
driver directly?

> 
> >
> > Can you try the below (compile tested only)?
> 
> With the patch applied memleak no longer reproduces.
> 
> >
> > ```
> > diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
> > index 6e53dc991409..9ffd40b8270c 100644
> > --- a/net/bridge/br_vlan.c
> > +++ b/net/bridge/br_vlan.c
> > @@ -959,6 +959,8 @@ int __br_vlan_set_proto(struct net_bridge *br, __be16 proto,
> >  	list_for_each_entry(p, &br->port_list, list) {
> >  		vg = nbp_vlan_group(p);
> >  		list_for_each_entry(vlan, &vg->vlan_list, vlist) {
> > +			if (vlan->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV)
> > +				continue;
> >  			err = vlan_vid_add(p->dev, proto, vlan->vid);
> >  			if (err)
> >  				goto err_filt;
> > @@ -973,8 +975,11 @@ int __br_vlan_set_proto(struct net_bridge *br, __be16 proto,
> >  	/* Delete VLANs for the old proto from the device filter. */
> >  	list_for_each_entry(p, &br->port_list, list) {
> >  		vg = nbp_vlan_group(p);
> > -		list_for_each_entry(vlan, &vg->vlan_list, vlist)
> > +		list_for_each_entry(vlan, &vg->vlan_list, vlist) {
> > +			if (vlan->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV)
> > +				continue;
> >  			vlan_vid_del(p->dev, oldproto, vlan->vid);
> > +		}
> >  	}
> >  
> >  	return 0;
> > @@ -983,13 +988,19 @@ int __br_vlan_set_proto(struct net_bridge *br, __be16 proto,
> >  	attr.u.vlan_protocol = ntohs(oldproto);
> >  	switchdev_port_attr_set(br->dev, &attr, NULL);
> >  
> > -	list_for_each_entry_continue_reverse(vlan, &vg->vlan_list, vlist)
> > +	list_for_each_entry_continue_reverse(vlan, &vg->vlan_list, vlist) {
> > +		if (vlan->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV)
> > +			continue;
> >  		vlan_vid_del(p->dev, proto, vlan->vid);
> > +	}
> >  
> >  	list_for_each_entry_continue_reverse(p, &br->port_list, list) {
> >  		vg = nbp_vlan_group(p);
> > -		list_for_each_entry(vlan, &vg->vlan_list, vlist)
> > +		list_for_each_entry(vlan, &vg->vlan_list, vlist) {
> > +			if (vlan->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV)
> > +				continue;
> >  			vlan_vid_del(p->dev, proto, vlan->vid);
> > +		}
> >  	}
> >  
> >  	return err;
> > ```
> >
> >> 
> >> [0]:
> >> 
> >> unreferenced object 0xffff8881f6771200 (size 256):
> >>   comm "ip", pid 446855, jiffies 4298238841 (age 55.240s)
> >>   hex dump (first 32 bytes):
> >>     00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00  ................
> >>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >>   backtrace:
> >>     [<00000000012819ac>] vlan_vid_add+0x437/0x750
> >>     [<00000000f2281fad>] __br_vlan_set_proto+0x289/0x920
> >>     [<000000000632b56f>] br_changelink+0x3d6/0x13f0
> >>     [<0000000089d25f04>] __rtnl_newlink+0x8ae/0x14c0
> >>     [<00000000f6276baf>] rtnl_newlink+0x5f/0x90
> >>     [<00000000746dc902>] rtnetlink_rcv_msg+0x336/0xa00
> >>     [<000000001c2241c0>] netlink_rcv_skb+0x11d/0x340
> >>     [<0000000010588814>] netlink_unicast+0x438/0x710
> >>     [<00000000e1a4cd5c>] netlink_sendmsg+0x788/0xc40
> >>     [<00000000e8992d4e>] sock_sendmsg+0xb0/0xe0
> >>     [<00000000621b8f91>] ____sys_sendmsg+0x4ff/0x6d0
> >>     [<000000000ea26996>] ___sys_sendmsg+0x12e/0x1b0
> >>     [<00000000684f7e25>] __sys_sendmsg+0xab/0x130
> >>     [<000000004538b104>] do_syscall_64+0x3d/0x90
> >>     [<0000000091ed9678>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
> >> 
> >> 
> >> Regards,
> >> Vlad
> 

Powered by blists - more mailing lists