lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250320160027.GH889584@horms.kernel.org>
Date: Thu, 20 Mar 2025 16:00:27 +0000
From: Simon Horman <horms@...nel.org>
To: Petr Machata <petrm@...dia.com>
Cc: "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Andrew Lunn <andrew+netdev@...n.ch>, netdev@...r.kernel.org,
	Ido Schimmel <idosch@...dia.com>, Amit Cohen <amcohen@...dia.com>,
	mlxsw@...dia.com, Vladimir Oltean <olteanv@...il.com>,
	Vladyslav Mykhaliuk <vmykhaliuk@...dia.com>
Subject: Re: [PATCH net-next 5/6] mlxsw: Add VXLAN bridge ports to same
 hardware domain as physical bridge ports

On Mon, Mar 17, 2025 at 06:37:30PM +0100, Petr Machata wrote:
> From: Amit Cohen <amcohen@...dia.com>
> 
> When hardware floods packets to bridge ports, but flooding to VXLAN bridge
> port fails during encapsulation to one of the remote VTEPs, the packets are
> trapped to CPU. In such case, the packets are marked with
> skb->offload_fwd_mark, which means that packet was L2-forwarded in
> hardware. Software data path repeats flooding, but packets which are
> marked with skb->offload_fwd_mark will not be flooded by the bridge to
> bridge ports which are in the same hardware domain as the ingress port.
> 
> Currently, mlxsw does not add VXLAN bridge ports to the same hardware
> domain as physical bridge ports despite the fact that the device is able
> to forward packets to and from VXLAN tunnels in hardware. In some scenarios
> (as mentioned above) this can result in remote VTEPs receiving duplicate
> packets. The packets are first flooded by hardware and after an
> encapsulation failure, they are flooded again to all remote VTEPs by
> software.
> 
> Solve this by adding VXLAN bridge ports to the same hardware domain as
> physical bridge ports, so then nbp_switchdev_allowed_egress() will return
> false also for VXLAN, and packets will not be sent twice from VXLAN device.
> 
> switchdev_bridge_port_offload() should get vxlan_dev not as const, so
> some changes are required. Call switchdev API from
> mlxsw_sp_bridge_vxlan_{join,leave}() which handle offload configurations.
> 
> Reported-by: Vladimir Oltean <olteanv@...il.com>
> Closes: https://lore.kernel.org/all/20250210152246.4ajumdchwhvbarik@skbuf/
> Reported-by: Vladyslav Mykhaliuk <vmykhaliuk@...dia.com>
> Signed-off-by: Amit Cohen <amcohen@...dia.com>
> Reviewed-by: Petr Machata <petrm@...dia.com>
> Reviewed-by: Ido Schimmel <idosch@...dia.com>
> Signed-off-by: Petr Machata <petrm@...dia.com>

Reviewed-by: Simon Horman <horms@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ