[patch net] team: loadbalance: push lacpdus to exact delivery

[patch net] team: loadbalance: push lacpdus to exact delivery

[Jiri Pirko]

From: Jiri Pirko <jiri@mellanox.com>

When team is in bridge and LACP is utilized, LACPDU packets are pushed
to userspace using raw socket and there they are processed. However,
since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so
they never reach packet handlers in rx path. Fix this by explicity treat
LACPDUs to be pushed to exact delivery in team rx_handler.

Reported-by: Ido Schimmel <idosch@mellanox.com>
Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 drivers/net/team/team_mode_loadbalance.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
index cdb19b3..e7c8210 100644
--- a/drivers/net/team/team_mode_loadbalance.c
+++ b/drivers/net/team/team_mode_loadbalance.c
@@ -17,6 +17,19 @@
 #include <linux/filter.h>
 #include <linux/if_team.h>
 
+static rx_handler_result_t lb_receive(struct team *team, struct team_port *port,
+				      struct sk_buff *skb)
+{
+	if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
+		/* LACPDU packets should go to exact delivery */
+		const unsigned char *dest = eth_hdr(skb)->h_dest;
+
+		if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
+			return RX_HANDLER_EXACT;
+	}
+	return RX_HANDLER_ANOTHER;
+}
+
 struct lb_priv;
 
 typedef struct team_port *lb_select_tx_port_func_t(struct team *,
@@ -652,6 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
 	.port_enter		= lb_port_enter,
 	.port_leave		= lb_port_leave,
 	.port_disabled		= lb_port_disabled,
+	.receive		= lb_receive,
 	.transmit		= lb_transmit,
 };
 
-- 
2.5.5

Re: [patch net] team: loadbalance: push lacpdus to exact delivery

[Jiri Pirko]

Thu, Aug 25, 2016 at 06:23:34PM CEST, jiri@resnulli.us wrote:
>From: Jiri Pirko <jiri@mellanox.com>
>
>When team is in bridge and LACP is utilized, LACPDU packets are pushed
>to userspace using raw socket and there they are processed. However,
>since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so
>they never reach packet handlers in rx path. Fix this by explicity treat
>LACPDUs to be pushed to exact delivery in team rx_handler.
>
>Reported-by: Ido Schimmel <idosch@mellanox.com>
>Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
>Signed-off-by: Jiri Pirko <jiri@mellanox.com>
>---
> drivers/net/team/team_mode_loadbalance.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
>index cdb19b3..e7c8210 100644
>--- a/drivers/net/team/team_mode_loadbalance.c
>+++ b/drivers/net/team/team_mode_loadbalance.c
>@@ -17,6 +17,19 @@
> #include <linux/filter.h>
> #include <linux/if_team.h>


Forgot an include :( Sent v2.

> 
>+static rx_handler_result_t lb_receive(struct team *team, struct team_port *port,
>+				      struct sk_buff *skb)
>+{
>+	if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
>+		/* LACPDU packets should go to exact delivery */
>+		const unsigned char *dest = eth_hdr(skb)->h_dest;
>+
>+		if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
>+			return RX_HANDLER_EXACT;
>+	}
>+	return RX_HANDLER_ANOTHER;
>+}
>+
> struct lb_priv;
> 
> typedef struct team_port *lb_select_tx_port_func_t(struct team *,
>@@ -652,6 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
> 	.port_enter		= lb_port_enter,
> 	.port_leave		= lb_port_leave,
> 	.port_disabled		= lb_port_disabled,
>+	.receive		= lb_receive,
> 	.transmit		= lb_transmit,
> };
> 
>-- 
>2.5.5
>

Re: [patch net] team: loadbalance: push lacpdus to exact delivery

[Mahesh Bandewar (महेश बंडेवार)]

On Thu, Aug 25, 2016 at 9:23 AM, Jiri Pirko <jiri@resnulli.us> wrote:
> From: Jiri Pirko <jiri@mellanox.com>
>
> When team is in bridge and LACP is utilized, LACPDU packets are pushed
> to userspace using raw socket and there they are processed. However,
> since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so
> they never reach packet handlers in rx path. Fix this by explicity treat
> LACPDUs to be pushed to exact delivery in team rx_handler.
>
> Reported-by: Ido Schimmel <idosch@mellanox.com>
> Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
> ---
>  drivers/net/team/team_mode_loadbalance.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
> index cdb19b3..e7c8210 100644
> --- a/drivers/net/team/team_mode_loadbalance.c
> +++ b/drivers/net/team/team_mode_loadbalance.c
> @@ -17,6 +17,19 @@
>  #include <linux/filter.h>
>  #include <linux/if_team.h>
>
> +static rx_handler_result_t lb_receive(struct team *team, struct team_port *port,
> +                                     struct sk_buff *skb)
> +{
> +       if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
> +               /* LACPDU packets should go to exact delivery */
> +               const unsigned char *dest = eth_hdr(skb)->h_dest;
> +
> +               if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
> +                       return RX_HANDLER_EXACT;
I believe every link-local-frame should get this treatment whether
it's 802.3ad or otherwise (e.g. LLDP etc.), no?
BTW same should be true for bonding too (of course except LACP since
it handles/consumes it!)
> +       }
> +       return RX_HANDLER_ANOTHER;
> +}
> +
>  struct lb_priv;
>
>  typedef struct team_port *lb_select_tx_port_func_t(struct team *,
> @@ -652,6 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
>         .port_enter             = lb_port_enter,
>         .port_leave             = lb_port_leave,
>         .port_disabled          = lb_port_disabled,
> +       .receive                = lb_receive,
>         .transmit               = lb_transmit,
>  };
>
> --
> 2.5.5
>

Re: [patch net] team: loadbalance: push lacpdus to exact delivery

[Jiri Pirko]

Thu, Aug 25, 2016 at 06:37:35PM CEST, maheshb@google.com wrote:
>On Thu, Aug 25, 2016 at 9:23 AM, Jiri Pirko <jiri@resnulli.us> wrote:
>> From: Jiri Pirko <jiri@mellanox.com>
>>
>> When team is in bridge and LACP is utilized, LACPDU packets are pushed
>> to userspace using raw socket and there they are processed. However,
>> since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so
>> they never reach packet handlers in rx path. Fix this by explicity treat
>> LACPDUs to be pushed to exact delivery in team rx_handler.
>>
>> Reported-by: Ido Schimmel <idosch@mellanox.com>
>> Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
>> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
>> ---
>>  drivers/net/team/team_mode_loadbalance.c | 14 ++++++++++++++
>>  1 file changed, 14 insertions(+)
>>
>> diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
>> index cdb19b3..e7c8210 100644
>> --- a/drivers/net/team/team_mode_loadbalance.c
>> +++ b/drivers/net/team/team_mode_loadbalance.c
>> @@ -17,6 +17,19 @@
>>  #include <linux/filter.h>
>>  #include <linux/if_team.h>
>>
>> +static rx_handler_result_t lb_receive(struct team *team, struct team_port *port,
>> +                                     struct sk_buff *skb)
>> +{
>> +       if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
>> +               /* LACPDU packets should go to exact delivery */
>> +               const unsigned char *dest = eth_hdr(skb)->h_dest;
>> +
>> +               if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
>> +                       return RX_HANDLER_EXACT;
>I believe every link-local-frame should get this treatment whether
>it's 802.3ad or otherwise (e.g. LLDP etc.), no?
>BTW same should be true for bonding too (of course except LACP since
>it handles/consumes it!)

I think so as well, but stayed more conservative for this fix. LLDP case
is handled in bridge rx_handler though...


>> +       }
>> +       return RX_HANDLER_ANOTHER;
>> +}
>> +
>>  struct lb_priv;
>>
>>  typedef struct team_port *lb_select_tx_port_func_t(struct team *,
>> @@ -652,6 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
>>         .port_enter             = lb_port_enter,
>>         .port_leave             = lb_port_leave,
>>         .port_disabled          = lb_port_disabled,
>> +       .receive                = lb_receive,
>>         .transmit               = lb_transmit,
>>  };
>>
>> --
>> 2.5.5
>>

Re: [patch net] team: loadbalance: push lacpdus to exact delivery

[Mahesh Bandewar (महेश बंडेवार)]

On Thu, Aug 25, 2016 at 9:46 AM, Jiri Pirko <jiri@resnulli.us> wrote:
> Thu, Aug 25, 2016 at 06:37:35PM CEST, maheshb@google.com wrote:
>>On Thu, Aug 25, 2016 at 9:23 AM, Jiri Pirko <jiri@resnulli.us> wrote:
>>> From: Jiri Pirko <jiri@mellanox.com>
>>>
>>> When team is in bridge and LACP is utilized, LACPDU packets are pushed
>>> to userspace using raw socket and there they are processed. However,
>>> since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so
>>> they never reach packet handlers in rx path. Fix this by explicity treat
>>> LACPDUs to be pushed to exact delivery in team rx_handler.
>>>
>>> Reported-by: Ido Schimmel <idosch@mellanox.com>
>>> Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
>>> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
>>> ---
>>>  drivers/net/team/team_mode_loadbalance.c | 14 ++++++++++++++
>>>  1 file changed, 14 insertions(+)
>>>
>>> diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
>>> index cdb19b3..e7c8210 100644
>>> --- a/drivers/net/team/team_mode_loadbalance.c
>>> +++ b/drivers/net/team/team_mode_loadbalance.c
>>> @@ -17,6 +17,19 @@
>>>  #include <linux/filter.h>
>>>  #include <linux/if_team.h>
>>>
>>> +static rx_handler_result_t lb_receive(struct team *team, struct team_port *port,
>>> +                                     struct sk_buff *skb)
>>> +{
>>> +       if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
>>> +               /* LACPDU packets should go to exact delivery */
>>> +               const unsigned char *dest = eth_hdr(skb)->h_dest;
>>> +
>>> +               if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
>>> +                       return RX_HANDLER_EXACT;
>>I believe every link-local-frame should get this treatment whether
>>it's 802.3ad or otherwise (e.g. LLDP etc.), no?
>>BTW same should be true for bonding too (of course except LACP since
>>it handles/consumes it!)
>
> I think so as well, but stayed more conservative for this fix. LLDP case
> is handled in bridge rx_handler though...
>
bridge rx_handler when team is in bridge, otherwise these link-local
frames will be appear on master. So I guess it's a choice between
being conservative (and fix only LACP case as this fix does) or fix a
generic case.

>
>>> +       }
>>> +       return RX_HANDLER_ANOTHER;
>>> +}
>>> +
>>>  struct lb_priv;
>>>
>>>  typedef struct team_port *lb_select_tx_port_func_t(struct team *,
>>> @@ -652,6 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
>>>         .port_enter             = lb_port_enter,
>>>         .port_leave             = lb_port_leave,
>>>         .port_disabled          = lb_port_disabled,
>>> +       .receive                = lb_receive,
>>>         .transmit               = lb_transmit,
>>>  };
>>>
>>> --
>>> 2.5.5
>>>

Re: [patch net] team: loadbalance: push lacpdus to exact delivery

[Jiri Pirko]

Thu, Aug 25, 2016 at 07:35:27PM CEST, maheshb@google.com wrote:
>On Thu, Aug 25, 2016 at 9:46 AM, Jiri Pirko <jiri@resnulli.us> wrote:
>> Thu, Aug 25, 2016 at 06:37:35PM CEST, maheshb@google.com wrote:
>>>On Thu, Aug 25, 2016 at 9:23 AM, Jiri Pirko <jiri@resnulli.us> wrote:
>>>> From: Jiri Pirko <jiri@mellanox.com>
>>>>
>>>> When team is in bridge and LACP is utilized, LACPDU packets are pushed
>>>> to userspace using raw socket and there they are processed. However,
>>>> since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so
>>>> they never reach packet handlers in rx path. Fix this by explicity treat
>>>> LACPDUs to be pushed to exact delivery in team rx_handler.
>>>>
>>>> Reported-by: Ido Schimmel <idosch@mellanox.com>
>>>> Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
>>>> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
>>>> ---
>>>>  drivers/net/team/team_mode_loadbalance.c | 14 ++++++++++++++
>>>>  1 file changed, 14 insertions(+)
>>>>
>>>> diff --git a/drivers/net/team/team_mode_loadbalance.c b/drivers/net/team/team_mode_loadbalance.c
>>>> index cdb19b3..e7c8210 100644
>>>> --- a/drivers/net/team/team_mode_loadbalance.c
>>>> +++ b/drivers/net/team/team_mode_loadbalance.c
>>>> @@ -17,6 +17,19 @@
>>>>  #include <linux/filter.h>
>>>>  #include <linux/if_team.h>
>>>>
>>>> +static rx_handler_result_t lb_receive(struct team *team, struct team_port *port,
>>>> +                                     struct sk_buff *skb)
>>>> +{
>>>> +       if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
>>>> +               /* LACPDU packets should go to exact delivery */
>>>> +               const unsigned char *dest = eth_hdr(skb)->h_dest;
>>>> +
>>>> +               if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
>>>> +                       return RX_HANDLER_EXACT;
>>>I believe every link-local-frame should get this treatment whether
>>>it's 802.3ad or otherwise (e.g. LLDP etc.), no?
>>>BTW same should be true for bonding too (of course except LACP since
>>>it handles/consumes it!)
>>
>> I think so as well, but stayed more conservative for this fix. LLDP case
>> is handled in bridge rx_handler though...
>>
>bridge rx_handler when team is in bridge, otherwise these link-local
>frames will be appear on master. So I guess it's a choice between
>being conservative (and fix only LACP case as this fix does) or fix a
>generic case.

Let's be conservative in -net and possibly fix change this as a
follow-up in net-next

>
>>
>>>> +       }
>>>> +       return RX_HANDLER_ANOTHER;
>>>> +}
>>>> +
>>>>  struct lb_priv;
>>>>
>>>>  typedef struct team_port *lb_select_tx_port_func_t(struct team *,
>>>> @@ -652,6 +665,7 @@ static const struct team_mode_ops lb_mode_ops = {
>>>>         .port_enter             = lb_port_enter,
>>>>         .port_leave             = lb_port_leave,
>>>>         .port_disabled          = lb_port_disabled,
>>>> +       .receive                = lb_receive,
>>>>         .transmit               = lb_transmit,
>>>>  };
>>>>
>>>> --
>>>> 2.5.5
>>>>

Re: [patch net] team: loadbalance: push lacpdus to exact delivery

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 1649 bytes --]

Hi Jiri,

[auto build test ERROR on net/master]

url:    https://github.com/0day-ci/linux/commits/Jiri-Pirko/team-loadbalance-push-lacpdus-to-exact-delivery/20160826-004635
config: sparc64-allyesconfig (attached as .config)
compiler: sparc64-linux-gnu-gcc (Debian 5.4.0-6) 5.4.0 20160609
reproduce:
        wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=sparc64 

All errors (new ones prefixed by >>):

   drivers/net/team/team_mode_loadbalance.c:27:21: sparse: undefined identifier 'is_link_local_ether_addr'
   drivers/net/team/team_mode_loadbalance.c: In function 'lb_receive':
>> drivers/net/team/team_mode_loadbalance.c:27:7: error: implicit declaration of function 'is_link_local_ether_addr' [-Werror=implicit-function-declaration]
      if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
          ^
   cc1: some warnings being treated as errors

vim +/is_link_local_ether_addr +27 drivers/net/team/team_mode_loadbalance.c

    21					      struct sk_buff *skb)
    22	{
    23		if (unlikely(skb->protocol == htons(ETH_P_SLOW))) {
    24			/* LACPDU packets should go to exact delivery */
    25			const unsigned char *dest = eth_hdr(skb)->h_dest;
    26	
  > 27			if (is_link_local_ether_addr(dest) && dest[5] == 0x02)
    28				return RX_HANDLER_EXACT;
    29		}
    30		return RX_HANDLER_ANOTHER;

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/octet-stream, Size: 47062 bytes --]