From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6E6F8C433EF
	for <netdev@archiver.kernel.org>; Tue,  5 Apr 2022 14:24:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1383921AbiDEOYK (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Tue, 5 Apr 2022 10:24:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41532 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S242697AbiDEN7E (ORCPT
        <rfc822;netdev@vger.kernel.org>); Tue, 5 Apr 2022 09:59:04 -0400
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 816E314FBB5
        for <netdev@vger.kernel.org>; Tue,  5 Apr 2022 05:57:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1649163422;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=MieTPQFs8VOXyiBgZhn9rhV52nQUcA3L833nsfzanM8=;
        b=KEw28suMJ2GfuTfTThG/vrfhgsT0fmEWPDfdZADCl2Mx5puB3+oJpz3CSlYAjdk76MgoQX
        ux60uBPa1DD1U8DAbx6kalPUR6Z6HMJ2kEZnZBOkjUPwkSbFVvXQi3WJSzfpOrjyvtbQTf
        ZDgntC6G0jlJMA695p8o3unMIwK6PPI=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-553-nOsaf9cQOtq3c5ulp4vhag-1; Tue, 05 Apr 2022 08:56:59 -0400
X-MC-Unique: nOsaf9cQOtq3c5ulp4vhag-1
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mimecast-mx02.redhat.com (Postfix) with ESMTPS id BE8FF3C1EA4D;
        Tue,  5 Apr 2022 12:56:58 +0000 (UTC)
Received: from RHTPC1VM0NT (unknown [10.22.17.196])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 6F5DB40CF8E5;
        Tue,  5 Apr 2022 12:56:58 +0000 (UTC)
From:   Aaron Conole <aconole@redhat.com>
To:     Ilya Maximets <i.maximets@ovn.org>
Cc:     netdev@vger.kernel.org, dev@openvswitch.org,
        linux-kernel@vger.kernel.org, Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: Re: [ovs-dev] [PATCH net] net: openvswitch: fix leak of nested actions
References: <20220404154345.2980792-1-i.maximets@ovn.org>
Date:   Tue, 05 Apr 2022 08:56:52 -0400
In-Reply-To: <20220404154345.2980792-1-i.maximets@ovn.org> (Ilya Maximets's
        message of "Mon, 4 Apr 2022 17:43:45 +0200")
Message-ID: <f7t4k371yej.fsf@redhat.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.84 on 10.11.54.1
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Ilya Maximets <i.maximets@ovn.org> writes:

> While parsing user-provided actions, openvswitch module may dynamically
> allocate memory and store pointers in the internal copy of the actions.
> So this memory has to be freed while destroying the actions.
>
> Currently there are only two such actions: ct() and set().  However,
> there are many actions that can hold nested lists of actions and
> ovs_nla_free_flow_actions() just jumps over them leaking the memory.
>
> For example, removal of the flow with the following actions will lead
> to a leak of the memory allocated by nf_ct_tmpl_alloc():
>
>   actions:clone(ct(commit),0)
>
> Non-freed set() action may also leak the 'dst' structure for the
> tunnel info including device references.
>
> Under certain conditions with a high rate of flow rotation that may
> cause significant memory leak problem (2MB per second in reporter's
> case).  The problem is also hard to mitigate, because the user doesn't
> have direct control over the datapath flows generated by OVS.
>
> Fix that by iterating over all the nested actions and freeing
> everything that needs to be freed recursively.
>
> New build time assertion should protect us from this problem if new
> actions will be added in the future.
>
> Unfortunately, openvswitch module doesn't use NLA_F_NESTED, so all
> attributes has to be explicitly checked.  sample() and clone() actions
> are mixing extra attributes into the user-provided action list.  That
> prevents some code generalization too.
>
> Fixes: 34ae932a4036 ("openvswitch: Make tunnel set action attach a metada=
ta dst")
> Link: https://mail.openvswitch.org/pipermail/ovs-dev/2022-March/392922.ht=
ml
> Reported-by: St=C3=A9phane Graber <stgraber@ubuntu.com>
> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> ---

Acked-by: Aaron Conole <aconole@redhat.com>