• Vladimir Oltean's avatar
    net: dsa: sja1105: drop untagged packets on the CPU and DSA ports · b0b8c67e
    Vladimir Oltean authored
    The sja1105 driver is a bit special in its use of VLAN headers as DSA
    tags. This is because in VLAN-aware mode, the VLAN headers use an actual
    TPID of 0x8100, which is understood even by the DSA master as an actual
    VLAN header.
    
    Furthermore, control packets such as PTP and STP are transmitted with no
    VLAN header as a DSA tag, because, depending on switch generation, there
    are ways to steer these control packets towards a precise egress port
    other than VLAN tags. Transmitting control packets as untagged means
    leaving a door open for traffic in general to be transmitted as untagged
    from the DSA master, and for it to traverse the switch and exit a random
    switch port according to the FDB lookup.
    
    This behavior is a bit out of line with other DSA drivers which have
    native support for DSA tagging. There, it is to be expected that the
    switch only accepts DSA-tagged packets on its CPU port, dropping
    everything that does not match this pattern.
    
    We perhaps rely a bit too much on the switches' hardware dropping on the
    CPU port, and place no other restrictions in the kernel data path to
    avoid that. For example, sja1105 is also a bit special in that STP/PTP
    packets are transmitted using "management routes"
    (sja1105_port_deferred_xmit): when sending a link-local packet from the
    CPU, we must first write a SPI message to the switch to tell it to
    expect a packet towards multicast MAC DA 01-80-c2-00-00-0e, and to route
    it towards port 3 when it gets it. This entry expires as soon as it
    matches a packet received by the switch, and it needs to be reinstalled
    for the next packet etc. All in all quite a ghetto mechanism, but it is
    all that the sja1105 switches offer for injecting a control packet.
    The driver takes a mutex for serializing control packets and making the
    pairs of SPI writes of a management route and its associated skb atomic,
    but to be honest, a mutex is only relevant as long as all parties agree
    to take it. With the DSA design, it is possible to open an AF_PACKET
    socket on the DSA master net device, and blast packets towards
    01-80-c2-00-00-0e, and whatever locking the DSA switch driver might use,
    it all goes kaput because management routes installed by the driver will
    match skbs sent by the DSA master, and not skbs generated by the driver
    itself. So they will end up being routed on the wrong port.
    
    So through the lens of that, maybe it would make sense to avoid that
    from happening by doing something in the network stack, like: introduce
    a new bit in struct sk_buff, like xmit_from_dsa. Then, somewhere around
    dev_hard_start_xmit(), introduce the following check:
    
    	if (netdev_uses_dsa(dev) && !skb->xmit_from_dsa)
    		kfree_skb(skb);
    
    Ok, maybe that is a bit drastic, but that would at least prevent a bunch
    of problems. For example, right now, even though the majority of DSA
    switches drop packets without DSA tags sent by the DSA master (and
    therefore the majority of garbage that user space daemons like avahi and
    udhcpcd and friends create), it is still conceivable that an aggressive
    user space program can open an AF_PACKET socket and inject a spoofed DSA
    tag directly on the DSA master. We have no protection against that; the
    packet will be understood by the switch and be routed wherever user
    space says. Furthermore: there are some DSA switches where we even have
    register access over Ethernet, using DSA tags. So even user space
    drivers are possible in this way. This is a huge hole.
    
    However, the biggest thing that bothers me is that udhcpcd attempts to
    ask for an IP address on all interfaces by default, and with sja1105, it
    will attempt to get a valid IP address on both the DSA master as well as
    on sja1105 switch ports themselves. So with IP addresses in the same
    subnet on multiple interfaces, the routing table will be messed up and
    the system will be unusable for traffic until it is configured manually
    to not ask for an IP address on the DSA master itself.
    
    It turns out that it is possible to avoid that in the sja1105 driver, at
    least very superficially, by requesting the switch to drop VLAN-untagged
    packets on the CPU port. With the exception of control packets, all
    traffic originated from tag_sja1105.c is already VLAN-tagged, so only
    STP and PTP packets need to be converted. For that, we need to uphold
    the equivalence between an untagged and a pvid-tagged packet, and to
    remember that the CPU port of sja1105 uses a pvid of 4095.
    
    Now that we drop untagged traffic on the CPU port, non-aggressive user
    space applications like udhcpcd stop bothering us, and sja1105 effectively
    becomes just as vulnerable to the aggressive kind of user space programs
    as other DSA switches are (ok, users can also create 8021q uppers on top
    of the DSA master in the case of sja1105, but in future patches we can
    easily deny that, but it still doesn't change the fact that VLAN-tagged
    packets can still be injected over raw sockets).
    Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    b0b8c67e
sja1105_main.c 95.6 KB