Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp6136565iog;
        Thu, 23 Jun 2022 12:06:43 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1syTE8toOxkcTjMLaqbj8XP0LpYyf+Y3vCjnwMGVpVogx9XFRBKus7w3LyLqAO11ImGq2nJ
X-Received: by 2002:a17:90a:1485:b0:1ec:788e:a053 with SMTP id k5-20020a17090a148500b001ec788ea053mr5501589pja.16.1656011203153;
        Thu, 23 Jun 2022 12:06:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656011203; cv=none;
        d=google.com; s=arc-20160816;
        b=qCx99eqjADn40uwE4ufBs2SA+Yqrhw2lo4tBJ0Wq1mHlvK0wnlw6q2dukC5Z4cRG6A
         Oi/8JaXJqpUjihuq7XDcsuAk+o7GP8ZvJ8gMtNXRKTBwUIXhkeFjO19mH6OFwwfjd4y8
         OtkYBDBzj/N2SHJHGvUv3/wb1tVMrikIBpqfuhOQvXLoaV2xeGBy62qVku7iNNZmEFkM
         cME+nfren/Ma68WD7nEMJVRcvVOj3kYPgiAA7vBkIgsStYCapKoaIpAzk5oh3k3jf+Kn
         qD+bvU3wcKiYaERwRTFNCAjTlF7zLbQekD9Oz+jjGAVnG1pYFOFWH2soKmdpB8H0rYw6
         9b0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=+19dJEQ5d5V5KmmBCr8ptNwbqI05Gk05ziXOjiFYAIg=;
        b=Mt33fIvxvCeGsUJaB3RGemsKgZGvKv0fSGaZsMuDJMzwcOFthtJlHeGLKDt5AWKaTc
         nu/LKh7O24ArVs7Oe7ud6zZc0PV7XA1uygHzJunJiqdB5DVTtqI/dFoKglqrRM6PEGWr
         bJxf+0Z7oRhBIQoMIRsHSMm0O+4q2vOTzJQLN0LIhN26FkZj38cj7+xIf5K4XZe5xCcb
         UtCcWlWHMMrCNjzex2lmuCxMQ7nbXaj1sTCfTFzwdukZ2IeMN49fDK5O6O7yW0wkzyJZ
         N9N7CC700rCigZBG2U+1KYy2TZc1KpS2hDeDstb/ygWDUcTyHL0brhf4TnUuB3yAyaDA
         qwIw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1YraXPoM;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id q16-20020a656250000000b003fe3b8c6ff1si28255080pgv.154.2022.06.23.12.06.30;
        Thu, 23 Jun 2022 12:06:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1YraXPoM;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237036AbiFWSUN (ORCPT <rfc822;aki.vanness@gmail.com>
        + 99 others); Thu, 23 Jun 2022 14:20:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41834 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236878AbiFWSQ5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Jun 2022 14:16:57 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BECE462C08;
        Thu, 23 Jun 2022 10:23:29 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 759BEB824B9;
        Thu, 23 Jun 2022 17:23:28 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C6EA6C3411B;
        Thu, 23 Jun 2022 17:23:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1656005007;
        bh=MI0us4Sq8Vv1X84apacd1lN1GFMH+hp6Cs8UnZiFiUU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=1YraXPoMMrR3ItnDemkdcAlDmrf07cQNEemvuoBJnyTsdML3eQCGGyTnlt7J/RfrI
         UBZ6juHafcJp2x6XlD4yt2MHSsX7b4YJC9G+0C20x6Keg1cKhDy50bzXvaLvzuNLtv
         Offz6xgY9vvJ0wTKrSo8k0x4exnQUBmp0GkATm4k=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@ubuntu.com>,
        Ilya Maximets <i.maximets@ovn.org>,
        Aaron Conole <aconole@redhat.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 222/234] net: openvswitch: fix leak of nested actions
Date:   Thu, 23 Jun 2022 18:44:49 +0200
Message-Id: <20220623164349.332105516@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220623164343.042598055@linuxfoundation.org>
References: <20220623164343.042598055@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ilya Maximets <i.maximets@ovn.org>

commit 1f30fb9166d4f15a1aa19449b9da871fe0ed4796 upstream.

While parsing user-provided actions, openvswitch module may dynamically
allocate memory and store pointers in the internal copy of the actions.
So this memory has to be freed while destroying the actions.

Currently there are only two such actions: ct() and set().  However,
there are many actions that can hold nested lists of actions and
ovs_nla_free_flow_actions() just jumps over them leaking the memory.

For example, removal of the flow with the following actions will lead
to a leak of the memory allocated by nf_ct_tmpl_alloc():

  actions:clone(ct(commit),0)

Non-freed set() action may also leak the 'dst' structure for the
tunnel info including device references.

Under certain conditions with a high rate of flow rotation that may
cause significant memory leak problem (2MB per second in reporter's
case).  The problem is also hard to mitigate, because the user doesn't
have direct control over the datapath flows generated by OVS.

Fix that by iterating over all the nested actions and freeing
everything that needs to be freed recursively.

New build time assertion should protect us from this problem if new
actions will be added in the future.

Unfortunately, openvswitch module doesn't use NLA_F_NESTED, so all
attributes has to be explicitly checked.  sample() and clone() actions
are mixing extra attributes into the user-provided action list.  That
prevents some code generalization too.

Fixes: 34ae932a4036 ("openvswitch: Make tunnel set action attach a metadata dst")
Link: https://mail.openvswitch.org/pipermail/ovs-dev/2022-March/392922.html
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[Backport for 4.19: Removed handling of OVS_ACTION_ATTR_DEC_TTL
 and OVS_ACTION_ATTR_CHECK_PKT_LEN as these actions do not exist
 in this version.  BUILD_BUG_ON condition adjusted accordingly.]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/openvswitch/flow_netlink.c |   61 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 5 deletions(-)

--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2253,6 +2253,36 @@ static struct sw_flow_actions *nla_alloc
 	return sfa;
 }
 
+static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len);
+
+static void ovs_nla_free_clone_action(const struct nlattr *action)
+{
+	const struct nlattr *a = nla_data(action);
+	int rem = nla_len(action);
+
+	switch (nla_type(a)) {
+	case OVS_CLONE_ATTR_EXEC:
+		/* The real list of actions follows this attribute. */
+		a = nla_next(a, &rem);
+		ovs_nla_free_nested_actions(a, rem);
+		break;
+	}
+}
+
+static void ovs_nla_free_sample_action(const struct nlattr *action)
+{
+	const struct nlattr *a = nla_data(action);
+	int rem = nla_len(action);
+
+	switch (nla_type(a)) {
+	case OVS_SAMPLE_ATTR_ARG:
+		/* The real list of actions follows this attribute. */
+		a = nla_next(a, &rem);
+		ovs_nla_free_nested_actions(a, rem);
+		break;
+	}
+}
+
 static void ovs_nla_free_set_action(const struct nlattr *a)
 {
 	const struct nlattr *ovs_key = nla_data(a);
@@ -2266,25 +2296,46 @@ static void ovs_nla_free_set_action(cons
 	}
 }
 
-void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
+static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len)
 {
 	const struct nlattr *a;
 	int rem;
 
-	if (!sf_acts)
+	/* Whenever new actions are added, the need to update this
+	 * function should be considered.
+	 */
+	BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 20);
+
+	if (!actions)
 		return;
 
-	nla_for_each_attr(a, sf_acts->actions, sf_acts->actions_len, rem) {
+	nla_for_each_attr(a, actions, len, rem) {
 		switch (nla_type(a)) {
-		case OVS_ACTION_ATTR_SET:
-			ovs_nla_free_set_action(a);
+		case OVS_ACTION_ATTR_CLONE:
+			ovs_nla_free_clone_action(a);
 			break;
+
 		case OVS_ACTION_ATTR_CT:
 			ovs_ct_free_action(a);
 			break;
+
+		case OVS_ACTION_ATTR_SAMPLE:
+			ovs_nla_free_sample_action(a);
+			break;
+
+		case OVS_ACTION_ATTR_SET:
+			ovs_nla_free_set_action(a);
+			break;
 		}
 	}
+}
+
+void ovs_nla_free_flow_actions(struct sw_flow_actions *sf_acts)
+{
+	if (!sf_acts)
+		return;
 
+	ovs_nla_free_nested_actions(sf_acts->actions, sf_acts->actions_len);
 	kfree(sf_acts);
 }