This bug was fixed in the package linux-bluefield - 5.4.0-1045.50
---------------
linux-bluefield (5.4.0-1045.50) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1045.50 -proposed tracker (LP: #1983921)

  * pwr-mlxbf.c: Improve driver dependencies and fix zero allocating memory size
    (LP: #1980750)
    - SAUCE: pwr-mlxbf.c: Improve driver dependencies
    - SAUCE: pwr-mlxbf.c: Fix zero allocating memory size
    - SAUCE: pwr-mlxbf.c: Update driver version to 1.1

  * store the last executed chain also for clsact egress (LP: #1982980)
    - net/sched: store the last executed chain also for clsact egress

  * i2c-mlxbf.c: support lock mechanism (LP: #1981105)
    - SAUCE: i2c-mlxbf.c: support lock mechanism

  * i2c-mlxbf.c: fix wrong variable name (LP: #1982357)
    - SAUCE: i2c-mlxbf.c: fix wrong variable name

  [ Ubuntu: 5.4.0-125.141 ]

  * focal/linux: 5.4.0-125.141 -proposed tracker (LP: #1983947)

  * nbd: requests can become stuck when disconnecting from server with qemu-nbd
    (LP: #1896350)
    - blk-mq: blk-mq: provide forced completion method
    - blk-mq: move failure injection out of blk_mq_complete_request
    - nbd: don't handle response without a corresponding request message
    - nbd: make sure request completion won't concurrent
    - nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed
    - nbd: fix io hung while disconnecting device

  * CVE-2021-33656
    - vt: drop old FONT ioctls

  * CVE-2021-33061
    - ixgbe: add the ability for the PF to disable VF link state
    - ixgbe: add improvement for MDD response functionality
    - ixgbevf: add disable link state

 -- Zachary Tahenakos <[email protected]>  Thu, 11 Aug 2022 15:11:51 -0400
** Changed in: linux-bluefield (Ubuntu)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33061
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33656
https://bugs.launchpad.net/bugs/1982980
Title:
store the last executed chain also for clsact egress
Status in linux-bluefield package in Ubuntu:
Fix Released
Bug description:
* Explain the bug(s)
Misses on multi chain tc egress rules that are offloaded from ovs datapath rules (ct rules on ovs' internal port devices) will restart from recirc_id(0) again in OvS dp, instead of recirc_id that matches where we left off in tc (ovs recirc_id should be equal tc chain).
* brief explanation of fixes
Set the tc skb extension that stores the last executed tc chain which ovs reads on misses to set the starting recirc_id from.
* How to test
Set up ovs with ovs offload enabled, and add ip to internal port, example with veth device:

    function config_veth() {
        local ns=$1
        local ip=$2
        local peer=${ns}_peer
        local veth=${ns}_veth
        echo "Create namespace $ns, veths: hv $veth <-> ns $peer ($ip)"
        ip netns add $ns
        ip link del $veth &>/dev/null
        ip link add $veth type veth peer name $peer
        ip link set $veth up
        ip link set $peer netns $ns
        ip netns exec $ns ifconfig $peer $ip/24 mtu 1400 up
    }

    IP1="7.7.7.1"
    IP2="7.7.7.2"
    config_veth ns0 $IP1
    # the bridge has to exist before it can be given an address
    ovs-vsctl add-br ovs-br
    ifconfig ovs-br $IP2
    ovs-vsctl add-port ovs-br ns0_veth
    ovs-vsctl add-port ovs-br ns1_veth

Add openflow rules and check if packets arriving to table=0 (default table that corresponds to recirc_id(0)) have ct mark that was only set if a later table was executed. Add an unsupported offload action (in this case group), so we will have miss from offloaded tc rules to ovs dp:

    ovs-ofctl del-flows ovs-br
    ovs-ofctl -O OpenFlow12 add-group ovs-br 'group_id=2,type=select,bucket=ct(commit,zone=1,table=2)'
    ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"
    ovs-ofctl add-flow ovs-br "table=0, ip, +trk, actions=drop" #bad flow
    ovs-ofctl add-flow ovs-br "table=0, ip, -trk, actions=ct(commit,table=1)" #good flow
    ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"
    ovs-ofctl add-flow ovs-br "table=2, ip, actions=normal"

Run udp/tcp traffic from default ns 7.7.7.1 to ns1 7.7.7.2 and check ovs-appctl dpctl/dump-flows. If the bug occurs there should be a drop rule, because we got to recirc_id(0) after missing in tc, and tc already did the -trk ct(commit...) rule, so the packet should be tracked (+trk) when missed to ovs.
* What it could break.
Running the wrong datapath rules in OvS datapath.
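
The dump-flows check from "How to test", as an added example that is not part of the bug report or the kernel patch: a bash filter that flags datapath flows which sit in recirc_id(0), match an already tracked packet (+trk) and drop it. The function names are hypothetical, the sample flows are constructed, and the ct_state(...) text layout of the dump is an assumption.

```bash
#!/usr/bin/env bash
# Usage on a test host: ovs-appctl dpctl/dump-flows | check_flows

# Print every flow that shows the restart-from-recirc_id(0) symptom:
# recirc_id(0) + ct_state containing +trk + a final action of drop.
find_restart_drops() {
    awk '
        /^recirc_id\(0\),/ && /actions:drop *$/ {
            # Isolate the ct_state(...) match and require the +trk bit in it.
            if (match($0, /ct_state\([^)]*\)/) &&
                index(substr($0, RSTART, RLENGTH), "+trk"))
                print
        }'
}

# Constructed sample in the assumed dump-flows layout (not from a real host).
# Line 3 is the symptom: tc already committed the connection, yet the packet
# was looked up again at recirc_id(0) and hit the +trk drop rule.
sample_flows() {
    cat <<'EOF'
recirc_id(0),in_port(2),ct_state(-trk),eth_type(0x0800),ipv4(frag=no), packets:4, bytes:392, used:0.310s, actions:ct(commit),recirc(0x1)
recirc_id(0x1),in_port(2),ct_state(+new+trk),eth_type(0x0800),ipv4(frag=no), packets:4, bytes:392, used:0.310s, actions:ct(commit,zone=1),recirc(0x2)
recirc_id(0),in_port(2),ct_state(+new+trk),eth_type(0x0800),ipv4(frag=no), packets:9, bytes:882, used:0.120s, actions:drop
recirc_id(0),in_port(3),eth_type(0x0806), packets:2, bytes:84, used:1.020s, actions:2
EOF
}

# Return 1 when the symptom is present, so the check can gate a regression run.
check_flows() {
    local hits
    hits=$(find_restart_drops)
    [ -z "$hits" ] && return 0
    printf 'tracked packet dropped at recirc_id(0):\n%s\n' "$hits" >&2
    return 1
}
```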