[Kernel-packages] [Bug 1974096] Re: cls_flower: Fix inability to match GRE/IPIP packets

2022-07-11 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-bluefield - 5.4.0-1040.44

---
linux-bluefield (5.4.0-1040.44) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1040.44 -proposed tracker (LP: #1978639)

  * fix ref leak when switching zones (LP: #1979009)
    - net/sched: act_ct: fix ref leak when switching zones

  * Fix XFRM flags validity check (LP: #1978967)
    - SAUCE: net/xfrm: Fix XFRM flags validity check

  [ Ubuntu: 5.4.0-121.137 ]

  * focal/linux: 5.4.0-121.137 -proposed tracker (LP: #1978666)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2022.05.30)
  * CVE-2022-28388
    - can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error
      path
  * test_vxlan_under_vrf.sh in net from ubuntu_kernel_selftests failed (Check VM
    connectivity through VXLAN (underlay in the default VRF) [FAIL])
    (LP: #1871015)
    - selftests: net: test_vxlan_under_vrf: fix HV connectivity test
  * [UBUNTU 20.04] CPU-MF: add extended counter set definitions for new IBM z16
    (LP: #1974433)
    - s390/cpumf: add new extended counter set for IBM z16
  * [UBUNTU 20.04] KVM nesting support leaks too much memory, might result in
    stalls during cleanup (LP: #1974017)
    - KVM: s390: vsie/gmap: reduce gmap_rmap overhead
  * [UBUNTU 20.04] Null Pointer issue in nfs code running Ubuntu on IBM Z
    (LP: #1968096)
    - NFS: Fix up nfs_ctx_key_to_expire()

  [ Ubuntu: 5.4.0-120.136 ]

  * CVE-2022-21123 // CVE-2022-21125 // CVE-2022-21166
    - cpu/speculation: Add prototype for cpu_show_srbds()
    - x86/cpu: Add Jasper Lake to Intel family
    - x86/cpu: Add Lakefield, Alder Lake and Rocket Lake models to the to Intel
      CPU family
    - x86/cpu: Add another Alder Lake CPU to the Intel family
    - Documentation: Add documentation for Processor MMIO Stale Data
    - x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug
    - x86/speculation: Add a common function for MD_CLEAR mitigation update
    - x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data
    - x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations
    - x86/speculation/mmio: Enable CPU Fill buffer clearing on idle
    - x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data
    - x86/speculation/srbds: Update SRBDS mitigation selection
    - x86/speculation/mmio: Reuse SRBDS mitigation for SBDS
    - KVM: x86/speculation: Disable Fill buffer clear within guests
    - x86/speculation/mmio: Print SMT warning

 -- Zachary Tahenakos  Tue, 21 Jun 2022 13:59:23 -0400

** Changed in: linux-bluefield (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21123

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21125

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-21166

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28388

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1974096

Title:
  cls_flower: Fix inability to match GRE/IPIP packets

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  Fix Released

Bug description:
  * Explain the bug
  When a packet of a new flow arrives in openvswitch kernel module, it dissects
  the packet and passes the extracted flow key to ovs-vswitchd daemon. If
  hw-offload configuration is enabled, the daemon creates a new TC flower entry
  to bypass openvswitch kernel module for the flow (TC flower can also offload
  flows to NICs but this time that does not matter).

  In this processing flow, I found the following issue in cases of GRE/IPIP
  packets.

  When ovs_flow_key_extract() in openvswitch module parses a packet of a new
  GRE (or IPIP) flow received on non-tunneling vports, it extracts information
  of the outer IP header for ip_proto/src_ip/dst_ip match keys.

  This means ovs-vswitchd creates a TC flower entry with IP protocol/addresses
  match keys whose values are those of the outer IP header. OTOH, TC flower,
  which uses flow_dissector (different parser from openvswitch module), extracts
  information of the inner IP header.

  * How to test
  The following flow is an example to describe the issue in more detail.

     <--------------- Outer IP ---------------> <----------- Inner IP ----------->
    +----------+--------------+--------------+----------+----------+----------+
    | ip_proto | src_ip       | dst_ip       | ip_proto | src_ip   | dst_ip   |
    | 47 (GRE) | 192.168.10.1 | 192.168.10.2 | 6 (TCP)  | 10.0.0.1 | 10.0.0.2 |
    +----------+--------------+--------------+----------+----------+----------+

  In this case, TC flower entry and extracted information are shown
  as below:


[Kernel-packages] [Bug 1974096] Re: cls_flower: Fix inability to match GRE/IPIP packets

2022-06-03 Thread Bodong Wang
Need to revert this patch as it introduces a new issue for IPSec.


Title:
  cls_flower: Fix inability to match GRE/IPIP packets

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  Fix Committed

Bug description:
  * Explain the bug
  When a packet of a new flow arrives in openvswitch kernel module, it dissects
  the packet and passes the extracted flow key to ovs-vswitchd daemon. If
  hw-offload configuration is enabled, the daemon creates a new TC flower entry
  to bypass openvswitch kernel module for the flow (TC flower can also offload
  flows to NICs but this time that does not matter).

  In this processing flow, I found the following issue in cases of GRE/IPIP
  packets.

  When ovs_flow_key_extract() in openvswitch module parses a packet of a new
  GRE (or IPIP) flow received on non-tunneling vports, it extracts information
  of the outer IP header for ip_proto/src_ip/dst_ip match keys.

  This means ovs-vswitchd creates a TC flower entry with IP protocol/addresses
  match keys whose values are those of the outer IP header. OTOH, TC flower,
  which uses flow_dissector (different parser from openvswitch module), extracts
  information of the inner IP header.

  * How to test
  The following flow is an example to describe the issue in more detail.

     <--------------- Outer IP ---------------> <----------- Inner IP ----------->
    +----------+--------------+--------------+----------+----------+----------+
    | ip_proto | src_ip       | dst_ip       | ip_proto | src_ip   | dst_ip   |
    | 47 (GRE) | 192.168.10.1 | 192.168.10.2 | 6 (TCP)  | 10.0.0.1 | 10.0.0.2 |
    +----------+--------------+--------------+----------+----------+----------+

  In this case, TC flower entry and extracted information are shown
  as below:

    - ovs-vswitchd creates TC flower entry with:
      - ip_proto: 47
      - src_ip: 192.168.10.1
      - dst_ip: 192.168.10.2

    - TC flower extracts below for IP header matches:
      - ip_proto: 6
      - src_ip: 10.0.0.1
      - dst_ip: 10.0.0.2

  Thus, GRE or IPIP packets never match the TC flower entry, as each
  dissector behaves differently.

  IMHO, the behavior of TC flower (flow dissector) does not look correct,
  as ip_proto/src_ip/dst_ip in TC flower match means the outermost IP
  header information except for GRE/IPIP cases. This patch adds a new
  flow_dissector flag FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP which skips
  dissection of the encapsulated inner GRE/IPIP header in TC flower
  classifier.

  * What it could break.
  N/A

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1974096/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
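
The dissector mismatch in the bug description above, as an added userspace model that is not part of the original thread and is not the kernel patch. The packet bytes are constructed from the example table; `dissect`, `sample_matches`, `rule` and the local `STOP_BEFORE_ENCAP` bit (a stand-in for `FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP`) are hypothetical names, and only IPv4 with plain GRE or IPIP is handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STOP_BEFORE_ENCAP 0x1u  /* hypothetical stand-in for the kernel flag */

struct flow_keys { uint8_t ip_proto; uint8_t src[4]; uint8_t dst[4]; };

/* Constructed sample: outer IPv4 (GRE), 4-byte GRE header, inner IPv4 (TCP).
 * Checksums are zero; this model does not validate them. */
static const uint8_t sample_pkt[] = {
    0x45,0,0,44, 0,0,0,0, 64,47,0,0, 192,168,10,1, 192,168,10,2,
    0x00,0x00,0x08,0x00,              /* GRE v0, no options, payload = IPv4 */
    0x45,0,0,20, 0,0,0,0, 64,6,0,0,  10,0,0,1,     10,0,0,2,
};

/* Rule built from the outer-header key, as ovs-vswitchd installs it. */
static const struct flow_keys rule = { 47, {192,168,10,1}, {192,168,10,2} };

/* Fills k with IP match keys. Returns 0 on success, -1 on truncated/bad input. */
static int dissect(const uint8_t *p, size_t len, unsigned flags, struct flow_keys *k)
{
    for (int depth = 0; depth < 4; depth++) {        /* bound tunnel nesting */
        if (len < 20 || (p[0] >> 4) != 4) return -1;
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;
        if (ihl < 20 || len < ihl) return -1;
        k->ip_proto = p[9];
        memcpy(k->src, p + 12, 4);
        memcpy(k->dst, p + 16, 4);
        int encap = (k->ip_proto == 4 || k->ip_proto == 47);  /* IPIP or GRE */
        if (!encap || (flags & STOP_BEFORE_ENCAP)) return 0;  /* keep these keys */
        p += ihl; len -= ihl;
        if (k->ip_proto == 47) {
            if (len < 4) return -1;
            /* follow only plain GRE carrying IPv4; otherwise keep outer keys */
            if (p[0] != 0 || p[1] != 0 || p[2] != 0x08 || p[3] != 0x00) return 0;
            p += 4; len -= 4;
        }
    }
    return -1;                                       /* nested too deeply */
}

/* 1 if the sample packet hits the outer-key rule under the given flags. */
static int sample_matches(unsigned flags)
{
    struct flow_keys k;
    if (dissect(sample_pkt, sizeof(sample_pkt), flags, &k) != 0) return 0;
    return k.ip_proto == rule.ip_proto && !memcmp(k.src, rule.src, 4) &&
           !memcmp(k.dst, rule.dst, 4);
}

int main(void)
{
    printf("default: %d, stop-before-encap: %d\n",
           sample_matches(0), sample_matches(STOP_BEFORE_ENCAP));
    return 0;
}
```
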


[Kernel-packages] [Bug 1974096] Re: cls_flower: Fix inability to match GRE/IPIP packets

2022-06-01 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the linux-bluefield/5.4.0-1037.40
kernel in -proposed solves the problem. Please test the kernel and
update this bug with the results. If the problem is solved, change the
tag 'verification-needed-focal' to 'verification-done-focal'. If the
problem still exists, change the tag 'verification-needed-focal' to
'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-focal


Title:
  cls_flower: Fix inability to match GRE/IPIP packets

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  Fix Committed



[Kernel-packages] [Bug 1974096] Re: cls_flower: Fix inability to match GRE/IPIP packets

2022-05-25 Thread Zachary Tahenakos
** Changed in: linux-bluefield (Ubuntu Focal)
   Status: In Progress => Fix Committed


Title:
  cls_flower: Fix inability to match GRE/IPIP packets

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  Fix Committed



[Kernel-packages] [Bug 1974096] Re: cls_flower: Fix inability to match GRE/IPIP packets

2022-05-19 Thread Stefan Bader
** Also affects: linux-bluefield (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Changed in: linux-bluefield (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux-bluefield (Ubuntu Focal)
   Status: New => In Progress

** Changed in: linux-bluefield (Ubuntu Focal)
 Assignee: (unassigned) => Bodong Wang (bodong-wang)

** Changed in: linux-bluefield (Ubuntu)
   Status: New => Invalid


Title:
  cls_flower: Fix inability to match GRE/IPIP packets

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  In Progress
