From patchwork Mon Feb 19 10:59:32 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cheng Li <lic121@chinatelecom.cn>
X-Patchwork-Id: 1900926
X-Patchwork-Delegate: i.maximets@samsung.com
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org)
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384)
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4Tdfrw2J5Qz1yP6
	for <incoming@patchwork.ozlabs.org>; Mon, 19 Feb 2024 22:07:42 +1100 (AEDT)
Received: from localhost (localhost [127.0.0.1])
	by smtp1.osuosl.org (Postfix) with ESMTP id 38F17820F0;
	Mon, 19 Feb 2024 11:07:40 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp1.osuosl.org ([127.0.0.1])
	by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 8Xx6TjsUW9dq; Mon, 19 Feb 2024 11:07:39 +0000 (UTC)
X-Comment: SPF check N/A for local connections -
 client-ip=2605:bc80:3010:104::8cd3:938; helo=lists.linuxfoundation.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 54F2D820E6
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org
 [IPv6:2605:bc80:3010:104::8cd3:938])
	by smtp1.osuosl.org (Postfix) with ESMTPS id 54F2D820E6;
	Mon, 19 Feb 2024 11:07:39 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 378DBC0072;
	Mon, 19 Feb 2024 11:07:39 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 02207C0037
 for <dev@openvswitch.org>; Mon, 19 Feb 2024 11:07:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id DEF1B820E6
 for <dev@openvswitch.org>; Mon, 19 Feb 2024 11:07:37 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id hwNEyajX-4Ge for <dev@openvswitch.org>;
 Mon, 19 Feb 2024 11:07:36 +0000 (UTC)
X-Greylist: delayed 466 seconds by postgrey-1.37 at util1.osuosl.org;
 Mon, 19 Feb 2024 11:07:35 UTC
DMARC-Filter: OpenDMARC Filter v1.4.2 smtp1.osuosl.org 27E0C820E3
Authentication-Results: smtp1.osuosl.org; dmarc=none (p=none dis=none)
 header.from=chinatelecom.cn
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 27E0C820E3
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=182.42.152.55;
 helo=chinatelecom.cn; envelope-from=lic121@chinatelecom.cn;
 receiver=<UNKNOWN>
Received: from chinatelecom.cn (smtpnm6-09.21cn.com [182.42.152.55])
 by smtp1.osuosl.org (Postfix) with ESMTP id 27E0C820E3
 for <dev@openvswitch.org>; Mon, 19 Feb 2024 11:07:35 +0000 (UTC)
HMM_SOURCE_IP: 192.168.137.232:8365.710663218
HMM_ATTACHE_NUM: 0000
HMM_SOURCE_TYPE: SMTP
Received: from clientip-36.111.64.84 (unknown [192.168.137.232])
 by chinatelecom.cn (HERMES) with SMTP id BF2B611000161;
 Mon, 19 Feb 2024 18:59:38 +0800 (CST)
X-189-SAVE-TO-SEND: +lic121@chinatelecom.cn
Received: from  ([36.111.64.84])
 by gateway-ssl-dep-77bc75f6c8-dplxv with ESMTP id
 2686c2e720bc447eb53f2b226147dcf1 for dev@openvswitch.org;
 Mon, 19 Feb 2024 18:59:40 CST
X-Transaction-ID: 2686c2e720bc447eb53f2b226147dcf1
X-Real-From: lic121@chinatelecom.cn
X-Receive-IP: 36.111.64.84
X-MEDUSA-Status: 0
From: Cheng Li <lic121@chinatelecom.cn>
To: dev@openvswitch.org
Date: Mon, 19 Feb 2024 10:59:32 +0000
Message-Id: <20240219105932.342676-1-lic121@chinatelecom.cn>
X-Mailer: git-send-email 2.39.3
MIME-Version: 1.0
Subject: [ovs-dev] [PATCH v2] upcall: Check flow consistant in upcall.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

Ovs ko passes odp key and packet to userspace. Next packet is
extracted into flow, which is the input for xlate to generate wc.
At last, ukey(= odp_key/wc) is installed into datapath. If the
odp_key is not consistant with packet extracted flow. The ukey
will be wrong.

commit [1] was created to fix inconsistance caused by bad tcp
header. commit [2] was cretaed to fix inconsistance caused by bad
ip header. There is no guarantee of the consistance of odp_key and
packet flow. So it is necessary to make the check to prevent from
installing wrong ukey.

[1] 1f5749c790accd98dbcafdaefc40bf5e52d7c672
[2] 79349cbab0b2a755140eedb91833ad2760520a83

Signed-off-by: Cheng Li <lic121@chinatelecom.cn>
---

Notes:
    v2: Leverage avoid_caching to avoid ukey install.

 ofproto/ofproto-dpif-upcall.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ofproto/ofproto-dpif-upcall.c b/ofproto/ofproto-dpif-upcall.c
index b5cbeed87..bd93f0981 100644
--- a/ofproto/ofproto-dpif-upcall.c
+++ b/ofproto/ofproto-dpif-upcall.c
@@ -66,6 +66,7 @@ COVERAGE_DEFINE(upcall_flow_limit_reduced);
 COVERAGE_DEFINE(upcall_flow_limit_scaled);
 COVERAGE_DEFINE(upcall_ukey_contention);
 COVERAGE_DEFINE(upcall_ukey_replace);
+COVERAGE_DEFINE(upcall_packet_flow_inconsistant);
 
 /* A thread that reads upcalls from dpif, forwards each upcall's packet,
  * and possibly sets up a kernel flow as a cache. */
@@ -840,6 +841,7 @@ recv_upcalls(struct handler *handler)
     struct dpif_upcall dupcalls[UPCALL_MAX_BATCH];
     struct upcall upcalls[UPCALL_MAX_BATCH];
     struct flow flows[UPCALL_MAX_BATCH];
+    struct flow odp_key_flow;
     size_t n_upcalls, i;
 
     n_upcalls = 0;
@@ -903,6 +905,8 @@ recv_upcalls(struct handler *handler)
         upcall->out_tun_key = dupcall->out_tun_key;
         upcall->actions = dupcall->actions;
 
+        /* Save odp flow before overwrite. */
+        memcpy(&odp_key_flow, flow, sizeof odp_key_flow);
         pkt_metadata_from_flow(&dupcall->packet.md, flow);
         flow_extract(&dupcall->packet, flow);
 
@@ -912,6 +916,12 @@ recv_upcalls(struct handler *handler)
             goto cleanup;
         }
 
+        if (!flow_equal_except(&odp_key_flow, flow, &upcall->wc)) {
+            /* If odp flow is not consistant with flow extract from packet,
+             * bad ukey/mask will be installed. */
+            COVERAGE_INC(upcall_packet_flow_inconsistant);
+            upcall->xout.avoid_caching = true;
+        }
         n_upcalls++;
         continue;
 
@@ -1376,6 +1386,10 @@ should_install_flow(struct udpif *udpif, struct upcall *upcall)
         return false;
     }
 
+    if (upcall->xout.avoid_caching) {
+        return false;
+    }
+
     atomic_read_relaxed(&udpif->flow_limit, &flow_limit);
     if (udpif_get_n_flows(udpif) >= flow_limit) {
         COVERAGE_INC(upcall_flow_limit_hit);