From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, wenxu , Marcelo Ricardo Leitner , "David S. Miller" , Sasha Levin
Subject: [PATCH 5.10 142/221] net/sched: cls_flower: fix only mask bit check in the validate_ct_state
Date: Mon, 29 Mar 2021 09:57:53 +0200
Message-Id: <20210329075633.914203344@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210329075629.172032742@linuxfoundation.org>
References: <20210329075629.172032742@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: wenxu

[ Upstream commit afa536d8405a9ca36e45ba035554afbb8da27b82 ]

The ct_state validate should not only check the mask bit but also check mask_bit & key_bit.

For the +new+est case, for example, the 'new' and 'est' bits should be set in both state_mask and state flags. Or the -new-est case will also be rejected by the kernel.

When Openvswitch has two flows

ct_state=+trk+new,action=commit,forward
ct_state=+trk+est,action=forward

A packet goes through the kernel and the conntrack state is invalid; the ct_state will be +trk-inv. On upcall to ovs-vswitchd, the final dp action will be drop with -new-est+trk.

Fixes: 1bcc51ac0731 ("net/sched: cls_flower: Reject invalid ct_state flags rules")
Fixes: 3aed8b63336c ("net/sched: cls_flower: validate ct_state for invalid and reply flags")
Signed-off-by: wenxu
Reviewed-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/sched/cls_flower.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 46c1b3e9f66a..14316ba9b3b3 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c 
@@ -1432,7 +1432,7 @@ static int fl_set_key_ct(struct nlattr **tb, &mask->ct_state, TCA_FLOWER_KEY_CT_STATE_MASK, sizeof(key->ct_state)); - err = fl_validate_ct_state(mask->ct_state, + err = fl_validate_ct_state(key->ct_state & mask->ct_state, tb[TCA_FLOWER_KEY_CT_STATE_MASK], extack); if (err) -- 2.30.1
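
Review bot: the call in fl_set_key_ct() now validates `key->ct_state & mask->ct_state`, but it still passes tb[TCA_FLOWER_KEY_CT_STATE_MASK] as the attribute used for extack, so a rejected rule will be reported against the mask attribute although the value being checked is no longer the mask alone. A short comment above the call would help, stating that only bits set in both key and mask (the "+flag" matches) are validated, which is why a "-new-est" rule as described in the commit message must pass. It is also worth confirming that the parameter name and error strings inside fl_validate_ct_state(), which are not visible in this hunk, still describe what is now passed in, and adding a selftest for the -new-est+trk case so the regression named in the two Fixes: tags stays covered.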