From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Frode Nordahl, Ilya Maximets, Jakub Kicinski
Subject: [PATCH 4.19 221/234] net: openvswitch: fix misuse of the cached connection on tuple changes
Date: Thu, 23 Jun 2022 18:44:48 +0200
Message-Id: <20220623164349.303968769@linuxfoundation.org>
In-Reply-To: <20220623164343.042598055@linuxfoundation.org>

From: Ilya Maximets

commit 2061ecfdf2350994e5b61c43e50e98a7a70e95ee upstream.

If packet headers changed, the cached nfct is no longer relevant
for the packet and attempt to re-use it leads to the incorrect packet
classification.

This issue is causing broken connectivity in OpenStack deployments
with OVS/OVN due to hairpin traffic being unexpectedly dropped.

The setup has datapath flows with several conntrack actions and tuple
changes between them:

  actions:ct(commit,zone=8,mark=0/0x1,nat(src)),
          set(eth(src=00:00:00:00:00:01,dst=00:00:00:00:00:06)),
          set(ipv4(src=172.18.2.10,dst=192.168.100.6,ttl=62)),
          ct(zone=8),recirc(0x4)

After the first ct() action the packet headers are almost fully
re-written.  The next ct() tries to re-use the existing nfct entry
and marks the packet as invalid, so it gets dropped later in the
pipeline.

Clearing the cached conntrack entry whenever packet tuple is changed
to avoid the issue.

The flow key should not be cleared though, because we should still
be able to match on the ct_state if the recirculation happens after
the tuple change but before the next ct() action.

Cc: stable@vger.kernel.org
Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action")
Reported-by: Frode Nordahl
Link: https://mail.openvswitch.org/pipermail/ovs-discuss/2022-May/051829.html
Link: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967856
Signed-off-by: Ilya Maximets
Link: https://lore.kernel.org/r/20220606221140.488984-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski
[Backport to 5.10: minor rebase in ovs_ct_clear function.
 This version also applicable to and tested on 5.4 and 4.19.]
Signed-off-by: Greg Kroah-Hartman
--- net/openvswitch/actions.c | 6 ++++++ net/openvswitch/conntrack.c | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) --- a/net/openvswitch/actions.c +++ b/net/openvswitch/actions.c 
@@ -443,6 +443,7 @@ static void set_ip_addr(struct sk_buff * update_ip_l4_checksum(skb, nh, *addr, new_addr); csum_replace4(&nh->check, *addr, new_addr); skb_clear_hash(skb); + ovs_ct_clear(skb, NULL); *addr = new_addr; } @@ -490,6 +491,7 @@ static void set_ipv6_addr(struct sk_buff update_ipv6_checksum(skb, l4_proto, addr, new_addr); skb_clear_hash(skb); + ovs_ct_clear(skb, NULL); memcpy(addr, new_addr, sizeof(__be32[4])); } @@ -730,6 +732,7 @@ static int set_nsh(struct sk_buff *skb, static void set_tp_port(struct sk_buff *skb, __be16 *port, __be16 new_port, __sum16 *check) { + ovs_ct_clear(skb, NULL); inet_proto_csum_replace2(check, skb, *port, new_port, false); *port = new_port; } @@ -769,6 +772,7 @@ static int set_udp(struct sk_buff *skb, uh->dest = dst; flow_key->tp.src = src; flow_key->tp.dst = dst; + ovs_ct_clear(skb, NULL); } skb_clear_hash(skb); @@ -831,6 +835,8 @@ static int set_sctp(struct sk_buff *skb, sh->checksum = old_csum ^ old_correct_csum ^ new_csum; skb_clear_hash(skb); + ovs_ct_clear(skb, NULL); + flow_key->tp.src = sh->source; flow_key->tp.dst = sh->dest; --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1303,7 +1303,8 @@ int ovs_ct_clear(struct sk_buff *skb, st if (skb_nfct(skb)) { nf_conntrack_put(skb_nfct(skb)); nf_ct_set(skb, NULL, IP_CT_UNTRACKED); - ovs_ct_fill_key(skb, key); + if (key) + ovs_ct_fill_key(skb, key); } return 0;
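
Review bot: the `if (key)` guard added in the ovs_ct_clear() hunk of conntrack.c makes a NULL key a supported argument, but nothing at the function says so. A short comment above ovs_ct_clear() stating that NULL means "drop the cached nfct and leave the flow key untouched" would record the intent the commit message gives (ct_state must stay matchable if recirculation happens before the next ct() action), so that a later cleanup neither removes the guard nor starts passing the key from the set_*() helpers in actions.c.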
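
Review bot: in the set_udp() hunk the new ovs_ct_clear(skb, NULL) sits inside the block that writes uh->dest and flow_key->tp directly, while skb_clear_hash(skb) runs after the closing brace for every path. The other branch of set_udp() is not visible in this hunk, so it is worth confirming that it rewrites ports only through set_tp_port(), which clears the entry itself; if that is the reason for the asymmetric placement, a one-line comment here would make it obvious. Moving the call next to skb_clear_hash(skb), as the set_ip_addr(), set_ipv6_addr() and set_sctp() hunks do, would remove the question altogether.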
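
Review bot: in the set_tp_port() hunk ovs_ct_clear(skb, NULL) is the first statement, ahead of inet_proto_csum_replace2(), whereas the other helpers touched by this patch call it after the checksum update and skb_clear_hash(skb). The order does not change the result as far as these lines show, but keeping the clear in the same position in every helper (after the checksum fix-up, before the field is overwritten) would make it easier to audit that each tuple-changing path drops the cached entry.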