This bug was fixed in the package linux-bluefield - 5.4.0-1045.50

---------------
linux-bluefield (5.4.0-1045.50) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1045.50 -proposed tracker (LP: #1983921)

  * pwr-mlxbf.c: Improve driver dependencies and fix zero allocating memory size
    (LP: #1980750)
    - SAUCE: pwr-mlxbf.c: Improve driver dependencies
    - SAUCE: pwr-mlxbf.c: Fix zero allocating memory size
    - SAUCE: pwr-mlxbf.c: Update driver version to 1.1

  * store the last executed chain also for clsact egress (LP: #1982980)
    - net/sched: store the last executed chain also for clsact egress

  * i2c-mlxbf.c: support lock mechanism (LP: #1981105)
    - SAUCE: i2c-mlxbf.c: support lock mechanism

  * i2c-mlxbf.c: fix wrong variable name (LP: #1982357)
    - SAUCE: i2c-mlxbf.c: fix wrong variable name

  [ Ubuntu: 5.4.0-125.141 ]

  * focal/linux: 5.4.0-125.141 -proposed tracker (LP: #1983947)

  * nbd: requests can become stuck when disconnecting from server with qemu-nbd
    (LP: #1896350)
    - blk-mq: blk-mq: provide forced completion method
    - blk-mq: move failure injection out of blk_mq_complete_request
    - nbd: don't handle response without a corresponding request message
    - nbd: make sure request completion won't concurrent
    - nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed
    - nbd: fix io hung while disconnecting device

  * CVE-2021-33656
    - vt: drop old FONT ioctls

  * CVE-2021-33061
    - ixgbe: add the ability for the PF to disable VF link state
    - ixgbe: add improvement for MDD response functionality
    - ixgbevf: add disable link state

 -- Zachary Tahenakos <zachary.tahena...@canonical.com>  Thu, 11 Aug 2022 15:11:51 -0400

** Changed in: linux-bluefield (Ubuntu)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33061

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-33656

https://bugs.launchpad.net/bugs/1982980

Title:
  store the last executed chain also for clsact egress

Status in linux-bluefield package in Ubuntu:
  Fix Released

Bug description:

  * Explain the bug(s)

  Misses on multi chain tc egress rules that are offloaded from ovs
  datapath rules (ct rules on ovs' internal port devices) will restart
  from recirc_id(0) again in OvS dp, instead of the recirc_id that matches
  where we left off in tc (ovs recirc_id should be equal to tc chain).

  * brief explanation of fixes

  Set the tc skb extension that stores the last executed tc chain, which
  ovs reads on misses to set the starting recirc_id from.

  * How to test

  Set up ovs with ovs offload enabled, and add ip to internal port,
  example with veth device:

    function config_veth() {
        local ns=$1
        local ip=$2
        local peer=${ns}_peer
        local veth=${ns}_veth

        echo "Create namespace $ns, veths: hv $veth <-> ns $peer ($ip)"
        ip netns add $ns
        ip link del $veth &>/dev/null
        ip link add $veth type veth peer name $peer
        ip link set $veth up
        ip link set $peer netns $ns
        ip netns exec $ns ifconfig $peer $ip/24 mtu 1400 up
    }

    IP1="7.7.7.1"
    IP2="7.7.7.2"

    config_veth ns0 $IP1
    ifconfig ovs-br $IP2

    ovs-vsctl add-br ovs-br
    ovs-vsctl add-port ovs-br ns0_veth
    ovs-vsctl add-port ovs-br ns1_veth

  Add openflow rules and check if packets arriving to table=0 (default
  table that corresponds to recirc_id(0)) have ct mark that was only set
  if a later table was executed.

  Add an unsupported offload action (in this case group), so we will have
  a miss from offloaded tc rules to ovs dp:

    ovs-ofctl del-flows ovs-br
    ovs-ofctl -O OpenFlow12 add-group ovs-br 'group_id=2,type=select,bucket=ct(commit,zone=1,table=2)'
    ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"
    ovs-ofctl add-flow ovs-br "table=0, ip, +trk, actions=drop" #bad flow
    ovs-ofctl add-flow ovs-br "table=0, ip, -trk, actions=ct(commit,table=1)" #good flow
    ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"
    ovs-ofctl add-flow ovs-br "table=2, ip, actions=normal"

  Run udp/tcp traffic from default ns 7.7.7.1 to ns1 7.7.7.2 and check

    ovs-appctl dpctl/dump-flows

  If the bug occurs there should be a drop rule, because we got to
  recirc_id(0) after missing in tc, and tc already did the -trk
  ct(commit...) rule, so the packet should be tracked (+trk) when missed
  to ovs.

  * What it could break.

  Running the wrong datapath rules in OvS datapath.
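
A check for the symptom described in the test steps above, as an added example that is not part of the original bug report: it scans `ovs-appctl dpctl/dump-flows` text for a flow that is in recirc_id(0), matches an already tracked packet (+trk) and drops it. The sample flow lines are constructed, and the symbolic `ct_state(...)` rendering of the dump is an assumption.

```shell
# Added example, not code from the bug report.
# Reads `ovs-appctl dpctl/dump-flows` text on stdin, prints every flow that
# is in recirc_id(0), matches ct_state +trk and has actions:drop.
# Returns 1 if at least one such flow was found, 0 otherwise.
find_restarted_chain_drops() {
    awk '
        /(^|,)recirc_id\(0\)/ && /ct_state\([^)]*\+trk/ && /actions:drop[[:space:]]*$/ {
            print
            hits++
        }
        END { exit (hits > 0 ? 1 : 0) }
    '
}

# Constructed sample: a miss from tc restarted at recirc_id(0), so the
# already committed (+trk) packet hit the "bad flow" drop rule in table=0.
SAMPLE_BEFORE='recirc_id(0),in_port(2),ct_state(-trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:3, bytes:294, used:0.52s, actions:ct(commit),recirc(0x1)
recirc_id(0),in_port(2),ct_state(+trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:9, bytes:882, used:0.10s, actions:drop'

# Constructed sample: the miss continues at the recirc_id that matches the
# last executed tc chain, so no tracked packet is seen at recirc_id(0).
SAMPLE_AFTER='recirc_id(0),in_port(2),ct_state(-trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:3, bytes:294, used:0.52s, actions:ct(commit),recirc(0x1)
recirc_id(0x1),in_port(2),ct_state(+new+trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:9, bytes:882, used:0.10s, actions:ct(commit,zone=1),recirc(0x2)'

# $1 = label, $2 = dump text
report() {
    if printf '%s\n' "$2" | find_restarted_chain_drops >/dev/null; then
        echo "$1: no tracked packet dropped at recirc_id(0)"
    else
        echo "$1: tracked packet dropped at recirc_id(0)"
    fi
}

report "before fix (constructed)" "$SAMPLE_BEFORE"
report "after fix (constructed)" "$SAMPLE_AFTER"
```

On a test host the same function can be fed the live dump: `ovs-appctl dpctl/dump-flows | find_restarted_chain_drops`.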