Fix byte count on fragmented packets in tc ct action

Bug #1946393 reported by Bodong Wang
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-bluefield (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Released
Medium
Bodong Wang

Bug Description

* Explain the bug

First fragmented packets (frag offset = 0) byte len is zeroed
when stolen by ip_defrag(). And since act_ct update the stats
only afterwards (at end of execute), bytes aren't correctly
accounted for such packets.

* How to test

Create OVS bridge with 2 devices $dev1, $dev2 (can be any devices)
Enable HW offload and configure connection tracking OpenFlow rules as below
e.g:
    ovs-ofctl del-flows br-ovs
    ovs-ofctl add-flow br-ovs arp,actions=normal
    ovs-ofctl add-flow br-ovs "table=0, ip,ct_state=-trk actions=ct(table=1)"
    ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=+trk+new actions=ct(commit),normal"
    ovs-ofctl add-flow br-ovs "table=1, ip,ct_state=+trk+est, actions=normal"

Run fragmented icmp ping traffic (e.g ping -s 2000)

dump ovs rules (ovs-appctl dpctl/dump-flows), observe byte count on frag=first rule:
ct_state(-trk),recirc_id(0),in_port(2),eth_type(0x0800),ipv4(proto=1,frag=first), packets:10, bytes:13960, used:1.370s, actions:ct(zone=1),recirc(0x1)

bytes would be zero if bug occurs.

* What it could break.

NA

Changed in linux-bluefield (Ubuntu Focal):
status: New → In Progress
Stefan Bader (smb)
Changed in linux-bluefield (Ubuntu Focal):
assignee: nobody → Bodong Wang (bodong-wang)
importance: Undecided → Medium
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1021.24 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Kelsey Skunberg (kelsey-skunberg) wrote :

Hi Bodong, may you please verify the Focal/bluefield kernel in -proposed resolves this bug? You can find more instructions in comment #1. Thank you!

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (33.5 KiB)

This bug was fixed in the package linux-bluefield - 5.4.0-1021.24

---------------
linux-bluefield (5.4.0-1021.24) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1021.24 -proposed tracker (LP: #1947236)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md

  * Add psample tunnel support and also two fixes for psample issues.
    (LP: #1946266)
    - net: psample: Add tunnel support
    - net: psample: fix build error when CONFIG_INET is not enabled
    - net: psample: Fix netlink skb length with tunnel info
    - psample: Fix user API breakage

  * Fix ignoring ct state match of OVS offload to TC/HW (LP: #1944390)
    - netlink: add mask validation
    - net/sched: cls_flower: Reject invalid ct_state flags rules
    - net/sched: cls_flower: validate ct_state for invalid and reply flags
    - net/sched: cls_flower: fix only mask bit check in the validate_ct_state

  * Fix byte count on fragmented packets in tc ct action (LP: #1946393)
    - net/sched: act_ct: add miss tcf_lastuse_update.
    - SAUCE: net/sched: act_ct: Fix byte count on fragmented packets

  [ Ubuntu: 5.4.0-90.101 ]

  * focal/linux: 5.4.0-90.101 -proposed tracker (LP: #1947260)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.10.18)
  * Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check
  * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s
    Gen2 (LP: #1939052)
    - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
      15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s
      Gen2
  * CVE-2020-36385
    - RDMA/cma: Add missing locking to rdma_accept()
    - RDMA/ucma: Fix the locking of ctx->file
    - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
  * Focal update: v5.4.148 upstream stable release (LP: #1946802)
    - rtc: tps65910: Correct driver module alias
    - btrfs: wake up async_delalloc_pages waiters after submit
    - btrfs: reset replace target device to allocation state on close
    - blk-zoned: allow zone management send operations without CAP_SYS_ADMIN
    - blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN
    - PCI/MSI: Skip masking MSI-X on Xen PV
    - powerpc/perf/hv-gpci: Fix counter value parsing
    - xen: fix setting of max_pfn in shared_info
    - include/linux/list.h: add a macro to test if entry is pointing to the head
    - 9p/xen: Fix end of loop tests for list_for_each_entry
    - tools/thermal/tmon: Add cross compiling support
    - pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast
    - pinctrl: ingenic: Fix incorrect pull up/down info
    - soc: qcom: aoss: Fix the out of bound usage of cooling_devs
    - soc: aspeed: lpc-ctrl: Fix boundary check for mmap
    - soc: aspeed: p2a-ctrl: Fix boundary check for mmap
    - arm64: head: avoid over-mapping in map_memory
    - crypto: public_key: fix overflow during implicit conversion
    - block: bfq: fix bfq_set_next_ioprio_data()
    - power: supply: max17042: handle fails of reading st...

Changed in linux-bluefield (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers