From patchwork Thu Mar 26 19:58:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yifeng Sun X-Patchwork-Id: 1262244 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133; helo=hemlock.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=LLdlIiap; dkim-atps=neutral Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48pG5C3kGgz9sSH for ; Fri, 27 Mar 2020 06:58:39 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 9CBBC891C8; Thu, 26 Mar 2020 19:58:35 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XCBaKo8Dp9MF; Thu, 26 Mar 2020 19:58:34 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by hemlock.osuosl.org (Postfix) with ESMTP id 70545891A7; Thu, 26 Mar 2020 19:58:33 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 54C11C1831; Thu, 26 Mar 2020 19:58:33 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0A99FC0177 for ; Thu, 26 Mar 2020 19:58:32 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id 248DF805D8 for ; Thu, 26 Mar 2020 19:58:31 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rFJ6ZeMwSVqQ for ; Thu, 26 Mar 2020 19:58:30 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-pf1-f194.google.com (mail-pf1-f194.google.com [209.85.210.194]) by whitealder.osuosl.org (Postfix) with ESMTPS id 96E33886E9 for ; Thu, 26 Mar 2020 19:58:30 +0000 (UTC) Received: by mail-pf1-f194.google.com with SMTP id 23so3348313pfj.1 for ; Thu, 26 Mar 2020 12:58:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=+cjXP01YAxijz1yxAeyTFYEgCF9J0p4oGcqkuMCQEjQ=; b=LLdlIiapOTYMhbBUHlihQ3/+zdkIdhYIRbmfmhEz8ZOEkdXWNICti3xHoIQ+i2T7BV b74IyDr1ZK0YS4iLHUeoSf/wGCg60zboxhcwwi964DEyA4n4vUB0437gbf7PRUv5YuLF sMSmKB4/k/KdFEJbw9frui/lOphMsqBCaYdA0Z99ibmecMXWU3M9J66/t2mR5Hu9rLcm Jk80AD6QbttVJDqpqm1CX8D2UfktnDrAjYMCWzArj+0e0ErpGlVeoXGEy+NMtILGFM1o PQy0ayErGVYRHpcLdR7UqW2J9xP8xft0qw6K7lv9eT4JLyVellUzvAarHs9Lczx2UylS HyiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=+cjXP01YAxijz1yxAeyTFYEgCF9J0p4oGcqkuMCQEjQ=; b=Mqp8GhVrYHXtXdztl/sgyg+VeWn3B4i3Cs5CjtGf9YUpu+HndBJmnVKn7X0VDFkluH neibXLT5i+7Unpj+uMpzPTX+IixmzPG58pCQEY6s5maSQQdUnFPpuUKsBqENccpeiu4U mnu9JKSl+4tlVLIqSkmh4VPVAg5ZUvO5wl8t+tbhKh+h7DPLZ1g8hAE/GUyvMDZaM0lX mgfv9iVQcAAwd0vNv5JOAOQpNWgytyKfo2OY4F7R4vjRSVVxZAJfxzfPAIKzLtvijUdB xU8+xZntTmR5G6lNgH5Q6ISDX952JUcWovkYxPCp71jhjNA9NRyLRldu0r4ZwSdmOzIC rLDg== X-Gm-Message-State: ANhLgQ25yuL9j5uK9QgRYAneBTfefFMQzw6au6pK571sWbRKeUFCURmB xJiyK1U+DK/2Ba7CkFiLDcuMoKqJISw= X-Google-Smtp-Source: ADFU+vts1e8c/WwBqWes/og9y3Usnnxxg3SkCMUtHfer8MxXy19Nk+9+UkE853JkKPNe4XUFw8NPlg== X-Received: by 2002:aa7:8ec1:: with SMTP id b1mr10597138pfr.125.1585252709833; Thu, 26 Mar 2020 12:58:29 -0700 (PDT) Received: from kern417.eng.vmware.com ([66.170.99.1]) by smtp.gmail.com with ESMTPSA id u41sm2320043pgn.8.2020.03.26.12.58.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Mar 2020 12:58:29 -0700 (PDT) From: Yifeng Sun To: dev@openvswitch.org Date: Thu, 26 Mar 2020 12:58:22 -0700 Message-Id: <1585252702-8649-2-git-send-email-pkusunyifeng@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1585252702-8649-1-git-send-email-pkusunyifeng@gmail.com> References: <1585252702-8649-1-git-send-email-pkusunyifeng@gmail.com> Subject: [ovs-dev] [PATCH 2/2] system-traffic: Check frozen state handling with TLV map change X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" This patch enhances a system traffic test to prevent regression on the tunnel metadata table (tun_table) handling with frozen state. Without a proper fix this test can crash ovs-vswitchd due to a use-after-free bug on tun_table. These are the timed sequence of how this bug is triggered: - Adds an OpenFlow rule in OVS that matches Geneve tunnel metadata that contains a controller action. - When the first packet matches the aforementioned OpenFlow rule, during the miss upcall, OVS stores a pointer to the tun_table (that decodes the Geneve tunnel metadata) in a frozen state and pushes down a datapath flow into kernel datapath. - Issues a add-tlv-map command to reprogram the tun_table on OVS. OVS frees the old tun_table and create a new tun_table. - A subsequent packet hits the kernel datapath flow again. Since there is a controller action associated with that flow, it triggers slow path controller upcall. - In the slow path controller upcall, OVS derives the tun_table from the frozen state, which points to the old tun_table that is already being freed at this time point. - In order to access the tunnel metadata, OVS uses the invalid pointer that points to the old tun_table and triggers the core dump. Signed-off-by: Yi-Hung Wei Signed-off-by: Yifeng Sun Co-authored-by: Yi-Hung Wei --- tests/system-traffic.at | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 4a39c929c207..992de8546c41 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -611,6 +611,20 @@ NS_CHECK_EXEC([at_ns0], [ping -q -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl 3 packets transmitted, 3 received, 0% packet loss, time 0ms ]) +dnl Test OVS handles TLV map modifictions properly when restores frozen state. +NS_CHECK_EXEC([at_ns0], [ping 10.1.1.100 > ping.out &]) + +sleep 2 + +AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0x88,len=4}->tun_metadata1"]) +sleep 1 +AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0x99,len=4}->tun_metadata2"]) +sleep 1 +AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0xaa,len=4}->tun_metadata3"]) +sleep 1 + +dnl At this point, ovs-vswitchd will either crash or everything is OK. + OVS_APP_EXIT_AND_WAIT([ovs-ofctl]) OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP