mirror of
https://github.com/openvswitch/ovs
synced 2025-10-21 14:49:41 +00:00
ad4adec2a3
Upstream commit:
openvswitch: Zero flows on allocation.
When support for megaflows was introduced, OVS needed to start
installing flows with a mask applied to them. Since masking is an
expensive operation, OVS also had an optimization that would only
take the parts of the flow keys that were covered by a non-zero
mask. The values stored in the remaining pieces should not matter
because they are masked out.
While this works fine for the purposes of matching (which must always
look at the mask), serialization to netlink can be problematic. Since
the flow and the mask are serialized separately, the uninitialized
portions of the flow can be encoded with whatever values happen to be
present.
In terms of functionality, this has little effect since these fields
will be masked out by definition. However, it leaks kernel memory to
userspace, which is a potential security vulnerability. It is also
possible that other code paths could look at the masked key and get
uninitialized data, although this does not currently appear to be an
issue in practice.
This removes the mask optimization for flows that are being installed.
This was always intended to be the case as the mask optimizations were
really targetting per-packet flow operations.
Fixes: 03f0d916 ("openvswitch: Mega flow implementation")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Upstream: ae5f2fb1 ("openvswitch: Zero flows on allocation.")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
104 lines
3.0 KiB
C
104 lines
3.0 KiB
C
/*
|
|
* Copyright (c) 2007-2013 Nicira, Inc.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
* License as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA
|
|
*/
|
|
|
|
#ifndef FLOW_TABLE_H
|
|
#define FLOW_TABLE_H 1
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/netlink.h>
|
|
#include <linux/openvswitch.h>
|
|
#include <linux/spinlock.h>
|
|
#include <linux/types.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/if_ether.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/jiffies.h>
|
|
#include <linux/time.h>
|
|
#include <linux/flex_array.h>
|
|
|
|
#include <net/inet_ecn.h>
|
|
#include <net/ip_tunnels.h>
|
|
|
|
#include "flow.h"
|
|
|
|
struct mask_cache_entry {
|
|
u32 skb_hash;
|
|
u32 mask_index;
|
|
};
|
|
|
|
struct mask_array {
|
|
struct rcu_head rcu;
|
|
int count, max;
|
|
struct sw_flow_mask __rcu *masks[];
|
|
};
|
|
|
|
struct table_instance {
|
|
struct flex_array *buckets;
|
|
unsigned int n_buckets;
|
|
struct rcu_head rcu;
|
|
int node_ver;
|
|
u32 hash_seed;
|
|
bool keep_flows;
|
|
};
|
|
|
|
struct flow_table {
|
|
struct table_instance __rcu *ti;
|
|
struct table_instance __rcu *ufid_ti;
|
|
struct mask_cache_entry __percpu *mask_cache;
|
|
struct mask_array __rcu *mask_array;
|
|
unsigned long last_rehash;
|
|
unsigned int count;
|
|
unsigned int ufid_count;
|
|
};
|
|
|
|
extern struct kmem_cache *flow_stats_cache;
|
|
|
|
int ovs_flow_init(void);
|
|
void ovs_flow_exit(void);
|
|
|
|
struct sw_flow *ovs_flow_alloc(void);
|
|
void ovs_flow_free(struct sw_flow *, bool deferred);
|
|
|
|
int ovs_flow_tbl_init(struct flow_table *);
|
|
int ovs_flow_tbl_count(const struct flow_table *table);
|
|
void ovs_flow_tbl_destroy(struct flow_table *table);
|
|
int ovs_flow_tbl_flush(struct flow_table *flow_table);
|
|
|
|
int ovs_flow_tbl_insert(struct flow_table *table, struct sw_flow *flow,
|
|
const struct sw_flow_mask *mask);
|
|
void ovs_flow_tbl_remove(struct flow_table *table, struct sw_flow *flow);
|
|
int ovs_flow_tbl_num_masks(const struct flow_table *table);
|
|
struct sw_flow *ovs_flow_tbl_dump_next(struct table_instance *table,
|
|
u32 *bucket, u32 *idx);
|
|
struct sw_flow *ovs_flow_tbl_lookup_stats(struct flow_table *,
|
|
const struct sw_flow_key *,
|
|
u32 skb_hash,
|
|
u32 *n_mask_hit);
|
|
struct sw_flow *ovs_flow_tbl_lookup(struct flow_table *,
|
|
const struct sw_flow_key *);
|
|
struct sw_flow *ovs_flow_tbl_lookup_exact(struct flow_table *tbl,
|
|
const struct sw_flow_match *match);
|
|
struct sw_flow *ovs_flow_tbl_lookup_ufid(struct flow_table *,
|
|
const struct sw_flow_id *);
|
|
|
|
bool ovs_flow_cmp(const struct sw_flow *, const struct sw_flow_match *);
|
|
|
|
void ovs_flow_mask_key(struct sw_flow_key *dst, const struct sw_flow_key *src,
|
|
bool full, const struct sw_flow_mask *mask);
|
|
#endif /* flow_table.h */
|