lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <dd7a713a-1c16-47dc-83f1-967e2b1054c6@intel.com>
Date: Mon, 22 Apr 2024 16:43:54 -0700
From: Jacob Keller <jacob.e.keller@...el.com>
To: Asbjørn Sloth Tønnesen <ast@...erby.net>,
	<netdev@...r.kernel.org>
CC: <linux-kernel@...r.kernel.org>, "David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, "Paolo
 Abeni" <pabeni@...hat.com>, Sunil Goutham <sgoutham@...vell.com>, "Geetha
 sowjanya" <gakula@...vell.com>, Subbaraya Sundeep <sbhatta@...vell.com>,
	hariprasad <hkelam@...vell.com>, Suman Ghosh <sumang@...vell.com>
Subject: Re: [PATCH net-next] octeontx2-pf: flower: check for unsupported
 control flags



On 4/22/2024 4:41 PM, Jacob Keller wrote:
> 
> 
> On 4/22/2024 8:27 AM, Asbjørn Sloth Tønnesen wrote:
>> Use flow_rule_is_supp_control_flags() to reject filters with
>> unsupported control flags.
>>
>> In case any unsupported control flags are masked,
>> flow_rule_is_supp_control_flags() sets a NL extended
>> error message, and we return -EOPNOTSUPP.
>>
>> Remove FLOW_DIS_FIRST_FRAG specific error message,
>> and treat it as any other unsupported control flag.
>>
>> Only compile-tested.
>>
>> Signed-off-by: Asbjørn Sloth Tønnesen <ast@...erby.net>
>> ---
>>  drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 8 ++++----
>>  1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
>> index 6d4ce2ece8d0..e63cc1eb6d89 100644
>> --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
>> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
>> @@ -700,10 +700,6 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node,
>>  		u32 val;
>>  
>>  		flow_rule_match_control(rule, &match);
>> -		if (match.mask->flags & FLOW_DIS_FIRST_FRAG) {
>> -			NL_SET_ERR_MSG_MOD(extack, "HW doesn't support frag first/later");
>> -			return -EOPNOTSUPP;
>> -		}
>>  
>>  		if (match.mask->flags & FLOW_DIS_IS_FRAGMENT) {
>>  			val = match.key->flags & FLOW_DIS_IS_FRAGMENT;
>> @@ -721,6 +717,10 @@ static int otx2_tc_prepare_flow(struct otx2_nic *nic, struct otx2_tc_flow *node,
>>  				return -EOPNOTSUPP;
>>  			}
>>  		}
>> +
>> +		if (!flow_rule_is_supp_control_flags(FLOW_DIS_IS_FRAGMENT,
>> +						     match.mask->flags, extack))
>> +			return -EOPNOTSUPP;
> 
> This confuses me since you pass FLOW_DIS_IS_FRAGMENT here, but you
> removed the check for FLOW_DIS_FIRST_FRAG??
> 
> Am I misunderstanding how flow_rule_is_supp_control_flags works?
> 
> The code just above this appears to support FLOW_DIS_IS_FRAGMENT.
> 
> Here is the implementation of flow_rule_is_supp_control_flags for reference:
> 
>> /**
>>  * flow_rule_is_supp_control_flags() - check for supported control flags
>>  * @supp_flags: control flags supported by driver
>>  * @ctrl_flags: control flags present in rule
>>  * @extack: The netlink extended ACK for reporting errors.
>>  *
>>  * Return: true if only supported control flags are set, false otherwise.
>>  */
>> static inline bool flow_rule_is_supp_control_flags(const u32 supp_flags,
>>                                                    const u32 ctrl_flags,
>>                                                    struct netlink_ext_ack *extack)
>> {
>>         if (likely((ctrl_flags & ~supp_flags) == 0))
>>                 return true;
>>
>>         NL_SET_ERR_MSG_FMT_MOD(extack,
>>                                "Unsupported match on control.flags %#x",
>>                                ctrl_flags);
>>
>>         return false;
>> }
>>
> 
> This seems to me that it you accidentally passed FLOW_DIS_IS_FRAGMENT
> when you meant FLOW_DIS_FIRST_FRAG??
> 
> I also think its a bit strange that you moved the placement of the check
> instead of replacing in the same location as where the previous check was.
> 
> 

Ah, I see what I missed. This takes the list of supported flags and
inverts it, and checks if any other flags were passed.

This is better since it guarantees future flags or other unknown flags
are rejected.

Ok. Sorry for the confusion.

Reviewed-by: Jacob Keller <jacob.e.keller@...el.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ