linux/net/openvswitch
Jesse Gross ae5f2fb1d5 openvswitch: Zero flows on allocation.
When support for megaflows was introduced, OVS needed to start
installing flows with a mask applied to them. Since masking is an
expensive operation, OVS also had an optimization that would only
take the parts of the flow keys that were covered by a non-zero
mask. The values stored in the remaining pieces should not matter
because they are masked out.

While this works fine for the purposes of matching (which must always
look at the mask), serialization to netlink can be problematic. Since
the flow and the mask are serialized separately, the uninitialized
portions of the flow can be encoded with whatever values happen to be
present.

In terms of functionality, this has little effect since these fields
will be masked out by definition. However, it leaks kernel memory to
userspace, which is a potential security vulnerability. It is also
possible that other code paths could look at the masked key and get
uninitialized data, although this does not currently appear to be an
issue in practice.

This removes the mask optimization for flows that are being installed.
This was always intended to be the case as the mask optimizations were
really targeting per-packet flow operations.

Fixes: 03f0d916 ("openvswitch: Mega flow implementation")
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-22 17:33:41 -07:00
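
The leak described in the commit message above, as an added example: a simplified user-space model in C, not code from the kernel or from this commit. The struct layout, the names `mask_key` and `leaked_bytes`, the `full` flag and the 0xA5 fill pattern are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified flow key (not the kernel's struct sw_flow_key). */
struct flow_key { uint32_t in_port, ipv4_src, ipv4_dst; uint16_t tp_src, tp_dst; };

/* Mask plus the byte range [start, end) that holds its non-zero part. */
struct flow_mask { size_t start, end; struct flow_key key; };

/* dst = src & mask. With full == 0 only the range is written, which is the
 * per-packet optimization; bytes outside it keep whatever dst already held. */
static void mask_key(struct flow_key *dst, const struct flow_key *src,
                     const struct flow_mask *m, int full)
{
    const uint8_t *s = (const uint8_t *)src, *k = (const uint8_t *)&m->key;
    uint8_t *d = (uint8_t *)dst;
    size_t i = full ? 0 : m->start, end = full ? sizeof(*dst) : m->end;

    for (; i < end; i++)
        d[i] = s[i] & k[i];
}

/* Model installing one flow and serializing its key. Returns how many bytes
 * of the serialized key still hold the allocator's previous contents. */
static size_t leaked_bytes(int zero_on_alloc, int full)
{
    struct flow_key installed, pkt = { 1, 0x0a000001, 0x0a000002, 1234, 80 };
    struct flow_mask m = { offsetof(struct flow_key, ipv4_dst),
                           offsetof(struct flow_key, tp_src), { 0 } };
    uint8_t wire[sizeof(installed)];      /* stands in for the netlink attribute */
    size_t i, n = 0;

    m.key.ipv4_dst = 0xffffffff;          /* match on destination address only */
    memset(&installed, zero_on_alloc ? 0 : 0xA5, sizeof(installed)); /* 0xA5: constructed stale data */
    mask_key(&installed, &pkt, &m, full);
    memcpy(wire, &installed, sizeof(wire)); /* key goes out whole, separately from the mask */
    for (i = 0; i < sizeof(wire); i++)
        n += (wire[i] == 0xA5);
    return n;
}

int main(void)
{
    printf("range-only mask, unzeroed alloc: %zu stale bytes\n", leaked_bytes(0, 0));
    printf("range-only mask, zeroed alloc:   %zu stale bytes\n", leaked_bytes(1, 0));
    printf("full mask, unzeroed alloc:       %zu stale bytes\n", leaked_bytes(0, 1));
    return 0;
}
```

Matching is unaffected in all three cases because the mask hides the stale bytes; only the separately serialized key exposes them.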
..
actions.c ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
conntrack.c openvswitch: Fix IPv6 exthdr handling with ct helpers. 2015-09-17 15:31:49 -07:00
conntrack.h openvswitch: Remove conntrack Kconfig option. 2015-09-06 23:48:33 -07:00
datapath.c openvswitch: Zero flows on allocation. 2015-09-22 17:33:41 -07:00
datapath.h ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
dp_notify.c openvswitch: Move dev pointer into vport itself 2015-07-21 10:39:07 -07:00
flow_netlink.c openvswitch: Fix mask generation for nested attributes. 2015-09-15 16:25:41 -07:00
flow_netlink.h ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
flow_table.c openvswitch: Zero flows on allocation. 2015-09-22 17:33:41 -07:00
flow_table.h openvswitch: Zero flows on allocation. 2015-09-22 17:33:41 -07:00
flow.c ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
flow.h openvswitch: Allow matching on conntrack label 2015-08-27 11:40:43 -07:00
Kconfig openvswitch: Fix dependency on IPv6 defrag. 2015-09-11 15:39:04 -07:00
Makefile openvswitch: Remove conntrack Kconfig option. 2015-09-06 23:48:33 -07:00
vport-geneve.c ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
vport-gre.c ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
vport-internal_dev.c openvswitch: Remove vport stats. 2015-08-29 19:07:15 -07:00
vport-internal_dev.h openvswitch: introduce rtnl ops stub 2014-07-01 14:40:17 -07:00
vport-netdev.c openvswitch: Remove vport stats. 2015-08-29 19:07:15 -07:00
vport-netdev.h openvswitch: Remove vport stats. 2015-08-29 19:07:15 -07:00
vport-vxlan.c ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
vport.c ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00
vport.h ip-tunnel: Use API to access tunnel metadata options. 2015-08-31 12:28:56 -07:00