From 7b1cb1b460dddf9d7a46afce3764af41351f6849 Mon Sep 17 00:00:00 2001 
From: Ilya Maximets
Date: Wed, 13 Jul 2022 16:35:31 +0200
Subject: tc: Fix misaligned access while creating pedit actions.

calc_offsets() function returns 'data' and 'mask' pointers, which are pointers somewhere inside struct tc_flower_key, and they are not aligned, causing misaligned memory access.

For example: ipv6.rewrite_hlimit is at 148 byte offset inside the struct tc_flower_key. While the actual field is in the 7th byte of the IPv6 header in the actual packet. So, pedit will need to write the last byte of the [4-7] range to the actual packet. So, data pointer is positioned to 145th byte inside the tc_flower_key with the 000000FF mask. Obviously, 145th byte inside the structure is not 4-byte aligned.

  lib/tc.c:2879:34: runtime error: load of misaligned address 0x7f2802eaa321 for type 'ovs_be32' (aka 'unsigned int'), which requires 4 byte alignment
  0x7f2802eaa321: note: pointer points here
   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
   ^
   0 0xd7f2fb in nl_msg_put_flower_rewrite_pedits lib/tc.c:2879:34
   1 0xd7f2fb in nl_msg_put_flower_acts lib/tc.c:3141:25
   2 0xd6ae5a in nl_msg_put_flower_options lib/tc.c:3445:12
   3 0xd6a2be in tc_replace_flower lib/tc.c:3712:17
   4 0xd2bf25 in netdev_tc_flow_put lib/netdev-offload-tc.c:2224:11
   5 0x94f6b7 in netdev_flow_put lib/netdev-offload.c:316:14
   6 0xcbd19e in parse_flow_put lib/dpif-netlink.c:2289:11
   7 0xcbd19e in try_send_to_netdev lib/dpif-netlink.c:2376:15
   8 0xcbd19e in dpif_netlink_operate lib/dpif-netlink.c:2447:23
   9 0x86536e in dpif_operate lib/dpif.c:1372:13
   10 0x6bc289 in handle_upcalls ofproto/ofproto-dpif-upcall.c:1654:5
   11 0x6bc289 in recv_upcalls ofproto/ofproto-dpif-upcall.c:892:9
   12 0x6b766a in udpif_upcall_handler ofproto/ofproto-dpif-upcall.c:792:13
   13 0xb5015a in ovsthread_wrapper lib/ovs-thread.c:422:12
   14 0x7f280b2081ce in start_thread (/lib64/libpthread.so.0+0x81ce)
   15 0x7f2809e39dd2 in clone (/lib64/libc.so.6+0x39dd2)

Fix misaligned read by using appropriate functions.
Fixes: 8ada482bbe19 ("tc: Add header rewrite using tc pedit action") Signed-off-by: Ilya Maximets Acked-by: Eelco Chaudron Signed-off-by: Simon Horman --- lib/tc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/tc.c b/lib/tc.c index 211393431..751ad14ab 100644 --- a/lib/tc.c +++ b/lib/tc.c @@ -2452,8 +2452,8 @@ nl_msg_put_flower_rewrite_pedits(struct ofpbuf *request, &first_word_mask, &mask, &data); for (j = 0; j < cnt; j++, mask++, data++, cur_offset += 4) { - ovs_be32 mask_word = *mask; - ovs_be32 data_word = *data; + ovs_be32 mask_word = get_unaligned_be32(mask); + ovs_be32 data_word = get_unaligned_be32(data); if (j == 0) { mask_word &= first_word_mask; -- cgit v1.2.1
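Review bot: The loop header in nl_msg_put_flower_rewrite_pedits() still carries the misaligned addresses in `mask` and `data` and advances them with `mask++, data++`, so only the two loads shown are protected. The commit message says calc_offsets() hands back pointers that sit at arbitrary byte offsets inside struct tc_flower_key (the 145th byte in the example), so any direct `*mask` or `*data` added to this function later would bring back the same sanitizer error. Consider a short comment at the calc_offsets() call stating that both out-pointers may be unaligned and must only be read through get_unaligned_be32(), or declare the two variables with a byte-pointer type so that a plain dereference cannot load a 4-byte word. The message documents how the problem was observed (the runtime error at lib/tc.c:2879:34) but the diffstat shows only lib/tc.c changed; if the test suite has a pedit rewrite case that exercises ipv6.rewrite_hlimit under the sanitizer, naming it in the commit message would help confirm the fix stays in place.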