<div dir="ltr">Hi Pravin Shelar,<div><br></div><div>I have tested the fix with Linux 3.18.29 and sent the patch to the dev mailing list. I think it's an obvious fix, so I did not test all the kernel branches.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-12 0:06 GMT+08:00 Pravin Shelar <span dir="ltr"><<a href="mailto:pshelar@ovn.org" target="_blank">pshelar@ovn.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, Nov 10, 2016 at 7:15 PM, 张东亚 <<a href="mailto:fortitude.zhang@gmail.com">fortitude.zhang@gmail.com</a>> wrote:<br>
> Hi,<br>
><br>
> We are now evaluating ovs 2.6.0 and found some kernel crashes. After reviewing<br>
> the code, it seems that in vxlan_gro_receive in the compat code, with the 3.18.29 kernel,<br>
> the following PSed code will trigger a NULL dereference, which makes the kernel<br>
> crash.<br>
><br>
> I have also checked the code of ovs 2.5.0; it does not have the same issue<br>
> because it checks the 'vs' variable and then checks the remote csum receive<br>
> flag.<br>
><br>
</span>Thanks for the bug report and analysis. Can you send a patch that does a<br>
similar check on 2.6 and master?<br>
<div><div class="h5"><br>
> This seems to have been introduced by commit f2252c6105a32bada26949fa65ec14<wbr>6c4ac30697,<br>
> which tries to sync compat vxlan and geneve with the upstream kernel.<br>
><br>
> The code that triggers the crash:<br>
><br>
> #ifndef HAVE_UDP_OFFLOAD_ARG_UOFF<br>
> static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,<br>
> struct sk_buff *skb)<br>
> #else<br>
> static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,<br>
> struct sk_buff *skb,<br>
> struct udp_offload *uoff)<br>
> #endif<br>
> {<br>
> #ifdef HAVE_UDP_OFFLOAD_ARG_UOFF<br>
> struct vxlan_sock *vs = container_of(uoff, struct vxlan_sock,<br>
> udp_offloads);<br>
> #else<br>
> struct vxlan_sock *vs = NULL;<br>
> #endif<br>
> struct sk_buff *p, **pp = NULL;<br>
> struct vxlanhdr *vh, *vh2;<br>
> unsigned int hlen, off_vx;<br>
> int flush = 1;<br>
> __be32 flags;<br>
> struct gro_remcsum grc;<br>
><br>
> skb_gro_remcsum_init(&grc);<br>
><br>
> off_vx = skb_gro_offset(skb);<br>
> hlen = off_vx + sizeof(*vh);<br>
> vh = skb_gro_header_fast(skb, off_vx);<br>
> if (skb_gro_header_hard(skb, hlen)) {<br>
> vh = skb_gro_header_slow(skb, hlen, off_vx);<br>
> if (unlikely(!vh))<br>
> goto out;<br>
> }<br>
><br>
> skb_gro_postpull_rcsum(skb, vh, sizeof(struct vxlanhdr));<br>
><br>
> flags = vh->vx_flags;<br>
><br>
> if ((flags & VXLAN_HF_RCO) && (vs->flags & VXLAN_F_REMCSUM_RX)) { // vs is NULL!<br>
> vh = vxlan_gro_remcsum(skb, off_vx, vh, sizeof(struct vxlanhdr),<br>
> vh->vx_vni, &grc,<br>
> !!(vs->flags & VXLAN_F_REMCSUM_NOPARTIAL));<br>
><br>
><br>
</div></div>> ______________________________<wbr>_________________<br>
> discuss mailing list<br>
> <a href="mailto:discuss@openvswitch.org">discuss@openvswitch.org</a><br>
> <a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" rel="noreferrer" target="_blank">https://mail.openvswitch.org/<wbr>mailman/listinfo/ovs-discuss</a><br>
><br>
</blockquote></div><br></div>