<div dir="ltr">Hi Pravin Shelar,<div><br></div><div>I have tested the fix with Linux 3.18.29 and sent the patch to the dev mailing list. I think it&#39;s an obvious fix, so I did not test all the kernel branches.</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-11-12 0:06 GMT+08:00 Pravin Shelar <span dir="ltr">&lt;<a href="mailto:pshelar@ovn.org" target="_blank">pshelar@ovn.org</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, Nov 10, 2016 at 7:15 PM, 张东亚 &lt;<a href="mailto:fortitude.zhang@gmail.com">fortitude.zhang@gmail.com</a>&gt; wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; We are now evaluating ovs 2.6.0 and found a kernel crash. After reviewing<br>
&gt; the code, it seems that in vxlan_gro_receive in the compat code, with the 3.18.29 kernel,<br>
&gt; the following PSed code will trigger a NULL dereference, which makes the kernel<br>
&gt; crash.<br>
&gt;<br>
&gt; I have also checked the code of ovs 2.5.0; it does not have the same issue<br>
&gt; because it will check the &#39;vs&#39; variable and then check the remote csum receive<br>
&gt; flag.<br>
&gt;<br>
</span>Thanks for the bug report and analysis. Can you send a patch that does<br>
a similar check on 2.6 and master?<br>
<div><div class="h5"><br>
&gt; This seems to have been introduced by commit f2252c6105a32bada26949fa65ec14<wbr>6c4ac30697,<br>
&gt; which tries to sync compat vxlan and geneve with the upstream kernel.<br>
&gt;<br>
&gt; The code that triggers the crash:<br>
&gt;<br>
&gt; #ifndef HAVE_UDP_OFFLOAD_ARG_UOFF<br>
&gt; static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,<br>
&gt;                                           struct sk_buff *skb)<br>
&gt; #else<br>
&gt; static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,<br>
&gt;                                           struct sk_buff *skb,<br>
&gt;                                           struct udp_offload *uoff)<br>
&gt; #endif<br>
&gt; {<br>
&gt; #ifdef HAVE_UDP_OFFLOAD_ARG_UOFF<br>
&gt;         struct vxlan_sock *vs = container_of(uoff, struct vxlan_sock,<br>
&gt;                         udp_offloads);<br>
&gt; #else<br>
&gt;         struct vxlan_sock *vs = NULL;<br>
&gt; #endif<br>
&gt;         struct sk_buff *p, **pp = NULL;<br>
&gt;         struct vxlanhdr *vh, *vh2;<br>
&gt;         unsigned int hlen, off_vx;<br>
&gt;         int flush = 1;<br>
&gt;         __be32 flags;<br>
&gt;         struct gro_remcsum grc;<br>
&gt;<br>
&gt;         skb_gro_remcsum_init(&amp;grc);<br>
&gt;<br>
&gt;         off_vx = skb_gro_offset(skb);<br>
&gt;         hlen = off_vx + sizeof(*vh);<br>
&gt;         vh   = skb_gro_header_fast(skb, off_vx);<br>
&gt;         if (skb_gro_header_hard(skb, hlen)) {<br>
&gt;                 vh = skb_gro_header_slow(skb, hlen, off_vx);<br>
&gt;                 if (unlikely(!vh))<br>
&gt;                         goto out;<br>
&gt;         }<br>
&gt;<br>
&gt;         skb_gro_postpull_rcsum(skb, vh, sizeof(struct vxlanhdr));<br>
&gt;<br>
&gt;         flags = vh-&gt;vx_flags;<br>
&gt;<br>
&gt;         if ((flags &amp; VXLAN_HF_RCO) &amp;&amp; (vs-&gt;flags &amp; VXLAN_F_REMCSUM_RX)) { // vs is NULL!<br>
&gt;                 vh = vxlan_gro_remcsum(skb, off_vx, vh, sizeof(struct vxlanhdr),<br>
&gt;                                        vh-&gt;vx_vni, &amp;grc,<br>
&gt;                                        !!(vs-&gt;flags &amp;<br>
&gt;                                           VXLAN_F_REMCSUM_NOPARTIAL));<br>
&gt;<br>
&gt;<br>
</div></div>
</blockquote></div><br></div>
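The check ordering discussed in this thread, as an added user-space example (not the patch sent to the dev list and not OVS code): `vs` is tested before `vs->flags` is read, as the thread says 2.5.0 did. The struct layouts, the constant values, and the helpers `vs_from_uoff` and `remcsum_rx_enabled` are constructed stand-ins; a NULL `uoff` models the build without `HAVE_UDP_OFFLOAD_ARG_UOFF`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in values, not the kernel's definitions. */
#define VXLAN_HF_RCO        0x00200000u
#define VXLAN_F_REMCSUM_RX  0x400u

struct udp_offload { int port; };          /* simplified stand-in */
struct vxlan_sock {                        /* simplified stand-in */
    uint32_t flags;
    struct udp_offload udp_offloads;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Hypothetical helper mirroring the two build variants: with a uoff
 * argument the socket is recovered from the embedded member; without
 * one (modelled here as NULL) there is no socket and vs stays NULL. */
static struct vxlan_sock *vs_from_uoff(struct udp_offload *uoff)
{
    return uoff ? container_of(uoff, struct vxlan_sock, udp_offloads) : NULL;
}

/* Hypothetical helper: returns 1 when remote checksum offload should be
 * processed for this header, 0 otherwise. vs is checked before any
 * access to vs->flags, so the NULL case cannot be dereferenced. */
static int remcsum_rx_enabled(const struct vxlan_sock *vs, uint32_t vx_flags)
{
    if (!(vx_flags & VXLAN_HF_RCO))
        return 0;
    if (!vs)        /* build without uoff: no per-socket flags available */
        return 0;
    return (vs->flags & VXLAN_F_REMCSUM_RX) != 0;
}

int main(void)
{
    struct vxlan_sock s = { .flags = VXLAN_F_REMCSUM_RX };

    printf("with uoff:    %d\n",
           remcsum_rx_enabled(vs_from_uoff(&s.udp_offloads), VXLAN_HF_RCO));
    printf("without uoff: %d\n",
           remcsum_rx_enabled(vs_from_uoff(NULL), VXLAN_HF_RCO));
    return 0;
}
```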