[ovs-dev] [PATCH] datapath: Fix IPv6 fragment expiry crash.

pravin shelar pshelar at ovn.org
Fri Jan 29 00:03:12 UTC 2016


On Thu, Jan 28, 2016 at 3:08 PM, Joe Stringer <joe at ovn.org> wrote:
> On 27 January 2016 at 16:01, pravin shelar <pshelar at ovn.org> wrote:
>> On Tue, Jan 26, 2016 at 5:57 PM, Joe Stringer <joe at ovn.org> wrote:
>>> Fixes the following kernel oops on kernels < 3.17 when IPv6 fragments
>>> are expired without reassembling the frame.
>>>
>>> BUG: unable to handle kernel paging request at 00000006845d69a8
>>> IP: [<ffffffff8172c09e>] _raw_spin_lock+0xe/0x50
>>> ...
>>> Call Trace:
>>>  <IRQ>
>>>  [<ffffffff816a32d3>] inet_frag_kill+0x63/0x100
>>>  [<ffffffff816ead93>] ip6_expire_frag_queue+0x63/0x110
>>>  [<ffffffffa01130e6>] nf_ct_frag6_expire+0x26/0x30 [openvswitch]
>>>  [<ffffffff810744f6>] call_timer_fn+0x36/0x100
>>>  [<ffffffffa01130c0>] ? nf_ct_net_init+0x20/0x20 [openvswitch]
>>>  [<ffffffff8107548f>] run_timer_softirq+0x1ef/0x2f0
>>>  [<ffffffff8106cccc>] __do_softirq+0xec/0x2c0
>>>  [<ffffffff8106d215>] irq_exit+0x105/0x110
>>>  [<ffffffff81737095>] smp_apic_timer_interrupt+0x45/0x60
>>>  [<ffffffff81735a1d>] apic_timer_interrupt+0x6d/0x80
>>>  <EOI>
>>>  [<ffffffff8104f596>] ? native_safe_halt+0x6/0x10
>>>  [<ffffffff8101cb2f>] default_idle+0x1f/0xc0
>>>  [<ffffffff8101d406>] arch_cpu_idle+0x26/0x30
>>>  [<ffffffff810bf3a5>] cpu_startup_entry+0xc5/0x290
>>>  [<ffffffff817122e7>] rest_init+0x77/0x80
>>>  [<ffffffff81d34f70>] start_kernel+0x438/0x443
>>>
>> I am not sure what exactly is the issue. Can you expand the commit msg
>> and add upstream commit ref which fixes the issue?
>
> Prior to a series of commits in 3.17 like the following, the model
> used to manage and expire fragments was different. We already backport
> several of these functions (See datapath/compat/inet_fragment.c) to do
> things like allocate/evict/destroy frags and frag queues. In the IPv4
> code, we use these. In most of the IPv6 cases, we already reuse these
> also. However, for timed frag expiration we instead call the upstream
> version of the function, which proceeds to use the upstream versions
> of the functions we backport in inet_fragment.c. There is some
> discrepancy between the offsets used in these upstream compiled
> versions vs. the backport versions, so if you mix/match them then it
> leads to these kinds of dereference errors.
>
> b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
> ab1c724f6330 ("inet: frag: use seqlock for hash rebuild")
>
> I can fold this description into the commit message.

Looks good.

Acked-by: Pravin B Shelar <pshelar at ovn.org>
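
The failure mode described in the quoted explanation (an object set up by one build of the fragment code and then read by another build that expects different field offsets), as an added example that is not code from the patch, Open vSwitch, or the kernel. The struct layouts, field names and values are constructed for illustration and are assumptions, not the real inet_frag_queue definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layouts (assumption): NOT the kernel's real structs. Two builds
 * of the "same" queue object disagree on where the owner pointer lives. */
struct owner { int lock; };
struct queue_backport {          /* layout used by the backported helpers */
    uint64_t timer[4];
    struct owner *owner;
    uint64_t lru[2];
};
struct queue_upstream {          /* layout the prebuilt expiry path assumes */
    uint64_t timer[4];
    uint64_t lru[2];
    struct owner *owner;
};

/* 1 only if both builds place the owner pointer at the same offset. */
int layouts_agree(void)
{
    return offsetof(struct queue_backport, owner) ==
           offsetof(struct queue_upstream, owner);
}

/* Build the object with the backport layout, then fetch the owner pointer
 * from its raw bytes at the offset the chosen build expects.
 * Returns 1 if that reader recovers the real owner pointer. */
int reader_sees_owner(int use_upstream_offset)
{
    struct owner o = { 0 };
    uintptr_t seen;
    struct queue_backport q;
    size_t off = use_upstream_offset ? offsetof(struct queue_upstream, owner)
                                     : offsetof(struct queue_backport, owner);
    memset(&q, 0, sizeof q);
    q.owner = &o;
    q.lru[1] = 0x1234;           /* constructed list bookkeeping value */
    memcpy(&seen, (const char *)&q + off, sizeof seen);
    return seen == (uintptr_t)&o;
}

int main(void)
{
    printf("layouts agree: %d, backport reader: %d, upstream reader: %d\n",
           layouts_agree(), reader_sees_owner(0), reader_sees_owner(1));
    return 0;
}
```

The reader using the other layout gets list bookkeeping data where it expects a pointer, so any lock taken through that value faults or corrupts memory.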


