[ovs-dev] [PATCH] ip_tunnel: Fix bugs that could crash kernel

Yifeng Sun pkusunyifeng at gmail.com
Fri Jul 20 18:04:42 UTC 2018 

Without this patch, OVS kernel module can delete itn->fb_tunnel_dev
one more time than necessary, which causes kernel crash.

On kernel 4.4.0-116-generic, the crash can be reproduced by running
the simple test provided below through check-kernel.

  make & make modules_install
  rmmod ip_gre gre ip_tunnel
  modprobe openvswitch
  make check-kernel TESTSUITEFLAGS=x
  dmesg

Simple test:

AT_SETUP([datapath - crash test])                                              
OVS_CHECK_GRE()                                                                
ip link del gre0                                                               
OVS_TRAFFIC_VSWITCHD_START()                                                    
AT_CHECK([ovs-vsctl -- set bridge br0])                                        
ADD_BR([br-underlay], [set bridge br-underlay])                                
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])                            
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])                    
ADD_NAMESPACES(at_ns0)                                                         
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")                             
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])                      
AT_CHECK([ip link set dev br-underlay up])                                     
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])         
tcpdump -U -i br-underlay -w underlay.pcap &                                   
sleep 1                                                                         
OVS_TRAFFIC_VSWITCHD_STOP                                                      
AT_CLEANUP

Signed-off-by: Yifeng Sun <pkusunyifeng at gmail.com>
---
 datapath/linux/compat/ip_tunnel.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/datapath/linux/compat/ip_tunnel.c b/datapath/linux/compat/ip_tunnel.c
index 54af1f178d36..d16e60fbfef0 100644
--- a/datapath/linux/compat/ip_tunnel.c
+++ b/datapath/linux/compat/ip_tunnel.c
@@ -482,8 +482,10 @@ void rpl_ip_tunnel_dellink(struct net_device *dev, struct list_head *head)
 
 	itn = net_generic(tunnel->net, tunnel->ip_tnl_net_id);
 
-	ip_tunnel_del(itn, netdev_priv(dev));
-        unregister_netdevice_queue(dev, head);
+	if (itn->fb_tunnel_dev != dev) {
+		ip_tunnel_del(itn, netdev_priv(dev));
+		unregister_netdevice_queue(dev, head);
+	}
 }
 
 int rpl_ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
@@ -642,7 +644,8 @@ void rpl_ip_tunnel_uninit(struct net_device *dev)
 	struct ip_tunnel_net *itn;
 
 	itn = net_generic(net, tunnel->ip_tnl_net_id);
-	ip_tunnel_del(itn, netdev_priv(dev));
+	if (itn->fb_tunnel_dev != dev)
+		ip_tunnel_del(itn, netdev_priv(dev));
 }
 
 /* Do least required initialization, rest of init is done in tunnel_init call */
-- 
2.7.4

More information about the dev mailing list