[ovs-discuss] Kernel Crash with linux 3.18.29 + ovs 2.6.0 when received malformed or RCOed VXLAN packet.

Pravin Shelar pshelar at ovn.org
Fri Nov 11 16:06:54 UTC 2016 

On Thu, Nov 10, 2016 at 7:15 PM, 张东亚 <fortitude.zhang at gmail.com> wrote:
> Hi,
>
> We are now evaluating ovs 2.6.0 and found some kernel crash, after review
> the code ,it seems in vxlan_gro_receive in compat code, with 3.18.29 kernel,
> the following PSed code will trigger NULL dereference, which make kernel
> crashed.
>
> I have also checked the code of ovs 2.5.0, it does not have the same issue
> because it will check 'vs' variable and then check the remote csum receive
> flag.
>
Thanks for bug report and analysis. Can you send patch that does
similar check on 2.6 and master?

> This seems introduced by commit f2252c6105a32bada26949fa65ec146c4ac30697
> which try to sync compat vxlan and geneve with upstream kernel.
>
> The code that trigger the crash:
>
> #ifndef HAVE_UDP_OFFLOAD_ARG_UOFF
> static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
>                                           struct sk_buff *skb)
> #else
> static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
>                                           struct sk_buff *skb,
>                                           struct udp_offload *uoff)
> #endif
> {
> #ifdef HAVE_UDP_OFFLOAD_ARG_UOFF
>         struct vxlan_sock *vs = container_of(uoff, struct vxlan_sock,
>                         udp_offloads);
> #else
>         struct vxlan_sock *vs = NULL;
> #endif
>         struct sk_buff *p, **pp = NULL;
>         struct vxlanhdr *vh, *vh2;
>         unsigned int hlen, off_vx;
>         int flush = 1;
>         __be32 flags;
>         struct gro_remcsum grc;
>
>         skb_gro_remcsum_init(&grc);
>
>         off_vx = skb_gro_offset(skb);
>         hlen = off_vx + sizeof(*vh);
>         vh   = skb_gro_header_fast(skb, off_vx);
>         if (skb_gro_header_hard(skb, hlen)) {
>                 vh = skb_gro_header_slow(skb, hlen, off_vx);
>                 if (unlikely(!vh))
>                         goto out;
>         }
>
>         skb_gro_postpull_rcsum(skb, vh, sizeof(struct vxlanhdr));
>
>         flags = vh->vx_flags;
>
>         if ((flags & VXLAN_HF_RCO) && (vs->flags & VXLAN_F_REMCSUM_RX)) { //
> vs is NULL!
>                 vh = vxlan_gro_remcsum(skb, off_vx, vh, sizeof(struct
> vxlanhdr),
>                                        vh->vx_vni, &grc,
>                                        !!(vs->flags &
>                                           VXLAN_F_REMCSUM_NOPARTIAL));
>
>
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>

More information about the discuss mailing list