[ovs-discuss] Kernel Crash with linux 3.18.29 + ovs 2.6.0 when received malformed or RCOed VXLAN packet.

张东亚 fortitude.zhang at gmail.com
Mon Nov 14 03:01:21 UTC 2016


Hi Pravin Shelar,

I have tested the fix with linux 3.18.29 and sent the patch to the dev
maillist. I think it's an obvious fix, so I did not test all the kernel
branches.

2016-11-12 0:06 GMT+08:00 Pravin Shelar <pshelar at ovn.org>:

> On Thu, Nov 10, 2016 at 7:15 PM, 张东亚 <fortitude.zhang at gmail.com> wrote:
> > Hi,
> >
> > We are now evaluating ovs 2.6.0 and found some kernel crashes. After reviewing
> > the code, it seems that in vxlan_gro_receive in the compat code, with the
> > 3.18.29 kernel, the following PSed code will trigger a NULL dereference, which
> > makes the kernel crash.
> >
> > I have also checked the code of ovs 2.5.0; it does not have the same issue
> > because it checks the 'vs' variable and then checks the remote csum receive
> > flag.
> >
> Thanks for the bug report and analysis. Can you send a patch that does a
> similar check on 2.6 and master?
>
> > This seems to have been introduced by commit f2252c6105a32bada26949fa65ec146c4ac30697,
> > which tries to sync the compat vxlan and geneve code with the upstream kernel.
> >
> > The code that triggers the crash:
> >
> > #ifndef HAVE_UDP_OFFLOAD_ARG_UOFF
> > static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
> >                                           struct sk_buff *skb)
> > #else
> > static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
> >                                           struct sk_buff *skb,
> >                                           struct udp_offload *uoff)
> > #endif
> > {
> > #ifdef HAVE_UDP_OFFLOAD_ARG_UOFF
> >         struct vxlan_sock *vs = container_of(uoff, struct vxlan_sock,
> >                         udp_offloads);
> > #else
> >         struct vxlan_sock *vs = NULL;
> > #endif
> >         struct sk_buff *p, **pp = NULL;
> >         struct vxlanhdr *vh, *vh2;
> >         unsigned int hlen, off_vx;
> >         int flush = 1;
> >         __be32 flags;
> >         struct gro_remcsum grc;
> >
> >         skb_gro_remcsum_init(&grc);
> >
> >         off_vx = skb_gro_offset(skb);
> >         hlen = off_vx + sizeof(*vh);
> >         vh   = skb_gro_header_fast(skb, off_vx);
> >         if (skb_gro_header_hard(skb, hlen)) {
> >                 vh = skb_gro_header_slow(skb, hlen, off_vx);
> >                 if (unlikely(!vh))
> >                         goto out;
> >         }
> >
> >         skb_gro_postpull_rcsum(skb, vh, sizeof(struct vxlanhdr));
> >
> >         flags = vh->vx_flags;
> >
> >         if ((flags & VXLAN_HF_RCO) && (vs->flags & VXLAN_F_REMCSUM_RX)) { // vs is NULL!
> >                 vh = vxlan_gro_remcsum(skb, off_vx, vh, sizeof(struct vxlanhdr),
> >                                        vh->vx_vni, &grc,
> >                                        !!(vs->flags &
> >                                           VXLAN_F_REMCSUM_NOPARTIAL));
> >
> >
>
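Added here as an illustration (not code from the ovs tree or from anyone in this thread): a small user-space C model of the check in the quoted snippet, showing the unguarded form next to one that tests vs before reading vs->flags, as the 2.5.0 code the reporter points to did. The struct layouts, flag bit values and the sample packet are stand-ins constructed for this example.

```c
/* Added example (not code from the ovs tree or this thread): user-space model of
 * the RCO check in vxlan_gro_receive. Structs, flag bits, sample packet are stand-ins. */
#include <stddef.h>
#include <stdint.h>

#define VXLAN_HF_RCO              0x00200000u /* header: remote csum offload */
#define VXLAN_F_REMCSUM_RX        0x00000400u /* socket: accept RCO on rx */
#define VXLAN_F_REMCSUM_NOPARTIAL 0x00001000u /* socket: no partial-csum path */

struct vxlan_sock { uint32_t flags; };
struct vxlanhdr  { uint32_t vx_flags; uint32_t vx_vni; };
enum rco_decision { RCO_MALFORMED = -1, RCO_SKIP, RCO_PARTIAL, RCO_NOPARTIAL };

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* The check as quoted in the report: vs->flags is read as soon as the packet
 * carries RCO. On the compat path without HAVE_UDP_OFFLOAD_ARG_UOFF vs is
 * NULL, so a single RCO-flagged packet faults here. Requires vs != NULL. */
static int rco_decision_unguarded(const struct vxlanhdr *vh, const struct vxlan_sock *vs)
{
    if ((vh->vx_flags & VXLAN_HF_RCO) && (vs->flags & VXLAN_F_REMCSUM_RX))
        return (vs->flags & VXLAN_F_REMCSUM_NOPARTIAL) ? RCO_NOPARTIAL : RCO_PARTIAL;
    return RCO_SKIP;
}

/* Guarded form in the spirit of the 2.5.0 code the reporter points to: reject a
 * short header (as the skb_gro_header_slow() failure path does) and test vs
 * before vs->flags, so an RCO packet on a socket with no offload context is
 * passed on untouched instead of faulting. */
static int rco_decision_guarded(const uint8_t *pkt, size_t len, const struct vxlan_sock *vs)
{
    struct vxlanhdr vh;
    if (!pkt || len < sizeof(vh))
        return RCO_MALFORMED;
    vh.vx_flags = be32(pkt);
    vh.vx_vni   = be32(pkt + 4);
    if (!vs || !(vh.vx_flags & VXLAN_HF_RCO) || !(vs->flags & VXLAN_F_REMCSUM_RX))
        return RCO_SKIP;
    return (vs->flags & VXLAN_F_REMCSUM_NOPARTIAL) ? RCO_NOPARTIAL : RCO_PARTIAL;
}

/* Constructed sample: I flag (0x08000000) | RCO (0x00200000), VNI 100. */
static const uint8_t rco_pkt[8] = { 0x08, 0x20, 0x00, 0x00, 0x00, 0x00, 0x64, 0x00 };
static const struct vxlan_sock sock_nocsum = { 0 };
static const struct vxlan_sock sock_rx = { VXLAN_F_REMCSUM_RX };
static const struct vxlan_sock sock_rx_nopartial = { VXLAN_F_REMCSUM_RX | VXLAN_F_REMCSUM_NOPARTIAL };
```

With vs == NULL the guarded form returns RCO_SKIP for the same packet that would fault in the unguarded one; a truncated header is reported as RCO_MALFORMED before any flag is consulted.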