[ovs-git] [openvswitch/ovs] f11120: datapath: fix panic with multiple vlan headers

GitHub noreply at github.com
Mon Sep 8 17:44:30 UTC 2014


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: f1112037df05e70f92abe7e2f25ece9f6d766003
      https://github.com/openvswitch/ovs/commit/f1112037df05e70f92abe7e2f25ece9f6d766003
  Author: Jiri Benc <jbenc at redhat.com>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M datapath/actions.c

  Log Message:
  -----------
  datapath: fix panic with multiple vlan headers

When there are multiple vlan headers present in a received frame, the
first one is put into vlan_tci and protocol is set to ETH_P_8021Q.
Anything in the skb beyond the VLAN TPID may be still non-linear,
including the inner TCI and ethertype. While ovs_flow_extract takes
care of IP and IPv6 headers, it does nothing with ETH_P_8021Q. Later,
if OVS_ACTION_ATTR_POP_VLAN is executed, __pop_vlan_tci pulls the
next vlan header into vlan_tci.

This leads to two things:

1. Part of the resulting ethernet header is in the non-linear part of
   the skb. When eth_type_trans is called later as the result of
   OVS_ACTION_ATTR_OUTPUT, kernel BUGs in __skb_pull. Also,
   __pop_vlan_tci is in fact accessing random data when it reads
   past the TPID.

2. network_header points into the ethernet header instead of behind it.
   mac_len is set to a wrong value (10), too.

Reported-by: Yulong Pei <ypei at redhat.com>
Signed-off-by: Jiri Benc <jbenc at redhat.com>

I have dropped second change. Since it assumes inner mac header is of
ETH_HLEN len which is not always true.
Signed-off-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: a7d607c58dcc2a58b39b49f06257744c8ac0da82
      https://github.com/openvswitch/ovs/commit/a7d607c58dcc2a58b39b49f06257744c8ac0da82
  Author: Li RongQing <roy.qing.li at gmail.com>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M datapath/datapath.c

  Log Message:
  -----------
  datapath: distinguish between the dropped and consumed skb

distinguish between the dropped and consumed skb, not assume the skb
is consumed always

Cc: Thomas Graf <tgraf at noironetworks.com>
Cc: Pravin Shelar <pshelar at nicira.com>
Signed-off-by: Li RongQing <roy.qing.li at gmail.com>
Signed-off-by: Pravin B Shelar <pshelar at nicira.com>


  Commit: 800711c3c2c79464d837872f681ab3d257e8fdd6
      https://github.com/openvswitch/ovs/commit/800711c3c2c79464d837872f681ab3d257e8fdd6
  Author: Pravin B Shelar <pshelar at nicira.com>
  Date:   2014-09-08 (Mon, 08 Sep 2014)

  Changed paths:
    M datapath/datapath.c

  Log Message:
  -----------
  datapath: Set packet egress_tun_info.

packet execute is setting egress_tun_info in skb->cb, rather
than packet->cb. skb is netlink msg skb. This causes corruption
in netlink skb state stored in skb->cb (NETLINK_CB) which
results in following deadlock in netlink code.

=============================================
[ INFO: possible recursive locking detected ]
3.2.62 #2
---------------------------------------------
handler55/22851 is trying to acquire lock:
 (genl_mutex){+.+.+.}, at: [<ffffffff81471ad7>] genl_lock+0x17/0x20

but task is already holding lock:
 (genl_mutex){+.+.+.}, at: [<ffffffff81471ad7>] genl_lock+0x17/0x20

other info that might help us debug this:
 Possible unsafe locking scenario:
  CPU0
       ----
  lock(genl_mutex);
  lock(genl_mutex);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

1 lock held by handler55/22851:
 #0:  (genl_mutex){+.+.+.}, at: [<ffffffff81471ad7>] genl_lock+0x17/0x20

stack backtrace:
Pid: 22851, comm: handler55 Tainted: G           O 3.2.62 #2
Call Trace:
 [<ffffffff81097bb2>] print_deadlock_bug+0xf2/0x100
 [<ffffffff81099b99>] validate_chain+0x579/0x860
 [<ffffffff8109a17c>] __lock_acquire+0x2fc/0x4f0
 [<ffffffff8109aab0>] lock_acquire+0xa0/0x180
 [<ffffffff81519070>] __mutex_lock_common+0x60/0x420
 [<ffffffff8151959a>] mutex_lock_nested+0x4a/0x60
 [<ffffffff81471ad7>] genl_lock+0x17/0x20
 [<ffffffff81471af6>] genl_rcv+0x16/0x40
 [<ffffffff8146ff72>] netlink_unicast+0x2f2/0x310
 [<ffffffff81470159>] netlink_ack+0x109/0x1f0
 [<ffffffff8147030b>] netlink_rcv_skb+0xcb/0xd0
 [<ffffffff81471b05>] genl_rcv+0x25/0x40
 [<ffffffff8146ff72>] netlink_unicast+0x2f2/0x310
 [<ffffffff8147134c>] netlink_sendmsg+0x28c/0x3d0
 [<ffffffff8143375f>] sock_sendmsg+0xef/0x120
 [<ffffffff81435766>] ___sys_sendmsg+0x416/0x430
 [<ffffffff81435949>] __sys_sendmsg+0x49/0x90
 [<ffffffff814359a9>] sys_sendmsg+0x19/0x20
 [<ffffffff8152432b>] system_call_fastpath+0x16/0x1b

Reported-by: Joe Stringer <joestringer at nicira.com>
Signed-off-by: Pravin B Shelar <pshelar at nicira.com>
Acked-by: Joe Stringer <joestringer at nicira.com>


Compare: https://github.com/openvswitch/ovs/compare/2c8c4fb7ff82...800711c3c2c7


More information about the git mailing list