On Wed, Jan 20, 2016 at 12:41 PM, Joe Stringer <j...@ovn.org> wrote:
> The entire OVS_GSO_CB was not preserved when performing fragmentation,
> leading to the following NULL pointer dereference in ovs_stt_xmit(). Fix
> this in the fragmentation handling code by preserving the whole CB.
>
> BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
> IP: [<ffffffffa0cfc5b1>] ovs_stt_xmit+0x61/0x260 [openvswitch]
> Call Trace:
> [<ffffffff815f682e>] ? __alloc_skb+0x7e/0x2b0
> [<ffffffffa0cf1134>] ovs_vport_send+0x44/0xb0 [openvswitch]
> [<ffffffffa0ce241f>] ovs_vport_output+0x10f/0x190 [openvswitch]
> [<ffffffff8163fe98>] ip_fragment+0x238/0x870
> [<ffffffffa0ce2310>] ? do_output.isra.35+0x120/0x120 [openvswitch]
> [<ffffffffa0d02093>] ovs_fragment+0x283/0x292 [openvswitch]
> [<ffffffff81073ff7>] ? mod_timer_pending+0x67/0x1b0
> [<ffffffff8160e2d0>] ? dst_ifdown+0x90/0x90
> [<ffffffff8160e2d0>] ? dst_ifdown+0x90/0x90
> [<ffffffffa0b30165>] ? nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
> [<ffffffffa0cdb164>] ? ctnetlink_conntrack_event+0x74/0x7ee
> [nf_conntrack_netlink]
> [<ffffffffa0b873cd>] ? nf_ct_deliver_cached_events+0xad/0xf0 [nf_conntrack]
> [<ffffffff81360331>] ? csum_partial+0x11/0x20
> [<ffffffffa0ce2747>] ? execute_masked_set_action+0x2a7/0xa60 [openvswitch]
> [<ffffffffa0ce22a8>] do_output.isra.35+0xb8/0x120 [openvswitch]
> [<ffffffffa0ce2ff4>] do_execute_actions+0xf4/0x7f0 [openvswitch]
> [<ffffffffa0ce3730>] ovs_execute_actions+0x40/0x130 [openvswitch]
> [<ffffffffa0ce7c69>] ovs_packet_cmd_execute+0x2b9/0x2e0 [openvswitch]
> [<ffffffff81634fad>] genl_family_rcv_msg+0x18d/0x370
> [<ffffffff81635190>] ? genl_family_rcv_msg+0x370/0x370
> [<ffffffff81635221>] genl_rcv_msg+0x91/0xd0
> [<ffffffff816332c9>] netlink_rcv_skb+0xa9/0xc0
> [<ffffffff816337c8>] genl_rcv+0x28/0x40
> [<ffffffff816329b5>] netlink_unicast+0xd5/0x1b0
> [<ffffffff81632d9e>] netlink_sendmsg+0x30e/0x680
> [<ffffffff8162fc84>] ? netlink_rcv_wake+0x44/0x60
> [<ffffffff81630d12>] ? netlink_recvmsg+0x1a2/0x3a0
> [<ffffffff815ed7fb>] sock_sendmsg+0x8b/0xc0
> [<ffffffff8114d06d>] ? __alloc_pages_nodemask+0x16d/0xac0
> [<ffffffff8101c4b9>] ? sched_clock+0x9/0x10
> [<ffffffff815edbc9>] ___sys_sendmsg+0x349/0x360
> [<ffffffff811f8a39>] ? ep_scan_ready_list.isra.7+0x199/0x1c0
> [<ffffffff8110705c>] ? acct_account_cputime+0x1c/0x20
> [<ffffffff811cd90f>] ? fget_light+0x8f/0xf0
> [<ffffffff815ee922>] __sys_sendmsg+0x42/0x80
> [<ffffffff815ee972>] SyS_sendmsg+0x12/0x20
> [<ffffffff8170f22f>] tracesys+0xe1/0xe6
>
> VMware-BZ: #1587324
> Fixes: a94ebc39996b ("datapath: Add conntrack action")
> Signed-off-by: Joe Stringer <j...@ovn.org>
Thanks for the fix.
> ---
> datapath/actions.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/datapath/actions.c b/datapath/actions.c
> index 6917d5169197..20413c950f3c 100644
> --- a/datapath/actions.c
> +++ b/datapath/actions.c
> @@ -60,7 +60,7 @@ struct deferred_action {
> struct ovs_frag_data {
> unsigned long dst;
> struct vport *vport;
> - struct ovs_skb_cb cb;
> + struct ovs_gso_cb cb;
> __be16 inner_protocol;
> __u16 vlan_tci;
> __be16 vlan_proto;
> @@ -637,7 +637,7 @@ static int ovs_vport_output(OVS_VPORT_OUTPUT_PARAMS)
> }
>
> __skb_dst_copy(skb, data->dst);
> - *OVS_CB(skb) = data->cb;
> + *OVS_GSO_CB(skb) = data->cb;
> ovs_skb_set_inner_protocol(skb, data->inner_protocol);
> skb->vlan_tci = data->vlan_tci;
> skb->vlan_proto = data->vlan_proto;
> @@ -674,7 +674,7 @@ static void prepare_frag(struct vport *vport, struct
> sk_buff *skb)
> data = get_pcpu_ptr(ovs_frag_data_storage);
> data->dst = (unsigned long) skb_dst(skb);
> data->vport = vport;
> - data->cb = *OVS_CB(skb);
> + data->cb = *OVS_GSO_CB(skb);
> data->inner_protocol = ovs_skb_get_inner_protocol(skb);
> data->vlan_tci = skb->vlan_tci;
> data->vlan_proto = skb->vlan_proto;
It is safer to do the same while de-fragmenting packets (handle_fragments()).
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
