In the compatible gre module, skb->cb is solely used as ovs_gso_cb. However, IPCB(skb) also points to skb->cb. IPCB(skb)->flags overlaps with ovs_gso_cb.tun_dst. As a result, this bug clears bits 16-23 in the address of ovs_gso_cb.tun_dst and causes the kernel to crash.
Signed-off-by: Yifeng Sun <[email protected]> --- v1->v2: Improved commit message and fixed __gre6_xmit, thanks Greg! datapath/linux/compat/ip6_gre.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/datapath/linux/compat/ip6_gre.c b/datapath/linux/compat/ip6_gre.c index 54a76ab..3904455 100644 --- a/datapath/linux/compat/ip6_gre.c +++ b/datapath/linux/compat/ip6_gre.c @@ -876,9 +876,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, struct tnl_ptk_info tpi; __be16 protocol; - if (dev->type == ARPHRD_ETHER) - IPCB(skb)->flags = 0; - if (dev->header_ops && dev->type == ARPHRD_IP6GRE) fl6->daddr = ((struct ipv6hdr *)skb->data)->daddr; else @@ -1146,7 +1143,6 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, goto tx_err; t->parms.o_flags &= ~TUNNEL_KEY; - IPCB(skb)->flags = 0; tun_info = ovs_skb_tunnel_info(skb); if (unlikely(!tun_info || -- 2.7.4
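Review bot: in __gre6_xmit, nothing in the code now records that IPCB(skb) must not be written on this path. The explanation that skb->cb holds ovs_gso_cb here and that IPCB(skb)->flags overlaps ovs_gso_cb.tun_dst exists only in the commit log; a one-line comment where the `if (dev->type == ARPHRD_ETHER)` block was removed would keep the write from being reintroduced by a later change. The message also carries no Fixes: tag naming the commit that added the IPCB writes.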
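Review bot: in ip6erspan_tunnel_xmit, the deleted `IPCB(skb)->flags = 0;` sat directly before `tun_info = ovs_skb_tunnel_info(skb);`, yet the commit message names neither function and the v1->v2 note names only __gre6_xmit. Please mention ip6erspan_tunnel_xmit in the message and say on which path the crash was observed, since the zeroing here was unconditional while the one in __gre6_xmit applied only when dev->type == ARPHRD_ETHER.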
