Hi,
We are now evaluating ovs 2.6.0 and found some kernel crash, after review
the code ,it seems in vxlan_gro_receive in compat code, with 3.18.29
kernel, the following PSed code will trigger NULL dereference, which make
kernel crashed.
I have also checked the code of ovs 2.5.0, it does not have the same issue
because it will check 'vs' variable and then check the remote csum receive
flag.
This seems introduced by commit f2252c6105a32bada26949fa65ec146c4ac30697
which try to sync compat vxlan and geneve with upstream kernel.
The code that trigger the crash:
#ifndef HAVE_UDP_OFFLOAD_ARG_UOFF
static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
struct sk_buff *skb)
#else
static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
struct sk_buff *skb,
struct udp_offload *uoff)
#endif
{
#ifdef HAVE_UDP_OFFLOAD_ARG_UOFF
struct vxlan_sock *vs = container_of(uoff, struct vxlan_sock,
udp_offloads);
#else
struct vxlan_sock *vs = NULL;
#endif
struct sk_buff *p, **pp = NULL;
struct vxlanhdr *vh, *vh2;
unsigned int hlen, off_vx;
int flush = 1;
__be32 flags;
struct gro_remcsum grc;
skb_gro_remcsum_init(&grc);
off_vx = skb_gro_offset(skb);
hlen = off_vx + sizeof(*vh);
vh = skb_gro_header_fast(skb, off_vx);
if (skb_gro_header_hard(skb, hlen)) {
vh = skb_gro_header_slow(skb, hlen, off_vx);
if (unlikely(!vh))
goto out;
}
skb_gro_postpull_rcsum(skb, vh, sizeof(struct vxlanhdr));
flags = vh->vx_flags;
if ((flags & VXLAN_HF_RCO) && (vs->flags & VXLAN_F_REMCSUM_RX)) {
// vs is NULL!
vh = vxlan_gro_remcsum(skb, off_vx, vh, sizeof(struct
vxlanhdr),
vh->vx_vni, &grc,
!!(vs->flags &
VXLAN_F_REMCSUM_NOPARTIAL));
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
