Hi, we are evaluating ovs 2.6.0 and have hit a kernel crash. After reviewing the code, it seems that in vxlan_gro_receive in the compat code, with a 3.18.29 kernel, the code quoted below triggers a NULL pointer dereference, which crashes the kernel.
I have also checked the code of ovs 2.5.0; it does not have the same issue because it checks the 'vs' variable and then checks the remote csum receive flag. This seems to have been introduced by commit f2252c6105a32bada26949fa65ec146c4ac30697, which tries to sync the compat vxlan and geneve code with the upstream kernel.

The code that triggers the crash (when HAVE_UDP_OFFLOAD_ARG_UOFF is not defined, 'vs' is initialized to NULL and later dereferenced as vs->flags without a check):

#ifndef HAVE_UDP_OFFLOAD_ARG_UOFF
static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
                                          struct sk_buff *skb)
#else
static struct sk_buff **vxlan_gro_receive(struct sk_buff **head,
                                          struct sk_buff *skb,
                                          struct udp_offload *uoff)
#endif
{
#ifdef HAVE_UDP_OFFLOAD_ARG_UOFF
        struct vxlan_sock *vs = container_of(uoff, struct vxlan_sock,
                                             udp_offloads);
#else
        struct vxlan_sock *vs = NULL;
#endif
        struct sk_buff *p, **pp = NULL;
        struct vxlanhdr *vh, *vh2;
        unsigned int hlen, off_vx;
        int flush = 1;
        __be32 flags;
        struct gro_remcsum grc;

        skb_gro_remcsum_init(&grc);

        off_vx = skb_gro_offset(skb);
        hlen = off_vx + sizeof(*vh);
        vh = skb_gro_header_fast(skb, off_vx);
        if (skb_gro_header_hard(skb, hlen)) {
                vh = skb_gro_header_slow(skb, hlen, off_vx);
                if (unlikely(!vh))
                        goto out;
        }

        skb_gro_postpull_rcsum(skb, vh, sizeof(struct vxlanhdr));

        flags = vh->vx_flags;

        if ((flags & VXLAN_HF_RCO) && (vs->flags & VXLAN_F_REMCSUM_RX)) {
                // vs is NULL!
                vh = vxlan_gro_remcsum(skb, off_vx, vh, sizeof(struct vxlanhdr),
                                       vh->vx_vni, &grc,
                                       !!(vs->flags & VXLAN_F_REMCSUM_NOPARTIAL));