Public bug reported:

* Explain the bug(s)
When using OVS with tc to offload connection tracking flows, sending UDP/ICMP 
fragmented traffic will cause a call trace with a NULL dereference.

[ 7229.433005] Modules linked in: act_tunnel_key act_csum act_pedit xt_nat 
netconsole rpcsec_gss_krb5 act_ct nf_flow_table xt_conntrack xt_MASQUERADE 
nf_conntrack_netlink xt_addrtype iptable_filter iptable_nat bpfilter 
br_netfilter bridge overlay sbsa_gwdt xfrm_user xfrm_algo target_core_mod 
ipmi_devintf ipmi_msghandler mst_pciconf(OE) 8021q garp stp mrp llc act_skbedit 
act_mirred ib_ipoib(OE) geneve ip6_udp_tunnel udp_tunnel nfnetlink_cttimeout 
nfnetlink act_gact cls_flower sch_ingress openvswitch nsh nf_conncount nf_nat 
ib_umad(OE) binfmt_misc dm_multipath mlx5_ib(OE) uio_pdrv_genirq uio mlxbf_pmc 
mlxbf_pka mlx_trio bluefield_edac mlx_bootctl(OE) sch_fq_codel rdma_ucm(OE) 
ib_uverbs(OE) rdma_cm(OE) iw_cm(OE) ib_cm(OE) ib_core(OE) ip_tables ipv6 
crc_ccitt btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy 
async_pq async_xor async_tx xor xor_neon raid6_pq raid1 raid0 mlx5_core(OE) 
crct10dif_ce mlxfw(OE) psample mlxdevm(OE) auxiliary(OE) mlx_compat(OE) 
i2c_mlxbf(OE)
[ 7229.433074]  gpio_mlxbf2(OE) mlxbf_gige(OE) aes_neon_bs aes_neon_blk [last 
unloaded: mst_pci]
[ 7229.433083] CPU: 4 PID: 1602 Comm: handler6 Tainted: G           OE     
5.4.0-1017-bluefield #20-Ubuntu
[ 7229.433085] Hardware name: https://www.mellanox.com BlueField SoC/BlueField 
SoC, BIOS BlueField:3.7.1-7-g9964f06 Aug  5 2021
[ 7229.433087] pstate: 60000005 (nZCv daif -PAN -UAO)
[ 7229.433101] pc : inet_frag_rbtree_purge+0x58/0x88
[ 7229.433103] lr : inet_frag_rbtree_purge+0x6c/0x88
[ 7229.433104] sp : ffff800013273500
[ 7229.433105] x29: ffff800013273500 x28: ffff00037b899e80 
[ 7229.433107] x27: 0000000000000018 x26: ffff0003b6da2228 
[ 7229.433109] x25: ffff0003b6da2200 x24: ffff80001191e140 
[ 7229.433111] x23: ffff80001191e140 x22: ffff00037d6a56a8 
[ 7229.433113] x21: 0000000000000000 x20: 0000000000000300 
[ 7229.433114] x19: 0000000100000000 x18: 0000000000000000
[ 7229.433116] x17: 0000000000000000 x16: 0000000000000000
[ 7229.433118] x15: 0000000000000000 x14: ffff80000944e960
[ 7229.433119] x13: 0000000000000001 x12: ffff80000944e5e0
[ 7229.433121] x11: 0000000000000008 x10: 0000000000000000
[ 7229.433123] x9 : 0000000000000000 x8 : ffff0003b97ab3c0
[ 7229.433124] x7 : 0000000000000000 x6 : 000000005464ccee
[ 7229.433126] x5 : ffff800010be50a8 x4 : fffffe000dd9d820
[ 7229.433127] x3 : 0000000080200005 x2 : fffffe000dd9d820
[ 7229.433129] x1 : 0000000000000000 x0 : 0000000000000000
[ 7229.433131] Call trace:
[ 7229.433134]  inet_frag_rbtree_purge+0x58/0x88
[ 7229.433138]  ip_frag_queue+0x2d0/0x610
[ 7229.433139]  ip_defrag+0xd0/0x170
[ 7229.433156]  ovs_ct_execute+0x3f8/0x720 [openvswitch]
[ 7229.433160] Unable to handle kernel paging request at virtual address 
00000001000000d0
[ 7229.433166]  do_execute_actions+0x7b4/0xa80 [openvswitch]
[ 7229.433167] Mem abort info:
[ 7229.433172]  ovs_execute_actions+0x74/0x188 [openvswitch]
[ 7229.433173]   ESR = 0x96000004
[ 7229.433178]  ovs_packet_cmd_execute+0x228/0x2a8 [openvswitch]
[ 7229.433180]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 7229.433183]  genl_family_rcv_msg+0x1a4/0x3d8
[ 7229.433184]   SET = 0, FnV = 0
[ 7229.433186]  genl_rcv_msg+0x64/0xd8

* Brief explanation of fixes
The series contains 7 patches from upstream which fix act_ct handling of 
fragmented packets.

* How to test
Create OVS bridge with 2 representors (uplink and BlueField representor for 
example).
Enable HW offload and configure connection tracking OpenFlow rules.
Send UDP/ICMP traffic from the VF with a packet size larger than the MTU.
Without the commits, a call trace will appear in dmesg.

* What it could break.
Bug fix; doesn't break other functionality.

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1940872

Title:
  Fix fragmentation support for TC connection tracking
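
A triage check for the call trace above, as an added example that is not part of the original report: it collects the frames after each "Call trace:" header, skips the lines another CPU interleaved into the trace, and flags a log whose trace passes through inet_frag_rbtree_purge, ip_defrag and ovs_ct_execute in that order. The function and constant names and the UNRELATED sample are constructed for illustration.

```python
import re
import sys

# A stack frame line: "[ 7229.433138]  ip_frag_queue+0x2d0/0x610 [module]"
FRAME = re.compile(
    r"^\[\s*\d+\.\d+\]\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[\w+\])?\s*$")
TRACE_START = re.compile(r"^\[\s*\d+\.\d+\]\s+Call trace:\s*$")
# Frames named in the report's trace, innermost first.
SIGNATURE = ("inet_frag_rbtree_purge", "ip_defrag", "ovs_ct_execute")

# Excerpt of the trace in the report, including the interleaved abort lines.
REPORT_EXCERPT = """\
[ 7229.433131] Call trace:
[ 7229.433134]  inet_frag_rbtree_purge+0x58/0x88
[ 7229.433138]  ip_frag_queue+0x2d0/0x610
[ 7229.433139]  ip_defrag+0xd0/0x170
[ 7229.433156]  ovs_ct_execute+0x3f8/0x720 [openvswitch]
[ 7229.433160] Unable to handle kernel paging request at virtual address 00000001000000d0
[ 7229.433166]  do_execute_actions+0x7b4/0xa80 [openvswitch]
[ 7229.433167] Mem abort info:
"""
# Constructed sample (not from the report): defrag reached outside OVS conntrack.
UNRELATED = """\
[  100.000001] Call trace:
[  100.000002]  ip_defrag+0x10/0x170
[  100.000003]  ip_local_deliver+0x20/0x100
"""

def extract_traces(log_text):
    """Return one list of function names per 'Call trace:' header."""
    traces, current = [], None
    for line in log_text.splitlines():
        if TRACE_START.match(line):
            current = []
            traces.append(current)
        # Non-frame lines interleaved by another CPU are skipped, not a terminator.
        elif current is not None and (m := FRAME.match(line)):
            current.append(m.group(1))
    return traces

def matches_signature(log_text, signature=SIGNATURE):
    """True if any trace contains the signature frames in order."""
    for frames in extract_traces(log_text):
        remaining = iter(frames)
        if all(name in remaining for name in signature):
            return True
    return False

if __name__ == "__main__":  # reads a kernel log on stdin; exit status 1 on a match
    sys.exit(1 if matches_signature(sys.stdin.read()) else 0)
```

Piping the dmesg output of a test host into the script gives an exit status that a regression job can check after the fragmented-traffic test.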
