git.proxmox.com Git - mirror_ovs.git/commit
datapath: fix skb_panic due to the incorrect actions attrlen
author Greg Rose <gvrose8192@gmail.com>
Mon, 11 Sep 2017 21:10:59 +0000 (14:10 -0700)
committer Andy Zhou <azhou@ovn.org>
Fri, 22 Sep 2017 19:32:54 +0000 (12:32 -0700)
commit 6b330a6060586cb4dce5c17c99568d8aaa71740f
tree 36fdf1a43c5c34e7f0dbc4a98edf5e987c5f1895
parent 72ef85ed5862b71c5936d43b8844d4fd26efe5ac
datapath: fix skb_panic due to the incorrect actions attrlen

Upstream commit:
    commit 494bea39f3201776cdfddc232705f54a0bd210c4
    Author: Liping Zhang <zlpnobody@gmail.com>
    Date:   Wed Aug 16 13:30:07 2017 +0800

    openvswitch: fix skb_panic due to the incorrect actions attrlen

    For sw_flow_actions, the actions_len only represents the kernel part's
    size, and when we dump the actions to the userspace, we will do the
    conversions, so its true size may become bigger than the actions_len.

    But unfortunately, for OVS_PACKET_ATTR_ACTIONS, we use the actions_len
    to alloc the skbuff, so the user_skb's size may become insufficient and
    oops will happen like this:
      skbuff: skb_over_panic: text:ffffffff8148fabf len:1749 put:157 head:
      ffff881300f39000 data:ffff881300f39000 tail:0x6d5 end:0x6c0 dev:<NULL>
      ------------[ cut here ]------------
      kernel BUG at net/core/skbuff.c:129!
      [...]
      Call Trace:
       <IRQ>
       [<ffffffff8148be82>] skb_put+0x43/0x44
       [<ffffffff8148fabf>] skb_zerocopy+0x6c/0x1f4
       [<ffffffffa0290d36>] queue_userspace_packet+0x3a3/0x448 [openvswitch]
       [<ffffffffa0292023>] ovs_dp_upcall+0x30/0x5c [openvswitch]
       [<ffffffffa028d435>] output_userspace+0x132/0x158 [openvswitch]
       [<ffffffffa01e6890>] ? ip6_rcv_finish+0x74/0x77 [ipv6]
       [<ffffffffa028e277>] do_execute_actions+0xcc1/0xdc8 [openvswitch]
       [<ffffffffa028e3f2>] ovs_execute_actions+0x74/0x106 [openvswitch]
       [<ffffffffa0292130>] ovs_dp_process_packet+0xe1/0xfd [openvswitch]
       [<ffffffffa0292b77>] ? key_extract+0x63c/0x8d5 [openvswitch]
       [<ffffffffa029848b>] ovs_vport_receive+0xa1/0xc3 [openvswitch]
      [...]

    Also we can find that the actions_len is much smaller than the orig_len:
      crash> struct sw_flow_actions 0xffff8812f539d000
      struct sw_flow_actions {
        rcu = {
          next = 0xffff8812f5398800,
          func = 0xffffe3b00035db32
        },
        orig_len = 1384,
        actions_len = 592,
        actions = 0xffff8812f539d01c
      }

    So as a quick fix, use the orig_len instead of the actions_len to alloc
    the user_skb.

    Last, this oops happened on our system running a relatively old kernel, but
    the same risk still exists on the mainline, since we use the wrong
    actions_len from the beginning.

Fixes: ccea74457bbd ("openvswitch: include datapath actions with sampled-pac
Cc: Neil McKee <neil.mckee@inmon.com>
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: 0e469d3b380c ("datapath: Include datapath actions with sampled-packet upcall to userspace.")
Signed-off-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: Andy Zhou <azhou@ovn.org>
datapath/actions.c
datapath/datapath.c
datapath/datapath.h
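
The sizing mistake described in the commit message, as an added C model that is not code from the OVS tree. `struct flow_actions`, `msg_buf`, `buf_put` and `build_upcall` are hypothetical names, the 64-byte header is constructed, and the dumped actions are assumed to need `orig_len` bytes; the lengths 1384 and 592 are the ones shown in the crash dump above.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for sw_flow_actions: only the two lengths matter here. */
struct flow_actions {
    size_t orig_len;    /* size of the actions in their userspace form */
    size_t actions_len; /* size of the kernel's internal form */
};

/* Minimal bounded buffer (hypothetical); models an skb's tail/end offsets. */
struct msg_buf { unsigned char *head; size_t tail, end; };

/* Reserve len bytes; returns -1 where skb_put() would hit skb_over_panic. */
static int buf_put(struct msg_buf *b, size_t len)
{
    if (len > b->end - b->tail)
        return -1;
    memset(b->head + b->tail, 0, len);
    b->tail += len;
    return 0;
}

/* Build header + dumped actions in a buffer sized as hdr_len + budget. */
static int build_upcall(const struct flow_actions *a, size_t hdr_len, size_t budget)
{
    struct msg_buf b = { malloc(hdr_len + budget), 0, hdr_len + budget };
    int rc = -1;

    if (!b.head)
        return -1;
    /* Assumption: dumping converts the actions back to orig_len bytes. */
    if (buf_put(&b, hdr_len) == 0 && buf_put(&b, a->orig_len) == 0)
        rc = 0;
    free(b.head);
    return rc;
}

int main(void)
{
    struct flow_actions a = { .orig_len = 1384, .actions_len = 592 };

    printf("sized by actions_len: %d\n", build_upcall(&a, 64, a.actions_len));
    printf("sized by orig_len:    %d\n", build_upcall(&a, 64, a.orig_len));
    return 0;
}
```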