From: wenxu
To: pshelar@nicira.com, davem@davemloft.net, jesse@kernel.org
Cc: netdev@vger.kernel.org, dev@openvswitch.org, linux-kernel@vger.kernel.org, wenxu@ucloud.cn
Subject: [PATCH] [stable 4.1.y PACTH] openvswitch: fix crash cause by non-nvgre packet
Date: Tue, 22 Dec 2015 17:15:59 +0800
Message-Id: <1450775759-11059-1-git-send-email-wenxu@ucloud.cn>

kernel BUG at include/linux/skbuff.h:1219!
invalid opcode: 0000 [#1] SMP
RIP: 0010:[] ovs_flow_extract+0x8ed/0xa40 [openvswitch]
Call Trace:
ovs_dp_process_received_packet+0x44/0x80 [openvswitch]
ovs_vport_receive+0x2e/0x30 [openvswitch]
gre_rcv+0xac/0xd0 [openvswitch]
gre_cisco_rcv+0x1c2/0x310 [openvswitch]
gre_rcv+0x59/0x80 [openvswitch]

ovs_flow_extract calls __skb_pull, leading to BUG_ON(skb->len < skb->data_len),
if the gre header protocol is not TEB and most of the packet is in
the nonlinear space.

1. gre_rcv: pskb_may_pull(skb, 12)
pulls the 12 bytes into the linear space (skb->data). The gre header is only
8 bytes with a key.

2. gre_cisco_rcv-->parse_gre_header-->iptunnel_pull_header
{
    if (inner_proto == htons(ETH_P_TEB)) {
        struct ethhdr *eh;

        if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
            return -ENOMEM;
        ......
    }
}
The wrong inner_proto means the MAC header is not pulled into the linear space.

3. Finally, it crashes in ovs_flow_extract->__skb_pull.

Signed-off-by: wenxu
---
 net/openvswitch/vport-gre.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c index f17ac96..4a993b5 100644 --- a/net/openvswitch/vport-gre.c +++ b/net/openvswitch/vport-gre.c 
@@ -107,6 +107,9 @@ static int gre_rcv(struct sk_buff *skb, if (unlikely(!vport)) return PACKET_REJECT; + if (unlikely(tpi->proto != htons(ETH_P_TEB))) + return PACKET_REJECT; + key = key_to_tunnel_id(tpi->key, tpi->seq); ovs_flow_tun_info_init(&tun_info, ip_hdr(skb), 0, 0, key, filter_tnl_flags(tpi->flags), NULL, 0); -- 1.9.1 From mboxrd@z Thu Jan 1 00:00:00 1970 
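Review bot: the added `tpi->proto != htons(ETH_P_TEB)` test in gre_rcv carries no comment, so the reason non-TEB frames are rejected (iptunnel_pull_header only pulls ETH_HLEN into the linear area for ETH_P_TEB, and ovs_flow_extract later does __skb_pull on that header) is recorded only in the commit message. A one-line comment above the check stating that OVS GRE vports carry Ethernet frames only would keep the invariant visible to anyone later touching this path. The check also depends only on tpi, so it could sit before the `!vport` test as an early reject. Since this is addressed to stable 4.1.y, the message should name the upstream commit it corresponds to, or say why the fix is stable-only.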
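Added example (not part of the original mail and not kernel code): a userspace C model of the skb length accounting walked through in steps 1-3 of the commit message, showing why a non-TEB packet held mostly in fragments trips the BUG_ON and how the added check avoids it. The struct, the helper names and the 108-byte packet are constructed for illustration; only len and data_len are modelled.

```c
#include <stdio.h>

#define ETH_HLEN  14
#define ETH_P_TEB 0x6558   /* Transparent Ethernet Bridging */
#define ETH_P_IP  0x0800
enum { RX_OK, RX_REJECT, RX_BUG };

/* Hypothetical model: len = total bytes, data_len = bytes held in frags. */
struct skb_model { unsigned len, data_len; };

static unsigned headlen(const struct skb_model *s) { return s->len - s->data_len; }

/* Like pskb_may_pull(): make n bytes linear, copying out of frags if needed. */
static int may_pull(struct skb_model *s, unsigned n)
{
    if (n > s->len) return 0;
    if (n > headlen(s)) s->data_len -= n - headlen(s);
    return 1;
}

/* Like __skb_pull(): no linearisation; returns 0 where the kernel hits
 * BUG_ON(skb->len < skb->data_len). */
static int raw_pull(struct skb_model *s, unsigned n)
{
    if (n > s->len) return 0;
    s->len -= n;
    return s->len >= s->data_len;
}

/* Receive path from the commit message; `patched` enables the added check. */
static int gre_receive(unsigned total, unsigned linear, unsigned proto, int patched)
{
    struct skb_model s = { total, total - linear };

    if (!may_pull(&s, 12)) return RX_REJECT;       /* step 1: gre_rcv */
    if (!raw_pull(&s, 8)) return RX_BUG;           /* strip 8-byte GRE header */
    if (proto == ETH_P_TEB && !may_pull(&s, ETH_HLEN))
        return RX_REJECT;                          /* step 2: iptunnel_pull_header */
    if (patched && proto != ETH_P_TEB)
        return RX_REJECT;                          /* the check the patch adds */
    return raw_pull(&s, ETH_HLEN) ? RX_OK : RX_BUG; /* step 3: ovs_flow_extract */
}

int main(void)
{
    /* Constructed packet: 8-byte GRE header + 100-byte payload, all in frags. */
    printf("TEB, unpatched:     %d\n", gre_receive(108, 0, ETH_P_TEB, 0));
    printf("non-TEB, unpatched: %d\n", gre_receive(108, 0, ETH_P_IP, 0));
    printf("non-TEB, patched:   %d\n", gre_receive(108, 0, ETH_P_IP, 1));
    return 0;
}
```

A fully linear non-TEB packet passes even without the check, which matches the commit message's condition that most of the packet must be in the nonlinear part.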