On Sun, Aug 13, 2017 at 12:04 AM, Liping Zhang <[email protected]> wrote:
> From: Liping Zhang <[email protected]>
>
> For sw_flow_actions, the actions_len only represents the kernel part's
> size, and when we dump the actions to the userspace, we will do the
> convertions, so it's true size may become bigger than the actions_len.
>
> But unfortunately, for OVS_PACKET_ATTR_ACTIONS, we use the actions_len
> to alloc the skbuff, so the user_skb's size may become insufficient and
> oops will happen like this:
> skbuff: skb_over_panic: text:ffffffff8148fabf len:1749 put:157 head:
> ffff881300f39000 data:ffff881300f39000 tail:0x6d5 end:0x6c0 dev:<NULL>
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:129!
> [...]
> Call Trace:
> <IRQ>
> [<ffffffff8148be82>] skb_put+0x43/0x44
> [<ffffffff8148fabf>] skb_zerocopy+0x6c/0x1f4
> [<ffffffffa0290d36>] queue_userspace_packet+0x3a3/0x448 [openvswitch]
> [<ffffffffa0292023>] ovs_dp_upcall+0x30/0x5c [openvswitch]
> [<ffffffffa028d435>] output_userspace+0x132/0x158 [openvswitch]
> [<ffffffffa01e6890>] ? ip6_rcv_finish+0x74/0x77 [ipv6]
> [<ffffffffa028e277>] do_execute_actions+0xcc1/0xdc8 [openvswitch]
> [<ffffffffa028e3f2>] ovs_execute_actions+0x74/0x106 [openvswitch]
> [<ffffffffa0292130>] ovs_dp_process_packet+0xe1/0xfd [openvswitch]
> [<ffffffffa0292b77>] ? key_extract+0x63c/0x8d5 [openvswitch]
> [<ffffffffa029848b>] ovs_vport_receive+0xa1/0xc3 [openvswitch]
> [...]
>
> Also we can find that the actions_len is much little than the orig_len:
> crash> struct sw_flow_actions 0xffff8812f539d000
> struct sw_flow_actions {
> rcu = {
> next = 0xffff8812f5398800,
> func = 0xffffe3b00035db32
> },
> orig_len = 1384,
> actions_len = 592,
> actions = 0xffff8812f539d01c
> }
>
> So as a quick fix, use the orig_len instead of the actions_len to alloc
> the user_skb.
>
> Last, this oops happened on our system running a relative old kernel, but
> the same risk still exists on the mainline, since we use the wrong
> actions_len from the beginning.
>
Thanks for fixing it.
> Fixes: ccea74457bbd ("openvswitch: include datapath actions with
> sampled-packet upcall to userspace")
> Cc: Neil McKee <[email protected]>
> Signed-off-by: Liping Zhang <[email protected]>
> ---
> net/openvswitch/actions.c | 39 +++++++++++++++++++++++++--------------
> net/openvswitch/datapath.c | 2 +-
> net/openvswitch/datapath.h | 1 +
> 3 files changed, 27 insertions(+), 15 deletions(-)
>
> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> index e4610676299b..799a22dfb89e 100644
> --- a/net/openvswitch/actions.c
> +++ b/net/openvswitch/actions.c
> @@ -48,6 +48,7 @@ struct deferred_action {
> struct sk_buff *skb;
> const struct nlattr *actions;
> int actions_len;
> + int actions_attrlen;
>
Have you considered passing this value using struct ovs_skb_cb? That
would save passing this parameter in all these functions.
