Re: [Xen-devel] Re: Panic in ipt_do_table with 2.6.16.13-xen

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Gerd Hoffmann <kraxel@suse.de>
To: Keir Fraser <Keir.Fraser@cl.cam.ac.uk>
Cc: Matt Ayres <matta@tektonic.net>,
	Patrick McHardy <kaber@trash.net>,
	James Morris <jmorris@namei.org>,
	"xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>,
	Netfilter Development Mailinglist 
	<netfilter-devel@lists.netfilter.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [Xen-devel] Re: Panic in ipt_do_table with 2.6.16.13-xen
Date: Wed, 24 May 2006 09:16:37 +0200	[thread overview]
Message-ID: <44740855.4090409@suse.de> (raw)
In-Reply-To: <5e589307bfef58553bfda1d7ab47f9f3@cl.cam.ac.uk>

[-- Attachment #1: Type: text/plain, Size: 599 bytes --]

>> As the concerned user, what does this mean to me?  It will only affect
>> SMP systems?  It is a bug in Xen or netfilter?
> 
> Probably a Xen bug, but if so then it's basically a memory corruption.

Might also be a netfilter bug which is simply triggered by the way how
xen manages the memory.  Due to ballooning you can have holes in memory,
so out-of-range access may fault with xen whereas it will go unnoticed
with normal kernels.

One such beast is in bridging netfilter code, additionally it triggers
with certain ethernet cards only, patch below.  Pinned down last week ;)

cheers,

  Gerd

[-- Attachment #2: nf_bridge-header-size --]
[-- Type: text/plain, Size: 1279 bytes --]

Subject: nf_bridge: ethernet header is 14 not 16 bytes
From: jbeulich@novell.com
Acked-by: kraxel@suse.de
References: 150410

The bridge netfilter code saves two more bytes that it should.
In most cases it doesn't hurt because many drivers use NET_IP_ALIGN
to make the IP header aligned, so there are two extra bytes head room
available.

Some drivers don't do that though (sky2 for example), so copying
accesses data outside the skbuff data allocation.  On xen kernels
this can kill the machine with a page fault due to the way how
skbuffs are allocated and the memory is managed.

Index: linux-2.6.16/include/linux/netfilter_bridge.h
===================================================================
--- linux-2.6.16.orig/include/linux/netfilter_bridge.h
+++ linux-2.6.16/include/linux/netfilter_bridge.h
@@ -73,14 +73,14 @@ void nf_bridge_maybe_copy_header(struct 
 			memcpy(skb->data - 18, skb->nf_bridge->data, 18);
 			skb_push(skb, 4);
 		} else
-			memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+			memcpy(skb->data - 14, skb->nf_bridge->data, 14);
 	}
 }

 static inline
 void nf_bridge_save_header(struct sk_buff *skb)
 {
-        int header_size = 16;
+        int header_size = 14;

 	if (skb->protocol == __constant_htons(ETH_P_8021Q))
 		header_size = 18;

     prev parent reply	other threads:[~2006-05-24  7:16 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-05-15 17:46 Panic in ipt_do_table with 2.6.16.13-xen Matt Ayres
2006-05-15 19:27 ` Patrick McHardy
2006-05-16  0:01   ` Matt Ayres
2006-05-16  3:31     ` James Morris
2006-05-16 13:49       ` [Xen-devel] " Matt Ayres
2006-05-16 15:28         ` James Morris
2006-05-18 23:58           ` Matt Ayres
2006-05-19  0:05             ` James Morris
2006-05-19  0:16               ` Matt Ayres
2006-05-19  0:45                 ` Matt Ayres
2006-05-21 17:43                   ` Patrick McHardy
2006-05-22 14:31                     ` Matt Ayres
2006-05-22 14:42                       ` Keir Fraser
2006-05-22 14:43                       ` Patrick McHardy
2006-05-23  9:54                         ` Keir Fraser
2006-05-23 12:03                           ` Matt Ayres
2006-05-23 21:15                         ` Keir Fraser
2006-05-23 21:23                           ` Matt Ayres
2006-05-23 21:27                             ` Keir Fraser
2006-05-24  7:16                               ` Gerd Hoffmann [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=44740855.4090409@suse.de \
    --to=kraxel@suse.de \
    --cc=Keir.Fraser@cl.cam.ac.uk \
    --cc=jmorris@namei.org \
    --cc=kaber@trash.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=matta@tektonic.net \
    --cc=netfilter-devel@lists.netfilter.org \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox