From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: 2.6.25-rc: Null dereference in ip_defrag
Date: Mon, 17 Mar 2008 18:43:32 +0100
Message-ID: <47DEADC4.4010609@trash.net>
References: <20080317170008.GA30338@linuxace.com> <47DEACF7.10202@openvz.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Phil Oester , netdev@vger.kernel.org
To: Pavel Emelyanov
Return-path:
Received: from viefep31-int.chello.at ([62.179.121.49]:57512 "EHLO viefep31-int.chello.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752184AbYCQRwL (ORCPT ); Mon, 17 Mar 2008 13:52:11 -0400
In-Reply-To: <47DEACF7.10202@openvz.org>
Sender: netdev-owner@vger.kernel.org
List-ID:

Pavel Emelyanov wrote:
> Phil Oester wrote:
>> And the packets causing the problem are all multicast fragments being
>> generated by Quagga's OSPFD (see debug output below). Tried manually generating
>> some multicast fragments with iperf, but couldn't reproduce it.
>>
>> Any ideas?
>
> This is the same as the problem fixed here:
>
> commit 4136cd523eb0c0bd53173e16fd7406d31d05824f
> [IPV4]: route: fix crash ip_route_input
>
> The sk_buff does not have a valid dev sometimes in ip_defrag() :(
> and you have to setup conntrack rules to make packets go this way.
> But unlike the above problem we cannot even trust the skb->dst to
> be not NULL...

We can on output. Usually we don't even see fragments in conntrack on output
since we defer fragmentation until all netfilter hooks have been processed.
Quagga is generating fragments using raw sockets and IP_HDRINCL though.

> Can you check with this patch, please (untested, but should work)?

This is getting pretty ugly. Shouldn't

int ip_defrag(struct sk_buff *skb, u32 user)
{
	...
-	net = skb->dev->nd_net;
+	net = skb->dev ? skb->dev->nd_net : skb->dst->dev->nd_net;

work as well?
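Review bot: the fallback branch in `net = skb->dev ? skb->dev->nd_net : skb->dst->dev->nd_net;` still dereferences skb->dst unconditionally, which is the very pointer the quoted reply above says cannot be trusted to be non-NULL on every path into ip_defrag(). The justification given is that a NULL skb->dev only happens on output, where skb->dst is set; that assumption should be recorded in a comment beside the line or enforced with a WARN_ON/BUG_ON-style guard on skb->dst, so a future path that reaches ip_defrag() with both pointers NULL fails loudly rather than reintroducing the same class of NULL dereference the thread is chasing.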