From: Oliver Francke <Oliver.Francke@filoo.de>
To: Florian Lohoff <f@zz.de>, netdev@vger.kernel.org
Subject: Re: Crash in skb_segment / KVM GSO GRE IPV6
Date: Thu, 26 Nov 2015 16:40:00 +0100
Message-ID: <565727D0.9040303@filoo.de>
In-Reply-To: <20151114095326.GC3958@pax.zz.de>
Hi,
well, I think this is a serious bug, as I can crash a complete linux
host running hundreds of VMs from within a QEMU-guest only.
All I can add here is a test-setup where I can try out possible fixes
without disturbing others.
The only thing that helps ATM is switching all eth-offloading off, but
that cannot be a long-term solution.
Please help and let's get this fixed,
Oliver.
On 11/14/2015 10:53 AM, Florian Lohoff wrote:
>
> Hi,
>
> we experienced a reproducible crash on a KVM/qemu host running
> kernel 4.3.0 in skb_segment. (Setup is KVM guest, openvswitch 1.9 up to
> 2.something, host on 4.3.0.) A user in the guest KVM with virtio reportedly tried
> to set up a v4 GRE tunnel with IPv6 addresses, and as soon as he started a simple
> wget the host crashed.
>
> I couldn't catch the full backtrace on the host (IPMI redirect);
> here is what I typed from the video:
>
> NULL pointer dereference at 00000000084
>
> IP skb_segment+0x487/0x970
>
> RIP skb_segment+0x487/0x970
>
> ? __enqueue_entity
> tcp_gso_segment+0x11d/0x4a0
> ? debug_smp_processor_id
> tcp6_gso_segment
> ipv6_gso_segment
> ? default_wake_function
> skb_mac_gso_segment
> gre_gso_segment
> ? __wake_up_sync_key
> inet_gso_segment
>
> Using gdb on skbuff.o I find this:
>
> 3120 if (i >= nfrags) {
> 0x0000000000005492 <+1154>: cmp %r15d,%r11d
> 0x0000000000005495 <+1157>: jg 0x54d5 <skb_segment+1221>
>
> 3121 BUG_ON(skb_headlen(list_skb));
> 0x0000000000005497 <+1159>: mov 0x84(%r13),%eax
> 0x000000000000549e <+1166>: cmp %eax,0x80(%r13)
> 0x00000000000054a5 <+1173>: jne 0x5962 <skb_segment+2386>
> 0x0000000000005962 <+2386>: ud2
>
> Where 0x84 is skb->data_len, so skb_headlen(list_skb) hits
> a NULL list_skb.
>
> Flo
>
--
Oliver Francke
filoo GmbH
Moltkestraße 25a
33330 Gütersloh
HRB4355 AG Gütersloh
Managing directors: J.Rehpöhler | C.Kunz
Follow us on Twitter: http://twitter.com/filoogmbh
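The stopgap Oliver describes, switching the host NIC's offloads off, is easy to apply but easy to leave half-done, because `ethtool -k` lists features under long names while `ethtool -K` sets them under short ones. The script below is an added example, not code from this thread or from the kernel: it parses `ethtool -k` output to report which of the segmentation offloads on the backtrace's GSO path (TSO, GSO, GRO) are still enabled, and offers a function to disable them. `eth0` is a placeholder interface name, ethtool(8) is assumed to be installed, and the sample output embedded in the script is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel: audit and
# switch off the segmentation offloads that Oliver disables as a workaround.
# Assumptions: "eth0" is a placeholder interface name, ethtool(8) is
# installed, and the sample `ethtool -k` output below is constructed.

# Features on the GSO/GRO path named in the backtrace (ethtool -k long names).
OFFLOADS="tcp-segmentation-offload generic-segmentation-offload generic-receive-offload"

# Read `ethtool -k <iface>` output on stdin and print, space separated on one
# line, those of $OFFLOADS that are still "on". Empty output means all are off.
enabled_offloads() {
    awk -v want="$OFFLOADS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        {
            name = $1; sub(/:$/, "", name)   # "tcp-segmentation-offload:" -> name
            if ((name in keep) && $2 == "on")
                s = s (s == "" ? "" : " ") name
        }
        END { print s }
    '
}

# Disable the three features on a host NIC (ethtool -K short names: tso, gso, gro).
disable_offloads() {
    ethtool -K "$1" tso off gso off gro off
}

# Exit 0 if nothing from $OFFLOADS is enabled on the interface, 1 otherwise.
check_iface() {
    [ -z "$(ethtool -k "$1" | enabled_offloads)" ]
}

# Constructed sample in the layout ethtool -k prints (sub-features are indented).
SAMPLE='Features for eth0:
rx-checksumming: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Stand-alone run only audits the constructed sample; pass --apply and an
# interface to change a real NIC, e.g. `sh audit_offloads.sh --apply eth0`.
printf '%s\n' "$SAMPLE" | enabled_offloads
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    disable_offloads "$2" && check_iface "$2"
fi
```

Run without arguments the script prints `tcp-segmentation-offload generic-receive-offload` for the constructed sample, i.e. the two features that still need turning off. `check_iface` re-reads the live `ethtool -k` state after `-K`, which matters because a driver may refuse or silently ignore a setting; an empty audit line, not a successful `ethtool -K` exit status, is the evidence that the workaround is in place. As Oliver notes, this costs throughput and is a stopgap, not a fix.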