On Tue, Jul 12, 2016 at 3:26 PM, Joe Stringer <j...@ovn.org> wrote:
> If a user sends some fragments of an IPv6 message through OVS, but OVS
> fails to assemble the IPv6 message and the OVS module is then unloaded
> before the fragments expire, it could lead to a kernel panic like the
> following:
>
> Call Trace:
> <IRQ>
> [<ffffffff810e1919>] ? call_timer_fn+0x39/0x130
> [<ffffffff810e31fe>] run_timer_softirq+0x20e/0x2c0
> [<ffffffff8107dd0d>] __do_softirq+0xdd/0x290
> [<ffffffff817c5bdc>] do_softirq_own_stack+0x1c/0x30
> <EOI>
> [<ffffffff8107df5f>] do_softirq+0x4f/0x60
> [<ffffffff8107dff5>] __local_bh_enable_ip+0x85/0x90
> [<ffffffff8173994f>] inet_frags_exit_net+0x6f/0xc0
> [<ffffffffc00c02a3>] nf_ct_net_exit+0x43/0x50 [nf_defrag_ipv6]
> [<ffffffff816ae528>] ops_exit_list.isra.4+0x38/0x60
> [<ffffffff816ae656>] unregister_pernet_operations+0x96/0xe0
> [<ffffffff816ae6c5>] unregister_pernet_subsys+0x25/0x40
> [<ffffffffc00c1315>] nf_ct_frag6_cleanup+0x15/0x23 [nf_defrag_ipv6]
> [<ffffffffc00c133d>] nf_defrag_fini+0x1a/0xcdd [nf_defrag_ipv6]
> [<ffffffff810fbedd>] SyS_delete_module+0x18d/0x220
> [<ffffffff817c40b2>] entry_SYSCALL_64_fastpath+0x16/0x75
> Code: Bad RIP value.
> RIP [<ffffffffc030f990>] 0xffffffffc030f990
> RSP <ffff88007a043e90>
> CR2: ffffffffc030f990
> ---[ end trace 3bd8c1bbc4478fe2 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
>
> Fixes: 73b09aff14c7 ("compat: Backport IPv6 reassembly.")
> Reported-by: Jarno Rajahalme <ja...@ovn.org>
> Signed-off-by: Joe Stringer <j...@ovn.org>
Acked-by: Pravin B Shelar <pshe...@ovn.org>
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
