• Lin Ming's avatar
    ipvs: fix oops on NAT reply in br_nf context · 9e33ce45
    Lin Ming authored
    IPVS should not reset skb->nf_bridge in FORWARD hook
    by calling nf_reset for NAT replies. It triggers oops in
    br_nf_forward_finish.
    
    [  579.781508] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
    [  579.781669] IP: [<ffffffff817b1ca5>] br_nf_forward_finish+0x58/0x112
    [  579.781792] PGD 218f9067 PUD 0
    [  579.781865] Oops: 0000 [#1] SMP
    [  579.781945] CPU 0
    [  579.781983] Modules linked in:
    [  579.782047]
    [  579.782080]
    [  579.782114] Pid: 4644, comm: qemu Tainted: G        W    3.5.0-rc5-00006-g95e69f9 #282 Hewlett-Packard  /30E8
    [  579.782300] RIP: 0010:[<ffffffff817b1ca5>]  [<ffffffff817b1ca5>] br_nf_forward_finish+0x58/0x112
    [  579.782455] RSP: 0018:ffff88007b003a98  EFLAGS: 00010287
    [  579.782541] RAX: 0000000000000008 RBX: ffff8800762ead00 RCX: 000000000001670a
    [  579.782653] RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff8800762ead00
    [  579.782845] RBP: ffff88007b003ac8 R08: 0000000000016630 R09: ffff88007b003a90
    [  579.782957] R10: ffff88007b0038e8 R11: ffff88002da37540 R12: ffff88002da01a02
    [  579.783066] R13: ffff88002da01a80 R14: ffff88002d83c000 R15: ffff88002d82a000
    [  579.783177] FS:  0000000000000000(0000) GS:ffff88007b000000(0063) knlGS:00000000f62d1b70
    [  579.783306] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
    [  579.783395] CR2: 0000000000000004 CR3: 00000000218fe000 CR4: 00000000000027f0
    [  579.783505] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [  579.783684] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [  579.783795] Process qemu (pid: 4644, threadinfo ffff880021b20000, task ffff880021aba760)
    [  579.783919] Stack:
    [  579.783959]  ffff88007693cedc ffff8800762ead00 ffff88002da01a02 ffff8800762ead00
    [  579.784110]  ffff88002da01a02 ffff88002da01a80 ffff88007b003b18 ffffffff817b26c7
    [  579.784260]  ffff880080000000 ffffffff81ef59f0 ffff8800762ead00 ffffffff81ef58b0
    [  579.784477] Call Trace:
    [  579.784523]  <IRQ>
    [  579.784562]
    [  579.784603]  [<ffffffff817b26c7>] br_nf_forward_ip+0x275/0x2c8
    [  579.784707]  [<ffffffff81704b58>] nf_iterate+0x47/0x7d
    [  579.784797]  [<ffffffff817ac32e>] ? br_dev_queue_push_xmit+0xae/0xae
    [  579.784906]  [<ffffffff81704bfb>] nf_hook_slow+0x6d/0x102
    [  579.784995]  [<ffffffff817ac32e>] ? br_dev_queue_push_xmit+0xae/0xae
    [  579.785175]  [<ffffffff8187fa95>] ? _raw_write_unlock_bh+0x19/0x1b
    [  579.785179]  [<ffffffff817ac417>] __br_forward+0x97/0xa2
    [  579.785179]  [<ffffffff817ad366>] br_handle_frame_finish+0x1a6/0x257
    [  579.785179]  [<ffffffff817b2386>] br_nf_pre_routing_finish+0x26d/0x2cb
    [  579.785179]  [<ffffffff817b2cf0>] br_nf_pre_routing+0x55d/0x5c1
    [  579.785179]  [<ffffffff81704b58>] nf_iterate+0x47/0x7d
    [  579.785179]  [<ffffffff817ad1c0>] ? br_handle_local_finish+0x44/0x44
    [  579.785179]  [<ffffffff81704bfb>] nf_hook_slow+0x6d/0x102
    [  579.785179]  [<ffffffff817ad1c0>] ? br_handle_local_finish+0x44/0x44
    [  579.785179]  [<ffffffff81551525>] ? sky2_poll+0xb35/0xb54
    [  579.785179]  [<ffffffff817ad62a>] br_handle_frame+0x213/0x229
    [  579.785179]  [<ffffffff817ad417>] ? br_handle_frame_finish+0x257/0x257
    [  579.785179]  [<ffffffff816e3b47>] __netif_receive_skb+0x2b4/0x3f1
    [  579.785179]  [<ffffffff816e69fc>] process_backlog+0x99/0x1e2
    [  579.785179]  [<ffffffff816e6800>] net_rx_action+0xdf/0x242
    [  579.785179]  [<ffffffff8107e8a8>] __do_softirq+0xc1/0x1e0
    [  579.785179]  [<ffffffff8135a5ba>] ? trace_hardirqs_off_thunk+0x3a/0x6c
    [  579.785179]  [<ffffffff8188812c>] call_softirq+0x1c/0x30
    
    The steps to reproduce as follow,
    
    1. On Host1, setup brige br0(192.168.1.106)
    2. Boot a kvm guest(192.168.1.105) on Host1 and start httpd
    3. Start IPVS service on Host1
       ipvsadm -A -t 192.168.1.106:80 -s rr
       ipvsadm -a -t 192.168.1.106:80 -r 192.168.1.105:80 -m
    4. Run apache benchmark on Host2(192.168.1.101)
       ab -n 1000 http://192.168.1.106/
    
    ip_vs_reply4
      ip_vs_out
        handle_response
          ip_vs_notrack
            nf_reset()
            {
              skb->nf_bridge = NULL;
            }
    
    Actually, IPVS wants in this case just to replace nfct
    with untracked version. So replace the nf_reset(skb) call
    in ip_vs_notrack() with a nf_conntrack_put(skb->nfct) call.
    Signed-off-by: 's avatarLin Ming <mlin@ss.pku.edu.cn>
    Signed-off-by: 's avatarJulian Anastasov <ja@ssi.bg>
    Signed-off-by: 's avatarSimon Horman <horms@verge.net.au>
    Signed-off-by: 's avatarPablo Neira Ayuso <pablo@netfilter.org>
    9e33ce45
Name
Last commit
Last update
..
9p Loading commit data...
bluetooth Loading commit data...
caif Loading commit data...
irda Loading commit data...
iucv Loading commit data...
netfilter Loading commit data...
netns Loading commit data...
nfc Loading commit data...
phonet Loading commit data...
sctp Loading commit data...
tc_act Loading commit data...
act_api.h Loading commit data...
addrconf.h Loading commit data...
af_ieee802154.h Loading commit data...
af_rxrpc.h Loading commit data...
af_unix.h Loading commit data...
ah.h Loading commit data...
arp.h Loading commit data...
atmclip.h Loading commit data...
ax25.h Loading commit data...
ax88796.h Loading commit data...
cfg80211-wext.h Loading commit data...
cfg80211.h Loading commit data...
checksum.h Loading commit data...
cipso_ipv4.h Loading commit data...
cls_cgroup.h Loading commit data...
codel.h Loading commit data...
compat.h Loading commit data...
datalink.h Loading commit data...
dcbevent.h Loading commit data...
dcbnl.h Loading commit data...
dn.h Loading commit data...
dn_dev.h Loading commit data...
dn_fib.h Loading commit data...
dn_neigh.h Loading commit data...
dn_nsp.h Loading commit data...
dn_route.h Loading commit data...
dsa.h Loading commit data...
dsfield.h Loading commit data...
dst.h Loading commit data...
dst_ops.h Loading commit data...
esp.h Loading commit data...
ethoc.h Loading commit data...
fib_rules.h Loading commit data...
flow.h Loading commit data...
flow_keys.h Loading commit data...
garp.h Loading commit data...
gen_stats.h Loading commit data...
genetlink.h Loading commit data...
gre.h Loading commit data...
icmp.h Loading commit data...
ieee80211_radiotap.h Loading commit data...
ieee802154.h Loading commit data...
ieee802154_netdev.h Loading commit data...
if_inet6.h Loading commit data...
inet6_connection_sock.h Loading commit data...
inet6_hashtables.h Loading commit data...
inet_common.h Loading commit data...
inet_connection_sock.h Loading commit data...
inet_ecn.h Loading commit data...
inet_frag.h Loading commit data...
inet_hashtables.h Loading commit data...
inet_sock.h Loading commit data...
inet_timewait_sock.h Loading commit data...
inetpeer.h Loading commit data...
ip.h Loading commit data...
ip6_checksum.h Loading commit data...
ip6_fib.h Loading commit data...
ip6_route.h Loading commit data...
ip6_tunnel.h Loading commit data...
ip_fib.h Loading commit data...
ip_vs.h Loading commit data...
ipcomp.h Loading commit data...
ipconfig.h Loading commit data...
ipip.h Loading commit data...
ipv6.h Loading commit data...
ipx.h Loading commit data...
iw_handler.h Loading commit data...
lapb.h Loading commit data...
lib80211.h Loading commit data...
llc.h Loading commit data...
llc_c_ac.h Loading commit data...
llc_c_ev.h Loading commit data...
llc_c_st.h Loading commit data...
llc_conn.h Loading commit data...
llc_if.h Loading commit data...
llc_pdu.h Loading commit data...
llc_s_ac.h Loading commit data...
llc_s_ev.h Loading commit data...
llc_s_st.h Loading commit data...
llc_sap.h Loading commit data...
mac80211.h Loading commit data...
mac802154.h Loading commit data...
mip6.h Loading commit data...
mld.h Loading commit data...
ndisc.h Loading commit data...
neighbour.h Loading commit data...
net_namespace.h Loading commit data...
net_ratelimit.h Loading commit data...
netdma.h Loading commit data...
netevent.h Loading commit data...
netlabel.h Loading commit data...
netlink.h Loading commit data...
netprio_cgroup.h Loading commit data...
netrom.h Loading commit data...
nexthop.h Loading commit data...
nl802154.h Loading commit data...
p8022.h Loading commit data...
ping.h Loading commit data...
pkt_cls.h Loading commit data...
pkt_sched.h Loading commit data...
protocol.h Loading commit data...
psnap.h Loading commit data...
raw.h Loading commit data...
rawv6.h Loading commit data...
red.h Loading commit data...
regulatory.h Loading commit data...
request_sock.h Loading commit data...
rose.h Loading commit data...
route.h Loading commit data...
rtnetlink.h Loading commit data...
sch_generic.h Loading commit data...
scm.h Loading commit data...
secure_seq.h Loading commit data...
slhc_vj.h Loading commit data...
snmp.h Loading commit data...
sock.h Loading commit data...
stp.h Loading commit data...
tcp.h Loading commit data...
tcp_memcontrol.h Loading commit data...
tcp_states.h Loading commit data...
timewait_sock.h Loading commit data...
transp_v6.h Loading commit data...
udp.h Loading commit data...
udplite.h Loading commit data...
wext.h Loading commit data...
wimax.h Loading commit data...
wpan-phy.h Loading commit data...
x25.h Loading commit data...
x25device.h Loading commit data...
xfrm.h Loading commit data...