Trusty - Null pointer dereference at queue_userspace_packet+0x1f/0x2d0 [openvswitch]
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Medium | Dave Chiluk |
Trusty | Fix Released | Medium | Dave Chiluk |
Bug Description
[Impact]
* With certain complicated network configurations, such as occur in OpenStack clouds, the kernel crashes with the stack trace below.
* We have observed kernel panics when an openvswitch bridge is
populated with virtual devices (veth, for example) that have expansive
feature sets that include NETIF_F_GSO_GRE.
The failure occurs when foreign GRE encapsulated traffic
(explicitly not including the initial packets of a connection) arrives at
the system (likely via a switch flood event). The packets are GRO
accumulated, and passed to the OVS receive processing. As the connection
is not in the OVS kernel datapath table, the call path is:
ovs_dp_upcall ->
queue_gso_packets ->
__skb_
Without 1e16aa3ddf863c6
[Test Case]
* We have no easy reproduce procedure.
[Regression Potential]
* Both patches are pulled from upstream, but have been neither accepted nor rejected as stable patches.
Stable threads
http://
http://
* This patch has now been in place for 50 days, without a related incident, in a large cloud where the issue used to occur frequently.
[Other Info]
* 330966e501ffe28
_______
[415165.417759] IP: [<ffffffffa015e
[415165.418073] PGD 0
[415165.418161] Oops: 0000 [#1] SMP
[415165.418299] Modules linked in: l2tp_eth l2tp_netlink l2tp_core vhost_net vhost macvtap macvlan xt_conntrack ipt_REJECT dccp_diag dccp tcp_diag udp_diag inet_diag unix_diag veth xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp ip6table_filter ip6_tables iptable_filter ip_tables x_tables nbd ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_
[415165.421570] aesni_intel ixgbe igb aes_x86_64 lrw dca gf128mul glue_helper ptp ablk_helper usbhid cryptd megaraid_sas pps_core hid mdio i2c_algo_bit wmi
[415165.427942] CPU: 7 PID: 0 Comm: swapper/7 Not tainted 3.13.0-53-generic #89-Ubuntu
[415165.440183] Hardware name: Cisco Systems Inc UCSC-C240-
[415165.452693] task: ffff882012d01800 ti: ffff882012cfc000 task.ti: ffff882012cfc000
[415165.465847] RIP: 0010:[<
[415165.480003] RSP: 0018:ffff88203f
[415165.487411] RAX: 0000000000000000 RBX: ffff88203fce3ce8 RCX: ffff88203fce3ce8
[415165.502430] RDX: 0000000000000000 RSI: 000000000000000e RDI: ffffffff81cdab00
[415165.517448] RBP: ffff88203fce3bc8 R08: 0000000000000001 R09: 0000000000000000
[415165.532701] R10: 0000000000410000 R11: 000000000f9365e3 R12: ffff88203fce3ce8
[415165.548698] R13: 0000000000000000 R14: 0000000000000000 R15: 000000000000000e
[415165.564653] FS: 000000000000000
[415165.580681] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[415165.588725] CR2: 00000000000000a3 CR3: 0000000001c0e000 CR4: 00000000000427e0
[415165.604495] Stack:
[415165.612127] ffffffff81d1ca68 ffff881fbd6c6c00 0000000000000009 0000000000000000
[415165.627360] ffff88203fce3ce8 0000000000000000 000000000000000e 0000000000000000
[415165.642642] ffff88203fce3cb8 ffffffffa015e5a1 0000000000000010 ffffffff81cdab00
[415165.657955] Call Trace:
[415165.665405] <IRQ>
[415165.665500]
[415165.672684] [<ffffffffa015e
[415165.680015] [<ffffffffa015d
[415165.694425] [<ffffffffa0160
[415165.701807] [<ffffffffa0160
[415165.716228] [<ffffffffa0166
[415165.723591] [<ffffffffa0167
[415165.730799] [<ffffffff81626
[415165.737909] [<ffffffff81626
[415165.744824] [<ffffffff81627
[415165.751644] [<ffffffff81627
[415165.758248] [<ffffffff8106c
[415165.764694] [<ffffffff8106d
[415165.770968] [<ffffffff81735
[415165.777058] [<ffffffff8172b
[415165.783041] <EOI>
[415165.783127]
[415165.788840] [<ffffffff815d5
[415165.794659] [<ffffffff815d5
[415165.800468] [<ffffffff8101d
[415165.806126] [<ffffffff810bf
[415165.811862] [<ffffffff81041
[415165.817479] Code: 32 74 04 48 89 71 08 5b 5d c3 66 90 66 66 66 66 90 55 48 89 e5 41 57 41 89 f7 41 56 49 89 d6 41 55 41 54 53 48 89 cb 48 83 ec 18 <f6> 82 a3 00 00 00 10 48 89 7d c8 48 c7 45 d0 00 00 00 00 0f 85
[415165.834611] RIP [<ffffffffa015e
[415165.845643] RSP <ffff88203fce3b88>
[415165.851171] CR2: 00000000000000a3
_______
After analysis we provided a 3.13 kernel patched with commit 1e16aa3ddf863c6
330966e501ffe28
We attempted to push the patch through the stable process here
http://
and again
http://
Unfortunately upstream stable has yet to accept these upstream.
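Added example (not part of the original report or of any Ubuntu tooling): a small triage script that decodes the faulting instruction marked `<f6>` in the oops Code line and checks that it explains the CR2 value. The register, CR2 and Code lines are copied from the trace above; the function names are hypothetical, and the decoder handles only this one instruction encoding.

```python
import re

# Register, CR2 and Code lines copied from the oops on this page.
OOPS = """\
[415165.487411] RAX: 0000000000000000 RBX: ffff88203fce3ce8 RCX: ffff88203fce3ce8
[415165.502430] RDX: 0000000000000000 RSI: 000000000000000e RDI: ffffffff81cdab00
[415165.588725] CR2: 00000000000000a3 CR3: 0000000001c0e000 CR4: 00000000000427e0
[415165.817479] Code: 32 74 04 48 89 71 08 5b 5d c3 66 90 66 66 66 66 90 55 48 89 e5 41 57 41 89 f7 41 56 49 89 d6 41 55 41 54 53 48 89 cb 48 83 ec 18 <f6> 82 a3 00 00 00 10 48 89 7d c8 48 c7 45 d0 00 00 00 00 0f 85
"""

# ModRM r/m register numbering on x86-64 when no REX.B prefix is present.
RM_REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]
PAGE_SIZE = 4096


def parse_oops(text):
    """Return (register values, bytes from the faulting instruction on)."""
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b", text)}
    code = re.search(r"Code: (.*)", text).group(1).split()
    # The kernel wraps the first byte of the faulting instruction in <>.
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    return regs, bytes(int(b.strip("<>"), 16) for b in code[start:])


def decode_fault(regs, insn):
    """Decode F6 /0 (test r/m8, imm8) with a register base and disp32."""
    mod, reg, rm = insn[1] >> 6, (insn[1] >> 3) & 7, insn[1] & 7
    if insn[0] != 0xF6 or reg != 0 or mod != 2 or rm == 4:
        raise ValueError("only F6 /0 with mod=10 and no SIB byte is handled")
    disp = int.from_bytes(insn[2:6], "little", signed=True)
    base = RM_REGS[rm]
    addr = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "insn": f"testb $0x{insn[6]:x}, 0x{disp:x}(%{base.lower()})",
        "base": base, "base_value": regs[base], "offset": disp,
        "addr": addr, "matches_cr2": addr == regs["CR2"],
        # A zero base plus a small offset is a NULL struct-pointer access.
        "null_deref": regs[base] == 0 and 0 <= disp < PAGE_SIZE,
    }


if __name__ == "__main__":
    print(decode_fault(*parse_oops(OOPS)))
```

The fault is at +0x1f, inside a function prologue that only copies RDX to R14, so the NULL value is the third argument as passed in by the caller (x86-64 System V calling convention).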
description: updated
Changed in linux (Ubuntu):
status: Incomplete → In Progress
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: In Progress → Invalid
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu Trusty):
assignee: nobody → Dave Chiluk (chiluk)
tags: added: verification-done-trusty removed: verification-needed-trusty
Changed in linux (Ubuntu Trusty):
milestone: none → trusty-updates
Changed in linux (Ubuntu):
milestone: trusty-updates → none
Changed in linux (Ubuntu Trusty):
importance: Undecided → Medium
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1497048
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.