From e92669badd3f1b17fd3f6247b45f3de129bc108f Mon Sep 17 00:00:00 2001 From: Joe Stringer Date: Tue, 12 Jul 2016 15:26:18 -0700 Subject: [PATCH] compat: Fix IPv6 frag expiry crash. If a user sends some fragments of an IPv6 message through OVS, but OVS fails to assemble the IPv6 message and the OVS module is then unloaded before the fragments expire, it could lead to a kernel panic like the following: Call Trace: [] ? call_timer_fn+0x39/0x130 [] run_timer_softirq+0x20e/0x2c0 [] __do_softirq+0xdd/0x290 [] do_softirq_own_stack+0x1c/0x30 [] do_softirq+0x4f/0x60 [] __local_bh_enable_ip+0x85/0x90 [] inet_frags_exit_net+0x6f/0xc0 [] nf_ct_net_exit+0x43/0x50 [nf_defrag_ipv6] [] ops_exit_list.isra.4+0x38/0x60 [] unregister_pernet_operations+0x96/0xe0 [] unregister_pernet_subsys+0x25/0x40 [] nf_ct_frag6_cleanup+0x15/0x23 [nf_defrag_ipv6] [] nf_defrag_fini+0x1a/0xcdd [nf_defrag_ipv6] [] SyS_delete_module+0x18d/0x220 [] entry_SYSCALL_64_fastpath+0x16/0x75 Code: Bad RIP value. RIP [] 0xffffffffc030f990 RSP CR2: ffffffffc030f990 ---[ end trace 3bd8c1bbc4478fe2 ]--- Kernel panic - not syncing: Fatal exception in interrupt Fixes: 73b09aff14c7 ("compat: Backport IPv6 reassembly.") Reported-by: Jarno Rajahalme Signed-off-by: Joe Stringer Acked-by: Pravin B Shelar --- datapath/linux/compat/nf_conntrack_reasm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/datapath/linux/compat/nf_conntrack_reasm.c b/datapath/linux/compat/nf_conntrack_reasm.c index 5000351e966..ca19a9ff9d5 100644 --- a/datapath/linux/compat/nf_conntrack_reasm.c +++ b/datapath/linux/compat/nf_conntrack_reasm.c @@ -581,7 +581,7 @@ static int nf_ct_net_init(struct net *net) static void nf_ct_net_exit(struct net *net) { - inet_frags_exit_net(&net->ipv6.frags, &nf_frags); + inet_frags_exit_net(&net->nf_frag.frags, &nf_frags); } static struct pernet_operations nf_ct_net_ops = {
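Review bot: in nf_ct_net_exit(), the switch to &net->nf_frag.frags is only correct if nf_ct_net_init() initialises that same netns_frags, and the body of nf_ct_net_init() is not in the hunk context, so please confirm that init and exit are symmetric. A one-line comment in nf_ct_net_exit() saying it must mirror the init path would help keep them from drifting apart again. The commit message describes how to reach the panic but not the cause. It would help to state that the exit path was tearing down net->ipv6.frags rather than this module's own per-netns fragment state, which presumably left its pending fragment queues and their expiry timers alive after unload. That would match the call_timer_fn frame and the bad RIP in the trace. Because the file lives under datapath/linux/compat, also check that the nf_frag member of struct net exists on every kernel version this backport is built against, or guard the access accordingly.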