1 | From bb765e4e02251f185577f65240c7882b0b1bf482 Mon Sep 17 00:00:00 2001 |
2 | From: Eric Dumazet <edumazet@google.com> | |
3 | Date: Wed, 6 Mar 2013 11:02:37 +0000 | |
4 | Subject: tun: add a missing nf_reset() in tun_net_xmit() | |
5 | ||
6 | ||
7 | From: Eric Dumazet <edumazet@google.com> | |
8 | ||
9 | [ Upstream commit f8af75f3517a24838a36eb5797a1a3e60bf9e276 ] | |
10 | ||
11 | Dave reported following crash : | |
12 | ||
13 | general protection fault: 0000 [#1] SMP | |
14 | CPU 2 | |
15 | Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch | |
16 | RIP: 0010:[<ffffffffa0399bd5>] [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack] | |
17 | RSP: 0018:ffff880276913d78 EFLAGS: 00010206 | |
18 | RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00 | |
19 | RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002 | |
20 | RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900 | |
21 | R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40 | |
22 | R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002 | |
23 | FS: 00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000 | |
24 | CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b | |
25 | CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0 | |
26 | DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 | |
27 | DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 | |
28 | Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720) | |
29 | Stack: | |
30 | ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7 | |
31 | ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100 | |
32 | ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470 | |
33 | Call Trace: | |
34 | [<ffffffff815534f7>] nf_conntrack_destroy+0x17/0x20 | |
35 | [<ffffffff8151a74b>] skb_release_head_state+0x7b/0x100 | |
36 | [<ffffffff8151a5a6>] __kfree_skb+0x16/0xa0 | |
37 | [<ffffffff8151a666>] kfree_skb+0x36/0xa0 | |
38 | [<ffffffff8151a8e0>] skb_queue_purge+0x20/0x40 | |
39 | [<ffffffffa02205f7>] __tun_detach+0x117/0x140 [tun] | |
40 | [<ffffffffa022184c>] tun_chr_close+0x3c/0xd0 [tun] | |
41 | [<ffffffff8119669c>] __fput+0xec/0x240 | |
42 | [<ffffffff811967fe>] ____fput+0xe/0x10 | |
43 | [<ffffffff8107eb27>] task_work_run+0xa7/0xe0 | |
44 | [<ffffffff810149e1>] do_notify_resume+0x71/0xb0 | |
45 | [<ffffffff81640152>] int_signal+0x12/0x17 | |
46 | Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0 | |
47 | RIP [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack] | |
48 | RSP <ffff880276913d78> | |
49 | ||
50 | This is because tun_net_xmit() needs to call nf_reset() | |
51 | before queuing skb into receive_queue | |
52 | ||
53 | Reported-by: Dave Jones <davej@redhat.com> | |
54 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
55 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
56 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
57 | --- | |
58 | drivers/net/tun.c | 2 ++ | |
59 | 1 file changed, 2 insertions(+) | |
60 | ||
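--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -748,6 +748,8 @@ static netdev_tx_t tun_net_xmit(struct s
 goto drop;
 skb_orphan(skb);
 
+ nf_reset(skb);
+
 /* Enqueue packet */
 skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb);
 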
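Review bot: The added `nf_reset(skb);` in tun_net_xmit() has no comment, so the reason for it is only recoverable from the commit message. The skb is parked on `sk_receive_queue` and, per the trace, can be freed much later from `skb_queue_purge()` in `__tun_detach()`, where `destroy_conntrack()` faults. The non-pointer-looking RAX value suggests a stale conntrack reference rather than a NULL dereference, though that is inferred from the oops alone. I would put a comment above the call, for example `/* Drop netfilter/conntrack state before queueing: the skb may be freed later from __tun_detach() */`. The body of tun_net_xmit() starts and ends outside this hunk, so whether other enqueue paths onto a socket receive queue need the same reset cannot be judged from here.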