From patchwork Wed Mar  6 21:02:37 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Dumazet <eric.dumazet@gmail.com>
X-Patchwork-Id: 225653
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 014DA2C038F
	for <patchwork-incoming@ozlabs.org>;
	Thu,  7 Mar 2013 08:02:46 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755197Ab3CFVCm (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 6 Mar 2013 16:02:42 -0500
Received: from mail-pb0-f49.google.com ([209.85.160.49]:58548 "EHLO
	mail-pb0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752971Ab3CFVCl (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 6 Mar 2013 16:02:41 -0500
Received: by mail-pb0-f49.google.com with SMTP id xa12so6585954pbc.36
	for <netdev@vger.kernel.org>; Wed, 06 Mar 2013 13:02:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=x-received:message-id:subject:from:to:cc:date:in-reply-to
	:references:content-type:x-mailer:content-transfer-encoding
	:mime-version;
	bh=N26iq+tQlBssz79YKKXcUmhzCwz/DSdIGHmhw0Hdl/U=;
	b=q51ximQZ8XYDbw1CtguctCwbMVslqK3ubylXGSq9+TBcN8VSQrVHrd6MAyrlXoAeRo
	RqsvLGMH/xkcck0sXCbu1Pz2qEcLNTgEMrm6+6qNN9raH+S3DMSD7xOJ/cEC5qoRdf+u
	KyVBhjBxpl8DAA1YSIGhd2IHdLkcJY/bBabStK7m3YDnQSWp24WW5xxRWKVtuEVVxTUB
	vVnCR4oggyk/NxLENiFsNs4qCZTckfGSUgQYEFh4MznNyfmGolNxufRInGy3GX0/5Tpq
	bhpIXVhOee02+qcuB5S7CDvwukd8C+7P3KbUAtAtHz5RSGWn2koAmsJRQRjgCmudsuit
	mp9w==
X-Received: by 10.68.204.68 with SMTP id kw4mr37771431pbc.76.1362603760817;
	Wed, 06 Mar 2013 13:02:40 -0800 (PST)
Received: from [172.19.246.78] ([172.19.246.78])
	by mx.google.com with ESMTPS id
	rr14sm32792907pbb.34.2013.03.06.13.02.38
	(version=SSLv3 cipher=RC4-SHA bits=128/128);
	Wed, 06 Mar 2013 13:02:39 -0800 (PST)
Message-ID: <1362603757.15793.186.camel@edumazet-glaptop>
Subject: [PATCH] tun: add a missing nf_reset() in tun_net_xmit()
From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: davej@redhat.com, netdev@vger.kernel.org, kernel-team@fedoraproject.org
Date: Wed, 06 Mar 2013 13:02:37 -0800
In-Reply-To: <20130306.154641.1893414808816499940.davem@davemloft.net>
References: <20130306155955.GA24215@redhat.com>
	<1362588847.15793.180.camel@edumazet-glaptop>
	<20130306.154641.1893414808816499940.davem@davemloft.net>
X-Mailer: Evolution 3.2.3-0ubuntu6 
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet <edumazet@google.com>

Dave reported following crash :

general protection fault: 0000 [#1] SMP 
CPU 2 
Pid: 25407, comm: qemu-kvm Not tainted 3.7.9-205.fc18.x86_64 #1 Hewlett-Packard HP Z400 Workstation/0B4Ch
RIP: 0010:[<ffffffffa0399bd5>]  [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack]
RSP: 0018:ffff880276913d78  EFLAGS: 00010206
RAX: 50626b6b7876376c RBX: ffff88026e530d68 RCX: ffff88028d158e00
RDX: ffff88026d0d5470 RSI: 0000000000000011 RDI: 0000000000000002
RBP: ffff880276913d88 R08: 0000000000000000 R09: ffff880295002900
R10: 0000000000000000 R11: 0000000000000003 R12: ffffffff81ca3b40
R13: ffffffff8151a8e0 R14: ffff880270875000 R15: 0000000000000002
FS:  00007ff3bce38a00(0000) GS:ffff88029fc40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007fd1430bd000 CR3: 000000027042b000 CR4: 00000000000027e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process qemu-kvm (pid: 25407, threadinfo ffff880276912000, task ffff88028c369720)
Stack:
 ffff880156f59100 ffff880156f59100 ffff880276913d98 ffffffff815534f7
 ffff880276913db8 ffffffff8151a74b ffff880270875000 ffff880156f59100
 ffff880276913dd8 ffffffff8151a5a6 ffff880276913dd8 ffff88026d0d5470
Call Trace:
 [<ffffffff815534f7>] nf_conntrack_destroy+0x17/0x20
 [<ffffffff8151a74b>] skb_release_head_state+0x7b/0x100
 [<ffffffff8151a5a6>] __kfree_skb+0x16/0xa0
 [<ffffffff8151a666>] kfree_skb+0x36/0xa0
 [<ffffffff8151a8e0>] skb_queue_purge+0x20/0x40
 [<ffffffffa02205f7>] __tun_detach+0x117/0x140 [tun]
 [<ffffffffa022184c>] tun_chr_close+0x3c/0xd0 [tun]
 [<ffffffff8119669c>] __fput+0xec/0x240
 [<ffffffff811967fe>] ____fput+0xe/0x10
 [<ffffffff8107eb27>] task_work_run+0xa7/0xe0
 [<ffffffff810149e1>] do_notify_resume+0x71/0xb0
 [<ffffffff81640152>] int_signal+0x12/0x17
Code: 00 00 04 48 89 e5 41 54 53 48 89 fb 4c 8b a7 e8 00 00 00 0f 85 de 00 00 00 0f b6 73 3e 0f b7 7b 2a e8 10 40 00 00 48 85 c0 74 0e <48> 8b 40 28 48 85 c0 74 05 48 89 df ff d0 48 c7 c7 08 6a 3a a0 
RIP  [<ffffffffa0399bd5>] destroy_conntrack+0x35/0x120 [nf_conntrack]
 RSP <ffff880276913d78>

This is because tun_net_xmit() needs to call nf_reset()
before queuing skb into receive_queue

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 drivers/net/tun.c |    2 ++
 1 file changed, 2 insertions(+)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 2c6a22e..b7c457a 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -747,6 +747,8 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
 		goto drop;
 	skb_orphan(skb);
 
+	nf_reset(skb);
+
 	/* Enqueue packet */
 	skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb);