WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] Re: Panic in ipt_do_table with 2.6.16.13-xen

To: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Subject: Re: [Xen-devel] Re: Panic in ipt_do_table with 2.6.16.13-xen
From: Gerd Hoffmann <kraxel@xxxxxxx>
Date: Wed, 24 May 2006 09:16:37 +0200
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>, Netfilter Development Mailinglist <netfilter-devel@xxxxxxxxxxxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, Matt Ayres <matta@xxxxxxxxxxxx>, Patrick McHardy <kaber@xxxxxxxxx>
Delivery-date: Wed, 24 May 2006 00:17:12 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <5e589307bfef58553bfda1d7ab47f9f3@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <4468BE70.7030802@xxxxxxxxxxxx> <4468D613.20309@xxxxxxxxx> <44691669.4080903@xxxxxxxxxxxx> <Pine.LNX.4.64.0605152331140.10964@xxxxxxx> <4469D84F.8080709@xxxxxxxxxxxx> <Pine.LNX.4.64.0605161127030.16379@xxxxxxx> <446D0A0D.5090608@xxxxxxxxxxxx> <Pine.LNX.4.64.0605182002330.6528@xxxxxxx> <446D0E6D.2080600@xxxxxxxxxxxx> <446D151D.6030307@xxxxxxxxxxxx> <4470A6CD.5010501@xxxxxxxxx> <4471CB54.401@xxxxxxxxxxxx> <4471CE19.5070802@xxxxxxxxx> <bf76eefc5234d32440c822acd2879a8a@xxxxxxxxxxxx> <44737D53.9050006@xxxxxxxxxxxx> <5e589307bfef58553bfda1d7ab47f9f3@xxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.2 (X11/20060411)
>> As the concerned user, what does this mean to me?  It will only affect
>> SMP systems?  It is a bug in Xen or netfilter?
> 
> Probably a Xen bug, but if so then it's basically a memory corruption.

Might also be a netfilter bug which is simply triggered by the way how
xen manages the memory.  Due to ballooning you can have holes in memory,
so out-of-range access may fault with xen whereas it will go unnoticed
with normal kernels.

One such beast is in bridging netfilter code, additionally it triggers
with certain ethernet cards only, patch below.  Pinned down last week ;)

cheers,

  Gerd
Subject: nf_bridge: ethernet header is 14 not 16 bytes
From: jbeulich@xxxxxxxxxx
Acked-by: kraxel@xxxxxxx
References: 150410

The bridge netfilter code saves two more bytes that it should.
In most cases it doesn't hurt because many drivers use NET_IP_ALIGN
to make the IP header aligned, so there are two extra bytes head room
available.

Some drivers don't do that though (sky2 for example), so copying
accesses data outside the skbuff data allocation.  On xen kernels
this can kill the machine with a page fault due to the way how
skbuffs are allocated and the memory is managed.

Index: linux-2.6.16/include/linux/netfilter_bridge.h
===================================================================
--- linux-2.6.16.orig/include/linux/netfilter_bridge.h
+++ linux-2.6.16/include/linux/netfilter_bridge.h
@@ -73,14 +73,14 @@ void nf_bridge_maybe_copy_header(struct 
                        memcpy(skb->data - 18, skb->nf_bridge->data, 18);
                        skb_push(skb, 4);
                } else
-                       memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+                       memcpy(skb->data - 14, skb->nf_bridge->data, 14);
        }
 }
 
 static inline
 void nf_bridge_save_header(struct sk_buff *skb)
 {
-        int header_size = 16;
+        int header_size = 14;
 
        if (skb->protocol == __constant_htons(ETH_P_8021Q))
                header_size = 18;
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel