On Tue, 2015-07-14 at 17:20 +0900, Simon Horman wrote:
> [Cc Hannes]
>
> On Fri, Jun 26, 2015 at 03:18:45AM -0700, Alex Gartrell wrote:
> > Previously there was a trivial panic
> >
> > unshare -n /bin/bash <<EOF
> > ip addr add dev lo face::1/128
> > ipvsadm -A -t [face::1]:15213
> > ipvsadm -a -t [face::1]:15213 -r b00c::1
> > echo boom | nc face::1 15213
> > EOF
> >
> > This patch allows us to replicate the net logic above and simply
> > capture
> > the skb_dst(skb)->dev and use that for the purpose of the
> > invocation.
> >
> > Signed-off-by: Alex Gartrell <agartrell@xxxxxx>
> > ---
> > net/netfilter/ipvs/ip_vs_xmit.c | 7 +++++++
> > 1 file changed, 7 insertions(+)
> >
> > diff --git a/net/netfilter/ipvs/ip_vs_xmit.c
> > b/net/netfilter/ipvs/ip_vs_xmit.c
> > index bf66a86..b99d806 100644
> > --- a/net/netfilter/ipvs/ip_vs_xmit.c
> > +++ b/net/netfilter/ipvs/ip_vs_xmit.c
> > @@ -505,6 +505,13 @@ err_put:
> > return -1;
> >
> > err_unreach:
> > + /* The ip6_link_failure function requires the dev field to
> > be set
> > + * in order to get the net (further for the sake of fwmark
> > + * reflection).
> > + */
> > + if (!skb->dev)
> > + skb->dev = skb_dst(skb)->dev;
> > +
> > dst_link_failure(skb);
> > return -1;
> > }
>
>
> My reading of this is that the above:
>
> Fixes: 1eb4f7582868 ("ipv6: in case of link failure remove route
> directly instead of letting it expire")
>
> As it seems to me that it is that patch that causes ip6_link_failure
> to
> require the dev field to be set.
>
> Does that seem sane?
>From what dst_link_failure -> ip6_link_failure expects the patch does
make sense.
But the Fixes tag is wrong, because the panic should be triggered during
dereferencing dev_net(skb->dev) in icmp6_send. This part was not touched
by my patch.
Bye,
Hannes
--
To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
