Re: [Xen-devel] Re: Panic in ipt_do_table with 220.127.116.11-xen
From: Gerd Hoffmann
Date: Wed May 24 2006 - 03:16:15 EST
>> As the concerned user, what does this mean to me? It will only affect
>> SMP systems? It is a bug in Xen or netfilter?
> Probably a Xen bug, but if so then it's basically a memory corruption.
Might also be a netfilter bug which is simply triggered by the way how
xen manages the memory. Due to ballooning you can have holes in memory,
so out-of-range access may fault with xen whereas it will go unnoticed
with normal kernels.
One such beast is in bridging netfilter code, additionally it triggers
with certain ethernet cards only, patch below. Pinned down last week ;)
Subject: nf_bridge: ethernet header is 14 not 16 bytes
The bridge netfilter code saves two more bytes that it should.
In most cases it doesn't hurt because many drivers use NET_IP_ALIGN
to make the IP header aligned, so there are two extra bytes head room
Some drivers don't do that though (sky2 for example), so copying
accesses data outside the skbuff data allocation. On xen kernels
this can kill the machine with a page fault due to the way how
skbuffs are allocated and the memory is managed.
@@ -73,14 +73,14 @@ void nf_bridge_maybe_copy_header(struct
memcpy(skb->data - 18, skb->nf_bridge->data, 18);
- memcpy(skb->data - 16, skb->nf_bridge->data, 16);
+ memcpy(skb->data - 14, skb->nf_bridge->data, 14);
void nf_bridge_save_header(struct sk_buff *skb)
- int header_size = 16;
+ int header_size = 14;
if (skb->protocol == __constant_htons(ETH_P_8021Q))
header_size = 18;