[Bug 714] Kernel panics in same_src()

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Sep 9 04:48:19 CEST 2013 

https://bugzilla.netfilter.org/show_bug.cgi?id=714

lizhao09 at huawei.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lizhao09 at huawei.com

--- Comment #15 from lizhao09 at huawei.com 2013-09-09 04:48:17 CEST ---
Here is another case related to this issue.
version: 2.6.32.43-0.4-default
hardware: X86_64

[10542399.515396] BUG: unable to handle kernel NULL pointer dereference at
000000000000003e
[10542399.523469] IP: [<ffffffffa1491a4b>] find_appropriate_src+0xdb/0x1a0
[nf_nat]
[10542399.530843] PGD 17f55ec067 PUD 17fba37067 PMD 0
[10542399.535727] Oops: 0000 [#1] SMP
[10542399.539220] last sysfs file:
/sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
[10542399.547355] CPU 8
[10542399.647544] Supported: Yes, External
[10542399.651361] Pid: 0, comm: swapper Tainted: P          NX
2.6.32.43-0.4-default #1 Thurley
[10542399.659755] RIP: 0010:[<ffffffffa1491a4b>]  [<ffffffffa1491a4b>]
find_appropriate_src+0xdb/0x1a0 [nf_nat]
[10542399.669552] RSP: 0018:ffff88002c3039f0  EFLAGS: 00010286
[10542399.675095] RAX: 0000000000000000 RBX: ffff8817814beb90 RCX:
0000000024852261
[10542399.682454] RDX: 0000000000000000 RSI: 00000000327c4d71 RDI:
ffffffff81cd4dc0
[10542399.689812] RBP: ffff88002c303ad0 R08: 0000000000000011 R09:
0000000000000002
[10542399.697170] R10: 0000000000004000 R11: ffffffffa14726e0 R12:
ffff88002c303aa0
[10542399.704529] R13: ffff88002c303b40 R14: ffff88002c303b4c R15:
ffff88002c303b4e
[10542399.711888] FS:  0000000000000000(0000) GS:ffff88002c300000(0000)
knlGS:0000000000000000
[10542399.720199] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[10542399.726175] CR2: 000000000000003e CR3: 00000017f67f1000 CR4:
00000000000006e0
[10542399.733534] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[10542399.740893] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[10542399.748254] Process swapper (pid: 0, threadinfo ffff881810db2000, task
ffff881810db0080)
[10542399.756560] Stack:
[10542399.758821]  00000000ffffffff ffff88002c303aa0 ffff88002c303ad0
ffff88002c303b40
[10542399.766301] <0> 0000000000000000 ffff8817f7d639e8 0000000000000100
ffffffffa1491beb
[10542399.774237] <0> ffff88002c303ad0 ffff8817f7d639e8 ffff88002c303b40
ffff88002c303aa0
[10542399.782365] Call Trace:
[10542399.785085]  [<ffffffffa1491beb>] get_unique_tuple+0xdb/0x240 [nf_nat]
[10542399.791847]  [<ffffffffa1491de9>] nf_nat_setup_info+0x99/0x350 [nf_nat]
[10542399.798697]  [<ffffffffa149e162>] alloc_null_binding+0x52/0x90
[iptable_nat]
[10542399.805977]  [<ffffffffa149e519>] nf_nat_fn+0x1e9/0x280 [iptable_nat]
[10542399.812654]  [<ffffffff81318d18>] nf_iterate+0x68/0xa0
[10542399.818031]  [<ffffffff81318db2>] nf_hook_slow+0x62/0xf0
[10542399.823582]  [<ffffffff813214a1>] ip_local_deliver+0x51/0x80
[10542399.829477]  [<ffffffff81320a59>] ip_rcv_finish+0x1b9/0x440
[10542399.835288]  [<ffffffff812f5f89>] netif_receive_skb+0x599/0x6a0
[10542399.841454]  [<ffffffffa0ea4837>] ixgbe_clean_rx_irq+0x3d7/0xe50 [ixgbe]
[10542399.848397]  [<ffffffffa0ea53e4>] ixgbe_clean_rxtx_many+0x134/0x270
[ixgbe]
[10542399.855595]  [<ffffffff812f6863>] net_rx_action+0xe3/0x1a0
[10542399.861318]  [<ffffffff810533ef>] __do_softirq+0xbf/0x170
[10542399.866956]  [<ffffffff810040bc>] call_softirq+0x1c/0x30
[10542399.872506]  [<ffffffff81005cfd>] do_softirq+0x4d/0x80
[10542399.877883]  [<ffffffff81053275>] irq_exit+0x85/0x90
[10542399.883087]  [<ffffffff8100525e>] do_IRQ+0x6e/0xe0
[10542399.888120]  [<ffffffff81003913>] ret_from_intr+0x0/0xa
[10542399.893582]  [<ffffffff8100ae42>] mwait_idle+0x62/0x70
[10542399.898957]  [<ffffffff8100204a>] cpu_idle+0x5a/0xb0
[10542399.904159] Code: 00 00 00 4d 8d 7d 0e 4d 8d 75 0c 48 89 c3 eb 14 48 8b
03 48 85 c0 0f 84 84 00 00 00 44 0f b6 45 26 48 89 c3 48 8b 53 20 48 8b 03 <44>
38 42 3e 0f 18 08 75 dc 8b 42 18 3b 45 00 75 d4 0f b7 42 28

>From the vmcore,we found that: 

1 OOPS occured at the statement 't->dst.protonum == tuple->dst.protonum' in
inline function same_src. 

2 The first parameter of same_src "ct" is NULL,The value of 'ct' came from 'ct
= nat->ct'.

3 Read the content of the 'nat', all member's value are zero. The 'nat' has
been freed ?  

static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
{
    struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT);

    if (nat == NULL || nat->ct == NULL)
        return;

    NF_CT_ASSERT(nat->ct->status & IPS_NAT_DONE_MASK);

    spin_lock_bh(&nf_nat_lock);
    hlist_del_rcu(&nat->bysource); 
    spin_unlock_bh(&nf_nat_lock);
         //no synchronize_rcu here
}

void nf_conntrack_free(struct nf_conn *ct)
{
  struct net *net = nf_ct_net(ct);
  nf_ct_ext_destroy(ct); //For NAT,it will call nf_nat_cleanup_conntrack
  atomic_dec(&net->ct.count);    
  nf_ct_ext_free(ct);  // Free nat-extention memory by kfree; is it possible
that the extention was still used in a RCU read side (same_src)?
  kmem_cache_free(net->ct.nf_conntrack_cachep, ct);
}

Is it safe to call function 'synchronize_rcu' at the end of function
nf_nat_cleanup_conntrack 
or
replace rcu_read_lock with spin_lock_bh(&nf_nat_lock) in RCU read side
(same_src)?


the output of "iptables -t nat -nvL" :

JINLUB017_01:~ # iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 22M packets, 2590M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  pubeth9 *       0.0.0.0/0            0.0.0.0/0 
         udp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  pubeth9 *       0.0.0.0/0            0.0.0.0/0 
         tcp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       udp  --  pubeth4 *       0.0.0.0/0            0.0.0.0/0 
         udp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  pubeth4 *       0.0.0.0/0            0.0.0.0/0 
         tcp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       udp  --  pubeth3 *       0.0.0.0/0            0.0.0.0/0 
         udp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  pubeth3 *       0.0.0.0/0            0.0.0.0/0 
         tcp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       udp  --  pubeth2 *       0.0.0.0/0            0.0.0.0/0 
         udp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  pubeth2 *       0.0.0.0/0            0.0.0.0/0 
         tcp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       udp  --  pubeth10 *       0.0.0.0/0            0.0.0.0/0
          udp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  pubeth10 *       0.0.0.0/0            0.0.0.0/0
          tcp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       udp  --  pubeth1 *       0.0.0.0/0            0.0.0.0/0 
         udp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  pubeth1 *       0.0.0.0/0            0.0.0.0/0 
         tcp dpt:4045 to:172.17.136.2:4045
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.53.1
        tcp dpt:80 to:172.18.53.1:8080

Chain POSTROUTING (policy ACCEPT 88090 packets, 6081K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      priveth0  0.0.0.0/0           
172.17.136.2        tcp dpt:4045 to:172.17.136.153
    0     0 SNAT       tcp  --  *      *       172.18.53.1          0.0.0.0/0  
        tcp spt:8080 to:172.18.53.1:80

Chain OUTPUT (policy ACCEPT 88090 packets, 6081K bytes)
pkts bytes target     prot opt in     out     source               destination

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the netfilter-buglog mailing list