bugzilla-daemon@netfilter.org
2003-Mar-04 22:10 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bowles@ambisys.com
          Component|unknown                     |ip_tables (kernel)
         OS/Version|other                       |All
           Platform|other                       |All

------- Additional Comments From laforge@netfilter.org 2003-03-04 23:10 -------
I have now tried to reproduce this bug by creating the same test setup. Unfortunately I'm not able to reproduce it.

However, your claim is definitely valid, at least in the --reject-with tcp-reset case. The new skb is allocated prior to the routing decision, and we thus might run out of headroom in the skb.

When sending an ICMP unreachable, we first make the routing decision and then allocate the new skb according to the hh_len of the outgoing interface.

I don't see how your problem can ever happen when you reject with an ICMP packet.

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon@netfilter.org
2003-Mar-04 22:40 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

------- Additional Comments From laforge@netfilter.org 2003-03-04 23:40 -------
ah, I see. The problem didn't happen with my openvpn setup, since I was using the 'tap' device, which actually has the same hh_len as ethernet.

Using the 'tun' device, I could reproduce the problem - but only for the tcp-reset case.

I'll attach the proposed fix. Please try this patch and report back to me. Thanks.
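
Added example, not part of the bug thread and not the attached patch: a userspace C model of the two orderings described in the comments above (headroom fixed before routing for the TCP RST, sized after routing for the ICMP unreachable). `struct buf`, the function names and the sample hh_len values are assumptions of this model, which also assumes the pre-routing headroom equals the incoming device's hh_len.

```c
/* Added example: userspace model of skb headroom, not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define SAMPLE_TUN_HH 0   /* constructed: device with no link-layer header */
#define SAMPLE_ETH_HH 14  /* Ethernet header length */
struct buf {                  /* hypothetical stand-in for struct sk_buff */
    unsigned char store[128]; /* backing storage */
    unsigned char *head;      /* start of storage */
    unsigned char *data;      /* start of packet; headroom = data - head */
};
static size_t headroom(const struct buf *b) { return (size_t)(b->data - b->head); }

/* Lay out a packet of len bytes with `reserve` bytes of headroom in front. */
static int buf_init(struct buf *b, size_t reserve, size_t len)
{
    if (reserve + len > sizeof b->store) return -1;
    memset(b->store, 0, sizeof b->store);
    b->head = b->store;
    b->data = b->head + reserve;
    return 0;
}
/* Prepend n header bytes; refuse rather than move data below head. */
static int buf_push(struct buf *b, size_t n)
{
    if (headroom(b) < n) return -1;
    b->data -= n;
    return 0;
}

/* TCP RST order: headroom fixed before routing (assumed = incoming hh_len). */
int rst_alloc_then_route(size_t in_hh, size_t out_hh, size_t ip_len)
{
    struct buf b;
    if (buf_init(&b, in_hh, ip_len)) return -1;
    return buf_push(&b, out_hh);   /* fails when out_hh > in_hh */
}

/* ICMP order: route first, then size headroom from the outgoing hh_len. */
int icmp_route_then_alloc(size_t out_hh, size_t ip_len)
{
    struct buf b;
    if (buf_init(&b, out_hh, ip_len)) return -1;
    return buf_push(&b, out_hh);
}
int main(void)
{
    printf("RST tun->eth: %d, ICMP ->eth: %d\n",
           rst_alloc_then_route(SAMPLE_TUN_HH, SAMPLE_ETH_HH, 40),
           icmp_route_then_alloc(SAMPLE_ETH_HH, 40));
    return 0;
}
```

With equal incoming and outgoing hh_len (the 'tap' case) the RST ordering also succeeds, which matches the first failed attempt to reproduce.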
bugzilla-daemon@netfilter.org
2003-Mar-04 22:57 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From laforge@netfilter.org 2003-03-04 23:46 -------
Created an attachment (id=11)
proposed fix for ipt_REJECT skb_headroom() issue with TCP RST

------- Additional Comments From laforge@netfilter.org 2003-03-04 23:57 -------
closing this bug, please reopen if the problem persists.
bugzilla-daemon@netfilter.org
2003-Mar-05 01:15 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

bowles@ambisys.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From bowles@ambisys.com 2003-03-05 02:15 -------
The patch didn't apply cleanly to 2.4.21-pre5 (one reject). I tried manually adding the rejected part, but the compile failed with "unknown field nl_u".

Can your patch be backported to 2.4?

Thanks,

ipt_REJECT.c: In function `send_reset':
ipt_REJECT.c:69: variable `fl' has initializer but incomplete type
ipt_REJECT.c:69: unknown field `nl_u' specified in initializer
ipt_REJECT.c:69: extra brace group at end of initializer
ipt_REJECT.c:69: (near initialization for `fl')
ipt_REJECT.c:70: extra brace group at end of initializer
ipt_REJECT.c:70: (near initialization for `fl')
ipt_REJECT.c:75: warning: excess elements in struct initializer
ipt_REJECT.c:75: warning: (near initialization for `fl')
ipt_REJECT.c:69: storage size of `fl' isn't known
ipt_REJECT.c:69: warning: unused variable `fl'
make[3]: *** [ipt_REJECT.o] Error 1
bugzilla-daemon@netfilter.org
2003-Mar-05 07:54 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From laforge@netfilter.org 2003-03-05 08:53 -------
Created an attachment (id=13)
proposed patch for 2.4.x kernels

------- Additional Comments From laforge@netfilter.org 2003-03-05 08:54 -------
sorry, I've now created a 2.4.x patch (attachment #13), also in patch-o-matic. Please test.
bugzilla-daemon@netfilter.org
2003-Mar-07 08:09 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

bowles@ambisys.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From bowles@ambisys.com 2003-03-07 09:09 -------
Hmm... I'm getting a different kernel oops when the 2.4 patch is applied. This time my setup is simple: an ADSL PPPoE connection with MSS clamping at 1412 bytes. The default iptables policy is REJECT. Telnetting to the box will cause a TCP reset to be generated, and this causes the OOPS.

I tried the same procedure using an unpatched kernel and the OOPS didn't occur.

Kernel: 2.4.21-pre5
iptables patch-o-matic 20030112 with "23_REJECT-headroom-tcprst.patch"

---
Unable to handle kernel paging request at virtual address 5a5a5a6a
*pde = 00000000
Oops: 0000
CPU:    0
EIP:    0010:[<d01ad12a>]    Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010246
eax: 5a5a5a5a   ebx: 00000000   ecx: c13c9e08   edx: 5a5a5a5a
esi: 00000000   edi: c8e7db14   ebp: c02ebd68   esp: c02ebd24
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 0, stackpage=c02eb000)
Stack: c02ebd48 0000001c d01bd9a6 c13c9e08 c13c9e08 00000001 d01d28f4 cc0ee200
       cc0ee200 c02ebd78 d01bd796 d01bdae3 d01d2914 c13c9df4 d01d3cbc d01d3c4c
       00000002 c02ebd78 d01ad918 c8e7db14 00000000 c02ebddc d0068398 c02ebe70
Call Trace: [<d01bd9a6>] [<d01bd796>] [<d01bdae3>] [<d01ad918>] [<d0068398>] [<d006b138>]
   [<d006b138>] [<d006d638>] [<d006d07f>] [<d006d5e0>] [<c022035b>] [<c022d2c0>]
   [<c02206aa>] [<c022d2c0>] [<d006d638>] [<c022d25c>] [<c022d2c0>] [<c022c51d>]
   [<c02206eb>] [<c022c16e>] [<c022c350>] [<c021a34c>] [<c021a473>] [<c021a593>]
   [<c011c16a>] [<c010a35c>] [<c0107140>] [<c010c7f8>] [<c0107140>] [<c0107167>]
   [<c01071e2>] [<c0105000>]
Code: 8b 4a 10 74 03 8b 5a 0c 8a 40 01 89 5d d8 83 e0 1e 89 4d d4

>>EIP; d01ad12a <[ipt_REJECT]send_reset+aa/3f0>   <====
>>ecx; c13c9e08 <_end+109c150/fcdf3a8>
>>edi; c8e7db14 <_end+8b4fe5c/fcdf3a8>
>>ebp; c02ebd68 <init_task_union+1d68/2000>
>>esp; c02ebd24 <init_task_union+1d24/2000>

Trace; d01bd9a6 <[ipt_LOG].text.end+b6/204>
Trace; d01bd796 <[ipt_LOG]ipt_log_target+d6/1b0>
Trace; d01bdae3 <[ipt_LOG].text.end+1f3/204>
Trace; d01ad918 <[ipt_REJECT]reject+68/70>
Trace; d0068398 <[ip_tables]ipt_do_table+308/430>
Trace; d006b138 <[ip_tables]__kstrtab_ipt_register_table+0/0>
Trace; d006b138 <[ip_tables]__kstrtab_ipt_register_table+0/0>
Trace; d006d638 <[iptable_filter]ipt_ops+18/48>
Trace; d006d07f <[iptable_filter]ipt_hook+1f/30>
Trace; d006d5e0 <[iptable_filter]packet_filter+0/40>
Trace; c022035b <nf_iterate+4b/a0>
Trace; c022d2c0 <ip_forward_finish+0/50>
Trace; c02206aa <nf_hook_slow+8a/1a0>
Trace; c022d2c0 <ip_forward_finish+0/50>
Trace; d006d638 <[iptable_filter]ipt_ops+18/48>
Trace; c022d25c <ip_forward+1ac/210>
Trace; c022d2c0 <ip_forward_finish+0/50>
Trace; c022c51d <ip_rcv_finish+1cd/230>
Trace; c02206eb <nf_hook_slow+cb/1a0>
Trace; c022c16e <ip_rcv+16e/1f0>
Trace; c022c350 <ip_rcv_finish+0/230>
Trace; c021a34c <netif_receive_skb+11c/1d0>
Trace; c021a473 <process_backlog+73/130>
Trace; c021a593 <net_rx_action+63/110>
Trace; c011c16a <do_softirq+aa/b0>
Trace; c010a35c <do_IRQ+bc/e0>
Trace; c0107140 <default_idle+0/40>
Trace; c010c7f8 <call_do_IRQ+5/d>
Trace; c0107140 <default_idle+0/40>
Trace; c0107167 <default_idle+27/40>
Trace; c01071e2 <cpu_idle+42/60>
Trace; c0105000 <_stext+0/0>

Code;  d01ad12a <[ipt_REJECT]send_reset+aa/3f0>
00000000 <_EIP>:
Code;  d01ad12a <[ipt_REJECT]send_reset+aa/3f0>   <====
   0:   8b 4a 10                  mov    0x10(%edx),%ecx   <====
Code;  d01ad12d <[ipt_REJECT]send_reset+ad/3f0>
   3:   74 03                     je     8 <_EIP+0x8> d01ad132 <[ipt_REJECT]send_reset+b2/3f0>
Code;  d01ad12f <[ipt_REJECT]send_reset+af/3f0>
   5:   8b 5a 0c                  mov    0xc(%edx),%ebx
Code;  d01ad132 <[ipt_REJECT]send_reset+b2/3f0>
   8:   8a 40 01                  mov    0x1(%eax),%al
Code;  d01ad135 <[ipt_REJECT]send_reset+b5/3f0>
   b:   89 5d d8                  mov    %ebx,0xffffffd8(%ebp)
Code;  d01ad138 <[ipt_REJECT]send_reset+b8/3f0>
   e:   83 e0 1e                  and    $0x1e,%eax
Code;  d01ad13b <[ipt_REJECT]send_reset+bb/3f0>
  11:   89 4d d4                  mov    %ecx,0xffffffd4(%ebp)

<0>Kernel panic: Aiee, killing interrupt handler!
bugzilla-daemon@netfilter.org
2003-Mar-11 12:38 UTC
[Bug 22] Linux kernel crashes when incoming/outgoing interfaces differ
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=22

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |ASSIGNED

------- Additional Comments From laforge@netfilter.org 2003-03-11 13:38 -------
Created an attachment (id=15)
proposed patch for kernel 2.4.x (CVS version 1.3)

------- Additional Comments From laforge@netfilter.org 2003-03-11 13:38 -------
sorry, it was a stupid cut&paste mistake during the 2.5.x -> 2.4.x port. please try with Attachment 15 (CVS version 1.3)