bugzilla-daemon at bugzilla.netfilter.org
2011-Oct-25 13:42 UTC
[Bug 759] New: "iptables -m recent" crashes a LXC host on lxc-stop
http://bugzilla.netfilter.org/show_bug.cgi?id=759

           Summary: "iptables -m recent" crashes a LXC host on lxc-stop
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: x86_64
        OS/Version: Ubuntu
            Status: NEW
          Severity: critical
          Priority: P5
         Component: ip_tables (kernel)
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: framstag at rus.uni-stuttgart.de
   Estimated Hours: 0.0

Created an attachment (id=369)
 --> (http://bugzilla.netfilter.org/attachment.cgi?id=369)
kernel crash traceback screenshot

I first reported this bug on the LXC (*) mailing list, but the folks there say it is a netfilter bug and I should report it to you:

vms1 is an Ubuntu 10.04 based LXC host system (4 * Xeon 64bit) with:

root@vms1:/lxc# uname -a; lxc-version
Linux vms1 2.6.38-11-server #50~lucid1-Ubuntu SMP Tue Sep 13 22:10:53 UTC 2011 x86_64 GNU/Linux
lxc version: 0.7.5

I can start an Ubuntu 10.04 container (fex) without problems:

root@vms1:/lxc# lxc-start -f fex.cfg -n fex -d -o fex.log
root@vms1:/lxc# lxc-info -n fex
state: RUNNING
pid: 4073

But when I try to stop this container with:

root@vms1:/lxc# lxc-stop -n fex

the host (vms1) crashes with a kernel traceback. After reboot of vms1 no crash traces are found in /var/log/.

I have attached vms1 to a console server, where I can make screenshots:

http://fex.rus.uni-stuttgart.de/tmp/vms1-crash.png

It's a pity, but this console server (HP IP console) cannot log ASCII based, it is GUI only. I can make only screenshots and cannot scroll back, so the beginning of the kernel crash message is missing.

But kernel 2.6.35 also crashes on lxc-stop and it writes something to /var/log/kern.log :

2011-10-24 19:34:40 [ 318.526208] br0: port 2(veth2WqDOb) entering forwarding state
2011-10-24 19:34:40 [ 318.675038] br0: port 2(veth2WqDOb) entering disabled state
2011-10-24 19:34:40 [ 318.703903] ------------[ cut here ]------------
2011-10-24 19:34:40 [ 318.703960] kernel BUG at /build/buildd/linux-lts-backport-maverick-2.6.35/net/netfilter/xt_recent.c:609!
2011-10-24 19:34:40 [ 318.704017] invalid opcode: 0000 [#1] SMP
2011-10-24 19:34:40 [ 318.704137] last sysfs file: /sys/devices/system/cpu/cpu3/cache/index1/shared_cpu_map
2011-10-24 19:34:40 [ 318.704189] CPU 3
2011-10-24 19:34:40 [ 318.704231] Modules linked in: xt_recent veth btrfs zlib_deflate crc32c libcrc32c ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs xfs reiserfs nfs fscache pci_stub vboxpci vboxnetadp vboxnetflt vboxdrv nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs ipt_MASQUERADE iptable_nat nf_nat ipt_REJECT kvm_intel kvm nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_LOG xt_tcpudp iptable_filter ip_tables x_tables bridge 8021q garp stp ppdev parport_pc i5000_edac edac_core i5k_amb psmouse serio_raw shpchp lp parport tg3 floppy megaraid_sas
2011-10-24 19:34:40 [ 318.706762]
2011-10-24 19:34:40 [ 318.706806] Pid: 21, comm: netns Not tainted 2.6.35-30-server #60~lucid1-Ubuntu D2119/PRIMERGY RX300 S3
2011-10-24 19:34:40 [ 318.706861] RIP: 0010:[<ffffffffa08eb0ac>] [<ffffffffa08eb0ac>] recent_net_exit+0x3c/0x40 [xt_recent]
2011-10-24 19:34:40 [ 318.706960] RSP: 0018:ffff880236d67d90 EFLAGS: 00010283
2011-10-24 19:34:40 [ 318.707008] RAX: ffff88022c0a46e0 RBX: ffffffffa08ec860 RCX: 0200000000000081
2011-10-24 19:34:40 [ 318.707059] RDX: ffff880235ba5200 RSI: ffff880236d67dd0 RDI: ffff88022a6b8880
2011-10-24 19:34:40 [ 318.707124] RBP: ffff880236d67d90 R08: fffff000fffff000 R09: 0000000000000000
2011-10-24 19:34:40 [ 318.707189] R10: ffff88022a6c4000 R11: ffffffc8ffffffc8 R12: ffff88022a6b8880
2011-10-24 19:34:40 [ 318.707253] R13: ffff880236d67dd0 R14: ffff880001e18dc0 R15: ffff880236d67fd8
2011-10-24 19:34:40 [ 318.707319] FS: 0000000000000000(0000) GS:ffff880001f80000(0000) knlGS:0000000000000000
2011-10-24 19:34:40 [ 318.707400] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
2011-10-24 19:34:40 [ 318.707463] CR2: 00007f0c32bf61e0 CR3: 0000000232f69000 CR4: 00000000000006e0
2011-10-24 19:34:40 [ 318.707528] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
2011-10-24 19:34:40 [ 318.707593] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
2011-10-24 19:34:40 [ 318.707659] Process netns (pid: 21, threadinfo ffff880236d66000, task ffff880236d5c4d0)
2011-10-24 19:34:40 [ 318.707738] Stack:
2011-10-24 19:34:40 [ 318.707793] ffff880236d67dc0 ffffffff814ac4a6 ffff880236d67da0 ffff880236d67dd0
2011-10-24 19:34:40 [ 318.707970] <0> ffffffffa08ec860 ffffffff814ac780 ffff880236d67e00 ffffffff814ac88b
2011-10-24 19:34:40 [ 318.708234] <0> ffff88022a6b88a8 ffff88022a6b88a8 ffff88022a6b8898 ffff88022a6b8898
2011-10-24 19:34:40 [ 318.708547] Call Trace:
2011-10-24 19:34:40 [ 318.708613] [<ffffffff814ac4a6>] ops_exit_list+0x36/0x70
2011-10-24 19:34:40 [ 318.708677] [<ffffffff814ac780>] ? cleanup_net+0x0/0x1c0
2011-10-24 19:34:40 [ 318.708741] [<ffffffff814ac88b>] cleanup_net+0x10b/0x1c0
2011-10-24 19:34:40 [ 318.708808] [<ffffffff8107b2a5>] run_workqueue+0xc5/0x1a0
2011-10-24 19:34:40 [ 318.708872] [<ffffffff8107b423>] worker_thread+0xa3/0x110
2011-10-24 19:34:40 [ 318.708936] [<ffffffff810800d0>] ? autoremove_wake_function+0x0/0x40
2011-10-24 19:34:40 [ 318.709002] [<ffffffff8107b380>] ? worker_thread+0x0/0x110
2011-10-24 19:34:40 [ 318.709066] [<ffffffff8107fb56>] kthread+0x96/0xa0
2011-10-24 19:34:40 [ 318.709131] [<ffffffff8100aee4>] kernel_thread_helper+0x4/0x10
2011-10-24 19:34:40 [ 318.709195] [<ffffffff8107fac0>] ? kthread+0x0/0xa0
2011-10-24 19:34:40 [ 318.709257] [<ffffffff8100aee0>] ? kernel_thread_helper+0x0/0x10
2011-10-24 19:34:40 [ 318.709320] Code: 97 48 08 00 00 85 c0 74 1e 3b 02 77 1a 48 98 48 8b 44 c2 10 48 3b 00 75 12 48 c7 c6 52 c6 8e a0 e8 8a b3 8c e0 c9 c3 0f 0b eb fe <0f> 0b eb fe 55 48 89 e5 53 48 83 ec 08 0f 1f 44 00 00 8b 05 74
2011-10-24 19:34:40 [ 318.711821] RIP [<ffffffffa08eb0ac>] recent_net_exit+0x3c/0x40 [xt_recent]
2011-10-24 19:34:40 [ 318.711924] RSP <ffff880236d67d90>
2011-10-24 19:34:40 [ 318.711984] ---[ end trace 20014711382a5389 ]---

Next hint: the container fex uses iptables. When I comment out the config lines containing "iptables -m recent" and reboot there is no host crash on lxc-stop any more!

Everything is reproducible, with both kernels: 2.6.35 and 2.6.38

Ubuntu packages:
linux-image-server-lts-backport-maverick
linux-image-server-lts-backport-natty

(*) Linux Container Virtualization http://lxc.sourceforge.net/

--
Ullrich Horlacher              Server- und Arbeitsplatzsysteme
Rechenzentrum                  E-Mail: horlacher at rus.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-685-65868
Allmandring 30                 Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.rus.uni-stuttgart.de/

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.

bugzilla-daemon at bugzilla.netfilter.org
2011-Oct-25 13:43 UTC
[Bug 759] "iptables -m recent" crashes a LXC host on lxc-stop
http://bugzilla.netfilter.org/show_bug.cgi?id=759

Ulli horlacher <framstag at rus.uni-stuttgart.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |framstag at rus.uni-stuttgart.de

bugzilla-daemon at bugzilla.netfilter.org
2012-Jul-20 08:43 UTC
[Bug 759] "iptables -m recent" crashes a LXC host on lxc-stop
http://bugzilla.netfilter.org/show_bug.cgi?id=759

Frieder Buerzele <evermind at tuxfamily.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |evermind at tuxfamily.org

--- Comment #1 from Frieder Buerzele <evermind at tuxfamily.org> 2012-07-20 10:43:48 CEST ---
Hi,

have the same bug reported on launchpad:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/869068

Basically the bug appears if iptables are set in the container and the container is shut down without calling iptables -F flushing the table.

static void __exit recent_mt_exit(void)
{
        BUG_ON(!list_empty(&tables));
        xt_unregister_match(&recent_mt_reg) ...
}

I've no clue about this module or netfilter developing in general, but why won't the module clean the list here on exit?
I know the exit assumes it should be empty but of course it is not empty as it was not flushed from userland.

bugzilla-daemon at bugzilla.netfilter.org
2013-Feb-14 15:51 UTC
[Bug 759] "iptables -m recent" crashes a LXC host on lxc-stop
http://bugzilla.netfilter.org/show_bug.cgi?id=759

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|                            |FIXED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-02-14 16:51:17 CET ---
This bug is fixed since Linux 3.7.5. I plan to pass this also to -stable starting 3.0.

You can obtain this patch from:

https://patchwork.kernel.org/patch/2080541/
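
Added example (not part of the bug thread and not netfilter project code): a POSIX shell pre-stop check that flags a container whose ruleset still references "-m recent" on a kernel older than 3.7.5, the release comment #2 names as fixed. The function names and the sample ruleset are constructed for illustration, and -stable backports are not detected because the thread gives no version numbers for them.

```shell
#!/bin/sh
# Added example, not from the bug thread; all function names are hypothetical.

# kernel_is_fixed RELEASE: succeed if RELEASE >= 3.7.5, the release comment #2
# names as fixed. -stable backports are not detected (no versions are given).
kernel_is_fixed() {
    rel=${1%%-*}                          # "2.6.38-11-server" -> "2.6.38"
    old_ifs=$IFS; IFS=.
    set -- $rel                           # split on dots into $1 $2 $3
    IFS=$old_ifs
    maj=${1%%[!0-9]*}; min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    [ $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} )) -ge 3007005 ]
}

# recent_lists: read iptables-save output on stdin and print every xt_recent
# list name in use, one per line (DEFAULT when a rule gives no --name).
recent_lists() {
    awk '/^-A / {
        for (i = 1; i < NF; i++) if ($i == "-m" && $(i+1) == "recent") {
            name = "DEFAULT"
            for (j = i + 2; j < NF && $j != "-m"; j++)
                if ($j == "--name") { name = $(j+1); break }
            print name
        }
    }' | sort -u
}

# teardown_risk RELEASE: rules on stdin. Returns 1 when the kernel predates the
# fix and rules still reference -m recent, i.e. the state comment #1 describes.
teardown_risk() {
    lists=$(recent_lists)
    if [ -n "$lists" ] && ! kernel_is_fixed "$1"; then
        echo "AT RISK: kernel $1 with recent lists:" $lists
        return 1
    fi
    echo "OK: kernel $1"
}

# Constructed sample in iptables-save format (not taken from the report).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A INPUT -p icmp -m recent --set
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | teardown_risk "2.6.38-11-server" || true
```

Inside a container the check would be fed live data with iptables-save | teardown_risk "$(uname -r)" before lxc-stop; comment #1 reports that the crash appears when the container is shut down without an iptables -F first.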