From patchwork Tue May 24 15:39:03 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 97175
X-Patchwork-Delegate: davem@davemloft.net
Subject: Re: bridge netfilter output bug on 2.6.39
From: Eric Dumazet
To: Stephen Hemminger, David Miller
Cc: Herbert Xu, netdev@vger.kernel.org
In-Reply-To: <20110524074156.58eb30f8@nehalam>
References: <20110524074156.58eb30f8@nehalam>
Date: Tue, 24 May 2011 17:39:03 +0200
Message-ID: <1306251543.3026.57.camel@edumazet-laptop>

On Tuesday, 24 May 2011 at 07:41 -0700, Stephen Hemminger wrote:
> Got this bug report against 2.6.39. Looks like ip_fragment() is now
> getting confused when called from bridge netfilter. Probably related to
> the changes to do ip_options_compile for the bridge input path.
>
> https://bugzilla.kernel.org/show_bug.cgi?id=35672
>
> May 23 02:04:24 lxc kernel: [99498.329036] BUG: unable to handle kernel NULL
> pointer dereference at 00000004
> May 23 02:04:24 lxc kernel: [99498.330017] IP: [] dst_mtu+0xb/0x1c
> May 23 02:04:24 lxc kernel: [99498.330017] *pdpt = 000000001fb55001 *pde =
> 0000000000000000
> May 23 02:04:24 lxc kernel: [99498.330017] Oops: 0000 [#1] SMP
> May 23 02:04:24 lxc kernel: [99498.330017] last sysfs file:
> /sys/devices/virtual/vc/vcsa8/uevent
> May 23 02:04:24 lxc kernel: [99498.330017] Modules linked in: lp ppdev
> parport_pc parport fuse firewire_ohci firewire_core crc_itu_t intel_agp
> intel_gtt
> May 23 02:04:24 lxc kernel: [99498.330017]
> May 23 02:04:24 lxc kernel: [99498.330017] Pid: 0, comm: swapper Not tainted
> 2.6.39-lxc #2 . . /IP35 Pro XE(Intel P35-ICH9R)
> May 23 02:04:24 lxc kernel: [99498.330017] EIP: 0060:[] EFLAGS:
> 00010246 CPU: 0
> May 23 02:04:24 lxc kernel: [99498.330017] EIP is at dst_mtu+0xb/0x1c
> May 23 02:04:24 lxc kernel: [99498.330017] EAX: 00000000 EBX: e90b6b40 ECX:
> effc981c EDX: effc9000
> May 23 02:04:24 lxc kernel: [99498.330017] ESI: c1a0d84e EDI: dda6331e EBP:
> f080bb44 ESP: f080bb44
> May 23 02:04:24 lxc kernel: [99498.330017] DS: 007b ES: 007b FS: 00d8 GS: 0000
> SS: 0068
> May 23 02:04:24 lxc kernel: [99498.330017] Process swapper (pid: 0, ti=f080a000
> task=c172b7e0 task.ti=c1724000)
> May 23 02:04:24 lxc kernel: [99498.330017] Stack:
> May 23 02:04:24 lxc kernel: [99498.330017] f080bb8c c143e20d 00000004 f080bb88
> c141aab2 c14b46db effc9000 00000014
> May 23 02:04:24 lxc kernel: [99498.330017] c14b8a44 effc9000 e90b6b40 00000014
> effc981c e90b6b58 cd472800 e90b6b40
> May 23 02:04:24 lxc kernel: [99498.330017] c14b8a44 dda6331e f080bb98 c14b8aa0
> e90b6b40 f080bba8 c14b881a e90b6b40
> May 23 02:04:24 lxc kernel: [99498.330017] Call Trace:
> May 23 02:04:24 lxc kernel: [99498.330017] [] ip_fragment+0xb5/0x66c
> May 23 02:04:24 lxc kernel: [99498.330017] [] ?
> nf_hook_slow+0x43/0xd1
> May 23 02:04:24 lxc kernel: [99498.330017] [] ? br_flood+0x83/0x83
> May 23 02:04:24 lxc kernel: [99498.330017] [] ?
> br_parse_ip_options+0x1b0/0x1b0
> May 23 02:04:24 lxc kernel: [99498.330017] [] ?
> br_parse_ip_options+0x1b0/0x1b0
> May 23 02:04:24 lxc kernel: [99498.330017] []
> br_nf_dev_queue_xmit+0x5c/0x68
> --

I would say it's more likely a problem with dst metrics changes

In this crash, we dereference a NULL dst->_metrics 'pointer' in
dst_metric_raw(dst, RTAX_MTU);

Hmm, it seems __dst_destroy_metrics_generic() doesn't add the
DST_METRICS_READ_ONLY flag?

[PATCH] net: fix __dst_destroy_metrics_generic()

dst_default_metrics is readonly, we don't want to kfree() it later.

Signed-off-by: Eric Dumazet CC: Stephen Hemminger CC: Herbert Xu --- net/core/dst.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/core/dst.c b/net/core/dst.c index 81a4fa1..1badc98 100644 --- a/net/core/dst.c +++ b/net/core/dst.c @@ -315,7 +315,7 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old) { unsigned long prev, new; - new = (unsigned long) dst_default_metrics; + new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY; prev = cmpxchg(&dst->_metrics, old, new); if (prev == old) kfree(__DST_METRICS_PTR(old));
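
Review bot: the changelog for the one-line change to `new` in __dst_destroy_metrics_generic() says the default table must not be kfree()d later, but it does not name the later path that would free it, nor say whether this resolves the dst_mtu() oops quoted above, which the mail itself only links to the change tentatively ("Hmm, it seems ..."). Suggest spelling out the failure sequence in the commit message and referencing the bugzilla report (id=35672) once the reporter confirms the fix. Separately, the context line `kfree(__DST_METRICS_PTR(old));` frees `old` with no DST_METRICS_READ_ONLY test inside this function, so a short comment stating where callers guarantee that `old` is a writable allocation would make that invariant checkable from here.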
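
The read-only tagging that the commit message relies on, as an added user-space C model (not kernel code and not part of the original mail). `struct entry`, `release()`, `destroy_metrics()` and `teardown_twice()` are hypothetical names, and the teardown-time check of the flag is an assumption about how callers treat the tag; the model counts how often the shared static table would be handed to the allocator when the reset stores the default pointer without and with the flag.

```c
#include <stdint.h>
#include <stdlib.h>

/* User-space model with hypothetical names; bit 0 of the value is the tag. */
#define METRICS_READ_ONLY ((uintptr_t)0x1)
#define METRICS_PTR(v) ((uint32_t *)((v) & ~METRICS_READ_ONLY))
#define NMETRICS 4
/* Shared static defaults; 4-byte alignment leaves bit 0 of the address free. */
static const uint32_t default_metrics[NMETRICS] = {0};
struct entry { uintptr_t metrics; };        /* tagged pointer field */
static int default_frees;   /* times the static table reached release() */
static void release(uint32_t *p)
{
    if (p == default_metrics)
        default_frees++;    /* a real free() here would corrupt the heap */
    else
        free(p);
}

/* Teardown (assumed): skip tagged values, else swap in defaults, free old. */
static void destroy_metrics(struct entry *e, int tag_default)
{
    uintptr_t old = e->metrics, new_val = (uintptr_t)default_metrics;
    if (old & METRICS_READ_ONLY)
        return;                             /* shared table, not ours */
    if (tag_default)
        new_val |= METRICS_READ_ONLY;       /* behaviour with the flag set */
    if (__sync_val_compare_and_swap(&e->metrics, old, new_val) == old)
        release(METRICS_PTR(old));
}

/* Tear one entry down twice; returns frees of the static table, -1 on OOM. */
static int teardown_twice(int tag_default)
{
    struct entry e;
    uint32_t *priv = calloc(NMETRICS, sizeof(*priv));
    if (!priv)
        return -1;
    default_frees = 0;
    e.metrics = (uintptr_t)priv;            /* writable, untagged */
    destroy_metrics(&e, tag_default);
    destroy_metrics(&e, tag_default);
    return default_frees;
}

int main(void)
{
    return !(teardown_twice(0) == 1 && teardown_twice(1) == 0);
}
```

Without the tag, the second teardown sees an apparently writable pointer to the static table and passes it to the release path; with the tag it returns early.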