From: Scot Doyle <lkml@scotdoyle.com>
To: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>,
Stephen Hemminger <shemminger@vyatta.com>
Cc: netdev@vger.kernel.org,
Sebastian Nickel <Sebastian.Nickel@hetzner.de>,
Pallai Roland <pallair@magex.hu>
Subject: Re: Kernel panic when using bridge
Date: Mon, 11 Apr 2011 18:48:00 -0500
Message-ID: <4DA39330.2030102@scotdoyle.com>
In-Reply-To: <20110409161908.a2aca120.shimoda.hiroaki@gmail.com>

On 04/09/2011 02:19 AM, Hiroaki SHIMODA wrote:
>
> It seems that the bug trap occurred in ip_options_compile() because
> rt is NULL.
>
>   8b 96 cc 00 00 00       mov    0xcc(%rsi),%edx
>
> rsi is rt, and 0xcc means rt->rt_spec_dst. So I think the code below
> hit the bug trap.
>
> 332             if (skb) {
> 333                     memcpy(&optptr[optptr[2]-1],&rt->rt_spec_dst, 4);<- here
> 334                     opt->is_changed = 1;
> 335             }
>
> And the call trace seems to be as follows.
>
> __netif_receive_skb()
>  -> br_handle_frame()
>   -> NF_HOOK()
>    -> br_nf_pre_routing()
>     -> br_parse_ip_options()
>      -> ip_options_compile()
>
> br_parse_ip_options() was introduced at 462fb2a (bridge : Sanitize
> skb before it enters the IP stack) but ip_options_compile() or
> ip_options_rcv_srr() seems to be called with no rt info.

Thanks to a tip from Sebastian, I can now reproduce this panic by
running "IP Stack Integrity Checker v0.07" from another machine on the
same subnet with the command "icmpsic -s x.y.z.a -d x.y.z.b", where
"x.y.z.a" is the IP address of the other machine and "x.y.z.b" is the
IP address of the target. When I enable iptables logging on the target
machine, no panic occurs. When I disable iptables logging (but otherwise
leave the same iptables rules), a panic occurs within a few seconds.

Thanks, Hiroaki, for the analysis of the kernel panic output. I've
confirmed that you are correct by placing a printk just before those two
lines. In every panic, the printk was triggered on line 333 of
net/ipv4/ip_options.c.

The kernel panic does not occur after applying the following patch.
# diff net/ipv4/ip_options.c.original net/ipv4/ip_options.c.fix
332c332
< if (skb) {
---
> if (skb && rt) {
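Review bot: The added `rt` test at line 332 stops the NULL dereference but also skips the copy of rt->rt_spec_dst into the option and leaves opt->is_changed unset whenever the skb has no route, and nothing in the hunk tells the caller that the write was skipped. The quoted analysis places the missing route in the bridge path (br_parse_ip_options() calling ip_options_compile() with no rt info), so it is worth deciding whether that caller should be fixed instead of, or as well as, this site. If the guard stays here, add a comment naming the callers that can arrive with rt == NULL.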
374c374
< if (skb) {
---
> if (skb && rt) {
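Review bot: Line 374 is changed by analogy only: the message reports the printk firing on line 333, and this normal-format diff carries no context for the second site, so a reviewer cannot see what the block at 374 reads from rt. Resend as a unified diff (`diff -up`) against a named tree with a Signed-off-by line, and state whether any other rt dereference in ip_options_compile() is reachable with rt == NULL.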
What do you all think? Will it cause other problems?