From: Patrick McHardy <kaber@trash.net>
To: Brad Campbell <brad@fnarfbargle.com>
Cc: Bart De Schuymer <bdschuym@pandora.be>,
	kvm@vger.kernel.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org
Subject: Re: KVM induced panic on 2.6.38[2367] & 2.6.39
Date: Tue, 07 Jun 2011 17:35:20 +0200
Message-ID: <4DEE4538.1020404@trash.net>
In-Reply-To: <4DEE3859.6070808@fnarfbargle.com>

On 07.06.2011 16:40, Brad Campbell wrote:
> On 07/06/11 21:30, Patrick McHardy wrote:
>> On 07.06.2011 05:33, Brad Campbell wrote:
>>> On 07/06/11 04:10, Bart De Schuymer wrote:
>>>> Hi Brad,
>>>>
>>>> This has probably nothing to do with ebtables, so please rmmod in case
>>>> it's loaded.
>>>> A few questions I didn't directly see an answer to in the threads I
>>>> scanned...
>>>> I'm assuming you actually use the bridging firewall functionality. So,
>>>> what iptables modules do you use? Can you reduce your iptables rules to
>>>> a core that triggers the bug?
>>>> Or does it get triggered even with an empty set of firewall rules?
>>>> Are you using a stock .35 kernel or is it patched?
>>>> Is this something I can trigger on a poor guy's laptop or does it
>>>> require specialized hardware (I'm catching up on qemu/kvm...)?
>>>
>>> Not specialised hardware as such, I've just not been able to reproduce
>>> it outside of this specific operating scenario.
>>
>> The last similar problem we've had was related to the 32/64 bit compat
>> code. Are you running 32 bit userspace on a 64 bit kernel?
> 
> No, 32 bit Guest OS, but a completely 64 bit userspace on a 64 bit kernel.
> 
> Userspace is current Debian Stable. Kernel is Vanilla and qemu-kvm is
> current git
> 
> 
>>> I can't trigger it with empty firewall rules as it relies on a DNAT to
>>> occur. If I try it directly to the internal IP address (as I have to
>>> without netfilter loaded) then of course nothing fails.
>>>
>>> It's a pain in the bum as a fault, but it's one I can easily reproduce
>>> as long as I use the same set of circumstances.
>>>
>>> I'll try using 3.0-rc2 (current git) tonight, and if I can reproduce it
>>> on that then I'll attempt to pare down the IPTABLES rules to a bare
>>> minimum.
>>>
>>> It is nothing to do with ebtables as I don't compile it. I'm not really
>>> sure about "bridging firewall" functionality. I just use a couple of
>>> hand coded bash scripts to set the tables up.
>>
>>  From one of your previous mails:
>>
>>> # CONFIG_BRIDGE_NF_EBTABLES is not set
>>
>> How about CONFIG_BRIDGE_NETFILTER?
>>
> 
> It was compiled in.
> 
> With the following table set I was able to reproduce the problem on
> 3.0-rc2. Replaced my IP with xxx.xxx.xxx.xxx, but otherwise unmodified

Which kernel was the last version without this problem?

> root@srv:~# iptables-save
> # Generated by iptables-save v1.4.10 on Tue Jun  7 22:11:30 2011
> *filter
> :INPUT ACCEPT [978:107619]
> :FORWARD ACCEPT [142:7068]
> :OUTPUT ACCEPT [1659:291870]
> -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT ! -i ppp0 -m state --state NEW -j ACCEPT
> -A INPUT -i ppp0 -j DROP
> COMMIT
> # Completed on Tue Jun  7 22:11:30 2011
> # Generated by iptables-save v1.4.10 on Tue Jun  7 22:11:30 2011
> *nat
> :PREROUTING ACCEPT [813:49170]
> :INPUT ACCEPT [91:7090]
> :OUTPUT ACCEPT [267:20731]
> :POSTROUTING ACCEPT [296:22281]
> -A PREROUTING -d xxx.xxx.xxx.xxx/32 ! -i ppp0 -p tcp -m tcp --dport 443
> -j DNAT --to-destination 192.168.253.198
> COMMIT
> # Completed on Tue Jun  7 22:11:30 2011
> # Generated by iptables-save v1.4.10 on Tue Jun  7 22:11:30 2011
> *mangle
> :PREROUTING ACCEPT [2729:274392]
> :INPUT ACCEPT [2508:262976]
> :FORWARD ACCEPT [142:7068]
> :OUTPUT ACCEPT [1674:293701]
> :POSTROUTING ACCEPT [2131:346411]
> -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss
> 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
> COMMIT
> # Completed on Tue Jun  7 22:11:30 2011

The main suspects would be NAT and TCPMSS. Did you also try whether
the crash occurs with only one of these rules?

> I've just compiled out CONFIG_BRIDGE_NETFILTER and can no longer access
> the address the way I was doing it, so that's a no-go for me.

That's really weird since you're apparently not using any bridge
netfilter features. It shouldn't have any effect besides changing
at which point ip_tables is invoked. How are your network devices
configured (specifically any bridges)?
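
Added example (not part of the original message or of any project's code): one way to build the single-rule test rulesets asked about above, by parsing the `iptables-save` dump and keeping only the rules that jump to one suspect target. The function names are hypothetical, and the sample is the nat and mangle tables from the quoted dump with the quoting stripped and the mail line wraps left in.

```python
import re

# Constructed sample: nat and mangle tables from the dump quoted above,
# "> " quoting stripped, mail-client line wraps left in place.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [813:49170]
:INPUT ACCEPT [91:7090]
:OUTPUT ACCEPT [267:20731]
:POSTROUTING ACCEPT [296:22281]
-A PREROUTING -d xxx.xxx.xxx.xxx/32 ! -i ppp0 -p tcp -m tcp --dport 443
-j DNAT --to-destination 192.168.253.198
COMMIT
*mangle
:PREROUTING ACCEPT [2729:274392]
:INPUT ACCEPT [2508:262976]
:FORWARD ACCEPT [142:7068]
:OUTPUT ACCEPT [1674:293701]
:POSTROUTING ACCEPT [2131:346411]
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss
1400:1536 -j TCPMSS --clamp-mss-to-pmtu
COMMIT
"""

def parse_save(text):
    """Return {table: {"chains": [...], "rules": [...]}} from iptables-save text."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"chains": [], "rules": []})
        elif cur is None:
            raise ValueError("data before any *table line: " + line)
        elif line.startswith(":"):
            cur["chains"].append(re.sub(r"\[\d+:\d+\]$", "[0:0]", line))  # zero counters
        elif line.startswith("-A "):
            cur["rules"].append(line)
        elif cur["rules"]:
            cur["rules"][-1] += " " + line  # re-join a mail-wrapped rule
        else:
            raise ValueError("unrecognised line: " + line)
    return tables

def isolate(tables, target):
    """Build iptables-restore input: all tables and policies, only rules with -j target."""
    want = re.compile(r"\s-j\s+" + re.escape(target) + r"(\s|$)")
    out = []
    for name, t in tables.items():
        out.append("*" + name)
        out += t["chains"]
        out += [r for r in t["rules"] if want.search(r)]
        out.append("COMMIT")
    return "\n".join(out) + "\n"
```

`isolate(parse_save(SAMPLE), "DNAT")` and `isolate(parse_save(SAMPLE), "TCPMSS")` give the two rulesets to test in turn; the redacted `xxx.xxx.xxx.xxx` address has to be replaced with the real one before the output is fed to `iptables-restore`.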

