[Bug] OOPS with nf_conntrack_ipv6, probably fragmented UDPv6

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Bernhard Schmidt <berni@birkenwald.de>
To: netfilter-devel@lists.netfilter.org
Cc: linux-kernel@vger.kernel.org
Subject: [Bug] OOPS with nf_conntrack_ipv6, probably fragmented UDPv6
Date: Thu, 04 Jan 2007 17:58:23 +0100	[thread overview]
Message-ID: <459D322F.5010707@birkenwald.de> (raw)

Hi,

I've hit another kernel oops with 2.6.20-rc3 on i386 platform. It is 
reproducible, as soon as I load nf_conntrack_ipv6 and try to send 
something large (scp or so) inside an OpenVPN tunnel on my client 
(patched with UDPv6 transport) the router (another box) OOPSes.

tcpdump suggests the problem appears as soon as my client sends 
fragmented UDPv6 packets towards the destination. It does not happen 
when nf_conntrack_ipv6 is not loaded. This is the OOPS as dumped from 
the serial console:

heimdall login: Oops: 0000 [#1]
Modules linked in: sit sch_red sch_htb pppoe pppox ppp_generic slhc 
xt_CLASSIFY ipt_TOS xt_length ipt_tos ipt_TCPMSS xt_tcpudp 
ipt_MASQUERADE xt_state iptable_mangle iptable_filter
  iptable_nat nf_nat nf_conntrack_ipv4 ip_tables x_tables 
nf_conntrack_ipv6 nf_conntrack nfnetlink
CPU:    0
EIP:    0060:[<00000001>]    Not tainted VLI
EFLAGS: 00010246   (2.6.20-rc3 #2)
EIP is at 0x1
eax: cd215bc0   ebx: cd1f3160   ecx: cc59002a   edx: cd215bc0
esi: cd215bc0   edi: cd215bc0   ebp: 00000000   esp: c030bd3c
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, ti=c030a000 task=c02e93a0 task.ti=c030a000)
Stack: c0212cc4 00000004 cc83f160 cd2130c0 cd215bc0 cd2130c0 cd215bc0 
c021734b
        c030bdb4 c0307a60 0000000a cceee800 cceee800 cd215bc0 cd1f3160 
00000000
        c021896b c0307a60 cd215bc0 cd215bc0 cceee800 cd1f3160 c025f1c6 
00000000
Call Trace:
  [<c0212cc4>] __kfree_skb+0x84/0xe0
  [<c021734b>] dev_hard_start_xmit+0x1bb/0x1d0
  [<c021896b>] dev_queue_xmit+0x11b/0x1b0
  [<c025f1c6>] ip6_output2+0x276/0x2b0
  [<c025ed30>] ip6_output_finish+0x0/0xf0
  [<c025fc0a>] ip6_output+0x90a/0x940
  [<c013e9e5>] cache_alloc_refill+0x2c5/0x3f0
  [<c0212eed>] pskb_expand_head+0xdd/0x130
  [<c02608d5>] ip6_forward+0x465/0x4b0
  [<c02618c6>] ip6_rcv_finish+0x16/0x30
  [<ce81a056>] nf_ct_frag6_output+0x86/0xb0 [nf_conntrack_ipv6]
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<ce81911b>] ipv6_defrag+0x3b/0x50 [nf_conntrack_ipv6]
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c022c618>] nf_iterate+0x38/0x70
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c022c75d>] nf_hook_slow+0x4d/0xc0
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c0261ac0>] ipv6_rcv+0x1e0/0x250
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c0217068>] netif_receive_skb+0x1a8/0x200
  [<c021868e>] process_backlog+0x6e/0xe0
  [<c0218752>] net_rx_action+0x52/0xd0
  [<c0113885>] __do_softirq+0x35/0x80
  [<c01138f2>] do_softirq+0x22/0x30
  [<c010453e>] do_IRQ+0x5e/0x70
  [<c0102b33>] common_interrupt+0x23/0x30
  [<c0101820>] default_idle+0x0/0x40
  [<c0101847>] default_idle+0x27/0x40
  [<c0101017>] cpu_idle+0x37/0x50
  [<c030c676>] start_kernel+0x266/0x270
  [<c030c200>] unknown_bootoption+0x0/0x210
  =======================
Code:  Bad EIP value.
EIP: [<00000001>] 0x1 SS:ESP 0068:c030bd3c
  <0>Kernel panic - not syncing: Fatal exception in interrupt
  <0>Rebooting in 20 seconds..<4>atkbd.c: Spurious ACK on 
isa0060/serio0. Some program might be trying access hardware directly.

Do you need more information?

Regards,
Bernhard

next             reply	other threads:[~2007-01-04 17:05 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-01-04 16:58 Bernhard Schmidt [this message]
2007-01-04 22:57 ` [Bug] OOPS with nf_conntrack_ipv6, probably fragmented UDPv6 Andrew Morton
2007-01-11 13:36 ` Patrick McHardy
2007-01-09 11:41   ` Bernhard Schmidt
2007-01-09 11:50     ` Patrick McHardy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=459D322F.5010707@birkenwald.de \
    --to=berni@birkenwald.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netfilter-devel@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox