[BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[Steven Rostedt]

I'm trying to trace down a bug in 3.10.15 that our -rt patch is based
on. It happens in our complex test environment and I'm having trouble
reproducing it on my box.

When the test suite runs nfs-connectathon (I believe from LTP), then
runs a module-load test (randomly loads and unloads modules), one of
the files in  /proc/sys/net/netfilter/nf_log/ becomes corrupted and we
get this crash:

BUG: unable to handle kernel paging request at ffffffffa06189f0 
IP: [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
PGD 1a0d067 PUD 1a0e063 PMD 127d71067 PTE 0 
Oops: 0000 [#1] PREEMPT SMP  
Modules linked in: ts_kmp nf_conntrack_ipv4 nf_defrag_ipv4 nls_koi8_u nls_cp932 rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 nfsv3 nfs_acl nfsv2 nfs lockd sunrpc nfnetlink_queue nfnetlink bluetooth cpufreq_ondemand ipv6 ppdev gpio_ich iTCO_wdt iTCO_vendor_support hp_wmi sparse_keymap rfkill coretemp acpi_cpufreq freq_table mperf microcode parport_pc parport pcspkr serio_raw lpc_ich sg snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc i5k_amb i5000_edac edac_core shpchp tg3 ptp pps_core ext4 jbd2 mbcache sd_mod crc_t10dif sr_mod cdrom firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm hwmon i2c_algo_
 bit i2c_core mxm_wmi video wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: rmd128] 
CPU: 7 PID: 22196 Comm: cat Not tainted 3.10.15-rt11.4.vanilla.el6rt.x86_64 #1 
Hardware name: Hewlett-Packard HP xw8400 Workstation/0A08h, BIOS 786D5 v02.35 11/25/2008 
task: ffff88012544ae20 ti: ffff880124f8e000 task.ti: ffff880124f8e000 
RIP: 0010:[<ffffffff814b7904>]  [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
RSP: 0018:ffff880124f8fdd8  EFLAGS: 00010282 
RAX: ffffffffa06189e0 RBX: ffffffff81cb7c80 RCX: ffff880124f8fe90 
RDX: 00000000006ca000 RSI: 0000000000000000 RDI: ffffffff81ab2b00 
RBP: ffff880124f8fe68 R08: ffff880124f8ff40 R09: 0000000000000000 
R10: 0000000000008fff R11: 0000000000000246 R12: 0000000000000002 
R13: ffffffff81aaef00 R14: 0000000000000002 R15: 00000000006ca000 
FS:  00007fe090b5a700(0000) GS:ffff88012fdc0000(0000) knlGS:0000000000000000 
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
CR2: ffffffffa06189f0 CR3: 0000000124e2e000 CR4: 00000000000007e0 
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 
Stack: 
 ffff880124f8ff40 ffff880124f8fe90 ffffffff81cb7c80 0000000000000000 
 ffff880124f8fe08 ffffffff81216788 ffff880124f8fe28 ffffffff81059270 
 ffff880124be5440 ffffffff81cb7c80 ffff880124f8fe48 00000000190b4935 
Call Trace: 
 [<ffffffff81216788>] ? security_capable+0x18/0x20 
 [<ffffffff81059270>] ? ns_capable+0x30/0x60 
 [<ffffffff811eb1a2>] proc_sys_call_handler+0x92/0xd0 
 [<ffffffff811eb211>] proc_sys_read+0x11/0x20 
 [<ffffffff81179221>] vfs_read+0xb1/0x130 
 [<ffffffff811796bf>] SyS_read+0x5f/0xa0 
 [<ffffffff810ca5d6>] ? __audit_syscall_exit+0x236/0x2e0 
 [<ffffffff81567399>] system_call_fastpath+0x16/0x1b 
Code: 78 ff ff ff 4c 89 85 70 ff ff ff e8 b7 3d 0a 00 4b 8b 84 f5 d8 07 00 00 48 8b 8d 78 ff ff ff 4c 8b 85 70 ff ff ff 48 85 c0 74 54 <48> 8b 40 10 48 89 43 08 4c 89 fa 48 89 df 31 f6 e8 d7 08 ba ff  
RIP  [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
 RSP <ffff880124f8fdd8> 
CR2: ffffffffa06189f0 
---[ end trace cae5dc9f8f8299f7 ]--- 


We added to the test suite code that reads the nf_log before and after
the module-load test, and before we have this:

# cat /proc/sys/net/netfilter/nf_log/*
NONE
NONE
NONE
NONE
NONE
nfnetlink_log
NONE
NONE
NONE
NONE
NONE
NONE
NONE

And after the module-load test, it crashes when reading those files.

I'm not very familiar with netfilters, net namespaces or the
netlink_log, so my question to you is, what does one do to get that
"nfnetlink_log" to show up in the nf_log/* files? Loading nfnetlink_log
module is not enough.

Unfortunately, the test suite that triggers this is all automated and
has a complex set up, so trying to figure it out from that is a huge
undertaking, which is why I'm writing this email. Maybe someone here
can see this and say, "Oh, to get that all you need to do is this ..."

:-)

Thanks, any help would be much appreciated.

-- Steve

Re: [BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[Gao feng]

On 12/14/2013 11:10 PM, Steven Rostedt wrote:
> I'm trying to trace down a bug in 3.10.15 that our -rt patch is based
> on. It happens in our complex test environment and I'm having trouble
> reproducing it on my box.
> 
> When the test suite runs nfs-connectathon (I believe from LTP), then
> runs a module-load test (randomly loads and unloads modules), one of
> the files in  /proc/sys/net/netfilter/nf_log/ becomes corrupted and we
> get this crash:
> 
> BUG: unable to handle kernel paging request at ffffffffa06189f0 
> IP: [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
> PGD 1a0d067 PUD 1a0e063 PMD 127d71067 PTE 0 
> Oops: 0000 [#1] PREEMPT SMP  
> Modules linked in: ts_kmp nf_conntrack_ipv4 nf_defrag_ipv4 nls_koi8_u nls_cp932 rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 nfsv3 nfs_acl nfsv2 nfs lockd sunrpc nfnetlink_queue nfnetlink bluetooth cpufreq_ondemand ipv6 ppdev gpio_ich iTCO_wdt iTCO_vendor_support hp_wmi sparse_keymap rfkill coretemp acpi_cpufreq freq_table mperf microcode parport_pc parport pcspkr serio_raw lpc_ich sg snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc i5k_amb i5000_edac edac_core shpchp tg3 ptp pps_core ext4 jbd2 mbcache sd_mod crc_t10dif sr_mod cdrom firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm hwmon i2c_alg
 o_bit i2c_core mxm_wmi video wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: rmd128] 
> CPU: 7 PID: 22196 Comm: cat Not tainted 3.10.15-rt11.4.vanilla.el6rt.x86_64 #1 
> Hardware name: Hewlett-Packard HP xw8400 Workstation/0A08h, BIOS 786D5 v02.35 11/25/2008 
> task: ffff88012544ae20 ti: ffff880124f8e000 task.ti: ffff880124f8e000 
> RIP: 0010:[<ffffffff814b7904>]  [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
> RSP: 0018:ffff880124f8fdd8  EFLAGS: 00010282 
> RAX: ffffffffa06189e0 RBX: ffffffff81cb7c80 RCX: ffff880124f8fe90 
> RDX: 00000000006ca000 RSI: 0000000000000000 RDI: ffffffff81ab2b00 
> RBP: ffff880124f8fe68 R08: ffff880124f8ff40 R09: 0000000000000000 
> R10: 0000000000008fff R11: 0000000000000246 R12: 0000000000000002 
> R13: ffffffff81aaef00 R14: 0000000000000002 R15: 00000000006ca000 
> FS:  00007fe090b5a700(0000) GS:ffff88012fdc0000(0000) knlGS:0000000000000000 
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
> CR2: ffffffffa06189f0 CR3: 0000000124e2e000 CR4: 00000000000007e0 
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 
> Stack: 
>  ffff880124f8ff40 ffff880124f8fe90 ffffffff81cb7c80 0000000000000000 
>  ffff880124f8fe08 ffffffff81216788 ffff880124f8fe28 ffffffff81059270 
>  ffff880124be5440 ffffffff81cb7c80 ffff880124f8fe48 00000000190b4935 
> Call Trace: 
>  [<ffffffff81216788>] ? security_capable+0x18/0x20 
>  [<ffffffff81059270>] ? ns_capable+0x30/0x60 
>  [<ffffffff811eb1a2>] proc_sys_call_handler+0x92/0xd0 
>  [<ffffffff811eb211>] proc_sys_read+0x11/0x20 
>  [<ffffffff81179221>] vfs_read+0xb1/0x130 
>  [<ffffffff811796bf>] SyS_read+0x5f/0xa0 
>  [<ffffffff810ca5d6>] ? __audit_syscall_exit+0x236/0x2e0 
>  [<ffffffff81567399>] system_call_fastpath+0x16/0x1b 
> Code: 78 ff ff ff 4c 89 85 70 ff ff ff e8 b7 3d 0a 00 4b 8b 84 f5 d8 07 00 00 48 8b 8d 78 ff ff ff 4c 8b 85 70 ff ff ff 48 85 c0 74 54 <48> 8b 40 10 48 89 43 08 4c 89 fa 48 89 df 31 f6 e8 d7 08 ba ff  
> RIP  [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
>  RSP <ffff880124f8fdd8> 
> CR2: ffffffffa06189f0 
> ---[ end trace cae5dc9f8f8299f7 ]--- 
> 
> 
> We added to the test suite code that reads the nf_log before and after
> the module-load test, and before we have this:
> 
> # cat /proc/sys/net/netfilter/nf_log/*
> NONE
> NONE
> NONE
> NONE
> NONE
> nfnetlink_log
> NONE
> NONE
> NONE
> NONE
> NONE
> NONE
> NONE
> 
> And after the module-load test, it crashes when reading those files.
> 

Oops, I forgot to unset the nf_loggers of net namespace when unload module nfnetlink_log.
I will send a patch, please have a try.

Thanks for your report!

[PATCH] nfnetlink_log: unset nf_loggers for net namespace when unload nfnetlink_log

[Gao feng]

Steven Rostedt and Arnaldo Carvalho de Melo reported a panic
when access the files /proc/sys/net/netfilter/nf_log/*.

This problem will occur when we do
echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/any_file
,rmmod nfnetlink_log, and then access the files.

Since the nf_loggers of netns hasn't been unset, it will point
to the memory that has been freed.

This bug is introduced by commit 9368a53c471b42a1bd99117d590ce2ccdc8dc3c2
"netfilter: nfnetlink_log: add net namespace support for nfnetlink_log"

[17261.822047] BUG: unable to handle kernel paging request at ffffffffa0d49090
[17261.822056] IP: [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[17261.822065] PGD 1c0f067 PUD 1c10063 PMD 2a8615067 PTE 0
[17261.822071] Oops: 0000 [#1] SMP
[17261.822076] Modules linked in: nfnetlink netlink_diag af_packet_diag udp_diag tcp_diag inet_diag unix_diag vhost_net vhost macvtap macvlan ipheth fuse xt_CHECKSUM tun bnep bluetooth rfkill nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw nvidia(POF) coretemp kvm_intel kvm crc32c_intel drm iTCO_wdt iTCO_vendor_support e1000e snd_hda_codec_hdmi lpc_ich ptp pps_core mfd_core mei_me mei shpchp snd_hda_codec_realtek snd_hda_intel snd_hda_cod
 ec snd_hwdep
[17261.822140]  snd_seq snd_seq_device snd_pcm serio_raw microcode i7core_edac i2c_i801 edac_core i2c_core snd_page_alloc snd_timer snd soundcore tpm_tis tpm tpm_bios acpi_cpufreq mperf uinput binfmt_misc wmi [last unloaded: nfnetlink_log]
[17261.822164] CPU: 0 PID: 28872 Comm: cat Tainted: PF          O 3.11.6-200.fc19.x86_64 #1
[17261.822167] Hardware name: LENOVO ThinkCentre M8200T/  , BIOS 5JKT51AUS 11/02/2010
[17261.822171] task: ffff880223de2620 ti: ffff880274d3e000 task.ti: ffff880274d3e000
[17261.822173] RIP: 0010:[<ffffffff8157aba0>]  [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[17261.822179] RSP: 0018:ffff880274d3fe28  EFLAGS: 00010282
[17261.822182] RAX: ffffffffa0d49080 RBX: ffffffff81fd7d60 RCX: ffff880274d3fec0
[17261.822185] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81cc1f00
[17261.822187] RBP: ffff880274d3fea0 R08: ffff880274d3ff50 R09: 0000000000000000
[17261.822190] R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000004
[17261.822192] R13: ffffffff81cbdfc0 R14: 0000000002009000 R15: ffff8802b0ed8000
[17261.822196] FS:  00007f8a9cd53740(0000) GS:ffff8802bfc00000(0000) knlGS:0000000000000000
[17261.822199] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17261.822202] CR2: ffffffffa0d49090 CR3: 00000001dae7a000 CR4: 00000000000027e0
[17261.822205] DR0: 00000000000000a0 DR1: 0000000000000000 DR2: 0000000000000003
[17261.822208] DR3: 00000000000000b0 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[17261.822209] Stack:
[17261.822211]  ffff880274d3ff50 ffff880274d3fec0 0000000074d3fe50 ffff880274d3fe50
[17261.822217]  ffffffff81297b98 ffff880274d3fe68 ffffffff8106fa09 ffffffff81fd7d60
[17261.822222]  ffff880274d3fe80 ffffffff8163d25f 0000000027c6e5aa 0000000000000000
[17261.822226] Call Trace:
[17261.822235]  [<ffffffff81297b98>] ? security_capable+0x18/0x20
[17261.822240]  [<ffffffff8106fa09>] ? ns_capable+0x29/0x50
[17261.822247]  [<ffffffff8163d25f>] ? net_ctl_permissions+0x1f/0x90
[17261.822254]  [<ffffffff81216613>] proc_sys_call_handler+0xb3/0xc0
[17261.822258]  [<ffffffff81216651>] proc_sys_read+0x11/0x20
[17261.822265]  [<ffffffff811a80de>] vfs_read+0x9e/0x170
[17261.822270]  [<ffffffff811a8c09>] SyS_read+0x49/0xa0
[17261.822276]  [<ffffffff810e6496>] ? __audit_syscall_exit+0x1f6/0x2a0
[17261.822283]  [<ffffffff81656e99>] system_call_fastpath+0x16/0x1b
[17261.822285] Code: cc 81 4d 63 e4 4c 89 45 88 48 89 4d 90 e8 19 03 0d 00 4b 8b 84 e5 28 08 00 00 48 8b 4d 90 4c 8b 45 88 48 85 c0 0f 84 a8 00 00 00 <48> 8b 40 10 48 89 43 08 48 89 df 4c 89 f2 31 f6 e8 4b 35 af ff
[17261.822329] RIP  [<ffffffff8157aba0>] nf_log_proc_dostring+0xf0/0x1d0
[17261.822334]  RSP <ffff880274d3fe28>
[17261.822336] CR2: ffffffffa0d49090
[17261.822340] ---[ end trace a14ce54c0897a90d ]---

Reported-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
---
 net/netfilter/nfnetlink_log.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3c4b69e..a155d19 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1053,6 +1053,7 @@ static void __net_exit nfnl_log_net_exit(struct net *net)
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
 #endif
+	nf_log_unset(net, &nfulnl_logger);
 }
 
 static struct pernet_operations nfnl_log_net_ops = {
-- 
1.8.3.1

Re: [BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[Steven Rostedt]

On Mon, 16 Dec 2013 14:55:50 +0800
Gao feng <gaofeng@cn.fujitsu.com> wrote:

> On 12/14/2013 11:10 PM, Steven Rostedt wrote:
> > I'm trying to trace down a bug in 3.10.15 that our -rt patch is based
> > on. It happens in our complex test environment and I'm having trouble
> > reproducing it on my box.
> > 
> > When the test suite runs nfs-connectathon (I believe from LTP), then
> > runs a module-load test (randomly loads and unloads modules), one of
> > the files in  /proc/sys/net/netfilter/nf_log/ becomes corrupted and we
> > get this crash:
> > 
> > BUG: unable to handle kernel paging request at ffffffffa06189f0 
> > IP: [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
> > PGD 1a0d067 PUD 1a0e063 PMD 127d71067 PTE 0 
> > Oops: 0000 [#1] PREEMPT SMP  
> > Modules linked in: ts_kmp nf_conntrack_ipv4 nf_defrag_ipv4 nls_koi8_u nls_cp932 rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 nfsv3 nfs_acl nfsv2 nfs lockd sunrpc nfnetlink_queue nfnetlink bluetooth cpufreq_ondemand ipv6 ppdev gpio_ich iTCO_wdt iTCO_vendor_support hp_wmi sparse_keymap rfkill coretemp acpi_cpufreq freq_table mperf microcode parport_pc parport pcspkr serio_raw lpc_ich sg snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc i5k_amb i5000_edac edac_core shpchp tg3 ptp pps_core ext4 jbd2 mbcache sd_mod crc_t10dif sr_mod cdrom firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm hwmon i2c_a
 lgo_bit i2c_core mxm_wmi video wmi dm_mirror dm_region_hash dm_log dm_mod [last unloaded: rmd128] 
> > CPU: 7 PID: 22196 Comm: cat Not tainted 3.10.15-rt11.4.vanilla.el6rt.x86_64 #1 
> > Hardware name: Hewlett-Packard HP xw8400 Workstation/0A08h, BIOS 786D5 v02.35 11/25/2008 
> > task: ffff88012544ae20 ti: ffff880124f8e000 task.ti: ffff880124f8e000 
> > RIP: 0010:[<ffffffff814b7904>]  [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
> > RSP: 0018:ffff880124f8fdd8  EFLAGS: 00010282 
> > RAX: ffffffffa06189e0 RBX: ffffffff81cb7c80 RCX: ffff880124f8fe90 
> > RDX: 00000000006ca000 RSI: 0000000000000000 RDI: ffffffff81ab2b00 
> > RBP: ffff880124f8fe68 R08: ffff880124f8ff40 R09: 0000000000000000 
> > R10: 0000000000008fff R11: 0000000000000246 R12: 0000000000000002 
> > R13: ffffffff81aaef00 R14: 0000000000000002 R15: 00000000006ca000 
> > FS:  00007fe090b5a700(0000) GS:ffff88012fdc0000(0000) knlGS:0000000000000000 
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
> > CR2: ffffffffa06189f0 CR3: 0000000124e2e000 CR4: 00000000000007e0 
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
> > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 
> > Stack: 
> >  ffff880124f8ff40 ffff880124f8fe90 ffffffff81cb7c80 0000000000000000 
> >  ffff880124f8fe08 ffffffff81216788 ffff880124f8fe28 ffffffff81059270 
> >  ffff880124be5440 ffffffff81cb7c80 ffff880124f8fe48 00000000190b4935 
> > Call Trace: 
> >  [<ffffffff81216788>] ? security_capable+0x18/0x20 
> >  [<ffffffff81059270>] ? ns_capable+0x30/0x60 
> >  [<ffffffff811eb1a2>] proc_sys_call_handler+0x92/0xd0 
> >  [<ffffffff811eb211>] proc_sys_read+0x11/0x20 
> >  [<ffffffff81179221>] vfs_read+0xb1/0x130 
> >  [<ffffffff811796bf>] SyS_read+0x5f/0xa0 
> >  [<ffffffff810ca5d6>] ? __audit_syscall_exit+0x236/0x2e0 
> >  [<ffffffff81567399>] system_call_fastpath+0x16/0x1b 
> > Code: 78 ff ff ff 4c 89 85 70 ff ff ff e8 b7 3d 0a 00 4b 8b 84 f5 d8 07 00 00 48 8b 8d 78 ff ff ff 4c 8b 85 70 ff ff ff 48 85 c0 74 54 <48> 8b 40 10 48 89 43 08 4c 89 fa 48 89 df 31 f6 e8 d7 08 ba ff  
> > RIP  [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
> >  RSP <ffff880124f8fdd8> 
> > CR2: ffffffffa06189f0 
> > ---[ end trace cae5dc9f8f8299f7 ]--- 
> > 
> > 
> > We added to the test suite code that reads the nf_log before and after
> > the module-load test, and before we have this:
> > 
> > # cat /proc/sys/net/netfilter/nf_log/*
> > NONE
> > NONE
> > NONE
> > NONE
> > NONE
> > nfnetlink_log
> > NONE
> > NONE
> > NONE
> > NONE
> > NONE
> > NONE
> > NONE
> > 
> > And after the module-load test, it crashes when reading those files.
> > 
> 
> Oops, I forgot to unset the nf_loggers of net namespace when unload module nfnetlink_log.
> I will send a patch, please have a try.

Hi Gao,

I haven't seen a patch. Was one sent?

Thanks,

-- Steve

> 
> Thanks for your report!

Re: [BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[Florian Westphal]

Steven Rostedt <rostedt@goodmis.org> wrote:
> On Mon, 16 Dec 2013 14:55:50 +0800
> Gao feng <gaofeng@cn.fujitsu.com> wrote:
> > On 12/14/2013 11:10 PM, Steven Rostedt wrote:
[..]
> > > BUG: unable to handle kernel paging request at ffffffffa06189f0 
> > > IP: [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
[..]

> > > And after the module-load test, it crashes when reading those files.
> > > 
> > 
> > Oops, I forgot to unset the nf_loggers of net namespace when unload module nfnetlink_log.
> > I will send a patch, please have a try.
> 
> Hi Gao,
> 
> I haven't seen a patch. Was one sent?

Yes, submitted to netfilter-devel, see http://patchwork.ozlabs.org/patch/301485/

Re: [BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[Steven Rostedt]

On Wed, 18 Dec 2013 22:08:17 +0100
Florian Westphal <fw@strlen.de> wrote:

> Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Mon, 16 Dec 2013 14:55:50 +0800
> > Gao feng <gaofeng@cn.fujitsu.com> wrote:
> > > On 12/14/2013 11:10 PM, Steven Rostedt wrote:
> [..]
> > > > BUG: unable to handle kernel paging request at ffffffffa06189f0 
> > > > IP: [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
> [..]
> 
> > > > And after the module-load test, it crashes when reading those files.
> > > > 
> > > 
> > > Oops, I forgot to unset the nf_loggers of net namespace when unload module nfnetlink_log.
> > > I will send a patch, please have a try.
> > 
> > Hi Gao,
> > 
> > I haven't seen a patch. Was one sent?
> 
> Yes, submitted to netfilter-devel, see http://patchwork.ozlabs.org/patch/301485/

Thanks, someone else pointed it to me on netdev list. I wasn't on the
Cc, so I missed it.

-- Steve

Re: [BUG][3.10.15] reading from /proc/sys/net/netfilter/nf_log/*

[Gao feng]

On 12/19/2013 05:11 AM, Steven Rostedt wrote:
> On Wed, 18 Dec 2013 22:08:17 +0100
> Florian Westphal <fw@strlen.de> wrote:
> 
>> Steven Rostedt <rostedt@goodmis.org> wrote:
>>> On Mon, 16 Dec 2013 14:55:50 +0800
>>> Gao feng <gaofeng@cn.fujitsu.com> wrote:
>>>> On 12/14/2013 11:10 PM, Steven Rostedt wrote:
>> [..]
>>>>> BUG: unable to handle kernel paging request at ffffffffa06189f0 
>>>>> IP: [<ffffffff814b7904>] nf_log_proc_dostring+0x94/0x1a0 
>> [..]
>>
>>>>> And after the module-load test, it crashes when reading those files.
>>>>>
>>>>
>>>> Oops, I forgot to unset the nf_loggers of net namespace when unload module nfnetlink_log.
>>>> I will send a patch, please have a try.
>>>
>>> Hi Gao,
>>>
>>> I haven't seen a patch. Was one sent?
>>
>> Yes, submitted to netfilter-devel, see http://patchwork.ozlabs.org/patch/301485/
> 
> Thanks, someone else pointed it to me on netdev list. I wasn't on the
> Cc, so I missed it.
> 

Sorry, I thought git send-mail will send the patch to the Reported-by.
but now I know, it didn't. :(

Re: [PATCH] nfnetlink_log: unset nf_loggers for net namespace when unload nfnetlink_log

[Pablo Neira Ayuso]

On Mon, Dec 16, 2013 at 02:59:22PM +0800, Gao feng wrote:
> Steven Rostedt and Arnaldo Carvalho de Melo reported a panic
> when access the files /proc/sys/net/netfilter/nf_log/*.
> 
> This problem will occur when we do
> echo nfnetlink_log > /proc/sys/net/netfilter/nf_log/any_file
> ,rmmod nfnetlink_log, and then access the files.
> 
> Since the nf_loggers of netns hasn't been unset, it will point
> to the memory that has been freed.
> 
> This bug is introduced by commit 9368a53c471b42a1bd99117d590ce2ccdc8dc3c2
> "netfilter: nfnetlink_log: add net namespace support for nfnetlink_log"

Applied, thanks.