v3.10-rc1 regression notice. (bug #818: NULL pointer dereference ipt_log_packet+0x2e/0x2b0)

v3.10-rc1 regression notice. (bug #818: NULL pointer dereference ipt_log_packet+0x2e/0x2b0)

[Ronald]

Dear netfilter developers,

Since v3.10-rc1 I get kernel panics on two entirely different
machines. They seem to be related to netfilter. I posted a bugreport
[1], but have not seen any reply.

If I did something (incredibly) wrong, please let me know. Otherwise,
sorry for my impatience.

                    Ronald

[1]: https://bugzilla.netfilter.org/show_bug.cgi?id=818

Re: v3.10-rc1 regression notice. (bug #818: NULL pointer dereference ipt_log_packet+0x2e/0x2b0)

[Hans Schillstrom]

[-- Attachment #1: Type: text/plain, Size: 1765 bytes --]



On Tue, 2013-05-14 at 19:21 +0200, Ronald wrote:
> Dear netfilter developers,
> 
> Since v3.10-rc1 I get kernel panics on two entirely different
> machines. They seem to be related to netfilter. I posted a bugreport
> [1], but have not seen any reply.

a quick look says that both net_device *in and *out is NULL
Why is another question...

static void
ipt_log_packet(u_int8_t pf,
	       unsigned int hooknum,
	       const struct sk_buff *skb,
	       const struct net_device *in,
	       const struct net_device *out,
	       const struct nf_loginfo *loginfo,
	       const char *prefix)
{
	struct sbuff *m;
	struct net *net = dev_net(in ? in : out);
   0x00000d23 <+35>:    test   %edi,%edi
   0x00000d25 <+37>:    mov    %edi,%eax
   0x00000d27 <+39>:    mov    0x44(%esp),%ebx
   0x00000d2b <+43>:    cmove  %ebp,%eax

	/* FIXME: Disabled from containers until syslog ns is supported */
	if (!net_eq(net, &init_net))
Here is the crash.
-> 0x00000d2e <+46>:    cmpl   $0x0,0x20c(%eax)
   0x00000d38 <+56>:    je     0xd50 <ipt_log_packet+80>
   0x00000d3a <+58>:    mov    0x28(%esp),%ebx
   0x00000d3e <+62>:    mov    0x2c(%esp),%esi
   0x00000d42 <+66>:    mov    0x30(%esp),%edi
   0x00000d46 <+70>:    mov    0x34(%esp),%ebp
   0x00000d4a <+74>:    add    $0x38,%esp
   0x00000d4d <+77>:    ret    


> If I did something (incredibly) wrong, please let me know. Otherwise,
> sorry for my impatience.
> 
>                     Ronald
> 
> [1]: https://bugzilla.netfilter.org/show_bug.cgi?id=818
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 6177 bytes --]

Re: v3.10-rc1 regression notice. (bug #818: NULL pointer dereference ipt_log_packet+0x2e/0x2b0)

[Florian Westphal]

Hans Schillstrom <hans@schillstrom.com> wrote:
> > Since v3.10-rc1 I get kernel panics on two entirely different
> > machines. They seem to be related to netfilter. I posted a bugreport
> > [1], but have not seen any reply.
> 
> a quick look says that both net_device *in and *out is NULL
> Why is another question...

Yes.  Bug added in commit 69b34fb996b2eee3970548cf6eb516d3ecb5eeed
(netfilter: xt_LOG: add net namespace support for xt_LOG)

The oops trace shows we're being invoked from conntrack and not the
ruleset.  Both in and out are NULL in this case.