* kernel stack trace using conntrack
@ 2010-02-16 9:11 Ramblewski David
2010-02-16 9:51 ` Eric Dumazet
0 siblings, 1 reply; 16+ messages in thread
From: Ramblewski David @ 2010-02-16 9:11 UTC (permalink / raw)
To: netfilter-devel@vger.kernel.org
Hi all,
This issue has not yet been answered. Does anyone know something about it?
We are using netfilter conntrack product on our production sites. The main goal is to deploy it to hundreds of servers but we are actually waiting for your feedback.
If anyone can help...
Thanks in advance,
David
-----Message d'origine-----
De : Ramblewski David
Envoyé : jeudi 11 février 2010 14:19
À : 'netfilter-devel@vger.kernel.org'
Objet : kernel stack trace using conntrack
Hi Guys,
I'm actually facing an issue using conntrack tools :
The following command:
conntrack -I conntrack -p udp --orig-src 10.24.230.103 --orig-dst 10.24.230.103 --reply-src 10.24.230.103 --reply-dst 10.24.230.103 --orig-port-src 20000 --orig-port-dst 20000 --reply-port-src 20000 --reply-port-dst 20000 -u ASSURED -t 10
make a kernel call trace:
Feb 11 10:01:46 obench03s kernel: WARNING: at net/netfilter/nf_conntrack_extend.c:82 __nf_ct_ext_add+0x25/0x1ef [nf_conntrack]()
Feb 11 10:01:46 obench03s kernel: Hardware name: ProLiant DL380 G5
Feb 11 10:01:46 obench03s kernel: Modules linked in: nf_conntrack_netlink nf_conntrack usbhid hpilo hpwdt bnx2 ipmi_si ipmi_msghandler rtc_cmos rtc_core rtc_lib ehci_hcd uhci_hcd usbcore dm_mod [last unloaded: ipmi_devintf]
Feb 11 10:01:46 obench03s kernel: Pid: 3786, comm: conntrack Tainted: G W 2.6.32.8 #1
Feb 11 10:01:46 obench03s kernel: Call Trace:
Feb 11 10:01:46 obench03s kernel: [<c10375b2>] warn_slowpath_common+0x60/0x77
Feb 11 10:01:46 obench03s kernel: [<c10375d6>] warn_slowpath_null+0xd/0x10
Feb 11 10:01:46 obench03s kernel: [<f805bb8e>] __nf_ct_ext_add+0x25/0x1ef [nf_conntrack]
Feb 11 10:01:46 obench03s kernel: [<f80227ff>] ctnetlink_new_conntrack+0x283/0x5ac [nf_conntrack_netlink]
Feb 11 10:01:46 obench03s kernel: [<c102a3dd>] ? __wake_up+0x31/0x3b
Feb 11 10:01:46 obench03s kernel: [<c1125bcb>] ? jbd_free_handle+0xf/0x11
Feb 11 10:01:46 obench03s kernel: [<c102105d>] ? default_spin_lock_flags+0x8/0xb
Feb 11 10:01:46 obench03s kernel: [<c1451ede>] ? _spin_lock_irqsave+0x2b/0x34
Feb 11 10:01:46 obench03s kernel: [<c139cefe>] nfnetlink_rcv_msg+0xef/0x115
Feb 11 10:01:46 obench03s kernel: [<c11e1284>] ? security_netlink_recv+0xf/0x11
Feb 11 10:01:46 obench03s kernel: [<c139ce5e>] ? nfnetlink_rcv_msg+0x4f/0x115
Feb 11 10:01:46 obench03s kernel: [<c139ce0f>] ? nfnetlink_rcv_msg+0x0/0x115
Feb 11 10:01:46 obench03s kernel: [<c1399962>] netlink_rcv_skb+0x30/0x75
Feb 11 10:01:46 obench03s kernel: [<c139ce07>] nfnetlink_rcv+0x17/0x1f
Feb 11 10:01:46 obench03s kernel: [<c139980b>] netlink_unicast+0xd2/0x127
Feb 11 10:01:46 obench03s kernel: [<c139a90b>] netlink_sendmsg+0x219/0x226
Feb 11 10:01:47 obench03s kernel: [<c137d9cc>] __sock_sendmsg+0x45/0x4e
Feb 11 10:01:47 obench03s kernel: [<c137e116>] sock_sendmsg+0xb8/0xce
Feb 11 10:01:47 obench03s kernel: [<c104778f>] ? autoremove_wake_function+0x0/0x33
Feb 11 10:01:47 obench03s kernel: [<c1027851>] ? kunmap_atomic+0x4f/0x6a
Feb 11 10:01:47 obench03s kernel: [<c1027986>] ? kmap_atomic+0x14/0x16
Feb 11 10:01:47 obench03s kernel: [<c107e511>] ? get_page_from_freelist+0x33d/0x3c6
Feb 11 10:01:47 obench03s kernel: [<c1204eb3>] ? __copy_from_user_ll+0x11/0xce
Feb 11 10:01:47 obench03s kernel: [<c137e9ec>] ? move_addr_to_kernel+0x39/0x41
Feb 11 10:01:47 obench03s kernel: [<c137ea98>] sys_sendto+0xa4/0xc0
Feb 11 10:01:47 obench03s kernel: [<c107a706>] ? unlock_page+0xe/0x10
Feb 11 10:01:47 obench03s kernel: [<c108acdd>] ? __do_fault+0x310/0x343
Feb 11 10:01:47 obench03s kernel: [<c108c634>] ? handle_mm_fault+0x317/0x73c
Feb 11 10:01:47 obench03s kernel: [<c137f1ba>] sys_socketcall+0xec/0x18e
Feb 11 10:01:47 obench03s kernel: [<c100874c>] sysenter_do_call+0x12/0x28
I'm using these tools:
libnfnetlink-1.0.0
libnetfilter_conntrack-0.0.101
conntrack-tools-0.9.14
Thanks for your feedback.
David
Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 16+ messages in thread* Re: kernel stack trace using conntrack 2010-02-16 9:11 kernel stack trace using conntrack Ramblewski David @ 2010-02-16 9:51 ` Eric Dumazet 2010-02-16 10:25 ` Ramblewski David 0 siblings, 1 reply; 16+ messages in thread From: Eric Dumazet @ 2010-02-16 9:51 UTC (permalink / raw) To: Ramblewski David; +Cc: netfilter-devel@vger.kernel.org Le mardi 16 février 2010 à 10:11 +0100, Ramblewski David a écrit : > Hi all, > > This issue has not yet been answered. Does anyone know something about it? > We are using netfilter conntrack product on our production sites. The main goal is to deploy it to hundreds of servers but we are actually waiting for your feedback. > > If anyone can help... > Please post "lsmod" output, because I cannot reproduce the problem here. It is probably dependent on your netfilter config. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: kernel stack trace using conntrack 2010-02-16 9:51 ` Eric Dumazet @ 2010-02-16 10:25 ` Ramblewski David 2010-02-16 11:15 ` Eric Dumazet 0 siblings, 1 reply; 16+ messages in thread From: Ramblewski David @ 2010-02-16 10:25 UTC (permalink / raw) To: Eric Dumazet; +Cc: netfilter-devel@vger.kernel.org Here it is: [root@obench03s ~]# uname -a Linux obench03s 2.6.32.8 #1 SMP PREEMPT Wed Feb 10 17:32:16 CET 2010 i686 i686 i386 GNU/Linux [root@obench03s ~]# lsmod Module Size Used by nf_conntrack_netlink 9810 0 nf_conntrack 50283 1 nf_conntrack_netlink bonding 69153 0 usbhid 14557 0 ipmi_si 29902 0 rtc_cmos 7175 0 bnx2 53497 0 hpwdt 5548 0 rtc_core 11461 1 rtc_cmos rtc_lib 2022 1 rtc_core hpilo 6051 0 ipmi_msghandler 27670 1 ipmi_si ehci_hcd 27584 0 uhci_hcd 16357 0 usbcore 120714 4 usbhid,ehci_hcd,uhci_hcd dm_mod 49320 0 [root@obench03s ~]# [root@obench03s ~]# iptables --version iptables v1.4.0 [root@obench03s ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@obench03s ~]# iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination [root@obench03s ~]# conntrack -L udp 17 27 src=10.24.230.151 dst=10.26.103.28 sport=510 dport=516 packets=5 bytes=295 [UNREPLIED] src=10.26.103.28 dst=10.24.230.151 sport=516 dport=510 packets=0 bytes=0 mark=0 secmark=0 use=2 tcp 6 299 ESTABLISHED src=10.26.103.28 dst=10.28.64.65 sport=22 dport=53497 packets=89 bytes=8628 src=10.28.64.65 dst=10.26.103.28 sport=53497 dport=22 packets=127 bytes=10396 [ASSURED] mark=0 secmark=0 use=2 udp 17 21 src=127.0.0.1 dst=127.0.0.1 sport=32070 dport=161 packets=6 bytes=492 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=161 dport=32070 packets=0 bytes=0 mark=0 secmark=0 use=2 conntrack v0.9.14 (conntrack-tools): 3 flow entries have been shown. [root@obench03s ~]# David -----Message d'origine----- De : Eric Dumazet [mailto:eric.dumazet@gmail.com] Envoyé : mardi 16 février 2010 10:51 À : Ramblewski David Cc : netfilter-devel@vger.kernel.org Objet : Re: kernel stack trace using conntrack Le mardi 16 février 2010 à 10:11 +0100, Ramblewski David a écrit : > Hi all, > > This issue has not yet been answered. Does anyone know something about it? > We are using netfilter conntrack product on our production sites. The main goal is to deploy it to hundreds of servers but we are actually waiting for your feedback. > > If anyone can help... > Please post "lsmod" output, because I cannot reproduce the problem here. It is probably dependent on your netfilter config. Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: kernel stack trace using conntrack 2010-02-16 10:25 ` Ramblewski David @ 2010-02-16 11:15 ` Eric Dumazet 2010-02-16 13:33 ` Pablo Neira Ayuso 0 siblings, 1 reply; 16+ messages in thread From: Eric Dumazet @ 2010-02-16 11:15 UTC (permalink / raw) To: Ramblewski David; +Cc: netfilter-devel@vger.kernel.org, netdev Le mardi 16 février 2010 à 11:25 +0100, Ramblewski David a écrit : > Here it is: > > [root@obench03s ~]# uname -a > Linux obench03s 2.6.32.8 #1 SMP PREEMPT Wed Feb 10 17:32:16 CET 2010 i686 i686 i386 GNU/Linux > > [root@obench03s ~]# lsmod > Module Size Used by > nf_conntrack_netlink 9810 0 > nf_conntrack 50283 1 nf_conntrack_netlink > bonding 69153 0 > usbhid 14557 0 > ipmi_si 29902 0 > rtc_cmos 7175 0 > bnx2 53497 0 > hpwdt 5548 0 > rtc_core 11461 1 rtc_cmos > rtc_lib 2022 1 rtc_core > hpilo 6051 0 > ipmi_msghandler 27670 1 ipmi_si > ehci_hcd 27584 0 > uhci_hcd 16357 0 > usbcore 120714 4 usbhid,ehci_hcd,uhci_hcd > dm_mod 49320 0 > [root@obench03s ~]# > > > [root@obench03s ~]# iptables --version > iptables v1.4.0 > [root@obench03s ~]# iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > [root@obench03s ~]# iptables -L -t nat > Chain PREROUTING (policy ACCEPT) > target prot opt source destination > > Chain POSTROUTING (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > [root@obench03s ~]# conntrack -L > udp 17 27 src=10.24.230.151 dst=10.26.103.28 sport=510 dport=516 packets=5 bytes=295 [UNREPLIED] src=10.26.103.28 dst=10.24.230.151 sport=516 dport=510 packets=0 bytes=0 mark=0 secmark=0 use=2 > tcp 6 299 ESTABLISHED src=10.26.103.28 dst=10.28.64.65 sport=22 dport=53497 packets=89 bytes=8628 src=10.28.64.65 dst=10.26.103.28 sport=53497 dport=22 packets=127 bytes=10396 [ASSURED] mark=0 secmark=0 use=2 > udp 17 21 src=127.0.0.1 dst=127.0.0.1 sport=32070 dport=161 packets=6 bytes=492 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=161 dport=32070 packets=0 bytes=0 mark=0 secmark=0 use=2 > conntrack v0.9.14 (conntrack-tools): 3 flow entries have been shown. > [root@obench03s ~]# > > David OK thanks David, I reproduced the problem on latest net-next-2.6 tree too. I wonder why nobody hit this before. [352468.556484] ------------[ cut here ]------------ [352468.556511] WARNING: at net/netfilter/nf_conntrack_extend.c:82 __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack]() [352468.556559] Hardware name: ProLiant BL460c G1 [352468.556582] Modules linked in: nf_defrag_ipv4 nf_conntrack_netlink nf_conntrack sch_hfsc sch_sfq ipmi_devintf ipmi_si ipmi_msghandler hpilo bonding [last unloaded: nf_conntrack_ipv4] [352468.556675] Pid: 18852, comm: conntrack Tainted: G W 2.6.33-rc5-02754-g0ea034c-dirty #545 [352468.556721] Call Trace: [352468.556742] [<c054d45f>] ? printk+0x1d/0x26 [352468.556767] [<c023bbc2>] warn_slowpath_common+0x72/0xa0 [352468.556795] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack] [352468.556825] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack] [352468.556854] [<c023bc0a>] warn_slowpath_null+0x1a/0x20 [352468.556882] [<fee75e42>] __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack] [352468.556911] [<fee70dcc>] ? nf_conntrack_alloc+0x10c/0x1a0 [nf_conntrack] [352468.556940] [<feecaf59>] ctnetlink_create_conntrack+0x339/0x360 [nf_conntrack_netlink] [352468.556987] [<feeca26b>] ? ctnetlink_parse_tuple+0x14b/0x1c0 [nf_conntrack_netlink] [352468.557039] [<fee6fd60>] ? __nf_conntrack_find+0x70/0x100 [nf_conntrack] [352468.557068] [<feecb090>] ctnetlink_new_conntrack+0x110/0x680 [nf_conntrack_netlink] [352468.557113] [<c04d93b5>] nfnetlink_rcv_msg+0x125/0x180 [352468.557140] [<c054ec57>] ? __mutex_lock_slowpath+0x197/0x230 [352468.557167] [<c04d9290>] ? nfnetlink_rcv_msg+0x0/0x180 [352468.557194] [<c04d5896>] netlink_rcv_skb+0x96/0xc0 [352468.557219] [<c04d927c>] nfnetlink_rcv+0x1c/0x30 [352468.557245] [<c04d5545>] netlink_unicast+0x255/0x2a0 [352468.557274] [<c04d5d3f>] netlink_sendmsg+0x1af/0x2b0 [352468.557300] [<c04a86ec>] sock_sendmsg+0xac/0xe0 [352468.559358] [<c029d042>] ? find_get_page+0x22/0xd0 [352468.559385] [<c029d9dc>] ? filemap_fault+0x8c/0x3c0 [352468.559410] [<c04a905a>] sys_sendto+0xaa/0xd0 [352468.559436] [<c02b3780>] ? __do_fault+0x370/0x470 [352468.559462] [<c02b54d9>] ? handle_mm_fault+0x1d9/0x7d0 [352468.559488] [<c04aa245>] sys_socketcall+0x195/0x280 [352468.559514] [<c0202c50>] sysenter_do_call+0x12/0x26 [352468.559539] ---[ end trace 6ecb842e4e35a653 ]--- Could you try following patch ? Thanks diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 0ffe689..d2657aa 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); d = ct->status ^ status; - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) + if (d & (IPS_EXPECTED|IPS_DYING)) /* unchangeable */ return -EBUSY; @@ -938,7 +938,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) /* Be careful here, modifying NAT bits can screw up things, * so don't let users modify them directly if they don't pass * nf_nat_range. */ - ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK); + ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK | IPS_CONFIRMED); return 0; } @@ -1193,7 +1193,6 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); ct->timeout.expires = jiffies + ct->timeout.expires * HZ; - ct->status |= IPS_CONFIRMED; rcu_read_lock(); if (cda[CTA_HELP]) { @@ -1296,6 +1295,7 @@ ctnetlink_create_conntrack(const struct nlattr * const cda[], } add_timer(&ct->timeout); + ct->status |= IPS_CONFIRMED; nf_conntrack_hash_insert(ct); rcu_read_unlock(); -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-16 11:15 ` Eric Dumazet @ 2010-02-16 13:33 ` Pablo Neira Ayuso 2010-02-16 13:45 ` Eric Dumazet 0 siblings, 1 reply; 16+ messages in thread From: Pablo Neira Ayuso @ 2010-02-16 13:33 UTC (permalink / raw) To: Eric Dumazet; +Cc: Ramblewski David, netfilter-devel@vger.kernel.org, netdev Eric Dumazet wrote: > OK thanks David, I reproduced the problem on latest net-next-2.6 tree > too. I wonder why nobody hit this before. Hmm, my config had not NETFILTER_DEBUG enabled, that's why I didn't hit that assertion. > [352468.556484] ------------[ cut here ]------------ > [352468.556511] WARNING: at net/netfilter/nf_conntrack_extend.c:82 > __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack]() > [352468.556559] Hardware name: ProLiant BL460c G1 > [352468.556582] Modules linked in: nf_defrag_ipv4 nf_conntrack_netlink > nf_conntrack sch_hfsc sch_sfq ipmi_devintf ipmi_si ipmi_msghandler hpilo > bonding [last unloaded: nf_conntrack_ipv4] > [352468.556675] Pid: 18852, comm: conntrack Tainted: G W > 2.6.33-rc5-02754-g0ea034c-dirty #545 > [352468.556721] Call Trace: > [352468.556742] [<c054d45f>] ? printk+0x1d/0x26 > [352468.556767] [<c023bbc2>] warn_slowpath_common+0x72/0xa0 > [352468.556795] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 > [nf_conntrack] > [352468.556825] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 > [nf_conntrack] > [352468.556854] [<c023bc0a>] warn_slowpath_null+0x1a/0x20 > [352468.556882] [<fee75e42>] __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack] > [352468.556911] [<fee70dcc>] ? nf_conntrack_alloc+0x10c/0x1a0 > [nf_conntrack] > [352468.556940] [<feecaf59>] ctnetlink_create_conntrack+0x339/0x360 > [nf_conntrack_netlink] > [352468.556987] [<feeca26b>] ? ctnetlink_parse_tuple+0x14b/0x1c0 > [nf_conntrack_netlink] > [352468.557039] [<fee6fd60>] ? __nf_conntrack_find+0x70/0x100 > [nf_conntrack] > [352468.557068] [<feecb090>] ctnetlink_new_conntrack+0x110/0x680 > [nf_conntrack_netlink] > [352468.557113] [<c04d93b5>] nfnetlink_rcv_msg+0x125/0x180 > [352468.557140] [<c054ec57>] ? __mutex_lock_slowpath+0x197/0x230 > [352468.557167] [<c04d9290>] ? nfnetlink_rcv_msg+0x0/0x180 > [352468.557194] [<c04d5896>] netlink_rcv_skb+0x96/0xc0 > [352468.557219] [<c04d927c>] nfnetlink_rcv+0x1c/0x30 > [352468.557245] [<c04d5545>] netlink_unicast+0x255/0x2a0 > [352468.557274] [<c04d5d3f>] netlink_sendmsg+0x1af/0x2b0 > [352468.557300] [<c04a86ec>] sock_sendmsg+0xac/0xe0 > [352468.559358] [<c029d042>] ? find_get_page+0x22/0xd0 > [352468.559385] [<c029d9dc>] ? filemap_fault+0x8c/0x3c0 > [352468.559410] [<c04a905a>] sys_sendto+0xaa/0xd0 > [352468.559436] [<c02b3780>] ? __do_fault+0x370/0x470 > [352468.559462] [<c02b54d9>] ? handle_mm_fault+0x1d9/0x7d0 > [352468.559488] [<c04aa245>] sys_socketcall+0x195/0x280 > [352468.559514] [<c0202c50>] sysenter_do_call+0x12/0x26 > [352468.559539] ---[ end trace 6ecb842e4e35a653 ]--- > > Could you try following patch ? > > Thanks > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > index 0ffe689..d2657aa 100644 > --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) > unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); > d = ct->status ^ status; > > - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) > + if (d & (IPS_EXPECTED|IPS_DYING)) > /* unchangeable */ > return -EBUSY; I think that we should explicitly report if the user unsets IPS_CONFIRMED. Please, don't change this. Apart from that, the patch seems fine to me. Thanks! ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-16 13:33 ` Pablo Neira Ayuso @ 2010-02-16 13:45 ` Eric Dumazet 2010-02-18 9:37 ` Ramblewski David 0 siblings, 1 reply; 16+ messages in thread From: Eric Dumazet @ 2010-02-16 13:45 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Ramblewski David, netfilter-devel@vger.kernel.org, netdev Le mardi 16 février 2010 à 14:33 +0100, Pablo Neira Ayuso a écrit : > Eric Dumazet wrote: > > OK thanks David, I reproduced the problem on latest net-next-2.6 tree > > too. I wonder why nobody hit this before. > > Hmm, my config had not NETFILTER_DEBUG enabled, that's why I didn't hit > that assertion. > > > [352468.556484] ------------[ cut here ]------------ > > [352468.556511] WARNING: at net/netfilter/nf_conntrack_extend.c:82 > > __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack]() > > [352468.556559] Hardware name: ProLiant BL460c G1 > > [352468.556582] Modules linked in: nf_defrag_ipv4 nf_conntrack_netlink > > nf_conntrack sch_hfsc sch_sfq ipmi_devintf ipmi_si ipmi_msghandler hpilo > > bonding [last unloaded: nf_conntrack_ipv4] > > [352468.556675] Pid: 18852, comm: conntrack Tainted: G W > > 2.6.33-rc5-02754-g0ea034c-dirty #545 > > [352468.556721] Call Trace: > > [352468.556742] [<c054d45f>] ? printk+0x1d/0x26 > > [352468.556767] [<c023bbc2>] warn_slowpath_common+0x72/0xa0 > > [352468.556795] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 > > [nf_conntrack] > > [352468.556825] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 > > [nf_conntrack] > > [352468.556854] [<c023bc0a>] warn_slowpath_null+0x1a/0x20 > > [352468.556882] [<fee75e42>] __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack] > > [352468.556911] [<fee70dcc>] ? nf_conntrack_alloc+0x10c/0x1a0 > > [nf_conntrack] > > [352468.556940] [<feecaf59>] ctnetlink_create_conntrack+0x339/0x360 > > [nf_conntrack_netlink] > > [352468.556987] [<feeca26b>] ? ctnetlink_parse_tuple+0x14b/0x1c0 > > [nf_conntrack_netlink] > > [352468.557039] [<fee6fd60>] ? __nf_conntrack_find+0x70/0x100 > > [nf_conntrack] > > [352468.557068] [<feecb090>] ctnetlink_new_conntrack+0x110/0x680 > > [nf_conntrack_netlink] > > [352468.557113] [<c04d93b5>] nfnetlink_rcv_msg+0x125/0x180 > > [352468.557140] [<c054ec57>] ? __mutex_lock_slowpath+0x197/0x230 > > [352468.557167] [<c04d9290>] ? nfnetlink_rcv_msg+0x0/0x180 > > [352468.557194] [<c04d5896>] netlink_rcv_skb+0x96/0xc0 > > [352468.557219] [<c04d927c>] nfnetlink_rcv+0x1c/0x30 > > [352468.557245] [<c04d5545>] netlink_unicast+0x255/0x2a0 > > [352468.557274] [<c04d5d3f>] netlink_sendmsg+0x1af/0x2b0 > > [352468.557300] [<c04a86ec>] sock_sendmsg+0xac/0xe0 > > [352468.559358] [<c029d042>] ? find_get_page+0x22/0xd0 > > [352468.559385] [<c029d9dc>] ? filemap_fault+0x8c/0x3c0 > > [352468.559410] [<c04a905a>] sys_sendto+0xaa/0xd0 > > [352468.559436] [<c02b3780>] ? __do_fault+0x370/0x470 > > [352468.559462] [<c02b54d9>] ? handle_mm_fault+0x1d9/0x7d0 > > [352468.559488] [<c04aa245>] sys_socketcall+0x195/0x280 > > [352468.559514] [<c0202c50>] sysenter_do_call+0x12/0x26 > > [352468.559539] ---[ end trace 6ecb842e4e35a653 ]--- > > > > Could you try following patch ? > > > > Thanks > > > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > > index 0ffe689..d2657aa 100644 > > --- a/net/netfilter/nf_conntrack_netlink.c > > +++ b/net/netfilter/nf_conntrack_netlink.c > > @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) > > unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); > > d = ct->status ^ status; > > > > - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) > > + if (d & (IPS_EXPECTED|IPS_DYING)) > > /* unchangeable */ > > return -EBUSY; > > I think that we should explicitly report if the user unsets > IPS_CONFIRMED. Please, don't change this. > > Apart from that, the patch seems fine to me. Thanks! Problem is we now (I mean after my patch) enter ctnetlink_change_status() with ct->status being null (or at least, IPS_CONFIRMED not set) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: kernel stack trace using conntrack 2010-02-16 13:45 ` Eric Dumazet @ 2010-02-18 9:37 ` Ramblewski David 2010-02-18 10:34 ` Patrick McHardy 0 siblings, 1 reply; 16+ messages in thread From: Ramblewski David @ 2010-02-18 9:37 UTC (permalink / raw) To: Eric Dumazet, Pablo Neira Ayuso; +Cc: netfilter-devel@vger.kernel.org, netdev Hi Eric, The conntrack patch works successfully. Thanks for your help! David -----Message d'origine----- De : Eric Dumazet [mailto:eric.dumazet@gmail.com] Envoyé : mardi 16 février 2010 14:45 À : Pablo Neira Ayuso Cc : Ramblewski David; netfilter-devel@vger.kernel.org; netdev Objet : Re: kernel stack trace using conntrack Le mardi 16 février 2010 à 14:33 +0100, Pablo Neira Ayuso a écrit : > Eric Dumazet wrote: > > OK thanks David, I reproduced the problem on latest net-next-2.6 tree > > too. I wonder why nobody hit this before. > > Hmm, my config had not NETFILTER_DEBUG enabled, that's why I didn't hit > that assertion. > > > [352468.556484] ------------[ cut here ]------------ > > [352468.556511] WARNING: at net/netfilter/nf_conntrack_extend.c:82 > > __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack]() > > [352468.556559] Hardware name: ProLiant BL460c G1 > > [352468.556582] Modules linked in: nf_defrag_ipv4 nf_conntrack_netlink > > nf_conntrack sch_hfsc sch_sfq ipmi_devintf ipmi_si ipmi_msghandler hpilo > > bonding [last unloaded: nf_conntrack_ipv4] > > [352468.556675] Pid: 18852, comm: conntrack Tainted: G W > > 2.6.33-rc5-02754-g0ea034c-dirty #545 > > [352468.556721] Call Trace: > > [352468.556742] [<c054d45f>] ? printk+0x1d/0x26 > > [352468.556767] [<c023bbc2>] warn_slowpath_common+0x72/0xa0 > > [352468.556795] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 > > [nf_conntrack] > > [352468.556825] [<fee75e42>] ? __nf_ct_ext_add+0x1c2/0x1e0 > > [nf_conntrack] > > [352468.556854] [<c023bc0a>] warn_slowpath_null+0x1a/0x20 > > [352468.556882] [<fee75e42>] __nf_ct_ext_add+0x1c2/0x1e0 [nf_conntrack] > > [352468.556911] [<fee70dcc>] ? nf_conntrack_alloc+0x10c/0x1a0 > > [nf_conntrack] > > [352468.556940] [<feecaf59>] ctnetlink_create_conntrack+0x339/0x360 > > [nf_conntrack_netlink] > > [352468.556987] [<feeca26b>] ? ctnetlink_parse_tuple+0x14b/0x1c0 > > [nf_conntrack_netlink] > > [352468.557039] [<fee6fd60>] ? __nf_conntrack_find+0x70/0x100 > > [nf_conntrack] > > [352468.557068] [<feecb090>] ctnetlink_new_conntrack+0x110/0x680 > > [nf_conntrack_netlink] > > [352468.557113] [<c04d93b5>] nfnetlink_rcv_msg+0x125/0x180 > > [352468.557140] [<c054ec57>] ? __mutex_lock_slowpath+0x197/0x230 > > [352468.557167] [<c04d9290>] ? nfnetlink_rcv_msg+0x0/0x180 > > [352468.557194] [<c04d5896>] netlink_rcv_skb+0x96/0xc0 > > [352468.557219] [<c04d927c>] nfnetlink_rcv+0x1c/0x30 > > [352468.557245] [<c04d5545>] netlink_unicast+0x255/0x2a0 > > [352468.557274] [<c04d5d3f>] netlink_sendmsg+0x1af/0x2b0 > > [352468.557300] [<c04a86ec>] sock_sendmsg+0xac/0xe0 > > [352468.559358] [<c029d042>] ? find_get_page+0x22/0xd0 > > [352468.559385] [<c029d9dc>] ? filemap_fault+0x8c/0x3c0 > > [352468.559410] [<c04a905a>] sys_sendto+0xaa/0xd0 > > [352468.559436] [<c02b3780>] ? __do_fault+0x370/0x470 > > [352468.559462] [<c02b54d9>] ? handle_mm_fault+0x1d9/0x7d0 > > [352468.559488] [<c04aa245>] sys_socketcall+0x195/0x280 > > [352468.559514] [<c0202c50>] sysenter_do_call+0x12/0x26 > > [352468.559539] ---[ end trace 6ecb842e4e35a653 ]--- > > > > Could you try following patch ? > > > > Thanks > > > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c > > index 0ffe689..d2657aa 100644 > > --- a/net/netfilter/nf_conntrack_netlink.c > > +++ b/net/netfilter/nf_conntrack_netlink.c > > @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) > > unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); > > d = ct->status ^ status; > > > > - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) > > + if (d & (IPS_EXPECTED|IPS_DYING)) > > /* unchangeable */ > > return -EBUSY; > > I think that we should explicitly report if the user unsets > IPS_CONFIRMED. Please, don't change this. > > Apart from that, the patch seems fine to me. Thanks! Problem is we now (I mean after my patch) enter ctnetlink_change_status() with ct->status being null (or at least, IPS_CONFIRMED not set) Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-18 9:37 ` Ramblewski David @ 2010-02-18 10:34 ` Patrick McHardy 2010-02-18 11:02 ` Pablo Neira Ayuso 0 siblings, 1 reply; 16+ messages in thread From: Patrick McHardy @ 2010-02-18 10:34 UTC (permalink / raw) To: Ramblewski David Cc: Eric Dumazet, Pablo Neira Ayuso, netfilter-devel@vger.kernel.org, netdev Ramblewski David wrote: > Hi Eric, > > The conntrack patch works successfully. > >>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c >>> index 0ffe689..d2657aa 100644 >>> --- a/net/netfilter/nf_conntrack_netlink.c >>> +++ b/net/netfilter/nf_conntrack_netlink.c >>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) >>> unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); >>> d = ct->status ^ status; >>> >>> - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) >>> + if (d & (IPS_EXPECTED|IPS_DYING)) >>> /* unchangeable */ >>> return -EBUSY; >> I think that we should explicitly report if the user unsets >> IPS_CONFIRMED. Please, don't change this. >> >> Apart from that, the patch seems fine to me. Thanks! > > Problem is we now (I mean after my patch) enter > ctnetlink_change_status() with ct->status being null (or at least, > IPS_CONFIRMED not set) Pablo, please let me know whether you want me to apply this. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-18 10:34 ` Patrick McHardy @ 2010-02-18 11:02 ` Pablo Neira Ayuso 2010-02-18 11:15 ` Patrick McHardy 0 siblings, 1 reply; 16+ messages in thread From: Pablo Neira Ayuso @ 2010-02-18 11:02 UTC (permalink / raw) To: Patrick McHardy Cc: Ramblewski David, Eric Dumazet, netfilter-devel@vger.kernel.org, netdev Patrick McHardy wrote: > Ramblewski David wrote: >> Hi Eric, >> >> The conntrack patch works successfully. >> >>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c >>>> index 0ffe689..d2657aa 100644 >>>> --- a/net/netfilter/nf_conntrack_netlink.c >>>> +++ b/net/netfilter/nf_conntrack_netlink.c >>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) >>>> unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); >>>> d = ct->status ^ status; >>>> >>>> - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) >>>> + if (d & (IPS_EXPECTED|IPS_DYING)) >>>> /* unchangeable */ >>>> return -EBUSY; >>> I think that we should explicitly report if the user unsets >>> IPS_CONFIRMED. Please, don't change this. >>> >>> Apart from that, the patch seems fine to me. Thanks! >> Problem is we now (I mean after my patch) enter >> ctnetlink_change_status() with ct->status being null (or at least, >> IPS_CONFIRMED not set) > > Pablo, please let me know whether you want me to apply this. ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that are confirmed (in case of a helper update for an existing conntrack). That would also trigger the assertion. If we want to support helper assignation via ctnetlink for existing conntracks, we will need to add locking to the conntrack extension infrastructure to avoid races. I don't see a clear solution for this yet. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-18 11:02 ` Pablo Neira Ayuso @ 2010-02-18 11:15 ` Patrick McHardy 2010-02-18 12:18 ` Pablo Neira Ayuso 0 siblings, 1 reply; 16+ messages in thread From: Patrick McHardy @ 2010-02-18 11:15 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Ramblewski David, Eric Dumazet, netfilter-devel@vger.kernel.org, netdev Pablo Neira Ayuso wrote: > Patrick McHardy wrote: >> Ramblewski David wrote: >>> Hi Eric, >>> >>> The conntrack patch works successfully. >>> >>>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c >>>>> index 0ffe689..d2657aa 100644 >>>>> --- a/net/netfilter/nf_conntrack_netlink.c >>>>> +++ b/net/netfilter/nf_conntrack_netlink.c >>>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) >>>>> unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); >>>>> d = ct->status ^ status; >>>>> >>>>> - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) >>>>> + if (d & (IPS_EXPECTED|IPS_DYING)) >>>>> /* unchangeable */ >>>>> return -EBUSY; >>>> I think that we should explicitly report if the user unsets >>>> IPS_CONFIRMED. Please, don't change this. >>>> >>>> Apart from that, the patch seems fine to me. Thanks! >>> Problem is we now (I mean after my patch) enter >>> ctnetlink_change_status() with ct->status being null (or at least, >>> IPS_CONFIRMED not set) >> Pablo, please let me know whether you want me to apply this. > > ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that > are confirmed (in case of a helper update for an existing conntrack). > That would also trigger the assertion. If we want to support helper > assignation via ctnetlink for existing conntracks, we will need to add > locking to the conntrack extension infrastructure to avoid races. > > I don't see a clear solution for this yet. I see, this is indeed a problem. Since the helper is known at the first event, we could restrict this to only allow manual assignment for newly created conntracks. Most helpers probably can't properly cope with connections not seen from the beginning anyways. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-18 11:15 ` Patrick McHardy @ 2010-02-18 12:18 ` Pablo Neira Ayuso 2010-02-18 12:19 ` Patrick McHardy 0 siblings, 1 reply; 16+ messages in thread From: Pablo Neira Ayuso @ 2010-02-18 12:18 UTC (permalink / raw) To: Patrick McHardy Cc: Ramblewski David, Eric Dumazet, netfilter-devel@vger.kernel.org, netdev Patrick McHardy wrote: > Pablo Neira Ayuso wrote: >> Patrick McHardy wrote: >>> Ramblewski David wrote: >>>> Hi Eric, >>>> >>>> The conntrack patch works successfully. >>>> >>>>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c >>>>>> index 0ffe689..d2657aa 100644 >>>>>> --- a/net/netfilter/nf_conntrack_netlink.c >>>>>> +++ b/net/netfilter/nf_conntrack_netlink.c >>>>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) >>>>>> unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); >>>>>> d = ct->status ^ status; >>>>>> >>>>>> - if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) >>>>>> + if (d & (IPS_EXPECTED|IPS_DYING)) >>>>>> /* unchangeable */ >>>>>> return -EBUSY; >>>>> I think that we should explicitly report if the user unsets >>>>> IPS_CONFIRMED. Please, don't change this. >>>>> >>>>> Apart from that, the patch seems fine to me. Thanks! >>>> Problem is we now (I mean after my patch) enter >>>> ctnetlink_change_status() with ct->status being null (or at least, >>>> IPS_CONFIRMED not set) >>> Pablo, please let me know whether you want me to apply this. >> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that >> are confirmed (in case of a helper update for an existing conntrack). >> That would also trigger the assertion. If we want to support helper >> assignation via ctnetlink for existing conntracks, we will need to add >> locking to the conntrack extension infrastructure to avoid races. >> >> I don't see a clear solution for this yet. > > I see, this is indeed a problem. Since the helper is known at the > first event, we could restrict this to only allow manual assignment > for newly created conntracks. Most helpers probably can't properly > cope with connections not seen from the beginning anyways. Indeed, changing the helper in the middle of the road doesn't make too much sense to me either. I can send you a patch for this along today, I'll find some spare time to do it. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-18 12:18 ` Pablo Neira Ayuso @ 2010-02-18 12:19 ` Patrick McHardy 2010-02-19 2:18 ` Pablo Neira Ayuso 0 siblings, 1 reply; 16+ messages in thread From: Patrick McHardy @ 2010-02-18 12:19 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Ramblewski David, Eric Dumazet, netfilter-devel@vger.kernel.org, netdev Pablo Neira Ayuso wrote: > Patrick McHardy wrote: >>>> Pablo, please let me know whether you want me to apply this. >>> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that >>> are confirmed (in case of a helper update for an existing conntrack). >>> That would also trigger the assertion. If we want to support helper >>> assignation via ctnetlink for existing conntracks, we will need to add >>> locking to the conntrack extension infrastructure to avoid races. >>> >>> I don't see a clear solution for this yet. >> I see, this is indeed a problem. Since the helper is known at the >> first event, we could restrict this to only allow manual assignment >> for newly created conntracks. Most helpers probably can't properly >> cope with connections not seen from the beginning anyways. > > Indeed, changing the helper in the middle of the road doesn't make too > much sense to me either. I can send you a patch for this along today, > I'll find some spare time to do it. Great, thanks Pablo. ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-18 12:19 ` Patrick McHardy @ 2010-02-19 2:18 ` Pablo Neira Ayuso 2010-02-19 12:33 ` Eric Dumazet 0 siblings, 1 reply; 16+ messages in thread From: Pablo Neira Ayuso @ 2010-02-19 2:18 UTC (permalink / raw) To: Patrick McHardy Cc: Ramblewski David, Eric Dumazet, netfilter-devel@vger.kernel.org, netdev [-- Attachment #1: Type: text/plain, Size: 1284 bytes --] Patrick McHardy wrote: > Pablo Neira Ayuso wrote: >> Patrick McHardy wrote: >>>>> Pablo, please let me know whether you want me to apply this. >>>> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that >>>> are confirmed (in case of a helper update for an existing conntrack). >>>> That would also trigger the assertion. If we want to support helper >>>> assignation via ctnetlink for existing conntracks, we will need to add >>>> locking to the conntrack extension infrastructure to avoid races. >>>> >>>> I don't see a clear solution for this yet. >>> I see, this is indeed a problem. Since the helper is known at the >>> first event, we could restrict this to only allow manual assignment >>> for newly created conntracks. Most helpers probably can't properly >>> cope with connections not seen from the beginning anyways. >> Indeed, changing the helper in the middle of the road doesn't make too >> much sense to me either. I can send you a patch for this along today, >> I'll find some spare time to do it. > > Great, thanks Pablo. I have slightly tested the following patch here. I think it should fix the problem. We can revisit ctnetlink_change_helper() later, I think there's some code there that can be refactorized. Let me know if you're OK with it. [-- Attachment #2: fix-helper.patch --] [-- Type: text/x-patch, Size: 2841 bytes --] netfilter: ctnetlink: fix creation of conntrack with helpers This patch fixes a bug that triggers an assertion if you create a conntrack entry with a helper and netfilter debugging is enabled. Basically, we hit the assertion because the confirmation flag is set before the conntrack extensions are added. To fix this, we move the extension addition before the aforementioned flag is set. This patch also removes the possibility of setting a helper for existing conntracks. This operation would also trigger the assertion since we are not allowed to add new extensions for existing conntracks. We know noone that could benefit from this operation sanely. Thanks to Eric Dumazet for initial posting a preliminary patch to address this issue. Reported-by: David Ramblewski <David.Ramblewski@atosorigin.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_conntrack_netlink.c | 22 +++++++++++----------- 1 files changed, 11 insertions(+), 11 deletions(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 8b05f36..2b2af63 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1077,9 +1077,8 @@ ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[]) /* need to zero data of old helper */ memset(&help->help, 0, sizeof(help->help)); } else { - help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); - if (help == NULL) - return -ENOMEM; + /* we cannot set a helper for an existing conntrack */ + return -EOPNOTSUPP; } rcu_assign_pointer(help->helper, helper); @@ -1263,7 +1262,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); ct->timeout.expires = jiffies + ct->timeout.expires * HZ; - ct->status |= IPS_CONFIRMED; rcu_read_lock(); if (cda[CTA_HELP]) { @@ -1314,14 +1312,19 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, goto err2; } - if (cda[CTA_STATUS]) { - err = ctnetlink_change_status(ct, cda); + if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { + err = ctnetlink_change_nat(ct, cda); if (err < 0) goto err2; } - if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { - err = ctnetlink_change_nat(ct, cda); + nf_ct_acct_ext_add(ct, GFP_ATOMIC); + nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); + /* we must add conntrack extensions before confirmation. */ + ct->status |= IPS_CONFIRMED; + + if (cda[CTA_STATUS]) { + err = ctnetlink_change_status(ct, cda); if (err < 0) goto err2; } @@ -1340,9 +1343,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, goto err2; } - nf_ct_acct_ext_add(ct, GFP_ATOMIC); - nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); - #if defined(CONFIG_NF_CONNTRACK_MARK) if (cda[CTA_MARK]) ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); ^ permalink raw reply related [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-19 2:18 ` Pablo Neira Ayuso @ 2010-02-19 12:33 ` Eric Dumazet 2010-02-19 13:25 ` Patrick McHardy 0 siblings, 1 reply; 16+ messages in thread From: Eric Dumazet @ 2010-02-19 12:33 UTC (permalink / raw) To: Pablo Neira Ayuso Cc: Patrick McHardy, Ramblewski David, netfilter-devel@vger.kernel.org, netdev Le vendredi 19 février 2010 à 03:18 +0100, Pablo Neira Ayuso a écrit : > Patrick McHardy wrote: > > Pablo Neira Ayuso wrote: > >> Patrick McHardy wrote: > >>>>> Pablo, please let me know whether you want me to apply this. > >>>> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that > >>>> are confirmed (in case of a helper update for an existing conntrack). > >>>> That would also trigger the assertion. If we want to support helper > >>>> assignation via ctnetlink for existing conntracks, we will need to add > >>>> locking to the conntrack extension infrastructure to avoid races. > >>>> > >>>> I don't see a clear solution for this yet. > >>> I see, this is indeed a problem. Since the helper is known at the > >>> first event, we could restrict this to only allow manual assignment > >>> for newly created conntracks. Most helpers probably can't properly > >>> cope with connections not seen from the beginning anyways. > >> Indeed, changing the helper in the middle of the road doesn't make too > >> much sense to me either. I can send you a patch for this along today, > >> I'll find some spare time to do it. > > > > Great, thanks Pablo. > > I have slightly tested the following patch here. I think it should fix > the problem. > > We can revisit ctnetlink_change_helper() later, I think there's some > code there that can be refactorized. > > Let me know if you're OK with it. I sucessfuly tested your patch Pablo, thanks. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: kernel stack trace using conntrack 2010-02-19 12:33 ` Eric Dumazet @ 2010-02-19 13:25 ` Patrick McHardy 0 siblings, 0 replies; 16+ messages in thread From: Patrick McHardy @ 2010-02-19 13:25 UTC (permalink / raw) To: Eric Dumazet Cc: Pablo Neira Ayuso, Ramblewski David, netfilter-devel@vger.kernel.org, netdev Eric Dumazet wrote: > Le vendredi 19 février 2010 à 03:18 +0100, Pablo Neira Ayuso a écrit : >> I have slightly tested the following patch here. I think it should fix >> the problem. >> >> We can revisit ctnetlink_change_helper() later, I think there's some >> code there that can be refactorized. >> >> Let me know if you're OK with it. > > I sucessfuly tested your patch Pablo, thanks. > > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Applied, thanks everyone. ^ permalink raw reply [flat|nested] 16+ messages in thread
* kernel stack trace using conntrack
@ 2010-02-11 13:18 Ramblewski David
0 siblings, 0 replies; 16+ messages in thread
From: Ramblewski David @ 2010-02-11 13:18 UTC (permalink / raw)
To: netfilter-devel@vger.kernel.org
Hi Guys,
I'm actually facing an issue using conntrack tools :
The following command:
conntrack -I conntrack -p udp --orig-src 10.24.230.103 --orig-dst 10.24.230.103 --reply-src 10.24.230.103 --reply-dst 10.24.230.103 --orig-port-src 20000 --orig-port-dst 20000 --reply-port-src 20000 --reply-port-dst 20000 -u ASSURED -t 10
make a kernel call trace:
Feb 11 10:01:46 obench03s kernel: WARNING: at net/netfilter/nf_conntrack_extend.c:82 __nf_ct_ext_add+0x25/0x1ef [nf_conntrack]()
Feb 11 10:01:46 obench03s kernel: Hardware name: ProLiant DL380 G5
Feb 11 10:01:46 obench03s kernel: Modules linked in: nf_conntrack_netlink nf_conntrack usbhid hpilo hpwdt bnx2 ipmi_si ipmi_msghandler rtc_cmos rtc_core rtc_lib ehci_hcd uhci_hcd usbcore dm_mod [last unloaded: ipmi_devintf]
Feb 11 10:01:46 obench03s kernel: Pid: 3786, comm: conntrack Tainted: G W 2.6.32.8 #1
Feb 11 10:01:46 obench03s kernel: Call Trace:
Feb 11 10:01:46 obench03s kernel: [<c10375b2>] warn_slowpath_common+0x60/0x77
Feb 11 10:01:46 obench03s kernel: [<c10375d6>] warn_slowpath_null+0xd/0x10
Feb 11 10:01:46 obench03s kernel: [<f805bb8e>] __nf_ct_ext_add+0x25/0x1ef [nf_conntrack]
Feb 11 10:01:46 obench03s kernel: [<f80227ff>] ctnetlink_new_conntrack+0x283/0x5ac [nf_conntrack_netlink]
Feb 11 10:01:46 obench03s kernel: [<c102a3dd>] ? __wake_up+0x31/0x3b
Feb 11 10:01:46 obench03s kernel: [<c1125bcb>] ? jbd_free_handle+0xf/0x11
Feb 11 10:01:46 obench03s kernel: [<c102105d>] ? default_spin_lock_flags+0x8/0xb
Feb 11 10:01:46 obench03s kernel: [<c1451ede>] ? _spin_lock_irqsave+0x2b/0x34
Feb 11 10:01:46 obench03s kernel: [<c139cefe>] nfnetlink_rcv_msg+0xef/0x115
Feb 11 10:01:46 obench03s kernel: [<c11e1284>] ? security_netlink_recv+0xf/0x11
Feb 11 10:01:46 obench03s kernel: [<c139ce5e>] ? nfnetlink_rcv_msg+0x4f/0x115
Feb 11 10:01:46 obench03s kernel: [<c139ce0f>] ? nfnetlink_rcv_msg+0x0/0x115
Feb 11 10:01:46 obench03s kernel: [<c1399962>] netlink_rcv_skb+0x30/0x75
Feb 11 10:01:46 obench03s kernel: [<c139ce07>] nfnetlink_rcv+0x17/0x1f
Feb 11 10:01:46 obench03s kernel: [<c139980b>] netlink_unicast+0xd2/0x127
Feb 11 10:01:46 obench03s kernel: [<c139a90b>] netlink_sendmsg+0x219/0x226
Feb 11 10:01:47 obench03s kernel: [<c137d9cc>] __sock_sendmsg+0x45/0x4e
Feb 11 10:01:47 obench03s kernel: [<c137e116>] sock_sendmsg+0xb8/0xce
Feb 11 10:01:47 obench03s kernel: [<c104778f>] ? autoremove_wake_function+0x0/0x33
Feb 11 10:01:47 obench03s kernel: [<c1027851>] ? kunmap_atomic+0x4f/0x6a
Feb 11 10:01:47 obench03s kernel: [<c1027986>] ? kmap_atomic+0x14/0x16
Feb 11 10:01:47 obench03s kernel: [<c107e511>] ? get_page_from_freelist+0x33d/0x3c6
Feb 11 10:01:47 obench03s kernel: [<c1204eb3>] ? __copy_from_user_ll+0x11/0xce
Feb 11 10:01:47 obench03s kernel: [<c137e9ec>] ? move_addr_to_kernel+0x39/0x41
Feb 11 10:01:47 obench03s kernel: [<c137ea98>] sys_sendto+0xa4/0xc0
Feb 11 10:01:47 obench03s kernel: [<c107a706>] ? unlock_page+0xe/0x10
Feb 11 10:01:47 obench03s kernel: [<c108acdd>] ? __do_fault+0x310/0x343
Feb 11 10:01:47 obench03s kernel: [<c108c634>] ? handle_mm_fault+0x317/0x73c
Feb 11 10:01:47 obench03s kernel: [<c137f1ba>] sys_socketcall+0xec/0x18e
Feb 11 10:01:47 obench03s kernel: [<c100874c>] sysenter_do_call+0x12/0x28
I'm using these tools:
libnfnetlink-1.0.0
libnetfilter_conntrack-0.0.101
conntrack-tools-0.9.14
Thanks for your feedback.
David
Ce message et les pièces jointes sont confidentiels et réservés à l'usage exclusif de ses destinataires. Il peut également être protégé par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir immédiatement l'expéditeur et de le détruire. L'intégrité du message ne pouvant être assurée sur Internet, la responsabilité du groupe Atos Origin ne pourra être recherchée quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'expéditeur ne donne aucune garantie à cet égard et sa responsabilité ne saurait être recherchée pour tout dommage résultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 16+ messages in threadend of thread, other threads:[~2010-02-19 13:25 UTC | newest] Thread overview: 16+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-02-16 9:11 kernel stack trace using conntrack Ramblewski David 2010-02-16 9:51 ` Eric Dumazet 2010-02-16 10:25 ` Ramblewski David 2010-02-16 11:15 ` Eric Dumazet 2010-02-16 13:33 ` Pablo Neira Ayuso 2010-02-16 13:45 ` Eric Dumazet 2010-02-18 9:37 ` Ramblewski David 2010-02-18 10:34 ` Patrick McHardy 2010-02-18 11:02 ` Pablo Neira Ayuso 2010-02-18 11:15 ` Patrick McHardy 2010-02-18 12:18 ` Pablo Neira Ayuso 2010-02-18 12:19 ` Patrick McHardy 2010-02-19 2:18 ` Pablo Neira Ayuso 2010-02-19 12:33 ` Eric Dumazet 2010-02-19 13:25 ` Patrick McHardy -- strict thread matches above, loose matches on Subject: below -- 2010-02-11 13:18 Ramblewski David
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).