netfilter-devel.vger.kernel.org archive mirror
From: Alex Bligh <alex-rWA27mgs/Jz10XsdtD+oqA@public.gmane.org>
To: Alexey Dobriyan <adobriyan-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org,
	netfilter-devel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: Repeatable OOPS with containers and netfilter
Date: Fri, 09 Sep 2011 17:39:21 +0100
Message-ID: <741FE3C10A343399D6F2A8BB@nimrod.local>
In-Reply-To: <CACVxJT8rK9941N0MYOC8RQFSEXpPHL5XoTLJC2JU8269jkEbMQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Alexey,

--On 9 September 2011 19:16:41 +0300 Alexey Dobriyan <adobriyan@gmail.com> 
wrote:

> net->nfnl = NULL

Is this as simple as in ctnetlink_conntrack_event,

        net = nf_ct_net(ct);
        if (!item->report && !nfnetlink_has_listeners(net, group))
                return 0;

the if should also check net->nfnl is non-NULL?

Or does it indicate something wider wrong?

Alex

> On Fri, Sep 9, 2011 at 6:33 PM, Alex Bligh <alex@alex.org.uk> wrote:
>> We are seeing a repeatable kernel oops (quite a deadly one) when
>> destroying containers which are or have been passing forwarded IPv4
>> traffic and have (or have had) a netfilter conntrack rule installed.
>>
>> To repeat, you need to have
>> a) a container
>> b) which is forwarding IPv4 traffic from one interface in the container
>> to another (2 veth interfaces in this case) - one ping packet per
>> second will do
>> c) iptables with an IP conntrack rule.
>> d) delete the container (it doesn't matter if you delete the iptables
>> rule first and sleep for a couple of seconds).
>>
>> An OOPS like the one below results.
>>
>> This one is from Ubuntu kernel
>> 3.0.0-10-server #16-Ubuntu SMP Fri Sep 2 18:51:05 UTC 2011 x86_64
>> GNU/Linux
>
>> RIP: 0010:[<ffffffff81511959>]  [<ffffffff81511959>] netlink_has_listeners+0x9/0x50
>> [<ffffffffa048f145>] nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
>> [<ffffffffa049943b>] ctnetlink_conntrack_event+0x5cb/0x890 [nf_conntrack_netlink]
>> [<ffffffff814e34d0>] ? net_drop_ns+0x50/0x50
>> [<ffffffffa04062d8>] death_by_timeout+0xc8/0x1c0 [nf_conntrack]
>> [<ffffffffa0405270>] ? nf_conntrack_attach+0x50/0x50 [nf_conntrack]
>> [<ffffffffa0406448>] nf_ct_iterate_cleanup+0x78/0x90 [nf_conntrack]
>> [<ffffffffa0406491>] nf_conntrack_cleanup_net+0x31/0x100 [nf_conntrack]
>> [<ffffffffa0407f97>] nf_conntrack_cleanup+0x27/0x60 [nf_conntrack]
>> [<ffffffffa04081f0>] nf_conntrack_net_exit+0x60/0x80 [nf_conntrack]
>> [<ffffffff814e2d28>] ops_exit_list.isra.1+0x38/0x60
>> [<ffffffff814e35e2>] cleanup_net+0x112/0x1b0
>
>



-- 
Alex Bligh
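
A userspace C model of the path in the trace above, added here as an illustration and not code from the kernel or from anyone in the thread; all `model_*` names and `EV_*` results are hypothetical. It assumes the send that follows the quoted check uses `net->nfnl` as well, and compares the quoted check with a non-NULL guard placed before any use of the socket.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the oops path; every model_* name is hypothetical. */
struct model_sock { unsigned long groups; };    /* bit n set: group n has a listener */
struct model_net  { struct model_sock *nfnl; }; /* per-namespace nfnetlink socket */

enum model_result { EV_SKIPPED, EV_SENT, EV_NULL_DEREF };

/* The kernel helper reads through sk without a NULL test (the oops RIP).
 * The model reports that case through *fault instead of crashing. */
static int model_has_listeners(const struct model_sock *sk, unsigned int group, int *fault)
{
    if (sk == NULL) { *fault = 1; return 0; }
    return (int)((sk->groups >> group) & 1UL);
}

/* Shape of the check quoted from ctnetlink_conntrack_event(). */
enum model_result model_event_unguarded(const struct model_net *net, int report, unsigned int group)
{
    int fault = 0;
    if (!report && !model_has_listeners(net->nfnl, group, &fault))
        return fault ? EV_NULL_DEREF : EV_SKIPPED;
    /* Assumption of this model: the send that follows also uses net->nfnl. */
    return net->nfnl ? EV_SENT : EV_NULL_DEREF;
}

/* Same path with the proposed non-NULL check done before any use of nfnl. */
enum model_result model_event_guarded(const struct model_net *net, int report, unsigned int group)
{
    if (net->nfnl == NULL)
        return EV_SKIPPED;  /* no socket left to deliver the event on */
    return model_event_unguarded(net, report, group);
}

/* Replays the report: nfnl is already NULL when cleanup delivers an event. */
enum model_result model_cleanup_event(int guarded, int report)
{
    struct model_net net = { NULL };    /* "net->nfnl = NULL" from the thread */
    return guarded ? model_event_guarded(&net, report, 1)
                   : model_event_unguarded(&net, report, 1);
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", model_cleanup_event(0, 0), model_cleanup_event(1, 0));
    return 0;
}
```

In this model, a NULL test folded only into the `!item->report && ...` condition would still leave the `report` path reaching the socket, which is why the guard sits ahead of both.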
