Kernel panic in 4.1.6 in nf_nat_redirect

Kernel panic in 4.1.6 in nf_nat_redirect

[Andrew]

Hi all.

I tried to do redirect for some users to captive portal, and for this I 
use tiny web page, which returns 302 with captive portal address + 
original URL in param to client. Traffic on it is forwarded with 
ipt_redirect. But I've got kernel crashes in this setup.

Here's NAT rules:

*nat
:PREROUTING ACCEPT [2658:343256]
:INPUT ACCEPT [319:83916]
:OUTPUT ACCEPT [468:79362]
:POSTROUTING ACCEPT [664:93083]
:UNAUTH - [0:0]
-A PREROUTING -s 10.250.128.0/20 -j UNAUTH
-A UNAUTH -d x.x.x.x/32 -j RETURN
-A UNAUTH -d 10.255.0.65/32 -j RETURN
-A UNAUTH -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 40080
COMMIT

Here's kernel crash log:

[   42.611663] BUG: unable to handle kernel NULL pointer dereference at 
00000018
[   42.612603] IP: [<f93f4024>] nf_nat_redirect_ipv4+0x24/0xb0 
[nf_nat_redirect]
[   42.612603] *pdpt = 000000002fb9e001 *pde = 0000000000000000
[   42.612603] Oops: 0000 [#1] SMP
[   42.612603] Modules linked in: act_mirred xt_REDIRECT nf_nat_redirect 
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp iptable_filter 
xt_length xt_mark xt_dscp iptable_mangle ip_tables x_tables ipv6 ipoe(O) 
sch_sfq sch_htb cls_u32 sch_ingress sch_prio sch_tbf cls_flow cls_fw 
act_police ifb 8021q mrp garp stp llc softdog pptp pppox gre ppp_generic 
slhc parport_pc parport igb(O) asus_atk0110 powernow_k8 processor 
thermal_sys i2c_viapro dca i2c_core ptp pps_core k8temp hwmon sd_mod 
pata_acpi pata_via sata_via floppy ehci_pci pcspkr ata_generic libata 
ehci_hcd uhci_hcd scsi_mod usbcore usb_common ext4 mbcache jbd2 crc16 
vfat fat isofs
[   42.612603] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G O    4.1.6-i686 #1
[   42.612603] Hardware name: System manufacturer System Product 
Name/M2V-MX, BIOS 0201    09/22/2006
[   42.612603] task: f6c9eda0 ti: f6cde000 task.ti: f6cde000
[   42.612603] EIP: 0060:[<f93f4024>] EFLAGS: 00210286 CPU: 1
[   42.612603] EIP is at nf_nat_redirect_ipv4+0x24/0xb0 [nf_nat_redirect]
[   42.612603] EAX: 00000000 EBX: f5073cbc ECX: 00000000 EDX: f5073d78
[   42.612603] ESI: ef009360 EDI: f93fa050 EBP: f6cfbd8c ESP: f6cfbd60
[   42.612603]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[   42.612603] CR0: 8005003b CR2: 00000018 CR3: 33bc6ae0 CR4: 000006f0
[   42.612603] Stack:
[   42.612603]  fffffffe 46d6ae88 46d6ae87 00000000 c151fd00 00000000 
ef009364 ef00940c
[   42.612603]  f5073cbc ef58e840 ef58e840 f6cfbe4c f933950e 00000001 
0001d4c0 00000020
[   42.612603]  ef58e840 f24b6420 f93a9260 00000044 00200246 f397b000 
f6cfbe78 f9339561
[   42.612603] Call Trace:
[   42.612603]  [<f933950e>] ? ipt_do_table+0x28e/0x560 [ip_tables]
[   42.612603]  [<f93a9260>] ? __nf_ct_ext_add_length+0x1c0/0x230 
[nf_conntrack]
[   42.794016]  [<f9339561>] ? ipt_do_table+0x2e1/0x560 [ip_tables]
[   42.794016]  [<f93a9260>] ? __nf_ct_ext_add_length+0x1c0/0x230 
[nf_conntrack]
[   42.794016]  [<f93a205b>] ? __nf_conntrack_alloc+0xbb/0x1d0 
[nf_conntrack]
[   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
[   42.794016]  [<f93cf762>] ? nf_nat_ipv4_fn+0x132/0x1e0 [nf_nat_ipv4]
[   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
[   42.794016]  [<f93cf844>] ? nf_nat_ipv4_in+0x34/0x90 [nf_nat_ipv4]
[   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
[   42.794016]  [<f93ec0a7>] ? iptable_nat_ipv4_in+0x17/0x20 [iptable_nat]
[   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
[   42.794016]  [<c133bd71>] ? nf_iterate+0x71/0x80
[   42.794016]  [<c133be08>] ? nf_hook_slow+0x88/0xd0
[   42.794016]  [<c130cfdf>] ? netif_receive_skb_internal+0x7f/0x90
[   42.794016]  [<c1342691>] ? ip_rcv+0x311/0x420
[   42.794016]  [<f91be102>] ? ipoe_netdev_setup+0x42/0x80 [ipoe]
[   42.794016]  [<c1341e50>] ? ip_local_deliver_finish+0x210/0x210
[   42.794016]  [<c130a8af>] ? __netif_receive_skb_core+0x4ef/0x860
[   42.794016]  [<c130e7d4>] ? process_backlog+0x64/0xd0
[   42.794016]  [<c130e5d7>] ? net_rx_action+0x117/0x2b0
[   42.794016]  [<c104e683>] ? __do_softirq+0xc3/0x240
[   42.794016]  [<c13bb69c>] ? nmi_stack_correct+0x28/0x2d
[   42.794016]  [<c104e5c0>] ? __tasklet_hrtimer_trampoline+0x50/0x50
[   42.794016]  [<c104e5c0>] ? __tasklet_hrtimer_trampoline+0x50/0x50
[   42.794016]  [<c1004729>] ? do_softirq_own_stack+0x29/0x40
[   42.794016]  <IRQ>
[   42.794016]  [<c104e9ce>] ? irq_exit+0x6e/0x90
[   42.794016]  [<c13bb7eb>] ? do_IRQ+0x4b/0xe0
[   42.794016]  [<c13baf2c>] ? common_interrupt+0x2c/0x34
[   42.794016]  [<c100c0e9>] ? default_idle+0x19/0xb0
[   42.794016]  [<c100cd0e>] ? arch_cpu_idle+0xe/0x10
[   42.794016]  [<c107eb85>] ? cpu_startup_entry+0x215/0x310
[   42.794016] Code: <8b> 48 18 31 c0 85 c9 74 57 8b 42 04 89 4d d8 89 
4d e8 b9 01 00 00
[   42.794016] EIP: [<f93f4024>] nf_nat_redirect_ipv4+0x24/0xb0 
[nf_nat_redirect] SS:ESP 0068:f6cfbd60
[   42.794016] CR2: 0000000000000018
[   42.794016] ---[ end trace 943b47b10ddb0266 ]---
[   42.794016] Kernel panic - not syncing: Fatal exception in interrupt
[   42.794016] Kernel Offset: disabled
[   42.794016] Rebooting in 5 seconds..

Re: Kernel panic in 4.1.6 in nf_nat_redirect

[Pablo Neira Ayuso]

On Thu, Oct 01, 2015 at 11:55:57PM +0300, Andrew wrote:
> Hi all.
> 
> I tried to do redirect for some users to captive portal, and for this I use
> tiny web page, which returns 302 with captive portal address + original URL
> in param to client. Traffic on it is forwarded with ipt_redirect. But I've
> got kernel crashes in this setup.
> 
> Here's NAT rules:
> 
> *nat
> :PREROUTING ACCEPT [2658:343256]
> :INPUT ACCEPT [319:83916]
> :OUTPUT ACCEPT [468:79362]
> :POSTROUTING ACCEPT [664:93083]
> :UNAUTH - [0:0]
> -A PREROUTING -s 10.250.128.0/20 -j UNAUTH
> -A UNAUTH -d x.x.x.x/32 -j RETURN
> -A UNAUTH -d 10.255.0.65/32 -j RETURN
> -A UNAUTH -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 40080
> COMMIT
> 
> Here's kernel crash log:
> 
> [   42.611663] BUG: unable to handle kernel NULL pointer dereference at
> 00000018
> [   42.612603] IP: [<f93f4024>] nf_nat_redirect_ipv4+0x24/0xb0
> [nf_nat_redirect]

Could you please do the following?

$ gdb net/netfilter/nf_nat_redirect.o
$ list *nf_nat_redirect_ipv4+0x24

And post the result, thanks.

> [   42.612603] *pdpt = 000000002fb9e001 *pde = 0000000000000000
> [   42.612603] Oops: 0000 [#1] SMP
> [   42.612603] Modules linked in: act_mirred xt_REDIRECT nf_nat_redirect
> iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack
> ipt_REJECT nf_reject_ipv4 xt_tcpudp iptable_filter xt_length xt_mark xt_dscp
> iptable_mangle ip_tables x_tables ipv6 ipoe(O) sch_sfq sch_htb cls_u32
> sch_ingress sch_prio sch_tbf cls_flow cls_fw act_police ifb 8021q mrp garp
> stp llc softdog pptp pppox gre ppp_generic slhc parport_pc parport igb(O)
> asus_atk0110 powernow_k8 processor thermal_sys i2c_viapro dca i2c_core ptp
> pps_core k8temp hwmon sd_mod pata_acpi pata_via sata_via floppy ehci_pci
> pcspkr ata_generic libata ehci_hcd uhci_hcd scsi_mod usbcore usb_common ext4
> mbcache jbd2 crc16 vfat fat isofs
> [   42.612603] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G O    4.1.6-i686 #1
> [   42.612603] Hardware name: System manufacturer System Product
> Name/M2V-MX, BIOS 0201    09/22/2006
> [   42.612603] task: f6c9eda0 ti: f6cde000 task.ti: f6cde000
> [   42.612603] EIP: 0060:[<f93f4024>] EFLAGS: 00210286 CPU: 1
> [   42.612603] EIP is at nf_nat_redirect_ipv4+0x24/0xb0 [nf_nat_redirect]
> [   42.612603] EAX: 00000000 EBX: f5073cbc ECX: 00000000 EDX: f5073d78
> [   42.612603] ESI: ef009360 EDI: f93fa050 EBP: f6cfbd8c ESP: f6cfbd60
> [   42.612603]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> [   42.612603] CR0: 8005003b CR2: 00000018 CR3: 33bc6ae0 CR4: 000006f0
> [   42.612603] Stack:
> [   42.612603]  fffffffe 46d6ae88 46d6ae87 00000000 c151fd00 00000000
> ef009364 ef00940c
> [   42.612603]  f5073cbc ef58e840 ef58e840 f6cfbe4c f933950e 00000001
> 0001d4c0 00000020
> [   42.612603]  ef58e840 f24b6420 f93a9260 00000044 00200246 f397b000
> f6cfbe78 f9339561
> [   42.612603] Call Trace:
> [   42.612603]  [<f933950e>] ? ipt_do_table+0x28e/0x560 [ip_tables]
> [   42.612603]  [<f93a9260>] ? __nf_ct_ext_add_length+0x1c0/0x230
> [nf_conntrack]
> [   42.794016]  [<f9339561>] ? ipt_do_table+0x2e1/0x560 [ip_tables]
> [   42.794016]  [<f93a9260>] ? __nf_ct_ext_add_length+0x1c0/0x230
> [nf_conntrack]
> [   42.794016]  [<f93a205b>] ? __nf_conntrack_alloc+0xbb/0x1d0
> [nf_conntrack]
> [   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
> [   42.794016]  [<f93cf762>] ? nf_nat_ipv4_fn+0x132/0x1e0 [nf_nat_ipv4]
> [   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
> [   42.794016]  [<f93cf844>] ? nf_nat_ipv4_in+0x34/0x90 [nf_nat_ipv4]
> [   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
> [   42.794016]  [<f93ec0a7>] ? iptable_nat_ipv4_in+0x17/0x20 [iptable_nat]
> [   42.794016]  [<f93ec020>] ? iptable_nat_ipv4_fn+0x20/0x20 [iptable_nat]
> [   42.794016]  [<c133bd71>] ? nf_iterate+0x71/0x80
> [   42.794016]  [<c133be08>] ? nf_hook_slow+0x88/0xd0
> [   42.794016]  [<c130cfdf>] ? netif_receive_skb_internal+0x7f/0x90
> [   42.794016]  [<c1342691>] ? ip_rcv+0x311/0x420
> [   42.794016]  [<f91be102>] ? ipoe_netdev_setup+0x42/0x80 [ipoe]
> [   42.794016]  [<c1341e50>] ? ip_local_deliver_finish+0x210/0x210
> [   42.794016]  [<c130a8af>] ? __netif_receive_skb_core+0x4ef/0x860
> [   42.794016]  [<c130e7d4>] ? process_backlog+0x64/0xd0
> [   42.794016]  [<c130e5d7>] ? net_rx_action+0x117/0x2b0
> [   42.794016]  [<c104e683>] ? __do_softirq+0xc3/0x240
> [   42.794016]  [<c13bb69c>] ? nmi_stack_correct+0x28/0x2d
> [   42.794016]  [<c104e5c0>] ? __tasklet_hrtimer_trampoline+0x50/0x50
> [   42.794016]  [<c104e5c0>] ? __tasklet_hrtimer_trampoline+0x50/0x50
> [   42.794016]  [<c1004729>] ? do_softirq_own_stack+0x29/0x40
> [   42.794016]  <IRQ>
> [   42.794016]  [<c104e9ce>] ? irq_exit+0x6e/0x90
> [   42.794016]  [<c13bb7eb>] ? do_IRQ+0x4b/0xe0
> [   42.794016]  [<c13baf2c>] ? common_interrupt+0x2c/0x34
> [   42.794016]  [<c100c0e9>] ? default_idle+0x19/0xb0
> [   42.794016]  [<c100cd0e>] ? arch_cpu_idle+0xe/0x10
> [   42.794016]  [<c107eb85>] ? cpu_startup_entry+0x215/0x310
> [   42.794016] Code: <8b> 48 18 31 c0 85 c9 74 57 8b 42 04 89 4d d8 89 4d e8
> b9 01 00 00
> [   42.794016] EIP: [<f93f4024>] nf_nat_redirect_ipv4+0x24/0xb0
> [nf_nat_redirect] SS:ESP 0068:f6cfbd60
> [   42.794016] CR2: 0000000000000018
> [   42.794016] ---[ end trace 943b47b10ddb0266 ]---
> [   42.794016] Kernel panic - not syncing: Fatal exception in interrupt
> [   42.794016] Kernel Offset: disabled
> [   42.794016] Rebooting in 5 seconds..
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Kernel panic in 4.1.6 in nf_nat_redirect

[Andrew]

Hm, strange, gdb can't find debug info.

04.10.2015 22:05, Pablo Neira Ayuso wrote:
> Could you please do the following?
>
> $ gdb net/netfilter/nf_nat_redirect.o
> $ list *nf_nat_redirect_ipv4+0x24
>
> And post the result, thanks.

Re: Kernel panic in 4.1.6 in nf_nat_redirect

[Andrew]

Hi.

I recompiled kernel with debug info enabled; here's gdb output:

(gdb) list *nf_nat_redirect_ipv4+0x24
0x24 is in nf_nat_redirect_ipv4 
(/var/testpoint/LEAF/source/i486-unknown-linux-uclibc/linux/linux-4.1/net/netfilter/nf_nat_redirect.c:60).
55
56            rcu_read_lock();
57            indev = __in_dev_get_rcu(skb->dev);
58            if (indev != NULL) {
59                ifa = indev->ifa_list;
60                newdst = ifa->ifa_local;
61            }
62            rcu_read_unlock();
63
64            if (!newdst)


04.10.2015 22:05, Pablo Neira Ayuso wrote:
> Could you please do the following?
>
> $ gdb net/netfilter/nf_nat_redirect.o
> $ list *nf_nat_redirect_ipv4+0x24
>
> And post the result, thanks.

Re: Kernel panic in 4.1.6 in nf_nat_redirect

[Andrew]

Maybe crash happens when packet comes to interface without assigned IP?

06.10.2015 13:11, Andrew wrote:
> Hi.
>
> I recompiled kernel with debug info enabled; here's gdb output:
>
> (gdb) list *nf_nat_redirect_ipv4+0x24
> 0x24 is in nf_nat_redirect_ipv4 
> (/var/testpoint/LEAF/source/i486-unknown-linux-uclibc/linux/linux-4.1/net/netfilter/nf_nat_redirect.c:60).
> 55
> 56            rcu_read_lock();
> 57            indev = __in_dev_get_rcu(skb->dev);
> 58            if (indev != NULL) {
> 59                ifa = indev->ifa_list;
> 60                newdst = ifa->ifa_local;
> 61            }
> 62            rcu_read_unlock();
> 63
> 64            if (!newdst)
>
>
> 04.10.2015 22:05, Pablo Neira Ayuso wrote:
>> Could you please do the following?
>>
>> $ gdb net/netfilter/nf_nat_redirect.o
>> $ list *nf_nat_redirect_ipv4+0x24
>>
>> And post the result, thanks.
>
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Kernel panic in 4.1.6 in nf_nat_redirect

[Pablo Neira Ayuso]

On Tue, Oct 06, 2015 at 01:23:50PM +0300, Andrew wrote:
> Maybe crash happens when packet comes to interface without assigned IP?

Do this resolved the problem for you?

Not telling here this is enough, obviously we shouldn't crash here.

> 06.10.2015 13:11, Andrew wrote:
> >Hi.
> >
> >I recompiled kernel with debug info enabled; here's gdb output:
> >
> >(gdb) list *nf_nat_redirect_ipv4+0x24
> >0x24 is in nf_nat_redirect_ipv4 (/var/testpoint/LEAF/source/i486-unknown-linux-uclibc/linux/linux-4.1/net/netfilter/nf_nat_redirect.c:60).
> >55
> >56            rcu_read_lock();
> >57            indev = __in_dev_get_rcu(skb->dev);
> >58            if (indev != NULL) {
> >59                ifa = indev->ifa_list;
> >60                newdst = ifa->ifa_local;
> >61            }
> >62            rcu_read_unlock();
> >63
> >64            if (!newdst)
> >
> >
> >04.10.2015 22:05, Pablo Neira Ayuso wrote:
> >>Could you please do the following?
> >>
> >>$ gdb net/netfilter/nf_nat_redirect.o
> >>$ list *nf_nat_redirect_ipv4+0x24
> >>
> >>And post the result, thanks.
> >
> >-- 
> >To unsubscribe from this list: send the line "unsubscribe netfilter" in
> >the body of a message to majordomo@vger.kernel.org
> >More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: Kernel panic in 4.1.6 in nf_nat_redirect

[Andrew]

I switched to SNAT to avoid crashes.

I use 3rd-party software, that creates peer-to-peer pseudointerfaces on 
DHCP packet, so on pseudointerface disappearing all packets are 
processed via master interface that has no IP address, and this cause a 
crash on test box. But similar crashes can be present in other configs 
with eth interfaces w/o IP with REDIRECT rule (for ex., PPPoE BRAS).

14.10.2015 20:58, Pablo Neira Ayuso wrote:
> On Tue, Oct 06, 2015 at 01:23:50PM +0300, Andrew wrote:
>> Maybe crash happens when packet comes to interface without assigned IP?
> Do this resolved the problem for you?
>
> Not telling here this is enough, obviously we shouldn't crash here.
>
>> 06.10.2015 13:11, Andrew wrote:
>>> Hi.
>>>
>>> I recompiled kernel with debug info enabled; here's gdb output:
>>>
>>> (gdb) list *nf_nat_redirect_ipv4+0x24
>>> 0x24 is in nf_nat_redirect_ipv4 (/var/testpoint/LEAF/source/i486-unknown-linux-uclibc/linux/linux-4.1/net/netfilter/nf_nat_redirect.c:60).
>>> 55
>>> 56            rcu_read_lock();
>>> 57            indev = __in_dev_get_rcu(skb->dev);
>>> 58            if (indev != NULL) {
>>> 59                ifa = indev->ifa_list;
>>> 60                newdst = ifa->ifa_local;
>>> 61            }
>>> 62            rcu_read_unlock();
>>> 63
>>> 64            if (!newdst)
>>>
>>>
>>> 04.10.2015 22:05, Pablo Neira Ayuso wrote:
>>>> Could you please do the following?
>>>>
>>>> $ gdb net/netfilter/nf_nat_redirect.o
>>>> $ list *nf_nat_redirect_ipv4+0x24
>>>>
>>>> And post the result, thanks.
>>> -- 
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html