Bug #269358 “Kernel Panic when using ebtables redirect in broute...” : Bugs : linux package : Ubuntu

laurent (laurent-bourdin) on 2008-09-12

description:

updated

Revision history for this message

Rebollo (rebollo) wrote on 2008-09-16:

#1

dmesg, lspci, lsmod Edit (38.0 KiB, text/plain)

Download full text (5.1 KiB)

Same problem here. I have reproduced the bug in 3 different PCs (all running 8.04.1 server, one i686, two AMD64). Here is the summary of one of them:

arch: x86_64
kernel: 2.6.24-19-server
OS: Ubuntu Server 8.04.1 (AMD64)
software RAID1, reiserfs at the root, xfs at an archive partition

after a clean install:
  apt-get update
  apt-get upgrade
  apt-get install acpid smartmontools bridge-utils ebtables screen

/etc/network/interfaces:
-----
#
auto lo
iface lo inet loopback
#
auto eth2
iface eth2 inet static
        address 192.168.1.200
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 208.67.222.222 208.67.220.220
        dns-search local.lan
#
auto br0
iface br0 inet manual
        bridge_ports eth0 eth1
        bridge_stp on
        bridge_maxwait 0
#
-----
reboot
-----
ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

as soon as the traffic starts, the kernel crashes, with or without complementing the ebtables rules with iptables:

iptables -t nat -F
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8888
-----
[ 1752.817491] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
[ 1752.833900] [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1752.860264] PGD 1d1e4067 PUD 1d1e5067 PMD 0
[ 1752.873185] Oops: 0002 [1] SMP
[ 1752.882684] CPU 0
[ 1752.888754] Modules linked in: ebt_redirect ebt_ip video output battery container sbs sbshc dock ac iptable_filter ip_tables x_tables xfs ebtable_broute bridge ebtable_nat ebtable_filter ebtables sbp2 lp loop evdev parport_pc parport psmouse serio_raw pcspkr ipv6 k8temp snd_hda_intel button snd_pcm snd_timer snd_page_alloc snd_hwdep snd soundcore i2c_nforce2 i2c_core reiserfs sg sr_mod cdrom sd_mod ata_generic pata_amd ohci1394 forcedeth sata_nv pata_acpi ieee1394 sundance mii ehci_hcd ohci_hcd libata scsi_mod usbcore raid10 raid456 async_xor async_memcpy async_tx xor raid1 raid0 multipath linear md_mod thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 1753.069697] Pid: 0, comm: swapper Not tainted 2.6.24-19-server #1
[ 1753.087919] RIP: 0010:[<ffffffff883c33d8>] [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1753.115013] RSP: 0018:ffffffff80687d80 EFLAGS: 00010246
[ 1753.130896] RAX: 0000000000000001 RBX: ffffc200003250a0 RCX: 0000000000000000
[ 1753.152233] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff81001d07ae00
[ 1753.173563] RBP: ffffc20000325030 R08: ffffc20000325110 R09: 0000000000000008
[ 1753.194907] R10: 00000000000000b8 R11: ffffffff802204e0 R12: ffffc20000325000
[ 1753.216240] R13: ffff81001e52d000 R14: 0000000000000000 R15: 0000000000000001
[ 1753.237574] FS: 00007f7641f3f700(0000) GS:ffffffff805c4000(0000) knlGS:0000000000000000
[ 1753.261769] CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[ 1753.278966] CR2: 0000000000000000 CR3: 000000001d898000 CR4: 00000000000006e0
[ 1753.300299] DR0: 0000000000000000 DR1: 0000000000000000 DR2...

Same problem here. I have reproduced the bug in 3 different PCs (all running 8.04.1 server, one i686, two AMD64). Here is the summary of one of them:

arch: x86_64
kernel: 2.6.24-19-server
OS: Ubuntu Server 8.04.1 (AMD64)
software RAID1, reiserfs at the root, xfs at an archive partition

after a clean install:
  apt-get update
  apt-get upgrade
  apt-get install acpid smartmontools bridge-utils ebtables screen

/etc/network/interfaces:
-----
#
auto lo
iface lo inet loopback
#
auto eth2
iface eth2 inet static
        address 192.168.1.200
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 208.67.222.222 208.67.220.220
        dns-search local.lan
#
auto br0
iface br0 inet manual
        bridge_ports eth0 eth1
        bridge_stp on
        bridge_maxwait 0
#
-----
reboot
-----
ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

as soon as the traffic starts, the kernel crashes, with or without complementing the ebtables rules with iptables:

iptables -t nat -F
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8888
-----
[ 1752.817491] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
[ 1752.833900]  [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1752.860264] PGD 1d1e4067 PUD 1d1e5067 PMD 0
[ 1752.873185] Oops: 0002 [1] SMP
[ 1752.882684] CPU 0
[ 1752.888754] Modules linked in: ebt_redirect ebt_ip video output battery container sbs sbshc dock ac iptable_filter ip_tables x_tables xfs ebtable_broute bridge ebtable_nat ebtable_filter ebtables sbp2 lp loop evdev parport_pc parport psmouse serio_raw pcspkr ipv6 k8temp snd_hda_intel button snd_pcm snd_timer snd_page_alloc snd_hwdep snd soundcore i2c_nforce2 i2c_core reiserfs sg sr_mod cdrom sd_mod ata_generic pata_amd ohci1394 forcedeth sata_nv pata_acpi ieee1394 sundance mii ehci_hcd ohci_hcd libata scsi_mod usbcore raid10 raid456 async_xor async_memcpy async_tx xor raid1 raid0 multipath linear md_mod thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 1753.069697] Pid: 0, comm: swapper Not tainted 2.6.24-19-server #1
[ 1753.087919] RIP: 0010:[<ffffffff883c33d8>]  [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1753.115013] RSP: 0018:ffffffff80687d80  EFLAGS: 00010246
[ 1753.130896] RAX: 0000000000000001 RBX: ffffc200003250a0 RCX: 0000000000000000
[ 1753.152233] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff81001d07ae00
[ 1753.173563] RBP: ffffc20000325030 R08: ffffc20000325110 R09: 0000000000000008
[ 1753.194907] R10: 00000000000000b8 R11: ffffffff802204e0 R12: ffffc20000325000
[ 1753.216240] R13: ffff81001e52d000 R14: 0000000000000000 R15: 0000000000000001
[ 1753.237574] FS:  00007f7641f3f700(0000) GS:ffffffff805c4000(0000) knlGS:0000000000000000
[ 1753.261769] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[ 1753.278966] CR2: 0000000000000000 CR3: 000000001d898000 CR4: 00000000000006e0
[ 1753.300299] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1753.321633] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1753.342967] Process swapper (pid: 0, threadinfo ffffffff80626000, task ffffffff8058a620)
[ 1753.367162] Stack:  ffff81001c920500 0000000000000070 0000000000000000 ffff81001d07ae00
[ 1753.391361]  0000000500000000 ffffffff883e569c ffffc20000323080 ffffc20000323080
[ 1753.413680]  0000000001009900 0000000000000000 ffffc20000325000 ffff81001d07ae00
[ 1753.435431] Call Trace:
[ 1753.443320]  <IRQ>  [<ffffffff883e502e>] :ebtable_broute:ebt_broute+0x1e/0x30
[ 1753.464716]  [<ffffffff883d3e0c>] :bridge:br_handle_frame+0xcc/0x200
[ 1753.483714]  [<ffffffff803ef02a>] netif_receive_skb+0x1aa/0x490
[ 1753.501410]  [<ffffffff803f1ee5>] process_backlog+0x75/0xe0
[ 1753.518070]  [<ffffffff803f1868>] net_rx_action+0x128/0x230
[ 1753.534734]  [<ffffffff80243e25>] __do_softirq+0x75/0xe0
[ 1753.550615]  [<ffffffff8020d50c>] call_softirq+0x1c/0x30
[ 1753.566495]  [<ffffffff8020ed25>] do_softirq+0x35/0x90
[ 1753.581860]  [<ffffffff80243da8>] irq_exit+0x88/0x90
[ 1753.596704]  [<ffffffff8020ef70>] do_IRQ+0x80/0x100
[ 1753.611288]  [<ffffffff8020b390>] default_idle+0x0/0x40
[ 1753.626912]  [<ffffffff8020b390>] default_idle+0x0/0x40
[ 1753.642537]  [<ffffffff8020c891>] ret_from_intr+0x0/0xa
[ 1753.658157]  <EOI>  [<ffffffff802204e0>] lapic_next_event+0x0/0x10
[ 1753.676692]  [<ffffffff8020b3b9>] default_idle+0x29/0x40
[ 1753.692573]  [<ffffffff8020b43f>] cpu_idle+0x6f/0xc0
[ 1753.707420]  [<ffffffff80630bd5>] start_kernel+0x2c5/0x350
[ 1753.723822]  [<ffffffff8063012e>] _sinittext+0x12e/0x140
[ 1753.739703]
[ 1753.744161]
[ 1753.744161] Code: 4c 89 22 89 42 10 8b 45 6c 48 8d 44 05 00 48 89 42 08 48 8b
[ 1753.771305] RIP  [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1753.791397]  RSP <ffffffff80687d80>
[ 1753.801829] CR2: 0000000000000000
[ 1753.812382] ---[ end trace cf18989df8dee195 ]---
[ 1753.826239] Kernel panic - not syncing: Aiee, killing interrupt handler!

Revision history for this message

Kevin_Traas (kevin-traas) wrote on 2008-09-17:

#2

Hi folks,

I'm running into the same problem, but have found some additional information online. Specifically, the following bug...

http://bugzilla.kernel.org/show_bug.cgi?id=9920

... identifies the source of the problem, a patch, and that it's been applied and, therefore, should be resolved in some kernel newer than that included with Hardy.

Possible to backport this patch into the Hardy kernel?

Revision history for this message

Kevin_Traas (kevin-traas) wrote on 2008-09-17:

#3

Hmmm... Should have also mentioned....

Based on the information above (this being a kernel bug, and not a problem with ebtables), this bug could/should likely be moved to linux-image?

Revision history for this message

laurent (laurent-bourdin) wrote on 2008-09-17:

#4

Yes it could moved to kernel-image. I Have build a kernel 2.6.24-5 from kernel.org with the ubuntu .config (without modification except virtualisation support removed) and it works as usual.

Bug Watch Updater (bug-watch-updater) on 2008-09-22

Changed in linux:
status:	Unknown → Fix Released

Bug Watch Updater (bug-watch-updater) on 2011-02-03

Changed in linux:
importance:	Unknown → Medium

Chuck Short (zulcss) on 2011-06-09

affects:

ebtables (Ubuntu) → linux (Ubuntu)

Revision history for this message

Seth Forshee (sforshee) wrote on 2011-06-13:

#5

The fix identified in the upstream bugzilla was included in hardy in kernel version Ubuntu-2.6.24-23.46. Please test a newer hardy kernel to verify that the issue has been fixed. Thanks!

Changed in linux (Ubuntu):
assignee:	nobody → Seth Forshee (sforshee)
importance:	Undecided → Medium
status:	New → Incomplete

Revision history for this message

laurent (laurent-bourdin) wrote on 2011-06-13:

#6

2 years after, i didn't have the material to test it again.

For me you can close the bug.

Revision history for this message

Seth Forshee (sforshee) wrote on 2011-06-13:

#7

Yeah, unfortunately it must not have caught the attention of the kernel team until just recently when the affected task was changed from eptables to linux. But the fix has been released in hardy for over 2 years, it's just that the status of this bug was never updated.

Moving this bug to Fix Released.

Changed in linux (Ubuntu):
status:	Incomplete → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	Linux	Fix Released	Medium	linux-kernel-bugs #9920
	linux (Ubuntu)	Fix Released	Medium	Seth Forshee

Ubuntu
linux package

Kernel Panic when using ebtables redirect in brouter mode

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntulinux package

Kernel Panic when using ebtables redirect in brouter mode

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package