The br_netfilter module processes packets traveling through its bridge, and while processing each skb it places a special fake dst onto the skb. When the skb leaves the bridge, it removes the fake dst and places a real dst onto it. However, it uses a hook to do this, and when the br_netfilter module is unloading it unregisters that hook. Any skbs that are currently being processed in the bridge by the br_netfilter module, but that leave the bridge after the hook is unregistered (or, during br_netfilter module load, before the hook is registered) will still have the fake dst; when other code then tries to process that dst, it causes a kernel panic because the dst is invalid.
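The race described above, reduced to a userspace C model (an added example, not code from the kernel or from the linked patch). All type and function names are illustrative; the NULL input handler on the fake dst and the hook-independent exit path are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; type and function names are illustrative, not the kernel's. */
struct skb;
struct dst { bool fake; int (*input)(struct skb *); };
struct skb { struct dst *dst; };

static int real_input(struct skb *skb) { (void)skb; return 0; }
/* Assumption: the fake dst has no input handler, matching the NULL RIP in the oops. */
static struct dst fake_dst = { .fake = true, .input = NULL };
static struct dst real_dst = { .fake = false, .input = real_input };
static bool exit_hook_registered; /* changes during module load/unload */

/* Exit as described on the page: the swap happens only if the hook is registered. */
static void exit_via_hook(struct skb *skb)
{
    if (exit_hook_registered && skb->dst->fake)
        skb->dst = &real_dst;
}

/* Assumed hardening: drop the fake dst on exit regardless of hook state. */
static void exit_unconditional(struct skb *skb)
{
    if (skb->dst->fake)
        skb->dst = &real_dst;
}

enum scenario { HOOK_PRESENT, UNLOAD_IN_FLIGHT, LOAD_IN_FLIGHT };

/* One skb through the bridge; returns -1 where the kernel would call through NULL. */
static int run(enum scenario s, void (*bridge_exit)(struct skb *))
{
    struct skb skb = { &fake_dst };        /* bridge entry attaches the fake dst */
    exit_hook_registered = (s != LOAD_IN_FLIGHT);
    if (s == UNLOAD_IN_FLIGHT)
        exit_hook_registered = false;      /* hook unregistered while skb is in flight */
    bridge_exit(&skb);
    return skb.dst->input ? skb.dst->input(&skb) : -1;
}

int main(void)
{
    printf("hook-based exit:    steady=%d unload=%d load=%d\n", run(HOOK_PRESENT, exit_via_hook),
           run(UNLOAD_IN_FLIGHT, exit_via_hook), run(LOAD_IN_FLIGHT, exit_via_hook));
    printf("unconditional exit: unload=%d load=%d\n",
           run(UNLOAD_IN_FLIGHT, exit_unconditional), run(LOAD_IN_FLIGHT, exit_unconditional));
    return 0;
}
```

A result of -1 marks the cases where the skb leaves the bridge still carrying the fake dst.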
Recent upstream discussion: https://www.spinics.net/lists/netdev/msg416912.html
Upstream patch (not yet merged into net-next): https://patchwork.ozlabs.org/patch/738275/
Example panic report:
[ 214.518262] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 214.612199] IP: [< (null)>] (null)
[ 214.672744] PGD 0
[ 214.696887] Oops: 0010 [#1] SMP
[ 214.735697] Modules linked in: br_netfilter(+) tun 8021q bridge stp llc bonding iTCO_wdt iTCO_vendor_support tpm_tis tpm kvm_intel kvm irqbypass sb_edac edac_core ixgbe mdio ipmi_si ipmi_msghandler lpc_ich mfd_core mousedev evdev igb dca procmemro(O) nokeyctl(O) noptrace(O)
[ 215.029240] CPU: 34 PID: 0 Comm: swapper/34 Tainted: G O 4.4.39 #1
[ 215.116720] Hardware name: Cisco Systems Inc UCSC-C220-M3L/UCSC-C220-M3L, BIOS C220M3.2.0.13a.0.0713160937 07/13/16
[ 215.241644] task: ffff882038fb4380 ti: ffff8810392b0000 task.ti: ffff8810392b0000
[ 215.331207] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
[ 215.420877] RSP: 0018:ffff88103fec3880 EFLAGS: 00010286
[ 215.484436] RAX: ffff881011631000 RBX: ffff881011067100 RCX: 0000000000000000
[ 215.569836] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff881011067100
[ 215.655234] RBP: ffff88103fec38a8 R08: 0000000000000008 R09: ffff8810116300a0
[ 215.740629] R10: 0000000000000000 R11: 0000000000000000 R12: ffff881018917dce
[ 215.826030] R13: ffffffff81c9be00 R14: ffffffff81c9be00 R15: ffff881011630078
[ 215.911432] FS: 0000000000000000(0000) GS:ffff88103fec0000(0000) knlGS:0000000000000000
[ 216.008274] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 216.077032] CR2: 0000000000000000 CR3: 0000001011b9d000 CR4: 00000000001406e0
[ 216.162430] Stack:
[ 216.186461] ffffffff8157d7f9 ffff881011067100 ffff881018917dce ffff881011630000
[ 216.275407] ffffffff81c9be00 ffff88103fec3918 ffffffff8157e0db 0000000000000000
[ 216.364352] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 216.453301] Call Trace:
[ 216.482536] <IRQ>
[ 216.505533] [<ffffffff8157d7f9>] ? ip_rcv_finish+0x99/0x320
[ 216.575442] [<ffffffff8157e0db>] ip_rcv+0x25b/0x370
[ 216.634842] [<ffffffff81540e0b>] __netif_receive_skb_core+0x2cb/0xa20
[ 216.712965] [<ffffffff81541578>] __netif_receive_skb+0x18/0x60
[ 216.783801] [<ffffffff815415e3>] netif_receive_skb_internal+0x23/0x80
[ 216.861921] [<ffffffff8154165c>] netif_receive_skb+0x1c/0x70
[ 216.930686] [<ffffffffa02f6439>] br_handle_frame_finish+0x1b9/0x5b0 [bridge]
[ 217.016091] [<ffffffff81187a00>] ? ___slab_alloc+0x1d0/0x440
[ 217.084849] [<ffffffffa0584074>] br_nf_pre_routing_finish+0x174/0x3d0 [br_netfilter]
[ 217.178568] [<ffffffffa0584c07>] ? br_nf_pre_routing+0x97/0x470 [br_netfilter]
[ 217.266052] [<ffffffffa02f6280>] ? br_handle_local_finish+0x80/0x80 [bridge]
[ 217.351450] [<ffffffffa0584d17>] br_nf_pre_routing+0x1a7/0x470 [br_netfilter]
[ 217.437891] [<ffffffff81572f6d>] nf_iterate+0x5d/0x70
[ 217.499367] [<ffffffff81572fe4>] nf_hook_slow+0x64/0xc0
[ 217.562928] [<ffffffffa02f69e9>] br_handle_frame+0x1b9/0x290 [bridge]
[ 217.641048] [<ffffffffa02f6280>] ? br_handle_local_finish+0x80/0x80 [bridge]
[ 217.726446] [<ffffffff81540e82>] __netif_receive_skb_core+0x342/0xa20
[ 217.804566] [<ffffffff815a7916>] ? tcp4_gro_receive+0x126/0x1d0
[ 217.876445] [<ffffffff815b7446>] ? inet_gro_receive+0x1c6/0x250
[ 217.948322] [<ffffffff81541578>] __netif_receive_skb+0x18/0x60
[ 218.019161] [<ffffffff815415e3>] netif_receive_skb_internal+0x23/0x80
[ 218.097281] [<ffffffff81542213>] napi_gro_receive+0xc3/0x110
[ 218.166051] [<ffffffffa00a801f>] ixgbe_clean_rx_irq+0x52f/0xa70 [ixgbe]
[ 218.246255] [<ffffffffa00a9248>] ixgbe_poll+0x438/0x790 [ixgbe]
[ 218.318131] [<ffffffff81541a6e>] net_rx_action+0x1ee/0x320
[ 218.384813] [<ffffffff8109c837>] ? handle_irq_event_percpu+0x167/0x1d0
[ 218.463973] [<ffffffff8105c3c1>] __do_softirq+0x101/0x280
[ 218.529608] [<ffffffff8105c69e>] irq_exit+0x8e/0x90
[ 218.589007] [<ffffffff816dd504>] do_IRQ+0x54/0xd0
[ 218.646323] [<ffffffff816dba02>] common_interrupt+0x82/0x82