Re: Repeatable OOPS with containers and netfilter

Alexey,

--On 9 September 2011 19:16:41 +0300 Alexey Dobriyan <adobriyan@xxxxxxxxx> 
wrote:

> net->nfnl = NULL

Is this as simple as in ctnetlink_conntrack_event,

        net = nf_ct_net(ct);
        if (!item->report && !nfnetlink_has_listeners(net, group))
                return 0;

the if should also check net->nfnl is non-NULL?

Or does it indicate something wider wrong?

Alex

> On Fri, Sep 9, 2011 at 6:33 PM, Alex Bligh <alex@xxxxxxxxxxx> wrote:
>> We are seeing a repeatable kernel oops (quite a deadly one) when
>> destroying containers which are or have been passing forwarded IPv4
>> traffic and have (or have had) a netfilter conntrack rule installed.
>>
>> To repeat, you need to have
>> a) a container
>> b) which is forwarding IPv4 traffic from one interface in the container
>> to another (2 veth interfaces in this case) - one ping packet per
>> second will do
>> c) iptables with an IP conntrack rule.
>> d) delete the container (it doesn't matter if you delete the iptables
>> rule first and sleep for a couple of seconds).
>>
>> An OOPS like the one below results.
>>
>> This one is from Ubuntu kernel
>> 3.0.0-10-server #16-Ubuntu SMP Fri Sep 2 18:51:05 UTC 2011 x86_64
>> GNU/Linux
>
>> RIP: 0010:[<ffffffff81511959>]  [<ffffffff81511959>] netlink_has_listeners+0x9/0x50
>> [<ffffffffa048f145>] nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
>> [<ffffffffa049943b>] ctnetlink_conntrack_event+0x5cb/0x890 [nf_conntrack_netlink]
>> [<ffffffff814e34d0>] ? net_drop_ns+0x50/0x50
>> [<ffffffffa04062d8>] death_by_timeout+0xc8/0x1c0 [nf_conntrack]
>> [<ffffffffa0405270>] ? nf_conntrack_attach+0x50/0x50 [nf_conntrack]
>> [<ffffffffa0406448>] nf_ct_iterate_cleanup+0x78/0x90 [nf_conntrack]
>> [<ffffffffa0406491>] nf_conntrack_cleanup_net+0x31/0x100 [nf_conntrack]
>> [<ffffffffa0407f97>] nf_conntrack_cleanup+0x27/0x60 [nf_conntrack]
>> [<ffffffffa04081f0>] nf_conntrack_net_exit+0x60/0x80 [nf_conntrack]
>> [<ffffffff814e2d28>] ops_exit_list.isra.1+0x38/0x60
>> [<ffffffff814e35e2>] cleanup_net+0x112/0x1b0
>
>



-- 
Alex Bligh
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
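
Added illustration, not part of the original thread and not kernel code: a userspace C model of the two questions asked above, namely whether a NULL check in the event handler is enough and whether teardown ordering is the wider issue. Every `_model` name, the group number and the entry count are assumptions; the would-be NULL dereference is counted instead of executed.

```c
/* Userspace model, not kernel code; every *_model name is hypothetical. */
#include <stddef.h>
#include <stdio.h>
struct sock_model { unsigned listeners; };   /* bitmask: groups with listeners */
struct net_model { struct sock_model *nfnl; int conntracks; };

static int faults;   /* counts spots where the real code would dereference NULL */

static int has_listeners_model(struct net_model *net, unsigned group)
{
    if (net->nfnl == NULL) { faults++; return 0; }   /* kernel: oops here */
    return (net->nfnl->listeners >> group) & 1;
}

/* Shaped like the quoted snippet; guard != 0 adds the proposed NULL check. */
static int conntrack_event_model(struct net_model *net, int report,
                                 unsigned group, int guard)
{
    if (guard && net->nfnl == NULL)
        return 0;
    if (!report && !has_listeners_model(net, group))
        return 0;
    return 1;   /* would build and send a netlink message */
}

static void nfnetlink_exit_model(struct net_model *net) { net->nfnl = NULL; }
static void conntrack_exit_model(struct net_model *net, int guard)
{
    while (net->conntracks-- > 0)
        conntrack_event_model(net, 0, 2, guard);   /* destroy event per entry */
}

/* Tear down a namespace with n entries; returns would-be NULL dereferences. */
int teardown_faults(int n, int nfnetlink_first, int guard)
{
    struct sock_model sk = { 0 };
    struct net_model net = { &sk, n };
    faults = 0;
    if (nfnetlink_first) nfnetlink_exit_model(&net);
    conntrack_exit_model(&net, guard);
    nfnetlink_exit_model(&net);
    return faults;
}

int main(void)
{
    printf("%d %d %d\n", teardown_faults(3, 1, 0), teardown_faults(3, 1, 1), teardown_faults(3, 0, 0));
    return 0;
}
```

In this model the guard removes the faults when the socket is cleared first, and running the conntrack cleanup before the socket is cleared removes them without any guard.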
