Re: Repeatable OOPS with containers and netfilter

Alexey,

--On 9 September 2011 19:16:41 +0300 Alexey Dobriyan <adobriyan@xxxxxxxxx> wrote:

net->nfnl = NULL

Is this as simple as in ctnetlink_conntrack_event,

       net = nf_ct_net(ct);
       if (!item->report && !nfnetlink_has_listeners(net, group))
               return 0;

the if should also check net->nfnl is non-NULL?

Or does it indicate something wider wrong?

Alex

On Fri, Sep 9, 2011 at 6:33 PM, Alex Bligh <alex@xxxxxxxxxxx> wrote:
We are seeing a repeatable kernel oops (quite a deadly one) when
destroying containers which are or have been passing forwarded IPv4
traffic and have (or have had) a netfilter conntrack rule installed.

To repeat, you need to have
a) a container
b) which is forwarding IPv4 traffic from one interface in the container
   to another (2 veth interfaces in this case) - one ping packet per
   second will do
c) iptables with an IP conntrack rule.
d) delete the container (it doesn't matter if you delete the iptables
   rule first and sleep for a couple of seconds).

An OOPS like the one below results.

This one is from Ubuntu kernel
3.0.0-10-server #16-Ubuntu SMP Fri Sep 2 18:51:05 UTC 2011 x86_64
GNU/Linux

RIP: 0010:[<ffffffff81511959>]  [<ffffffff81511959>] netlink_has_listeners+0x9/0x50
[<ffffffffa048f145>] nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
[<ffffffffa049943b>] ctnetlink_conntrack_event+0x5cb/0x890 [nf_conntrack_netlink]
[<ffffffff814e34d0>] ? net_drop_ns+0x50/0x50
[<ffffffffa04062d8>] death_by_timeout+0xc8/0x1c0 [nf_conntrack]
[<ffffffffa0405270>] ? nf_conntrack_attach+0x50/0x50 [nf_conntrack]
[<ffffffffa0406448>] nf_ct_iterate_cleanup+0x78/0x90 [nf_conntrack]
[<ffffffffa0406491>] nf_conntrack_cleanup_net+0x31/0x100 [nf_conntrack]
[<ffffffffa0407f97>] nf_conntrack_cleanup+0x27/0x60 [nf_conntrack]
[<ffffffffa04081f0>] nf_conntrack_net_exit+0x60/0x80 [nf_conntrack]
[<ffffffff814e2d28>] ops_exit_list.isra.1+0x38/0x60
[<ffffffff814e35e2>] cleanup_net+0x112/0x1b0





--
Alex Bligh
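
A userspace model of the teardown ordering discussed in this message, added here as an illustration; it is not code from the thread or from the kernel. All `model_*` names and the struct layouts are hypothetical, and it assumes the nfnetlink exit handler clears `net->nfnl` before conntrack cleanup raises its destroy events.

```c
#include <stdio.h>

/* Userspace stand-ins for the objects named in the trace (simplified, hypothetical layouts). */
struct sock { unsigned long listeners; };   /* bitmask of groups that have listeners */
struct net  { struct sock *nfnl; int live_conntracks; int events_sent; };

/* Like the function at the top of the trace: dereferences sk unconditionally. */
static int model_netlink_has_listeners(const struct sock *sk, unsigned int group)
{
    return (sk->listeners >> group) & 1;
}

/* Guarded variant: the extra net->nfnl check asked about in the message. */
static int model_nfnetlink_has_listeners(const struct net *net, unsigned int group)
{
    return net->nfnl != NULL && model_netlink_has_listeners(net->nfnl, group);
}

/* Event path: return early when nobody listens (or the socket is already gone). */
static int model_conntrack_event(struct net *net, int report, unsigned int group)
{
    if (!report && !model_nfnetlink_has_listeners(net, group)) return 0;
    net->events_sent++;
    return 1;
}

/* Per-namespace exit handlers, run one after another by the teardown path. */
static void model_nfnetlink_exit(struct net *net) { net->nfnl = NULL; }
static void model_conntrack_exit(struct net *net)
{
    /* Each destroyed conntrack entry raises one event. */
    for (; net->live_conntracks > 0; net->live_conntracks--)
        model_conntrack_event(net, 0, 1);
}

/* Runs both handlers in the given order; returns the number of events delivered. */
static int model_teardown(int nfnetlink_first, int conntracks)
{
    struct sock nfnl = { .listeners = 1UL << 1 };
    struct net net = { &nfnl, conntracks, 0 };
    if (nfnetlink_first) { model_nfnetlink_exit(&net); model_conntrack_exit(&net); }
    else                 { model_conntrack_exit(&net); model_nfnetlink_exit(&net); }
    return net.events_sent;
}

int main(void)
{
    printf("conntrack first: %d, nfnetlink first: %d\n", model_teardown(0, 3), model_teardown(1, 3));
    return 0;
}
```

With the guard in place, the nfnetlink-first ordering no longer dereferences NULL in this model, but all three destroy events are silently dropped.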