Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)

From: Tom Leete (tleete@mountain.net)
Date: Thu Dec 14 2000 - 21:25:48 EST


"David S. Miller" wrote:
>
> Date: Thu, 14 Dec 2000 15:35:48 -0500 (EST)
> From: "Mohammad A. Haque" <mhaque@haque.net>
>
> I'll be trying in a few hours.
>
> Meanwhile for people wanting the crashes to be fixed, please
> apply this patch.
>
> This was _always_ broken, and really what netfilter is doing
> should have never worked. The only theory I have right now
> is that people using netfilter never had IP fragments timeout.
> :-)
>
> So the patch below restores previous behavior exactly.
> I.e. fragments sourced by netfilter cannot send ICMP errors
> on frag-queue timeout :-)
>

Hello,

I posted one of these, generated by NFS traffic, earlier. This one was
triggered from a peer with
$ ping -c 1 -s 1478 <2.4.0-t12-host>
1478 bytes of payload plus the 8-byte ICMP header is 1486 = 0x5ce, which is
the value that shows up as an argument in the icmp_* frames below and in
the dump of the queue structure. The echo reply does not fit a standard
1500-byte Ethernet MTU, so it is fragmented on output and, as the trace
shows, goes from ip_build_xmit_slow through the ip_conntrack output hook
(ip_conntrack_local -> ip_ct_gather_frags -> ip_defrag) before it faults.
Worth noting: the trigger is a single unsolicited packet from the network,
so with ip_conntrack loaded any host that can ping this machine can panic
it.

kdb over serial console -- the module addresses are accurate. Lightly edited
for readability. The faulting instruction at eip 0xc01c0c32 (the first
bytes of the "Code:" line, 8b 40 3c) is `mov 0x3c(%eax),%eax` with
%eax == 0, which is the NULL dereference at address 0x3c reported above; the
next instruction (89 41 3c) would store that value at 0x3c(%ecx), and %ecx
is the first argument of ip_frag_queue (0xc11a6fa0), i.e. the fragment
queue itself.

Hope this helps,
Tom

Unable to handle kernel NULL pointer dereference at virtual address 0000003c
 printing eip:
c01c0c32
*pde = 00000000

Entering kdb (current=0xc02c0000, pid 0) Panic: Oops
due to panic @ 0xc01c0c32
eax = 0x00000000 ebx = 0x00000000 ecx = 0xc11a6fa0 edx = 0x00000006
esi = 0xc1376be0 edi = 0x00000000 esp = 0xc02c1bac eip = 0xc01c0c32
ebp = 0xc02c1bc8 xss = 0x00000018 xcs = 0xc11a0010 eflags = 0x00010246
xds = 0x31010018 xes = 0x00000018 origeax = 0xffffffff &regs = 0xc02c1b78
kdb> bt
    EBP EIP Function(args)
0xc02c1bc8 0xc01c0c32 ip_frag_queue+0x222 (0xc11a6fa0, 0xc1376be0)
                               kernel .text 0xc0100000 0xc01c0a10 0xc01c0c90
0xc02c1bf4 0xc01c1004 ip_defrag+0xc4 (0xc1376be0)
                               kernel .text 0xc0100000 0xc01c0f40 0xc01c1070
0xc02c1c0c 0xc4093365 [ip_conntrack]ip_ct_gather_frags+0x25 (0xc1376be0)
                               ip_conntrack .text 0xc4091060 0xc4093340
0xc40933e0
0xc02c1c54 0xc40924cd [ip_conntrack]ip_conntrack_in+0x3d (0x3, 0xc02c1cdc,
0x0, 0xc3104800, 0xc01c3560)
                               ip_conntrack .text 0xc4091060 0xc4092490
0xc40927b0
0xc02c1c70 0xc4094666 [ip_conntrack]ip_conntrack_local+0x56 (0x3,
0xc02c1cdc, 0x0, 0xc3104800, 0xc01c3560)
                               ip_conntrack .text 0xc4091060 0xc4094610
0xc4094670
0xc02c1c98 0xc01b2d98 nf_iterate+0x28 (0xc0320cd8, 0xc02c1cdc, 0x3, 0x0,
0xc3104800)
                               kernel .text 0xc0100000 0xc01b2d70 0xc01b2e00
0xc02c1ccc 0xc01b3001 nf_hook_slow+0x71 (0x2, 0x3, 0xc1376be0, 0x0,
0xc3104800)
                               kernel .text 0xc0100000 0xc01b2f90 0xc01b3080
0xc02c1d3c 0xc01c2c27 ip_build_xmit_slow+0x387 (0xc11d2730, 0xc01d9a00,
0xc02c1dfc, 0x5e2, 0xc02c1de0)
                               kernel .text 0xc0100000 0xc01c28a0 0xc01c2d00
0xc02c1d7c 0xc01c2d4b ip_build_xmit+0x4b (0xc11d2730, 0xc01d9a00,
0xc02c1dfc, 0x5e2, 0xc02c1de0)
                               kernel .text 0xc0100000 0xc01c2d00 0xc01c2ff0
0xc02c1dec 0xc01d9c03 icmp_reply+0x173 (0xc02c1dfc, 0xc136aab0)
                               kernel .text 0xc0100000 0xc01d9a90 0xc01d9c20
0xc02c1e44 0xc01da1aa icmp_echo+0x3a (0xc0aad824, 0xc136aab0, 0x5c6)
more>
                               kernel .text 0xc0100000 0xc01da170 0xc01da1b0
0xc02c1e68 0xc01da459 icmp_rcv+0xa9 (0xc136aab0, 0x5ce)
                               kernel .text 0xc0100000 0xc01da3b0 0xc01da490
0xc02c1e88 0xc01c04a4 ip_local_deliver_finish+0x94 (0xc136aab0, 0xc136aab0)
                               kernel .text 0xc0100000 0xc01c0410 0xc01c0520
0xc02c1ea4 0xc01b3048 nf_hook_slow+0xb8 (0x2, 0x1, 0xc136aab0, 0xc3104800,
0x0)
                               kernel .text 0xc0100000 0xc01b2f90 0xc01b3080
0xc02c1ec4 0xc01c02d5 ip_local_deliver+0x45 (0xc136aab0)
                               kernel .text 0xc0100000 0xc01c0290 0xc01c02e0
0xc02c1ee8 0xc01c06dc ip_rcv_finish+0x1bc (0xc136aab0, 0xc08bd210)
                               kernel .text 0xc0100000 0xc01c0520 0xc01c0710
0xc02c1f04 0xc01b3048 nf_hook_slow+0xb8 (0x2, 0x0, 0xc136aab0, 0xc3104800,
0x0)
                               kernel .text 0xc0100000 0xc01b2f90 0xc01b3080
0xc02c1f38 0xc01c03dc ip_rcv+0xfc (0xc08bd210, 0xc3104800, 0xc02bca84)
                               kernel .text 0xc0100000 0xc01c02e0 0xc01c0410
0xc02c1f68 0xc01b703d net_rx_action+0x12d (0xc02facf0)
                               kernel .text 0xc0100000 0xc01b6f10 0xc01b7160
0xc02c1f80 0xc011bd7e do_softirq+0x4e
                               kernel .text 0xc0100000 0xc011bd30 0xc011bdb0
0xc02c1f98 0xc010ad13 do_IRQ+0xa3 (0xc01074f0, 0xc2532260, 0xc02c0000,
0xc02c0000, 0xc02c0000)
                               kernel .text 0xc0100000 0xc010ac70 0xc010ad30
           0xc01093f0 ret_from_intr
                               kernel .text 0xc0100000 0xc01093f0 0xc0109410
Interrupt registers:
eax = 0x00000000 ebx = 0xc01074f0 ecx = 0xc2532260 edx = 0xc02c0000
esi = 0xc02c0000 edi = 0xc02c0000 esp = 0xc02c1fd4 eip = 0xc0107516
ebp = 0xc02c1fd4 xss = 0x00000018 xcs = 0x00000010 eflags = 0x00000246
xds = 0xc0100018 xes = 0xc02c0018 origeax = 0xffffff0c &regs = 0xc02c1fa0
           0xc0107516 default_idle+0x26
                               kernel .text 0xc0100000 0xc01074f0 0xc0107520
0xc02c1fe8 0xc0107585 cpu_idle+0x35
                               kernel .text 0xc0100000 0xc0107550 0xc01075a0
#
#
kdb> mds 0xc11a6fa0
0xc11a6fa0 00000000 ....
0xc11a6fa4 0101a8c0 ˬ..
0xc11a6fa8 3101a8c0 ˬ.1
0xc11a6fac 0101cc28 (Ì..
0xc11a6fb0 c1376be0 àk7Á
0xc11a6fb4 000005ce Î...
0xc11a6fb8 00000000 ....
0xc11a6fbc 00000000 ....
#
#
kdb> mds 0xc1376be0
0xc1376be0 00000000 ....
0xc1376be4 00000000 ....
0xc1376be8 00000000 ....
0xc1376bec c11d2730 0'.Á
0xc1376bf0 00000000 ....
0xc1376bf4 0009bfa7 §¿..
0xc1376bf8 00000000 ....
0xc1376bfc c3063f50 P?.Ã
#
#
kdb> mds 0xc02c1cdc
0xc02c1cdc c1376be0 àk7Á
0xc02c1ce0 00000000 ....
0xc02c1ce4 c3104800 .H.Ã
0xc02c1ce8 c01c3560 output_maybe_reroute
                       kernel .text 0xc0100000 0xc01c3560 0xc01c3580
0xc02c1cec 00000000 ....
0xc02c1cf0 c02c1dfc init_task_union+0x1dfc
                       kernel .data.init_task 0xc02c0000 0xc02c0000
0xc02c2000
0xc02c1cf4 00000040 @...
0xc02c1cf8 c3063f40 @?.Ã
#
#
kdb> mds 0xc0320cd8
0xc0320cd8 c4095f08 [ip_conntrack]ip_conntrack_local_out_ops
                       ip_conntrack .data 0xc4095a40 0xc4095f08 0xc4095f20
0xc0320cdc c40ae668 [iptable_filter]ipt_ops+0x30
                       iptable_filter .data 0xc40ae320 0xc40ae638 0xc40ae680
0xc0320ce0 c409ec98 [iptable_nat]ip_nat_out_ops
                       iptable_nat .data 0xc409ec80 0xc409ec98 0xc409ecb0
0xc0320ce4 c4095f20 [ip_conntrack]ip_conntrack_out_ops
                       ip_conntrack .data 0xc4095a40 0xc4095f20 0xc4095f38
0xc0320ce8 c0320ce8 nf_hooks+0xa8
                       kernel .bss 0xc02f4620 0xc0320c40 0xc0321440
0xc0320cec c0320ce8 nf_hooks+0xa8
                       kernel .bss 0xc02f4620 0xc0320c40 0xc0321440
0xc0320cf0 c0320cf0 nf_hooks+0xb0
                       kernel .bss 0xc02f4620 0xc0320c40 0xc0321440
0xc0320cf4 c0320cf0 nf_hooks+0xb0
                       kernel .bss 0xc02f4620 0xc0320c40 0xc0321440
#
#
kdb> mds 0xc3104800
0xc3104800 30687465 eth0
0xc3104804 00000000 ....
0xc3104808 00000000 ....
0xc310480c 00000000 ....
0xc3104810 00000000 ....
0xc3104814 00000000 ....
0xc3104818 00000000 ....
0xc310481c 00000000 ....
#
#
kdb> mds 0xc11d2730
0xc11d2730 00000000 ....
0xc11d2734 00000000 ....
0xc11d2738 00010000 ....
0xc11d273c 00000000 ....
0xc11d2740 00000000 ....
0xc11d2744 00000000 ....
0xc11d2748 00000000 ....
0xc11d274c 00000000 ....
#
#
kdb> mds 0xc40927b0
0xc40927b0 56e58955 U.åV
0xc40927b4 8b53c031 1ÀS.
0xc40927b8 758b0c5d ]..u
0xc40927bc 0e438a08 ..C.
0xc40927c0 e93ae850 Pè:é
0xc40927c4 5350ffff ÿÿPS
0xc40927c8 e9e2e856 Vèâé
0xc40927cc 658dffff ÿÿ.e
#
#
kdb> mds 0xc4094670
0xc4094670 53e58955 U.åS
0xc4094674 7d83db31 1Û.}
0xc4094678 840f0008 ....
0xc409467c 000000b0 °...
0xc4094680 fff16be8 èkñÿ
0xc4094684 85c389ff ÿ.Ã.
0xc4094688 ed8c0fdb Û..í
0xc409468c a1000000 ...¡
#
#
kdb> md ip_frag_queue
0xc01c0a10 83e58955 565710ec 0c4d8b53 8b08758b U.å.ì.WVS.M..u..
0xc01c0a20 4d892049 0f5e8af0 f6fb5d88 850f04c3 I .Mð.^..]ûöÃ...
0xc01c0a30 0000022c 06418b66 c931c486 89c18966 ,...f.A..Ä1Éf.Á.
0xc01c0a40 ca89fc4d e000e281 e181ffff 00001fff Mü.Ê.â.àÿÿ.áÿ...
0xc01c0a50 8b03e1c1 4d89f075 24068afc 00ff250f Áá..uð.Mü..$.%ÿ.
0xc01c0a60 3c8d0000 00000085 468b6600 25c48602 ...<.....f.F..Ä%
0xc01c0a70 0000ffff c801f829 f6f04589 307520c6 ÿÿ..)ø.È.EðöÆ u0
0xc01c0a80 8b084d8b 45391441 d18c0ff0 f6000001 .M..A.9Eð..Ñ...ö
#
#
kdb> mds 0xc11d2730
0xc11d2730 00000000 ....
0xc11d2734 00000000 ....
0xc11d2738 00010000 ....
0xc11d273c 00000000 ....
0xc11d2740 00000000 ....
0xc11d2744 00000000 ....
0xc11d2748 00000000 ....
0xc11d274c 00000000 ....
#
#
kdb> mds 0xc02c1dfc
0xc02c1dfc c0aad82c ,ت
0xc02c1e00 000005c6 Æ...
0xc02c1e04 00000000 ....
0xc02c1e08 000069d6 Öi..
0xc02c1e0c c3c38784 ..ÃÃ
0xc02c1e10 00000000 ....
0xc02c1e14 00000000 ....
0xc02c1e18 00000002 ....
#
#
kdb> mds 0xc01d9a00
0xc01d9a00 57e58955 U.åW
0xc01d9a04 758b5356 VS.u
0xc01d9a08 0c7d8b08 ..}.
0xc01d9a0c 8510458b .E..
0xc01d9a10 8b4d75c0 ÀuM.
0xc01d9a14 006a1046 F.j.
0xc01d9a18 6a50006a j.Pj
0xc01d9a1c 568d5708 .W.V
#
#
kdb> mds 0xc02c1de0
0xc02c1de0 3101a8c0 ˬ.1
0xc02c1de4 c02c1df4 init_task_union+0x1df4
                       kernel .data.init_task 0xc02c0000 0xc02c0000
0xc02c2000
0xc02c1de8 00000000 ....
0xc02c1dec c02c1e44 init_task_union+0x1e44
                       kernel .data.init_task 0xc02c0000 0xc02c0000
0xc02c2000
0xc02c1df0 c01da1aa icmp_echo+0x3a
                       kernel .text 0xc0100000 0xc01da170 0xc01da1b0
0xc02c1df4 c02c1dfc init_task_union+0x1dfc
                       kernel .data.init_task 0xc02c0000 0xc02c0000
0xc02c2000
0xc02c1df8 c136aab0 °ª6Á
0xc02c1dfc c0aad82c ,ت
#
#
kdb> mds 0xc136aab0
0xc136aab0 00000000 ....
0xc136aab4 00000000 ....
0xc136aab8 00000000 ....
0xc136aabc 00000000 ....
0xc136aac0 00000000 ....
0xc136aac4 000c30a7 §0..
0xc136aac8 c3104800 .H.Ã
0xc136aacc c0aad824 $ت
#
# Let it die now
#
kdb> go
Oops: 0000
CPU: 0
EIP: 0010:[<c01c0c32>]
EFLAGS: 00010246
eax: 00000000 ebx: 00000000 ecx: c11a6fa0 edx: 00000006
esi: c1376be0 edi: 00000000 ebp: c02c1bc8 esp: c02c1bac
ds: 0018 es: 0018 ss: 0018
Process swapper (pid: 0, stackpage=c02c1000)
Stack: c11a6fa0 00000000 0000cc28 000005ce 00000015 001a6fa0 000005c8
c02c1bf4
       c01c1004 c11a6fa0 c1376be0 c11d2730 c1376be0 00000008 3000fc28
0117158a
       0101a8c0 00000000 c02c1c0c c4093365 c1376be0 c4095f08 c02c1cdc
00000003
Call Trace: [<c01c1004>] [<c4093365>] [<c4095f08>] [<c40924cd>] [<c4095f08>]
[<c409b2ac>] [<c4094666>]
       [<c01c3560>] [<c01b2d98>] [<c01c3560>] [<c01b3001>] [<c01c3560>]
[<c4095f08>] [<c01c2c27>] [<c01c3560>]
       [<c403de76>] [<cc281d80>] [<c01c2d4b>] [<c01d9a00>] [<c01d9c03>]
[<c01d9a00>] [<c01da1aa>] [<c409197c>]
       [<c4095f38>] [<c01da459>] [<c01c04a4>] [<c01b3048>] [<c01c02d5>]
[<c01c0410>] [<c01c06dc>] [<c01b3048>]
       [<c01c03dc>] [<c01c0520>] [<c01b703d>] [<c011bd7e>] [<c010ad13>]
[<c01074f0>] [<c01093f0>] [<c01074f0>]
       [<c0100018>] [<c0107516>] [<c0107585>] [<c0105000>] [<c0100191>]
Code: 8b 40 3c 89 41 3c c7 46 18 00 00 00 00 8b 46 5c 01 41 18 8b
Aiee, killing interrupt handler
Kernel panic: Attempted to kill the idle task!
In interrupt handler - not syncing
# DOA


