NULL pointer dereference in netfilter

From: Mihai Moldovan
Date: Sat May 10 2014 - 18:38:40 EST


Hi

earlier today, I experienced a kernel panic due to a NULL pointer dereference
somewhere in the netfilter subsystem.

Full kernel output (may contain typos):

[360412.114033] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[360412.115643] IP: [<ffffffff81865efe>] nf_nat_setup_info+0x56e/0x900
[360412.117244] PGD: 0
[360412.117337] Oops: 0002 [#3] SMP
[360412.117337] Modules linked in: ath9k ath9k_common ath9k_hw ath mac80211 cfg80211 xt_conntrack xt_dscp kvm_intel kvm hfcsusb mISDN_core e1000e cp210x i915 rfkill ptp video pps_core drm_kms_helper backlight [last unloaded: cfg80211]
[360412.117337] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D O 3.14.2-OSS4.2 #2
[360412.117337] Hardware name: /DQ45CB, BIOS CBQ4510H.86A.0133.2011.0810.1010 08/10/2011
[360412.117337] task: ffff8802321c5540 ti: ffff8802321f4000 task.ti: ffff8802321f4000
[360412.117337] RIP: 0010:[<ffffffff81865efe>] [<ffffffff81865efe>] nf_nat_setup_info+0x56e/0x900
[360412.117337] RSP: 0018:ffff88023bd03668 EFLAGS: 00010246
[360412.117337] RAX: 0000000000000000 RBX: ffff8800b073d380 RCX: 000000000ae3d87f
[360412.117337] RDX: ffff88021cdc9800 RSI: 00000000b8061897 RDI: ffffffff824808b8
[360412.117337] RBP: ffff88023bd03748 R08: ffff88003773e000 R09: ffffffff820ac780
[360412.117337] R10: ffff88021cdc9800 R11: ffff88021cdc98e0 R12: 000000000000235d
[360412.117337] R13: 0000000000000000 R14: ffff88023bd03698 R15: ffff88023bd036c0
[360412.117337] FS: 0000000000000000(0000) GS:ffff88023bd00000(0000) knlGS:0000000000000000
[360412.117337] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[360412.117337] CR2: 0000000000000010 CR3: 000000000200b000 CR4: 00000000000407e0
[360412.117337] Stack:
[360412.117337] ffffffff820ac780 ffffffff81d905b0 ffff88023bd036c0 ffffffff820ac780
[360412.117337] ffffffff81d964e0 ffffffff81d906a0 00000000df8e782a 0000000000000000
[360412.117337] 8343b75500027f96 0000000000000000 0006bb0600000000 000000008343b755
[360412.117337] Call Trace:
[360412.117337] <IRQ>
[360412.117337] [<ffffffff81874e9f>] xt_snat_target_v0+0x6f/0x90
[360412.117337] [<ffffffff818e0453>] ipt_do_table+0x2c3/0x6c0
[360412.117337] [<ffffffff818e04b6>] ? ipt_do_table+0x326/0x6c0
[360412.117337] [<ffffffff818e0d07>] nf_nat_ipv6_fn+0x1d7/0x330
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff818e1068>] nf_nat_ipv4_out+0x58/0x100
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff81846b75>] nf_iterate+0x85/0xb0
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff81846c0c>] nf_hook_slow+0x6c/0x130
[360412.117337] [<ffffffff81888e20>] ? __ip_append_data.isra.43+0xa30/0xa30
[360412.117337] [<ffffffff81889bb2>] ip_output+0x82/0x90
[360412.117337] [<ffffffff81889314>] ip_local_out+0x24/0x30
[360412.117337] [<ffffffff818e2182>] reject_tg+0x4d2/0x4e0
[360412.117337] [<ffffffff818e0453>] ipt_do_table+0x2c3/0x6c0
[360412.117337] [<ffffffff81883f30>] ? ip_rcv_finish+0x360/0x360
[360412.117337] [<ffffffff818e0924>] iptable_filter_hook+0x34/0x70
[360412.117337] [<ffffffff81846b75>] nf_iterate+0x85/0xb0
[360412.117337] [<ffffffff81883f30>] ? ip_rcv_finish+0x360/0x360
[360412.117337] [<ffffffff81846c0c>] nf_hook_slow+0x6c/0x130
[360412.117337] [<ffffffff81883f30>] ? ip_rcv_finish+0x360/0x360
[360412.117337] [<ffffffff81884303>] ip_local_deliver+0x73/0x80
[360412.117337] [<ffffffff81883c53>] ip_rcv_finish+0x83/0x360
[360412.117337] [<ffffffff818845b8>] ip_rcv+0x2a8/0x3e0
[360412.117337] [<ffffffff817e7bb2>] __netif_receive_skb_core+0x632/0x7a0
[360412.117337] [<ffffffff817e7d3c>] __netif_receive_skb+0x1c/0x70
[360412.117337] [<ffffffff817e7e2c>] process_backlog+0x9c/0x170
[360412.117337] [<ffffffff817e823b>] net_rx_action+0xfb/0x1a0
[360412.117337] [<ffffffff810c3e65>] __do_softirq+0xd5/0x1f0
[360412.117337] [<ffffffff810c4185>] irq_exit+0x95/0xa0
[360412.117337] [<ffffffff81003d82>] do_IRQ+0x62/0x110
[360412.117337] [<ffffffff81a20d67>] common_interrupt+0x67/0x67
[360412.117337] <EOI>
[360412.117337] [<ffffffff81791ce6>] ? cpuidle_enter_state+0x56/0xd0
[360412.117337] [<ffffffff81791ce2>] ? cpuidle_enter_state+0x52/0xd0
[360412.117337] [<ffffffff81791dfa>] cpuidle_idle_call+0x9a/0x140
[360412.117337] [<ffffffff8100afe9>] arch_cpu_idle+0x9/0x20
[360412.117337] [<ffffffff8110a81a>] cpu_startup_entry+0xda/0x1c0
[360412.117337] [<ffffffff8102a1ad>] start_secondary+0x20d/0x2c0
[360412.117337] Code: e0 e8 a7 a9 1b 00 48 8b 93 e0 00 00 00 49 c1 ec 20 48 85 d2 74 0c 0f b6 42 11 84 c0 0f 85 93 02 00 00 31 c0 4c 8b 8d 38 ff ff ff <48> 89 58 10 49 8b 91 70 0b 00 00 4a 8d 14 e2 48 8b 0a 48 89 50
[360412.117337] RIP [<ffffffff81865efe>] nf_nat_setup_info+0x56e/0x900
[360412.117337] RSP <ffff88023bd03668>
[360412.117337] CR2: 0000000000000010
[360412.117337] ---[ end trace 691638412d73c338 ]---
[360412.117337] Kernel panic - not syncing: Fatal exception in interrupt
[360412.117337] Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff)
[360412.117337] drm_kms_helper: panic occurred, switching back to text console


decodecode:

All code
========
   0:   e0 e8                   loopne 0xffffffffffffffea
   2:   a7                      cmpsl  %es:(%rdi),%ds:(%rsi)
   3:   a9 1b 00 48 8b          test   $0x8b48001b,%eax
   8:   93                      xchg   %eax,%ebx
   9:   e0 00                   loopne 0xb
   b:   00 00                   add    %al,(%rax)
   d:   49 c1 ec 20             shr    $0x20,%r12
  11:   48 85 d2                test   %rdx,%rdx
  14:   74 0c                   je     0x22
  16:   0f b6 42 11             movzbl 0x11(%rdx),%eax
  1a:   84 c0                   test   %al,%al
  1c:   0f 85 93 02 00 00       jne    0x2b5
  22:   31 c0                   xor    %eax,%eax
  24:   4c 8b 8d 38 ff ff ff    mov    -0xc8(%rbp),%r9
  2b:*  48 89 58 10             mov    %rbx,0x10(%rax)          <-- trapping instruction
  2f:   49 8b 91 70 0b 00 00    mov    0xb70(%r9),%rdx
  36:   4a 8d 14 e2             lea    (%rdx,%r12,8),%rdx
  3a:   48 8b 0a                mov    (%rdx),%rcx
  3d:   48                      rex.W
  3e:   89                      .byte 0x89
  3f:   50                      push   %rax

Code starting with the faulting instruction
===========================================
   0:   48 89 58 10             mov    %rbx,0x10(%rax)
   4:   49 8b 91 70 0b 00 00    mov    0xb70(%r9),%rdx
   b:   4a 8d 14 e2             lea    (%rdx,%r12,8),%rdx
   f:   48 8b 0a                mov    (%rdx),%rcx
  12:   48                      rex.W
  13:   89                      .byte 0x89
  14:   50                      push   %rax


And, if it's of any interest (at least I've seen snat in there, so I'm going
ahead with this), one of the many rules in iptables:

Chain POSTROUTING (policy ACCEPT 1836 packets, 89722 bytes)
 2189  157K SNAT       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0            to:85.183.67.131


Can/should I provide any more information?

Unfortunately, I don't have a full packet log of my network when the issue
happened. It came pretty much out of the blue.


Best regards,


Mihai

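Added example, not part of Mihai's mail and not a kernel tool: a small Python script that does the bookkeeping a triager does by hand on a report like the one above. Its sample input is the Oops/IP/register/CR2 lines and the decodecode lines around the trapping instruction, both copied from the mail (the decodecode column layout is the standard one, which the regexes assume). It recomputes the effective address of the faulting instruction's memory operand from the register dump, compares it with CR2, and checks the access type against the page-fault error code printed after "Oops:". For this report it confirms that `mov %rbx,0x10(%rax)` with RAX = 0 is a write to offset 0x10 of a NULL struct pointer, and the `xor %eax,%eax` two instructions earlier shows the compiler already knew the pointer was zero on that path, so the place to look is the source line at nf_nat_setup_info+0x56e (`gdb -batch -ex 'l *nf_nat_setup_info+0x56e' vmlinux` against the matching build) rather than the SNAT rule.

```python
"""Tie CR2 of an x86-64 kernel oops to the base register of the trapping
instruction, so "NULL pointer dereference at 0000000000000010" becomes
"write through a NULL struct pointer, field offset 0x10"."""
import re
from typing import Dict, Optional

# Sample input copied from the report above (hand-transcribed by the reporter).
OOPS_TEXT = """\
[360412.114033] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[360412.115643] IP: [<ffffffff81865efe>] nf_nat_setup_info+0x56e/0x900
[360412.117337] Oops: 0002 [#3] SMP
[360412.117337] RAX: 0000000000000000 RBX: ffff8800b073d380 RCX: 000000000ae3d87f
[360412.117337] RDX: ffff88021cdc9800 RSI: 00000000b8061897 RDI: ffffffff824808b8
[360412.117337] CR2: 0000000000000010 CR3: 000000000200b000 CR4: 00000000000407e0
"""
# The decodecode lines around the trapping instruction, also from the report.
DECODECODE_TEXT = """\
  22: 31 c0                 xor    %eax,%eax
  24: 4c 8b 8d 38 ff ff ff  mov    -0xc8(%rbp),%r9
  2b:* 48 89 58 10           mov    %rbx,0x10(%rax) <-- trapping instruction
  2f: 49 8b 91 70 0b 00 00  mov    0xb70(%r9),%rdx
"""

REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b")
OOPS_RE = re.compile(r"Oops: ([0-9a-f]{4}) \[#(\d+)\]")
IP_RE = re.compile(r"IP: \[<[0-9a-f]+>\] (\S+)")
TRAP_RE = re.compile(r"^\s*[0-9a-f]+:\*\s+(?:[0-9a-f]{2}\s)+\s*(\w+)\s+(\S+)\s+<-- trapping")
# AT&T memory operand: disp(base,index,scale); index and scale are optional.
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%(\w+)(?:,%(\w+)(?:,(\d))?)?\)")
MASK64 = (1 << 64) - 1


def parse_registers(text: str) -> Dict[str, int]:
    """Register dump as {'rax': 0, 'cr2': 0x10, ...}."""
    return {name.lower(): int(val, 16) for name, val in REG_RE.findall(text)}


def decode_error_code(code: int) -> Dict[str, bool]:
    """The number after 'Oops:' is the x86 page-fault error code."""
    return {
        "present": bool(code & 1),   # 0: page not mapped, 1: protection violation
        "write": bool(code & 2),     # 1: write access, 0: read
        "user": bool(code & 4),      # 1: fault raised from user mode
        "reserved_bit": bool(code & 8),
        "insn_fetch": bool(code & 16),
    }


def parse_trapping_instruction(text: str) -> Optional[Dict[str, object]]:
    """Find the '<-- trapping instruction' line and split its memory operand.
    In AT&T syntax the last operand is the destination, so a memory operand
    that ends the operand list is being written."""
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if not m:
            continue
        mnemonic, operands = m.group(1), m.group(2)
        mem = MEM_RE.search(operands)
        if not mem:
            return {"mnemonic": mnemonic, "operands": operands, "memory": None}
        return {"mnemonic": mnemonic, "operands": operands, "memory": {
            "disp": int(mem.group(1), 16) if mem.group(1) else 0,
            "base": mem.group(2),
            "index": mem.group(3),
            "scale": int(mem.group(4)) if mem.group(4) else 1,
            "is_write": mem.end() == len(operands),
        }}
    return None


def triage(oops_text: str, decodecode_text: str) -> Dict[str, object]:
    """Recompute the operand's effective address from the register dump and
    compare it with CR2; a match with a zero base register means a NULL struct
    pointer, and the displacement is the field offset."""
    regs = parse_registers(oops_text)
    oops, ip = OOPS_RE.search(oops_text), IP_RE.search(oops_text)
    err = decode_error_code(int(oops.group(1), 16)) if oops else {}
    insn = parse_trapping_instruction(decodecode_text)
    r: Dict[str, object] = {
        "symbol": ip.group(1) if ip else None,
        "oops_number": int(oops.group(2)) if oops else None,
        "fault_addr": regs.get("cr2"),
        "access": "write" if err.get("write") else "read",
        "mode": "user" if err.get("user") else "kernel",
        "page_present": err.get("present"),
        "base_reg": None, "base_value": None, "computed_addr": None,
        "cr2_matches_operand": False, "null_base": False, "access_matches": None,
    }
    mem = insn["memory"] if insn else None
    if mem and mem["base"] in regs:        # unknown base register: cannot conclude
        base = regs[mem["base"]]
        index = regs.get(mem["index"], 0) if mem["index"] else 0
        computed = (base + index * mem["scale"] + mem["disp"]) & MASK64
        r.update(base_reg=mem["base"], base_value=base, computed_addr=computed,
                 cr2_matches_operand=(computed == regs.get("cr2")),
                 null_base=(base == 0),
                 access_matches=(mem["is_write"] == err.get("write")))
    return r


def verdict(r: Dict[str, object]) -> str:
    if r["null_base"] and r["cr2_matches_operand"]:
        return (f"{r['access']} through NULL %{r['base_reg']} at offset "
                f"{r['computed_addr']:#x} in {r['symbol']} ({r['mode']} mode)")
    fa = r["fault_addr"]
    return f"fault at {fa:#x} in {r['symbol']}: operand does not explain CR2" \
        if isinstance(fa, int) else f"fault in {r['symbol']}: no CR2 in dump"


if __name__ == "__main__":
    print(verdict(triage(OOPS_TEXT, DECODECODE_TEXT)))
```

Run it as-is to see the verdict for this oops; to reuse it on another report, paste the register and decodecode lines into the two constants. The access-type cross-check matters on hand-transcribed output like this one: if the error code said "read" while the operand is a store, one of the two was copied wrong.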