Bug 1411127

Summary: Segfault /usr/sbin/tc
Product: [Fedora] Fedora
Component: iproute
Version: 25
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: redhat
Assignee: Phil Sutter <psutter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: psimerda, psutter, rvokal, twoerner
Fixed In Version: iproute-4.6.0-6.fc25
Last Closed: 2017-01-16 19:52:16 UTC
Type: Bug

Description redhat 2017-01-08 15:28:29 UTC
Description of problem:
/usr/sbin/tc produces segfault

Version-Release number of selected component (if applicable):
iproute-tc-4.6.0-5.fc25.x86_64

How reproducible:
Use tc to configure traffic shaping on ppp0

tc qdisc add dev ppp0 handle ffff: ingress
tc filter add dev ppp0 parent ffff: protocol ip prio 110 u32 match ip src 0.0.0.0/0 flowid :1 police rate 16056kbit burst 6k linklay atm conform-exceed continue/ok
tc filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue
(Speicherabzug geschrieben) tc filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue


Steps to Reproduce:
1. run the four commands mentioned above

Actual results:
tc[7808]: segfault at 0 ip           (null) sp 00007ffde2adf898 error 14 in tc[400000+56000]


Expected results:
No segfault

Additional info:
I've set the core limit to unlimited (ulimit -c unlimited) but can't find a core file. Where is it?

Comment 1 redhat 2017-01-10 15:14:49 UTC
Reading symbols from /usr/sbin/tc...Reading symbols from /usr/lib/debug/usr/sbin/tc.debug...done.
done.
(gdb) run filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue
Starting program: /usr/sbin/tc filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6cc9174 in compatible_target_revision (revision=<optimized out>, name=<optimized out>) at xtables.c:833
#2  xtables_fully_register_pending_target (me=0x7ffff6a800c0 <mark_tg_reg+192>) at xtables.c:1068
#3  xtables_find_target (name=0x7ffff687f2bf "MARK", tryload=tryload@entry=XTF_DURING_LOAD) at xtables.c:732
#4  0x00007ffff6cc90ee in xtables_fully_register_pending_target (me=0x7ffff6a80000 <mark_tg_reg>) at xtables.c:1053
#5  xtables_find_target (name=name@entry=0x7fffffffe208 "MARK", tryload=tryload@entry=XTF_DONT_LOAD) at xtables.c:732
#6  0x00007ffff6cc9526 in load_extension (search_path=<optimized out>, af_prefix=0x7ffff6ccdcff "libipt_", name=name@entry=0x7fffffffe208 "MARK", is_target=is_target@entry=true) at xtables.c:588
#7  0x00007ffff6cc9097 in xtables_find_target (name=0x7fffffffe208 "MARK", tryload=tryload@entry=XTF_TRY_LOAD) at xtables.c:745
#8  0x00007ffff6ed34a4 in parse_ipt (a=<optimized out>, argc_p=0x7fffffff92f4, argv_p=0x7fffffff92f8, tca_id=2, n=0x7fffffff9cb0) at m_xt.c:161
#9  0x0000000000413aaf in parse_action (argc_p=argc_p@entry=0x7fffffff939c, argv_p=argv_p@entry=0x7fffffff9390, tca_id=tca_id@entry=7, n=n@entry=0x7fffffff9cb0) at m_action.c:219
#10 0x0000000000424555 in u32_parse_opt (qu=<optimized out>, handle=<optimized out>, argc=<optimized out>, argv=<optimized out>, n=0x7fffffff9cb0) at f_u32.c:1137
#11 0x000000000040b7e5 in tc_filter_modify (cmd=<optimized out>, flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at tc_filter.c:154
#12 0x0000000000407982 in main (argc=<optimized out>, argv=<optimized out>) at tc.c:346
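
Added example, not part of the original report and not iproute or libxtables code: a small triage helper that decodes the kernel "segfault at" line from the description. The error code is printed in hex, so "error 14" is 0x14 (user-mode instruction fetch from a non-present page), which together with address 0 matches frame #0 at 0x0 in the backtrace above. The function name, verdict strings and the second sample line are constructed for illustration.

```python
import re

# x86 page-fault error-code bits; the kernel prints the code in hex after "error".
# Each entry: (mask, meaning when set, meaning when clear or None).
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set", None),
    (0x10, "instruction fetch", None),
]

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip\s+(?P<ip>\(null\)|[0-9a-f]+) sp (?P<sp>[0-9a-f]+)"
    r" error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def hexval(s):
    # A NULL pointer is printed by the kernel as "(null)" rather than 0.
    return 0 if s == "(null)" else int(s, 16)

def decode_segfault(line):
    """Return a dict describing a kernel 'segfault at' line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = hexval(m["addr"]), hexval(m["ip"]), int(m["err"], 16)
    flags = [on if err & mask else off
             for mask, on, off in PF_BITS if err & mask or off]
    if err & 0x10 and addr < 0x1000:
        verdict = "instruction fetch from NULL page (call/jump/return to NULL)"
    elif addr < 0x1000:
        verdict = "NULL-page data access"
    else:
        verdict = "fault outside NULL page"
    in_obj = None  # whether ip lies inside the mapping named after "in"
    if m["obj"]:
        base = int(m["base"], 16)
        in_obj = base <= ip < base + int(m["size"], 16)
    return {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip,
            "error": err, "flags": flags, "verdict": verdict, "ip_in_object": in_obj}

# The line from this report, and a constructed data-access line for contrast.
REPORTED = ("tc[7808]: segfault at 0 ip           (null) "
            "sp 00007ffde2adf898 error 14 in tc[400000+56000]")
CONSTRUCTED = ("demo[1234]: segfault at 8 ip 0000000000401136 "
               "sp 00007ffc0e5d3a10 error 4 in demo[401000+1000]")
```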

Comment 2 Phil Sutter 2017-01-12 14:47:42 UTC
Hi,

Thanks for reporting the issue!

While reproducing, I found an even simpler reproducer:

# ip link add d0 type dummy
# ip link set d0 up
# tc qdisc add dev d0 ingress
# tc filter add dev d0 parent ffff: u32 match u32 0 0 action xt -j MARK --set-mark 20

Culprit found and patch sent upstream:
https://www.mail-archive.com/netdev@vger.kernel.org/msg147377.html

Thanks, Phil

Comment 3 Fedora Update System 2017-01-13 14:13:21 UTC
iproute-4.6.0-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8de07e8699

Comment 4 Fedora Update System 2017-01-14 06:21:48 UTC
iproute-4.6.0-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8de07e8699

Comment 5 redhat 2017-01-15 20:24:11 UTC
Looks good to me.

Comment 6 Fedora Update System 2017-01-16 19:52:16 UTC
iproute-4.6.0-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.