Bug 770709

Summary: Kernel stack corruption regarding use of netfilter on bridges
Product: Red Hat Enterprise Linux 6 Reporter: Steve Hill <steve>
Component: kernel Assignee: Herbert Xu <herbert.xu>
Status: CLOSED DUPLICATE QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1 CC: j.s.peatfield, mishu, mleitner
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-11 04:32:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments (description, flags):
Kernel stack trace (flags: none)
bridge: Reset IPCB when entering IP stack on NF_FORWARD (flags: none)
bridge: Reset IPCB when entering IP stack (flags: none)

Description Steve Hill 2011-12-28 14:02:32 UTC
Created attachment 549825 [details]
Kernel stack trace

Description of problem:
With the following sysctl options enabled:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
Bridged network traffic will be filtered by iptables.  One of the iptables rules may be a REJECT rule, which causes an ICMP message to be produced (e.g. port unreachable).  Triggering the REJECT rule will often cause the kernel to panic after stack corruption.  I am seeing this problem when running KVM virtual machines in bridged network mode with the host machine running iptables to filter traffic to the virtual machines.

Version-Release number of selected component (if applicable):
This is a Scientific Linux 6.1 machine, but as this issue will affect Red Hat machines equally I am filing it in this Bugzilla.
2.6.32-220.2.1.el6.x86_64
2.6.32-131.21.1.el6.x86_64
2.6.32-131.17.1.el6.x86_64
2.6.32-131.6.1.el6.x86_64

How reproducible:
Frequently breaks, but not always.

Steps to Reproduce:
1. Configure KVM with a virtual machine running on a bridged network.
2. Enable the following sysctl options:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
3. Configure an iptables rule with "-j REJECT --reject-with icmp-port-unreachable" on the host machine to filter some of the bridged traffic.
4. Send some traffic from a remote host to the virtual machine that will trigger the host's REJECT rule.
  
Actual results:
Kernel stack corruption and kernel panic.

Expected results:
ICMP port unreachable packet should be transmitted to the remote machine.

Additional info:
This appears to be a similar bug to: http://www.spinics.net/lists/netdev/msg139436.html
The stack trace I have attached to this report indicates that iptable_filter is calling icmp_send during the bridge processing and this is blowing up.
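
Added example, not part of the original report or of the attached patches: a shell check for the configuration the description above ties to the panic, that is, bridge-nf-call sysctls set to 1 together with a REJECT rule. It parses `sysctl -a` and `iptables-save` style text; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flags the configuration described in the report above.
# Assumed input formats: `sysctl -a` ("key = value") and `iptables-save` rule lines.

# Print each net.bridge.bridge-nf-call-* key whose value is 1 (sysctl text on stdin).
bridge_nf_enabled() {
    awk -F'[ \t]*=[ \t]*' '
        $1 ~ /^net\.bridge\.bridge-nf-call-(iptables|ip6tables|arptables)$/ && $2 == "1" { print $1 }'
}

# Print each appended rule whose target is REJECT (iptables-save text on stdin).
reject_rules() {
    awk '/^-A / {
        for (i = 2; i < NF; i++)
            if (($i == "-j" || $i == "--jump") && $(i + 1) == "REJECT") { print; next }
    }'
}

# Exit 0 when bridged traffic is handed to netfilter AND a REJECT rule exists,
# the combination the report associates with the panic.
# $1 = sysctl text, $2 = ruleset text.
matches_report() {
    nf=$(printf '%s\n' "$1" | bridge_nf_enabled)
    rj=$(printf '%s\n' "$2" | reject_rules)
    [ -n "$nf" ] && [ -n "$rj" ]
}

# Constructed sample input (not captured from a real host).
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1'
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

if matches_report "$SAMPLE_SYSCTL" "$SAMPLE_RULES"; then
    echo "bridge netfilter hooks enabled together with REJECT rules:"
    printf '%s\n' "$SAMPLE_SYSCTL" | bridge_nf_enabled
    printf '%s\n' "$SAMPLE_RULES" | reject_rules
fi
```

On a live host the same check can be fed real data with `matches_report "$(sysctl -a 2>/dev/null)" "$(iptables-save)"`, run as root.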

Comment 2 Jonathan Peatfield 2011-12-29 20:32:54 UTC
Might this be related to the similar effects seen in recent el5 kernels (as reported in #749813)?

Comment 4 Herbert Xu 2012-01-11 04:32:12 UTC
Please test the patch posted in 717407.  Thanks!

*** This bug has been marked as a duplicate of bug 717407 ***

Comment 5 Jonathan Peatfield 2012-01-11 06:27:39 UTC
Hmm, https://bugzilla.redhat.com/show_bug.cgi?id=717407 seems not to be public at the moment, so it's hard to test a patch mentioned there.

Comment 6 Herbert Xu 2012-01-11 06:39:08 UTC
Created attachment 552017 [details]
bridge: Reset IPCB when entering IP stack on NF_FORWARD

I have reattached the patch here.

Comment 7 Herbert Xu 2012-01-11 07:15:31 UTC
Created attachment 552024 [details]
bridge: Reset IPCB when entering IP stack

Updated patch to include local_out.