Bug 1411127 - Segfault /usr/sbin/tc
Summary: Segfault /usr/sbin/tc
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: iproute
Version: 25
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Phil Sutter
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-01-08 15:28 UTC by redhat
Modified: 2017-01-16 19:52 UTC (History)

Fixed In Version: iproute-4.6.0-6.fc25
Last Closed: 2017-01-16 19:52:16 UTC
Type: Bug



Description redhat 2017-01-08 15:28:29 UTC
Description of problem:
/usr/sbin/tc produces segfault

Version-Release number of selected component (if applicable):
iproute-tc-4.6.0-5.fc25.x86_64

How reproducible:
Use tc to configure traffic shaping on ppp0

tc qdisc add dev ppp0 handle ffff: ingress
tc filter add dev ppp0 parent ffff: protocol ip prio 110 u32 match ip src 0.0.0.0/0 flowid :1 police rate 16056kbit burst 6k linklay atm conform-exceed continue/ok
tc filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue
(Speicherabzug geschrieben) tc filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue


Steps to Reproduce:
1. run the four commands mentioned above

Actual results:
tc[7808]: segfault at 0 ip           (null) sp 00007ffde2adf898 error 14 in tc[400000+56000]


Expected results:
No segfault

Additional info:
I've set the core limit to unlimited (ulimit -c unlimited) but can't find a core file. Where is it?

Comment 1 redhat 2017-01-10 15:14:49 UTC
Reading symbols from /usr/sbin/tc...Reading symbols from /usr/lib/debug/usr/sbin/tc.debug...done.
done.
(gdb) run filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue
Starting program: /usr/sbin/tc filter add dev ppp0 parent ffff: protocol ip prio 111 u32 match u32 0 0 flowid :1 action xt -j MARK --set-mark 20 action continue

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6cc9174 in compatible_target_revision (revision=<optimized out>, name=<optimized out>) at xtables.c:833
#2  xtables_fully_register_pending_target (me=0x7ffff6a800c0 <mark_tg_reg+192>) at xtables.c:1068
#3  xtables_find_target (name=0x7ffff687f2bf "MARK", tryload=tryload@entry=XTF_DURING_LOAD) at xtables.c:732
#4  0x00007ffff6cc90ee in xtables_fully_register_pending_target (me=0x7ffff6a80000 <mark_tg_reg>) at xtables.c:1053
#5  xtables_find_target (name=name@entry=0x7fffffffe208 "MARK", tryload=tryload@entry=XTF_DONT_LOAD) at xtables.c:732
#6  0x00007ffff6cc9526 in load_extension (search_path=<optimized out>, af_prefix=0x7ffff6ccdcff "libipt_", name=name@entry=0x7fffffffe208 "MARK", is_target=is_target@entry=true) at xtables.c:588
#7  0x00007ffff6cc9097 in xtables_find_target (name=0x7fffffffe208 "MARK", tryload=tryload@entry=XTF_TRY_LOAD) at xtables.c:745
#8  0x00007ffff6ed34a4 in parse_ipt (a=<optimized out>, argc_p=0x7fffffff92f4, argv_p=0x7fffffff92f8, tca_id=2, n=0x7fffffff9cb0) at m_xt.c:161
#9  0x0000000000413aaf in parse_action (argc_p=argc_p@entry=0x7fffffff939c, argv_p=argv_p@entry=0x7fffffff9390, tca_id=tca_id@entry=7, n=n@entry=0x7fffffff9cb0) at m_action.c:219
#10 0x0000000000424555 in u32_parse_opt (qu=<optimized out>, handle=<optimized out>, argc=<optimized out>, argv=<optimized out>, n=0x7fffffff9cb0) at f_u32.c:1137
#11 0x000000000040b7e5 in tc_filter_modify (cmd=<optimized out>, flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at tc_filter.c:154
#12 0x0000000000407982 in main (argc=<optimized out>, argv=<optimized out>) at tc.c:346
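
Added example (not part of the original report or of iproute): a small Python decoder for the kernel "segfault at" line quoted under "Actual results". It reads the x86 page-fault error code, which the kernel prints in hex, and shows why "error 14" with a null ip indicates a call through a NULL pointer, matching frame #0 at 0x0 in the backtrace above. The function name and verdict strings are hypothetical.

```python
import re

# Constructed sample: the "Actual results" line from the report above.
SAMPLE = ("tc[7808]: segfault at 0 ip           (null) "
          "sp 00007ffde2adf898 error 14 in tc[400000+56000]")

PTR = r"(?:\(null\)|[0-9a-f]+)"  # older kernels print a NULL %p as "(null)"
LINE_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    rf"\s+ip\s+(?P<ip>{PTR})\s+sp\s+(?P<sp>{PTR})\s+error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# x86 page-fault error code bits; the kernel prints the code in hex.
PF_BITS = [(0x01, "protection violation", "page not present"),
           (0x02, "write", "read"),
           (0x04, "user mode", "kernel mode"),
           (0x08, "reserved bit set", None),
           (0x10, "instruction fetch", None)]

def _ptr(text):
    return 0 if text == "(null)" else int(text, 16)

def decode_segfault(line):
    """Return a dict describing one kernel segfault line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    addr, ip, err = int(m["addr"], 16), _ptr(m["ip"]), int(m["err"], 16)
    flags = [on if err & bit else off for bit, on, off in PF_BITS]
    fetch = bool(err & 0x10)
    if fetch and addr == ip and addr < 0x1000:
        verdict = "call or jump through a NULL pointer"
    elif fetch:
        verdict = "execution of an unmapped or non-executable address"
    elif addr < 0x1000:
        verdict = "NULL pointer data access"
    else:
        verdict = "invalid data access"
    ip_in_object = None
    if m["obj"]:
        # The mapping named after "in" need not contain ip; check the range.
        base, size = int(m["base"], 16), int(m["size"], 16)
        ip_in_object = base <= ip < base + size
    return {"comm": m["comm"], "pid": int(m["pid"]), "addr": addr, "ip": ip,
            "error": err, "flags": [f for f in flags if f],
            "verdict": verdict, "ip_in_object": ip_in_object}

if __name__ == "__main__":
    print(decode_segfault(SAMPLE))
```

For this line the faulting ip lies outside the tc[400000+56000] range, so the crash site has to come from the backtrace rather than from the mapping named in the log.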

Comment 2 Phil Sutter 2017-01-12 14:47:42 UTC
Hi,

Thanks for reporting the issue!

While reproducing, I found an even simpler reproducer:

# ip link add d0 type dummy
# ip link set d0 up
# tc qdisc add dev d0 ingress
# tc filter add dev d0 parent ffff: u32 match u32 0 0 action xt -j MARK --set-mark 20

Culprit found and patch sent upstream:
https://www.mail-archive.com/netdev@vger.kernel.org/msg147377.html

Thanks, Phil

Comment 3 Fedora Update System 2017-01-13 14:13:21 UTC
iproute-4.6.0-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8de07e8699

Comment 4 Fedora Update System 2017-01-14 06:21:48 UTC
iproute-4.6.0-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8de07e8699

Comment 5 redhat 2017-01-15 20:24:11 UTC
Looks good to me.

Comment 6 Fedora Update System 2017-01-16 19:52:16 UTC
iproute-4.6.0-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

