Red Hat Bugzilla – Bug 430663
kernel crash in nf_nat_move_storage
Last modified: 2008-02-11 17:39:30 EST
Description of problem:
Using port forwarding from 80 to 21 with nf_conntrack_ftp loaded results in a
kernel crash, when connecting to port 80.
Version-Release number of selected component (if applicable):
Affected are kernels > 2.6.18 in F-7, F-8 and rawhide including
kernel-2.6.24-2.fc9. The RHEL-5 kernel is not crashing.
Steps to Reproduce:
1. Set up port forwarding from port 80 to 21
2. Load nf_conntrack_ftp
3. Use telnet to connect to port 80 from remote.
Please have a look at the attachment, all necesssary files are included:
Created attachment 293255 [details]
All necessary files to reproduce the problem
The oops report is truncated at column 80 and is incomplete.
Please post the complete oops report from 220.127.116.11
This was supposedly fixed in 18.104.22.168 and 2.6.24.
It is not fixed in 2.6.24, please see comment #0
After several attempts to get a crash dump over serial console, which is longer
than 2 to 5 lines, I was able to get the one which is already attached. I tried
to get a more complete one, but failed. It seems that the kernel is dying too
fast to get the dump out.
Steps to reproduce:
host1> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to :21
host1> iptables -t filter -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp
--dport 21 -j ACCEPT
host1> modprobe ip_conntrack_ftp
host2> telnet host1 80
When you are opening the telnet connection to port 80 the kernel on host1 is
Created attachment 293422 [details]
x86_64 crash log for 22.214.171.124-107.fc8
Here is the crash log of kernel 126.96.36.199-107.fc8 on my x86_64 system. The i386
system seems to be ok, but on x86_64 there is still a problem after starting
the ftp server and using 'echo "quit" | telnet test-system 80' several times.
The 2.6.24-7.fc9 seems to be ok on i686, but not on x86_64. The first telnet to
port 80 is reulting in a crash. Should I open another bug for this one against
huh, #SS fault:
0: 48 f7 45 78 80 01 00 testq $0x180,0x78(%rbp)
8: 74 4c je 0x56
a: 48 c7 c7 e0 18 28 88 mov $0xffffffff882818e0,%rdi
%rbp has a bogus (non-canonical) address. On i386 there is no such test possible
so it will just dereference the address if it is mapped.
The register contains 8 valid ASCII chars: "salcf x\"
Fixed in 188.8.131.52-134
kernel-184.108.40.206-137.fc8 has been submitted as an update for Fedora 8
kernel-220.127.116.11-137.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.