Bug 430663 - kernel crash in nf_nat_move_storage
kernel crash in nf_nat_move_storage
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
8
All Linux
high Severity high
: ---
: ---
Assigned To: Kernel Maintainer List
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-29 06:37 EST by Thomas Woerner
Modified: 2008-02-11 17:39 EST (History)
0 users

See Also:
Fixed In Version: 2.6.23.15-137.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-11 17:39:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
All necessary files to reproduce the problem (20.00 KB, application/x-tar)
2008-01-29 06:37 EST, Thomas Woerner
no flags Details
x86_64 crash log for 2.6.23.14-107.fc8 (3.71 KB, text/plain)
2008-01-30 10:57 EST, Thomas Woerner
no flags Details

  None (edit)
Description Thomas Woerner 2008-01-29 06:37:59 EST
Description of problem:
Using port forwarding from 80 to 21 with nf_conntrack_ftp loaded results in a
kernel crash, when connecting to port 80.

Version-Release number of selected component (if applicable):
2.6.23.9-85.fc8PAE
Affected are kernels > 2.6.18 in F-7, F-8 and rawhide including
kernel-2.6.24-2.fc9. The RHEL-5 kernel is not crashing.

How reproducible:
Always

Steps to Reproduce:
1. Set up port forwarding from port 80 to 21
2. Load nf_conntrack_ftp
3. Use telnet to connect to port 80 from remote.
  
Actual results:
Kernel crash

Expected results:
No crash

Additional info:
Please have a look at the attachment, all necesssary files are included:

kernel-ftp-forward-oups/
kernel-ftp-forward-oups/etc/
kernel-ftp-forward-oups/etc/sysconfig/
kernel-ftp-forward-oups/etc/sysconfig/iptables-config
kernel-ftp-forward-oups/etc/sysconfig/iptables
kernel-ftp-forward-oups/tmp/
kernel-ftp-forward-oups/tmp/kernel-oups
kernel-ftp-forward-oups/tmp/uname-a.out
kernel-ftp-forward-oups/tmp/lsmod.out
Comment 1 Thomas Woerner 2008-01-29 06:37:59 EST
Created attachment 293255 [details]
All necessary files to reproduce the problem
Comment 2 Chuck Ebbert 2008-01-29 12:09:15 EST
The oops report is truncated at column 80 and is incomplete.
Comment 3 Chuck Ebbert 2008-01-29 12:31:41 EST
Please post the complete oops report from 2.6.24.2
Comment 4 Chuck Ebbert 2008-01-29 12:50:00 EST
This was supposedly fixed in 2.6.23.10 and 2.6.24.
Comment 5 Thomas Woerner 2008-01-30 06:42:14 EST
It is not fixed in 2.6.24, please see comment #0

After several attempts to get a crash dump over serial console, which is longer
than 2 to 5 lines, I was able to get the one which is already attached. I tried
to get a more complete one, but failed. It seems that the kernel is dying too
fast to get the dump out.

Steps to reproduce:
host1> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to :21
host1> iptables -t filter -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp
--dport 21 -j ACCEPT
host1> modprobe ip_conntrack_ftp
host2> telnet host1 80

When you are opening the telnet connection to port 80 the kernel on host1 is
crashing immediately.
Comment 6 Thomas Woerner 2008-01-30 10:57:13 EST
Created attachment 293422 [details]
x86_64 crash log for 2.6.23.14-107.fc8

Here is the crash log of kernel 2.6.23.14-107.fc8 on my x86_64 system. The i386
system seems to be ok, but on x86_64 there is still a problem after starting
the ftp server and using 'echo "quit" | telnet test-system 80' several times.
Comment 7 Thomas Woerner 2008-01-30 11:19:30 EST
The 2.6.24-7.fc9 seems to be ok on i686, but not on x86_64. The first telnet to
port 80 is reulting in a crash. Should I open another bug for this one against
rawhide?
Comment 8 Chuck Ebbert 2008-01-30 20:21:06 EST
huh, #SS fault:

   0:   48 f7 45 78 80 01 00    testq  $0x180,0x78(%rbp)
   7:   00
   8:   74 4c                   je     0x56
   a:   48 c7 c7 e0 18 28 88    mov    $0xffffffff882818e0,%rdi

%rbp has a bogus (non-canonical) address. On i386 there is no such test possible
so it will just dereference the address if it is mapped.

The register contains 8 valid ASCII chars: "salcf x\"


Comment 9 Chuck Ebbert 2008-02-06 13:20:18 EST
Fixed in 2.6.23.14-134
Comment 10 Fedora Update System 2008-02-10 22:34:19 EST
kernel-2.6.23.15-137.fc8 has been submitted as an update for Fedora 8
Comment 11 Fedora Update System 2008-02-11 17:39:05 EST
kernel-2.6.23.15-137.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.