Bug 430663 - kernel crash in nf_nat_move_storage
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 8
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-29 11:37 UTC by Thomas Woerner
Modified: 2008-02-11 22:39 UTC (History)

Fixed In Version: 2.6.23.15-137.fc8
Doc Type: Bug Fix
Last Closed: 2008-02-11 22:39:30 UTC


Attachments
All necessary files to reproduce the problem (20.00 KB, application/x-tar)
2008-01-29 11:37 UTC, Thomas Woerner
x86_64 crash log for 2.6.23.14-107.fc8 (3.71 KB, text/plain)
2008-01-30 15:57 UTC, Thomas Woerner

Description Thomas Woerner 2008-01-29 11:37:59 UTC
Description of problem:
Using port forwarding from 80 to 21 with nf_conntrack_ftp loaded results in a
kernel crash, when connecting to port 80.

Version-Release number of selected component (if applicable):
2.6.23.9-85.fc8PAE
Affected are kernels > 2.6.18 in F-7, F-8 and rawhide including
kernel-2.6.24-2.fc9. The RHEL-5 kernel is not crashing.

How reproducible:
Always

Steps to Reproduce:
1. Set up port forwarding from port 80 to 21
2. Load nf_conntrack_ftp
3. Use telnet to connect to port 80 from remote.
  
Actual results:
Kernel crash

Expected results:
No crash

Additional info:
Please have a look at the attachment, all necessary files are included:

kernel-ftp-forward-oups/
kernel-ftp-forward-oups/etc/
kernel-ftp-forward-oups/etc/sysconfig/
kernel-ftp-forward-oups/etc/sysconfig/iptables-config
kernel-ftp-forward-oups/etc/sysconfig/iptables
kernel-ftp-forward-oups/tmp/
kernel-ftp-forward-oups/tmp/kernel-oups
kernel-ftp-forward-oups/tmp/uname-a.out
kernel-ftp-forward-oups/tmp/lsmod.out

Comment 1 Thomas Woerner 2008-01-29 11:37:59 UTC
Created attachment 293255
All necessary files to reproduce the problem

Comment 2 Chuck Ebbert 2008-01-29 17:09:15 UTC
The oops report is truncated at column 80 and is incomplete.

Comment 3 Chuck Ebbert 2008-01-29 17:31:41 UTC
Please post the complete oops report from 2.6.24.2

Comment 4 Chuck Ebbert 2008-01-29 17:50:00 UTC
This was supposedly fixed in 2.6.23.10 and 2.6.24.

Comment 5 Thomas Woerner 2008-01-30 11:42:14 UTC
It is not fixed in 2.6.24, please see comment #0

After several attempts to get a crash dump over serial console, which is longer
than 2 to 5 lines, I was able to get the one which is already attached. I tried
to get a more complete one, but failed. It seems that the kernel is dying too
fast to get the dump out.

Steps to reproduce:
host1> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to :21
host1> iptables -t filter -A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
host1> modprobe ip_conntrack_ftp
host2> telnet host1 80

When you are opening the telnet connection to port 80 the kernel on host1 is
crashing immediately.

Comment 6 Thomas Woerner 2008-01-30 15:57:13 UTC
Created attachment 293422
x86_64 crash log for 2.6.23.14-107.fc8

Here is the crash log of kernel 2.6.23.14-107.fc8 on my x86_64 system. The i386
system seems to be ok, but on x86_64 there is still a problem after starting
the ftp server and using 'echo "quit" | telnet test-system 80' several times.

Comment 7 Thomas Woerner 2008-01-30 16:19:30 UTC
The 2.6.24-7.fc9 seems to be ok on i686, but not on x86_64. The first telnet to
port 80 is resulting in a crash. Should I open another bug for this one against
rawhide?

Comment 8 Chuck Ebbert 2008-01-31 01:21:06 UTC
huh, #SS fault:

   0:   48 f7 45 78 80 01 00    testq  $0x180,0x78(%rbp)
   7:   00
   8:   74 4c                   je     0x56
   a:   48 c7 c7 e0 18 28 88    mov    $0xffffffff882818e0,%rdi

%rbp has a bogus (non-canonical) address. On i386 there is no such test possible
so it will just dereference the address if it is mapped.

The register contains 8 valid ASCII chars: "salcf x\"
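
The check described in comment 8, as an added example that is not part of the original bug report or of the kernel: a small C triage helper that tests whether a 64-bit register value from an oops is a canonical x86_64 address (48-bit virtual addressing assumed) and whether all of its bytes are printable ASCII, which points at a pointer overwritten by string data. The sample value is constructed from the string quoted in the comment, assuming the characters are listed from the most significant byte; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 48-bit x86_64 addressing: bits 63..47 must all be copies of bit 47. */
static int is_canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;              /* the 17 bits 63..47 */
    return top == 0 || top == 0x1ffff;
}

/* Render the 8 bytes of v, most significant first, into out[9].
 * Non-printable bytes become '.'. Returns the count of printable bytes. */
static int reg_as_text(uint64_t v, char out[9])
{
    int printable = 0;
    for (int i = 0; i < 8; i++) {
        unsigned char c = (unsigned char)(v >> (56 - 8 * i));
        if (c >= 0x20 && c <= 0x7e) { out[i] = (char)c; printable++; }
        else out[i] = '.';
    }
    out[8] = '\0';
    return printable;
}

enum verdict { PTR_OK, PTR_NONCANONICAL, PTR_OVERWRITTEN_BY_TEXT };

/* A non-canonical value made up only of printable ASCII is almost
 * certainly string data that landed where a pointer was expected. */
static enum verdict classify_reg(uint64_t v, char text[9])
{
    int printable = reg_as_text(v, text);
    if (is_canonical48(v))
        return PTR_OK;
    return printable == 8 ? PTR_OVERWRITTEN_BY_TEXT : PTR_NONCANONICAL;
}

int main(void)
{
    /* Constructed sample values, not copied from the attached crash log. */
    const uint64_t samples[] = {
        0x73616c636620785cULL,  /* bytes of the string quoted in comment 8 */
        0xffff810012345678ULL,  /* upper-half canonical address */
        0x0000800000000000ULL,  /* lowest non-canonical address */
    };
    char text[9];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum verdict v = classify_reg(samples[i], text);
        printf("%016llx  \"%s\"  verdict=%d\n",
               (unsigned long long)samples[i], text, (int)v);
    }
    return 0;
}
```
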




Comment 9 Chuck Ebbert 2008-02-06 18:20:18 UTC
Fixed in 2.6.23.14-134

Comment 10 Fedora Update System 2008-02-11 03:34:19 UTC
kernel-2.6.23.15-137.fc8 has been submitted as an update for Fedora 8

Comment 11 Fedora Update System 2008-02-11 22:39:05 UTC
kernel-2.6.23.15-137.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

