Created attachment 549825 [details]
Kernel stack trace

Description of problem:

With the following sysctl options enabled:

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Bridged network traffic will be filtered by iptables. One of the iptables rules may be a REJECT rule, which causes an ICMP message to be produced (e.g. port unreachable). Triggering the REJECT rule will often cause the kernel to panic after stack corruption.

I am seeing this problem when running KVM virtual machines in bridged network mode with the host machine running iptables to filter traffic to the virtual machines.

Version-Release number of selected component (if applicable):

This is a Scientific Linux 6.1 machine, but as this issue will affect Red Hat machines equally I am filing it in this Bugzilla.

2.6.32-220.2.1.el6.x86_64
2.6.32-131.21.1.el6.x86_64
2.6.32-131.17.1.el6.x86_64
2.6.32-131.6.1.el6.x86_64

How reproducible:

Frequently breaks, but not always.

Steps to Reproduce:

1. Configure KVM with a virtual machine running on a bridged network.
2. Enable the following sysctl options:
   net.bridge.bridge-nf-call-ip6tables = 1
   net.bridge.bridge-nf-call-iptables = 1
   net.bridge.bridge-nf-call-arptables = 1
3. Configure an iptables rule with "-j REJECT --reject-with icmp-port-unreachable" on the host machine to filter some of the bridged traffic.
4. Send some traffic from a remote host to the virtual machine that will trigger the host's REJECT rule.

Actual results:

Kernel stack corruption and kernel panic.

Expected results:

ICMP port unreachable packet should be transmitted to the remote machine.

Additional info:

This appears to be a similar bug to: http://www.spinics.net/lists/netdev/msg139436.html

The stack trace I have attached to this report indicates that iptable_filter is calling icmp_send during the bridge processing and this is blowing up.

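A host-side check for the configuration this report describes, as an added example that is not part of the original report or of the attached patches: it reads text in `sysctl -a` and `iptables-save` format and reports whether bridged IPv4 traffic is handed to iptables while a REJECT rule is loaded. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Inputs are text in the formats
# printed by `sysctl -a` and `iptables-save`.

# Succeeds when net.bridge.bridge-nf-call-iptables is 1, i.e. bridged IPv4
# frames are passed through the iptables chains.
bridge_nf_iptables_on() {
    printf '%s\n' "$1" | awk -F'[ \t]*=[ \t]*' '
        $1 == "net.bridge.bridge-nf-call-iptables" && $2 == 1 { on = 1 }
        END { exit !on }'
}

# Prints every appended rule whose target is REJECT, prefixed by its table.
reject_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        /^-A / {
            for (i = 3; i < NF; i++) {
                if ($i == "-j" && $(i + 1) == "REJECT") { print table ": " $0; break }
            }
        }'
}

# Succeeds when both conditions from the report hold at once.
config_matches() {
    bridge_nf_iptables_on "$1" && [ -n "$(reject_rules "$2")" ]
}

# Constructed sample input (not captured from a real host).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1'
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'

if config_matches "$SAMPLE_SYSCTL" "$SAMPLE_RULES"; then
    echo "bridge netfilter is on and these rules can emit ICMP for bridged traffic:"
    reject_rules "$SAMPLE_RULES"
fi
# On a live host: config_matches "$(sysctl -a 2>/dev/null)" "$(iptables-save)"
```
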
Might this be related to the similar effects seen in recent el5 kernels (as reported in #749813)?
Please test the patch posted in 717407. Thanks!

*** This bug has been marked as a duplicate of bug 717407 ***
Hmm, https://bugzilla.redhat.com/show_bug.cgi?id=717407 seems not to be public at the moment, so it's hard to test a patch mentioned there.
Created attachment 552017 [details]
bridge: Reset IPCB when entering IP stack on NF_FORWARD

I have reattached the patch here.
Created attachment 552024 [details]
bridge: Reset IPCB when entering IP stack

Updated patch to include local_out.