lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <459D322F.5010707@birkenwald.de>
Date:	Thu, 04 Jan 2007 17:58:23 +0100
From:	Bernhard Schmidt <berni@...kenwald.de>
To:	netfilter-devel@...ts.netfilter.org
CC:	linux-kernel@...r.kernel.org
Subject: [Bug] OOPS with nf_conntrack_ipv6, probably fragmented UDPv6

Hi,

I've hit another kernel oops with 2.6.20-rc3 on i386 platform. It is 
reproducible, as soon as I load nf_conntrack_ipv6 and try to send 
something large (scp or so) inside an OpenVPN tunnel on my client 
(patched with UDPv6 transport) the router (another box) OOPSes.

tcpdump suggests the problem appears as soon as my client sends 
fragmented UDPv6 packets towards the destination. It does not happen 
when nf_conntrack_ipv6 is not loaded. This is the OOPS as dumped from 
the serial console:

heimdall login: Oops: 0000 [#1]
Modules linked in: sit sch_red sch_htb pppoe pppox ppp_generic slhc 
xt_CLASSIFY ipt_TOS xt_length ipt_tos ipt_TCPMSS xt_tcpudp 
ipt_MASQUERADE xt_state iptable_mangle iptable_filter
  iptable_nat nf_nat nf_conntrack_ipv4 ip_tables x_tables 
nf_conntrack_ipv6 nf_conntrack nfnetlink
CPU:    0
EIP:    0060:[<00000001>]    Not tainted VLI
EFLAGS: 00010246   (2.6.20-rc3 #2)
EIP is at 0x1
eax: cd215bc0   ebx: cd1f3160   ecx: cc59002a   edx: cd215bc0
esi: cd215bc0   edi: cd215bc0   ebp: 00000000   esp: c030bd3c
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, ti=c030a000 task=c02e93a0 task.ti=c030a000)
Stack: c0212cc4 00000004 cc83f160 cd2130c0 cd215bc0 cd2130c0 cd215bc0 
c021734b
        c030bdb4 c0307a60 0000000a cceee800 cceee800 cd215bc0 cd1f3160 
00000000
        c021896b c0307a60 cd215bc0 cd215bc0 cceee800 cd1f3160 c025f1c6 
00000000
Call Trace:
  [<c0212cc4>] __kfree_skb+0x84/0xe0
  [<c021734b>] dev_hard_start_xmit+0x1bb/0x1d0
  [<c021896b>] dev_queue_xmit+0x11b/0x1b0
  [<c025f1c6>] ip6_output2+0x276/0x2b0
  [<c025ed30>] ip6_output_finish+0x0/0xf0
  [<c025fc0a>] ip6_output+0x90a/0x940
  [<c013e9e5>] cache_alloc_refill+0x2c5/0x3f0
  [<c0212eed>] pskb_expand_head+0xdd/0x130
  [<c02608d5>] ip6_forward+0x465/0x4b0
  [<c02618c6>] ip6_rcv_finish+0x16/0x30
  [<ce81a056>] nf_ct_frag6_output+0x86/0xb0 [nf_conntrack_ipv6]
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<ce81911b>] ipv6_defrag+0x3b/0x50 [nf_conntrack_ipv6]
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c022c618>] nf_iterate+0x38/0x70
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c022c75d>] nf_hook_slow+0x4d/0xc0
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c0261ac0>] ipv6_rcv+0x1e0/0x250
  [<c02618b0>] ip6_rcv_finish+0x0/0x30
  [<c0217068>] netif_receive_skb+0x1a8/0x200
  [<c021868e>] process_backlog+0x6e/0xe0
  [<c0218752>] net_rx_action+0x52/0xd0
  [<c0113885>] __do_softirq+0x35/0x80
  [<c01138f2>] do_softirq+0x22/0x30
  [<c010453e>] do_IRQ+0x5e/0x70
  [<c0102b33>] common_interrupt+0x23/0x30
  [<c0101820>] default_idle+0x0/0x40
  [<c0101847>] default_idle+0x27/0x40
  [<c0101017>] cpu_idle+0x37/0x50
  [<c030c676>] start_kernel+0x266/0x270
  [<c030c200>] unknown_bootoption+0x0/0x210
  =======================
Code:  Bad EIP value.
EIP: [<00000001>] 0x1 SS:ESP 0068:c030bd3c
  <0>Kernel panic - not syncing: Fatal exception in interrupt
  <0>Rebooting in 20 seconds..<4>atkbd.c: Spurious ACK on 
isa0060/serio0. Some program might be trying access hardware directly.

Do you need more information?

Regards,
Bernhard
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ