lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5481B944.2000002@smart-weblications.de>
Date:	Fri, 05 Dec 2014 14:55:16 +0100
From:	Smart Weblications GmbH - Florian Wiessner 
	<f.wiessner@...rt-weblications.de>
To:	Julian Anastasov <ja@....bg>
CC:	Steffen Klassert <steffen.klassert@...unet.com>,
	netdev@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>,
	stable@...r.kernel.org, Simon Horman <horms@...ge.net.au>,
	lvs-devel@...r.kernel.org
Subject: Re: 3.12.33 - BUG xfrm_selector_match+0x25/0x2f6

Hi,

Am 05.12.2014 10:55, schrieb Julian Anastasov:

> 
> On Fri, 5 Dec 2014, Smart Weblications GmbH - Florian Wiessner wrote:
> 
>> i tried with 3.12.33 without any XFRM and now got this one (which is reproducable):
>>
>> [  233.956012] BUG: unable to handle kernel NULL pointer dereference at 00000000
>>                                    00000014
>> [  233.956218] IP: [<ffffffffa013a470>] nf_ct_seqadj_set+0x60/0x90 [nf_conntrack
> 
> 	It seems fix from 3.13 was not sent to 3.12 stable:
> 
> commit b25adce1606427fd8 ("ipvs: correct usage/allocation of seqadj ext in 
> ipvs")
> 
> 	There was related change but it is not needed
> for stable kernels:
> 
> commit db12cf27435356017e ("netfilter: WARN about wrong usage of sequence 
> number adjustments"
> 
> 	Simon, can we try commit b25adce1606427fd8 for 3.12?


>> setup is like this:
>>
>>
>> #virtual=<myVIP>:21
>> #       real=10.10.1.20:21 masq
[...]
>> #       service=ftp
>> #       scheduler=rr
>> #       protocol=tcp
>> #       checktype=connect
>>
>> ( i remarked it to prevent fruther crashes...)
>>
>> when ip_vs_ftp is loaded and someone trying to make a ftp connection, the system
>> panics instantly.
>>
>> 10.10.1.20 - 10.10.1.23 are lxc-containers using veth connected to the bridge
>> running on 4 different nodes. The node running ldirector/ipvsadm has also one of
>> those containers running (don't know if that matters)
> 
> 	It is always good to know the setup. Do you access VIP
> from local clients (from director)?
> 

Not for ftp, but we have mail as well in the same setup, and yes, there we do
access it from local client.

>> brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.00259052bbf4       no              bond0
>>                                                         vethMKELUc

[...]

> 	Before I create patch to avoid rerouting for
> LOCAL_IN you can try to set IPVS sysctl var "snat_reroute" to 0
> or even to change ip_vs_route_me_harder() function just to return 0.
> snat_reroute=1 (a default value) is needed if you have
> multiple links to clients and use ip rules to select
> correct route by src ip (after SNAT). If you have single
> uplink snat_reroute can be 0.
> 


ip rule show

0:      from all lookup local
32765:  from all to 10.10.0.0/16 lookup 200

I use ip rules, but this is not for source but destination. I need this to
enable clients from the local net to connect to some VIPs so they get there
correct route back.

I have also seen "b25adce1606427fd8 ipvs: correct usage/allocation of seqadj ext
in ipvs" in the net while googling, but i thought that it would be included in
3.12.33 as the patch is over a year old and since this is marked as stable i did
not expect any issues.

Maybe i would not have stubmled accross this if the ocfs2 devs were as fast as
the netdev-devs! But to my ocfs2 isseu/bug i still have no reply until today. So
thank you for the fast responses! I would like to test any patch for 3.12.

If i understand correctly, i set:

echo 0 > /proc/sys/net/ipv4/vs/snat_reroute
modprobe ip_vs_ftp

and reenable ftp ipvs?

It does not crash, but ftp is not working with neither PASV nor PORT:


[14:47:42] [R] Verbindung herstellen zu 192.168.10.62 -> IP=192.168.10.62 PORT=21
[14:47:42] [R] Verbunden mit 192.168.10.62
[14:47:43] [R] 220 (vsFTPd 3.0.2)
[14:47:43] [R] USER (hidden)
[14:47:43] [R] 331 Please specify the password.
[14:47:43] [R] PASS (hidden)
[14:47:43] [R] 230 Login successful.
[14:47:43] [R] SYST
[14:47:43] [R] 215 UNIX Type: L8
[14:47:43] [R] FEAT
[14:47:43] [R] 211-Features:
[14:47:43] [R]  EPRT
[14:47:43] [R]  EPSV
[14:47:43] [R]  MDTM
[14:47:43] [R]  PASV
[14:47:43] [R]  REST STREAM
[14:47:43] [R]  SIZE
[14:47:43] [R]  TVFS
[14:47:43] [R]  UTF8
[14:47:43] [R] 211 End
[14:47:43] [R] PWD
[14:47:43] [R] 257 "/"
[14:47:43] [R] CWD /
[14:47:43] [R] 250 Directory successfully changed.
[14:47:43] [R] PWD
[14:47:43] [R] 257 "/"
[14:47:43] [R] TYPE A
[14:47:43] [R] 200 Switching to ASCII mode.
[14:47:43] [R] PASV
[14:47:43] [R] 227 Entering Passive Mode (10,10,1,23,251,6).
[14:47:43] [R] Datenkanal-IP öffnen: 192.168.10.62 PORT: 64262
[14:47:44] [R] Datensocket-Fehler: Verbindung abgewiesen
[14:47:44] [R] List Fehler
[14:47:44] [R] PASV
[14:47:44] [R] 227 Entering Passive Mode (10,10,1,23,250,144).
[14:47:44] [R] Datenkanal-IP öffnen: 192.168.10.62 PORT: 64144
[14:47:45] [R] Datensocket-Fehler: Verbindung abgewiesen
[14:47:45] [R] List Fehler
[14:47:45] [R] PASV-Modus fehlgeschlagen, PORT -Modus versuchen...
[14:47:45] [R] Auf PORT: 62505 warten, Verbindung erwarten.
[14:47:45] [R] PORT 192,168,200,13,244,41
[14:47:45] [R] 500 Illegal PORT command.
[14:47:45] [R] List Fehler
[14:48:14] [R] QUIT
[14:48:14] [R] 221 Goodbye.
[14:48:14] [R] Ausgeloggt: 192.168.10.62


-- 

Mit freundlichen Grüßen,

Florian Wiessner

Smart Weblications GmbH
Martinsberger Str. 1
D-95119 Naila

fon.: +49 9282 9638 200
fax.: +49 9282 9638 205
24/7: +49 900 144 000 00 - 0,99 EUR/Min*
http://www.smart-weblications.de

--
Sitz der Gesellschaft: Naila
Geschäftsführer: Florian Wiessner
HRB-Nr.: HRB 3840 Amtsgericht Hof
*aus dem dt. Festnetz, ggf. abweichende Preise aus dem Mobilfunknetz
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ