Message-ID: <be744430-0fb4-5a08-b634-ad75533ef6dd@fkie.fraunhofer.de>
Date: Thu, 28 Mar 2019 11:55:51 +0100
From: Henning Rogge <henning.rogge@...e.fraunhofer.de>
To: <netdev@...r.kernel.org>
Subject: Kernel BUG in mm/slub.c:294 while forwarding fragmented IPv4 multicast traffic
Hi,

we encountered a reproducible kernel bug while forwarding small amounts
(<10 packets) of fragmented (2500 bytes original size) IPv4 UDP multicast.
Non-fragmented traffic does not trigger the behavior.

We are using Debian Buster on a virtual machine (VMware ESXi).
We are using smcroute to set up static kernel multicast forwarding routes.

While SLUB is creating the BUG event, it might easily also be a network
related bug, so feel free to point me at someone else.
[ 70.889167] ------------[ cut here ]------------
[ 70.889952] kernel BUG at mm/slub.c:294!
[ 70.890623] invalid opcode: 0000 [#1] SMP PTI
[ 70.891351] CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.19.0-2-amd64 #1 Debian 4.19.16-1
[ 70.892714] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/03/2018
[ 70.894452] RIP: 0010:__slab_free+0x18a/0x370
[ 70.895174] Code: fa 66 0f 1f 44 00 00 f0 49 0f ba 2c 24 00 0f 82 94 00 00 00 4d 3b 6c 24 20 74 11 49 0f ba 34 24 00 57 9d 0f 1f 44 00 00 eb 9c <0f> 0b 49 3b 54 24 28 75 e8 49 89 5c 24 20 49 89 4c 24 28 49 0f ba
[ 70.898225] RSP: 0018:ffffb9d2803b7b40 EFLAGS: 00010246
[ 70.899089] RAX: ffff9c0bfbdc5f00 RBX: ffff9c0bfbdc5f00 RCX: ffff9c0bfbdc5f00
[ 70.900259] RDX: 000000008010000f RSI: ffffe215c1ef7140 RDI: ffff9c0bfcd1f380
[ 70.901429] RBP: ffffb9d2803b7be0 R08: 0000000000000001 R09: ffffffffa32587cc
[ 70.902599] R10: ffff9c0bfbdc5f00 R11: 0000000000000001 R12: ffffe215c1ef7140
[ 70.903769] R13: ffff9c0bfbdc5f00 R14: ffff9c0bfcd1f380 R15: 00000000000009d8
[ 70.904939] FS: 0000000000000000(0000) GS:ffff9c0bfdb00000(0000) knlGS:0000000000000000
[ 70.906263] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 70.907209] CR2: 00005581a36ce4d8 CR3: 000000000880a004 CR4: 00000000007606e0
[ 70.908433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 70.909606] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 70.910777] PKRU: 55555554
[ 70.911235] Call Trace:
[ 70.911659] ? __kmalloc_node_track_caller+0x1d9/0x290
[ 70.912510] ? pskb_expand_head+0x71/0x2f0
[ 70.913193] ? lock_timer_base+0x67/0x80
[ 70.913848] kmem_cache_free+0x1a7/0x1d0
[ 70.914503] __udp4_lib_rcv+0x1dc/0xb90
[ 70.915151] ? nft_do_chain_ipv4+0x66/0x80 [nf_tables]
[ 70.916001] ip_local_deliver_finish+0x5f/0x1e0
[ 70.916754] ip_local_deliver+0x6b/0xe0
[ 70.917396] ? nf_hook.constprop.25+0xf0/0xf0
[ 70.918138] ip_mr_input+0x13c/0x370
[ 70.918738] ip_rcv+0x52/0xd0
[ 70.919239] ? ip_sublist_rcv+0x260/0x260
[ 70.919909] __netif_receive_skb_one_core+0x52/0x70
[ 70.920718] process_backlog+0xa6/0x160
[ 70.921358] net_rx_action+0x149/0x3a0
[ 70.921987] __do_softirq+0xde/0x2d8
[ 70.922588] ? sort_range+0x20/0x20
[ 70.923172] run_ksoftirqd+0x26/0x40
[ 70.923774] smpboot_thread_fn+0xc5/0x160
[ 70.924445] kthread+0x112/0x130
[ 70.924988] ? kthread_bind+0x30/0x30
[ 70.925601] ret_from_fork+0x35/0x40
[ 70.926199] Modules linked in: ipip tunnel4 ip_tunnel cls_u32 nft_counter sch_prio xt_comment xt_mark xt_dscp sch_htb nft_compat nft_chain_route_ipv6 nft_chain_route_ipv4 nf_tables nfnetlink vmw_vsock_vmci_transport vsock nfit libnvdimm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_rapl_perf vmw_balloon vmwgfx evdev joydev ttm serio_raw pcspkr drm_kms_helper sg drm vmw_vmci ac button ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb sr_mod cdrom ata_generic crc32c_intel sd_mod aesni_intel aes_x86_64 crypto_simd cryptd glue_helper psmouse ata_piix libata vmw_pvscsi vmxnet3 i2c_piix4 scsi_mod
[ 70.935206] ---[ end trace 5720c455c743e2d1 ]---
[ 70.935972] RIP: 0010:__slab_free+0x18a/0x370
[ 70.936697] Code: fa 66 0f 1f 44 00 00 f0 49 0f ba 2c 24 00 0f 82 94 00 00 00 4d 3b 6c 24 20 74 11 49 0f ba 34 24 00 57 9d 0f 1f 44 00 00 eb 9c <0f> 0b 49 3b 54 24 28 75 e8 49 89 5c 24 20 49 89 4c 24 28 49 0f ba
[ 70.939749] RSP: 0018:ffffb9d2803b7b40 EFLAGS: 00010246
[ 70.940613] RAX: ffff9c0bfbdc5f00 RBX: ffff9c0bfbdc5f00 RCX: ffff9c0bfbdc5f00
[ 70.941781] RDX: 000000008010000f RSI: ffffe215c1ef7140 RDI: ffff9c0bfcd1f380
[ 70.942956] RBP: ffffb9d2803b7be0 R08: 0000000000000001 R09: ffffffffa32587cc
[ 70.944125] R10: ffff9c0bfbdc5f00 R11: 0000000000000001 R12: ffffe215c1ef7140
[ 70.945292] R13: ffff9c0bfbdc5f00 R14: ffff9c0bfcd1f380 R15: 00000000000009d8
[ 70.946461] FS: 0000000000000000(0000) GS:ffff9c0bfdb00000(0000) knlGS:0000000000000000
[ 70.947798] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 70.948744] CR2: 00005581a36ce4d8 CR3: 000000000880a004 CR4: 00000000007606e0
[ 70.949932] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 70.951108] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 70.952280] PKRU: 55555554
[ 70.952740] Kernel panic - not syncing: Fatal exception in interrupt
[ 70.953807] Kernel Offset: 0x21c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 70.957199] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
Henning Rogge
--
Diplom-Informatiker Henning Rogge, Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Zanderstrasse 5, 53177 Bonn, Germany
Telefon +49 228 50212-469
mailto:henning.rogge@...e.fraunhofer.de http://www.fkie.fraunhofer.de