Bug 8715 (int-155584)

Summary: iphb module dereferences NULL pointer
Product: [Maemo Official Platform] Core    Reporter: Matan Ziv-Av <matan>
Component: Kernel    Assignee: unassigned <nobody>
Status: RESOLVED FIXED    QA Contact: linux-kernel-bugs
Severity: critical
Priority: Unspecified    CC: andre_klapper, jukey, maemo
Version: 5.0/(3.2010.02-8)    Keywords: crash, patch
Target Milestone: Harmattan
Hardware: All
OS: Maemo

Description Matan Ziv-Av (reporter) 2010-01-31 13:27:47 UTC
SOFTWARE VERSION:

EXACT STEPS LEADING TO PROBLEM: 

1. Setup N900 as a NAT router.
2. Generate a lot of traffic from a computer behind the router.

See t.m.o thread for exact details.

EXPECTED OUTCOME:

Everything works.

ACTUAL OUTCOME:

System reboots.

REPRODUCIBILITY:

always.

EXTRA SOFTWARE INSTALLED:

Kernel and modules compiled with different config.
iptables.

OTHER COMMENTS:

Killing iphbd before starting to route seems to make the problem disappear.

The reboot seems to be a result of an oops generated due to NULL dereference in
iphb.ko module.

This patch seems to solve the problem.

diff -ur kernel-2.6.28.orig/net/ipv4/netfilter/iphb.c
kernel-2.6.28/net/ipv4/netfilter/iphb.c
--- kernel-2.6.28.orig/net/ipv4/netfilter/iphb.c    2010-01-19
06:32:06.000000000 +0100
+++ kernel-2.6.28/net/ipv4/netfilter/iphb.c    2010-01-29 19:32:34.000000000
+0100
@@ -276,6 +276,11 @@
     tsk = tcp_sk(skb->sk);
     tcp = tcp_hdr(skb);

+    if (! tcp || ! tsk) {
+        flush_keepalives(1);
+        return NF_ACCEPT;    
+    }
+
     len -= hlen;           /* ip4/6 header len     */
     len -= tcp->doff << 2; /* tcp header + options */

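Review bot: the guard is placed after `tsk = tcp_sk(skb->sk)` and `tcp = tcp_hdr(skb)`; that still works because tcp_sk() is a cast and does not dereference skb->sk, but the hunk does not record why skb->sk can be NULL here. The oops backtrace in comment 1 shows net_out_hook reached from ip_output via ip_forward_finish/ip_forward, i.e. on a forwarded packet, which carries no local socket, so skb->sk is NULL for every routed packet, and the fault address 000002e4 is a field read at a small offset from that NULL base. Suggest testing skb->sk before calling tcp_sk() and stating the forwarded-packet case in a comment. Also, flush_keepalives(1) is now called once per forwarded packet, which neither the hunk nor the report motivates; if the hook only tracks local TCP sockets, a plain `return NF_ACCEPT;` would do. Style: kernel convention is `!tcp || !tsk` without the space after `!`, and the `return NF_ACCEPT;` line carries trailing whitespace.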



Comment 1 Matan Ziv-Av (reporter) 2010-01-31 14:24:28 UTC
Sorry, the thread is here: http://talk.maemo.org/showthread.php?t=30916

The OOPS from the thread:

Log Entry 9 (at position 8)
[90575.336761] Unable to handle kernel NULL pointer dereference at virtual address 000002e4
[90575.336791] pgd = c0004000
[90575.336822] [000002e4] *pgd=00000000
[90575.336822] Internal error: Oops: 17 [#1] PREEMPT
[90575.336853] Modules linked in: ipt_MASQUERADE iptable_nat nf_nat
nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 ip_tables x_tables vfat fat
sd_mod scsi_mod iphb rfcomm sco bridge stp llc bnep l2cap unionfs ext3 jbd
omaplfb pvrsrvkm bridgedriver g_file_storage uinput board_rx51_camera
omap_previewer_hack omap34xxcam_mod isp_mod iovmm videobuf_dma_sg videobuf_core
omap3_iommu iommu2 iommu dspbridge ssi_mcsaab_imp cmt_speech phonet smc91x mii
wl12xx mmc_block omap_wdt omap_ssi mac80211 crc7 tsc2005 omap_hsmmc nokia_av
hci_h4p mmc_core bluetooth fmtx_si4713 et8ek8 ad5820 lis302dl videodev
v4l1_compat compat_ioctl32 leds_lp5523 adp1653 tsl2563 smia_sensor smiaregs
v4l2_int_device rtc_twl4030 rtc_core twl4030_wdt leds_twl4030_vibra led_class
fuse
[90575.337188] CPU: 0    Not tainted  (2.6.28-omap1 #3)
[90575.337249] PC is at net_out_hook+0xdc/0x198 [iphb]
[90575.337280] LR is at 0x0
[90575.337280] pc : [<bf2d6404>]    lr : [<00000000>]    psr: 60000113
[90575.337310] sp : cf091b98  ip : 0000001b  fp : cf091bac
[90575.337310] r10: 80000000  r9 : c023ed5c  r8 : c03bd310
[90575.337341] r7 : cc93f300  r6 : 00000004  r5 : cc93f300  r4 : cf091bfc
[90575.337341] r3 : 00404c70  r2 : 4c004c30  r1 : 00000000  r0 : c3ced650
[90575.337371] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[90575.337402] Control: 10c5387d  Table: 835e8018  DAC: 00000017
[90575.337402] Process omap2_mcspi (pid: 10, stack limit = 0xcf0902e0)
[90575.337432] Stack: (0xcf091b98 to 0xcf092000)
[90575.339691] Backtrace:
[90575.339691] [<bf2d6328>] (net_out_hook+0x0/0x198 [iphb]) from [<c0233f94>] (nf_iterate+0x64/0xac)
[90575.339752]  r5:00000000 r4:cf091bfc
[90575.339782] [<c0233f30>] (nf_iterate+0x0/0xac) from [<c02342cc>] (nf_hook_slow+0x7c/0x12c)
[90575.339813] [<c0234250>] (nf_hook_slow+0x0/0x12c) from [<c023f3c4>] (ip_output+0xc4/0xe8)
[90575.339843] [<c023f300>] (ip_output+0x0/0xe8) from [<c023be1c>] (ip_forward_finish+0x44/0x4c)
[90575.339904]  r5:c3ced650 r4:cc93f300
[90575.339904] [<c023bdd8>] (ip_forward_finish+0x0/0x4c) from [<c023c148>] (ip_forward+0x324/0x3a0)
[90575.339935]  r5:c3ced650 r4:cc93f300
[90575.339965] [<c023be24>] (ip_forward+0x0/0x3a0) from [<c023a844>] (ip_rcv_finish+0x300/0x320)
[90575.339996]  r7:cf1bb000 r6:c03bcc3c r5:cc93f300 r4:c3cede30
[90575.340026] [<c023a544>] (ip_rcv_finish+0x0/0x320) from [<c023ae88>] (ip_rcv+0x258/0x290)
[90575.340057]  r8:c03bcf20 r7:cf1bb000 r6:c03bcc3c r5:cc93f300 r4:cc93f300
[90575.340087] [<c023ac30>] (ip_rcv+0x0/0x290) from [<c021ec20>] (netif_receive_skb+0x2f4/0x344)
[90575.340148]  r7:00000008 r6:cf1bb000 r5:c03bcf08 r4:cc93f300
[90575.340179] [<c021e92c>] (netif_receive_skb+0x0/0x344) from [<c0221560>] (process_backlog+0x7c/0x110)
[90575.340209] [<c02214e4>] (process_backlog+0x0/0x110) from [<c0220e8c>] (net_rx_action+0x50/0x19c)
[90575.340240]  r7:00000001 r6:c0392dc0 r5:00000040 r4:c03bce64
[90575.340270] [<c0220e3c>] (net_rx_action+0x0/0x19c) from [<c005c0dc>] (__do_softirq+0x64/0xf4)
[90575.340332] [<c005c078>] (__do_softirq+0x0/0xf4) from [<c005c4e4>] (irq_exit+0x4c/0xa8)
[90575.340362] [<c005c498>] (irq_exit+0x0/0xa8) from [<c002c088>] (__exception_text_start+0x88/0xa8)
[90575.340393]  r5:00000000 r4:0000000c
[90575.340423] [<c002c000>] (__exception_text_start+0x0/0xa8) from [<c028d204>] (__irq_svc+0x44/0xa4)
[90575.340454] Exception stack(0xcf091df0 to 0xcf091e38)
[90575.340484] 1de0:                                     00000001 00000000 0009dde9 00000002
[90575.340515] 1e00: c0292928 cf01dd40 cf090000 7fffffff c035d8c0 c028b5a4 cf01deb4 cf091e64
[90575.340545] 1e20: c038d880 cf091e38 c028ade4 c028ae2c 00000013 ffffffff
[90575.340606]  r5:d8200000 r4:ffffffff
[90575.340606] [<c028ac64>] (schedule+0x0/0x328) from [<c028b5a4>] (schedule_timeout+0x20/0xb8)
[90575.340667] [<c028b584>] (schedule_timeout+0x0/0xb8) from [<c028b374>] (wait_for_common+0xf4/0x1ac)
[90575.340698]  r7:7fffffff r6:cf090000 r5:cf01dd40 r4:cf091ec8
[90575.340728] [<c028b280>] (wait_for_common+0x0/0x1ac) from [<c028b4bc>] (wait_for_completion+0x18/0x1c)
[90575.340789] [<c028b4a4>] (wait_for_completion+0x0/0x1c) from [<c01c9978>] (omap2_mcspi_work+0x398/0x728)
[90575.340820] [<c01c95e0>] (omap2_mcspi_work+0x0/0x728) from [<c0068dfc>] (run_workqueue+0xd4/0x198)
[90575.340881] [<c0068d28>] (run_workqueue+0x0/0x198) from [<c0069b9c>] (worker_thread+0xf0/0x104)
[90575.340911]  r9:00000000 r8:00000000 r7:cf0876c0 r6:cf090000 r5:cf01dd40
[90575.340942] r4:cf091fb8
[90575.340972] [<c0069aac>] (worker_thread+0x0/0x1
Log Entry 11 (at position 10)
<7>mtdoops: Ready 10, 11 (no erase)
[90575.341644] from [<c006ce14>] (kthread+0x54/0x80)
[90575.341674]  r7:00000000 r6:00000000 r5:c0069aac r4:cf0876c0
[90575.341705] [<c006cdc0>] (kthread+0x0/0x80) from [<c0059d6c>] (do_exit+0x0/0x7b4)
[90575.341735]  r5:00000000 r4:00000000
[90575.341766] Code: 1a00000a e5903004 e0232863 e3c228ff (e59e12e4)
Comment 2 Lucas Maneos 2010-01-31 17:23:51 UTC
Thanks for the report and patch!

(In reply to comment #1)
> the thread is here: http://talk.maemo.org/showthread.php?t=30916

According to post #122 this does not seem to fully fix the issue yet.
Comment 3 Matan Ziv-Av (reporter) 2010-02-02 14:50:12 UTC
My interpretation of that post is that it is another problem that manifests
itself as "instability while using NAT".
Comment 4 Andre Klapper maemo.org 2010-02-03 19:01:27 UTC
Hi & thanks! Version of this report says "1.2009.42-11". If you are really
using that, does this still apply to current 2.2009.51-1?
Comment 5 Andre Klapper maemo.org 2010-03-29 13:21:38 UTC
According to Nokia this is not going to be fixed in Fremantle (Maemo5).
Maemo6/Harmattan will definitely include the fix for this.