Opened 22 months ago

#22283 new defect

Kernel Oops when delivering skb from IPv4 to transport layer

Reported by: anonymous
Owned by: developers
Priority: normal
Milestone:
Component: packages
Version: Chaos Calmer 15.05
Keywords:
Cc: nbd@…, fw@…


A similar setup to #22265 but with a second bridge br-lanbackup. The br-ssid1 ssid also contains an AP interface and a vlan over a bat0 device.

The eth1 interface is switching from eth1 to br-lanbackup when it goes down and to br-ssid1 when it goes up again (and a DHCP REQUEST is received - but just ignore that for now). The stacktrace created is:

CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 00000000, ra == 8018c50c
CPU: 0 PID: 1072 Comm: sysctl Tainted: P               3.18.8 #1
task: 879c3548 ti: 86bbc000 task.ti: 86bbc000
$ 0   : 00000000 00000001 00000000 fffffffe
$ 4   : 86a30480 86b3b831 00000001 00000000
$ 8   : c7eb9975 80064f28 86a30540 00000000
$12   : 00000000 00000000 00000000 00000000
$16   : 86a30480 867fc050 80359178 86b3b000
$20   : 00000000 00000800 8034d148 8034d140
$24   : 00000000 76eb7d20
$28   : 86bbc000 86bbdc10 00000000 8018c50c
Hi    : 0000040b
Lo    : a3656800
epc   : 00000000   (null)
    Tainted: P
ra    : 8018c50c ip_rcv_finish+0x348/0x3b8
Status: 1100fc03 KERNEL EXL IE
Cause : 00800008
BadVA : 00000000
PrId  : 00019750 (MIPS 74Kc)
Stack : 8034d864 80000000 86a30480 867fc050 80359178 86b3b000 86a30480 867fc050
        80359178 86b3b000 00000000 8018c118 8008896c 800e598c 86a30780 8008896c
        00000000 8018c1c4 80000000 86b3b000 00000000 8034e588 8034d134 86a30480
        86b3b000 800a26d0 86bbdce0 801e0b8c 87a5c000 800e595c 8034d148 86b3b000
        801dbb6c 80113038 86a30480 86a30480 86b3b420 867fc042 867e0200 80360bf0
Call Trace:
[<8018c118>] ip_rcv+0x3b4/0x460
[<8008896c>] __br_forward+0x0/0xdc
[<800e598c>] br_forward_finish+0x30/0x7c
[<8008896c>] __br_forward+0x0/0xdc
[<8018c1c4>] ip_rcv_finish+0x0/0x3b8
[<800a26d0>] __netif_receive_skb_core+0x630/0x6b0
[<801e0b8c>] nf_iterate+0x88/0xe0
[<800e595c>] br_forward_finish+0x0/0x7c
[<801dbb6c>] netif_receive_skb+0x0/0x1c
[<80113038>] deliver_clone+0x50/0x6c
[<800e5b90>] br_handle_frame+0x0/0x2e8
[<800a2048>] __netif_receive_skb+0x28/0x80
[<801247a4>] do_dentry_open.isra.15+0x54/0x334
[<801dbbe8>] netif_receive_skb_internal+0x60/0x70
[<801dbb6c>] netif_receive_skb+0x0/0x1c
[<801dbb7c>] netif_receive_skb+0x10/0x1c
[<800e5b90>] br_handle_frame+0x0/0x2e8
[<800e61c0>] br_handle_frame_finish+0x348/0x404
[<800e5e78>] br_handle_frame_finish+0x0/0x404
[<801dbb6c>] netif_receive_skb+0x0/0x1c
[<800e5dfc>] br_handle_frame+0x26c/0x2e8
[<8684d0e0>] 0x8684d0e0
[<800e5e78>] br_handle_frame_finish+0x0/0x404
[<800a255c>] __netif_receive_skb_core+0x4bc/0x6b0
[<801f0de0>] pagecache_get_page+0x5c/0x244
[<800a2048>] __netif_receive_skb+0x28/0x80
[<801adb28>] kmem_cache_alloc+0x3c/0xec
[<801f5428>] path_openat+0x218/0x57c
[<801dbbe8>] netif_receive_skb_internal+0x60/0x70
[<800f25dc>] build_skb+0x44/0xd4
[<801dbb7c>] netif_receive_skb+0x10/0x1c
[<879d0954>] 0x879d0954
[<801d9904>] net_rx_action+0x10c/0x1dc
[<80090460>] __do_softirq+0xf8/0x230
[<801939b8>] irq_exit+0x54/0x78
[<80122174>] do_IRQ+0x24/0x34
[<80074ad4>] SyS_ioctl+0x50/0x94
[<8020c148>] plat_irq_dispatch+0x4c/0x9c
[<80060830>] ret_from_irq+0x0/0x4

The stacktrace was generated with a kernel that was modified to be compiled with fewer optimizations to create a readable calltrace (otherwise most of it would be optimized out and not part of the stack):

KBUILD_CFLAGS	+= -fno-optimize-sibling-calls

The jump to NULL happens in ip_rcv_finish -> dst_input because input is NULL in

static inline int dst_input(struct sk_buff *skb)
{
	return skb_dst(skb)->input(skb);
}

This crash could not be reproduced again when the patch 050-backport_netfilter_rtcache.patch was removed.
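
Added example, not part of the original ticket: a small triage script that reads the register lines of the oops above and shows why it is a call through a NULL function pointer, with the caller taken from ra rather than epc. The function names `parse_oops` and `triage` and the `kind` labels are this example's own; the ExcCode values are the standard MIPS32 Cause register encoding.

```python
import re

# Register lines copied from the oops in the ticket above.
OOPS = """\
CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 00000000, ra == 8018c50c
epc   : 00000000   (null)
ra    : 8018c50c ip_rcv_finish+0x348/0x3b8
Status: 1100fc03 KERNEL EXL IE
Cause : 00800008
BadVA : 00000000
"""

# MIPS Cause.ExcCode (bits 6..2) values relevant to address faults.
EXC_CODES = {1: "Mod", 2: "TLBL", 3: "TLBS", 4: "AdEL", 5: "AdES"}
FIELD = re.compile(r"^(epc|ra|Cause|BadVA)\s*:\s*([0-9a-fA-F]{8})\s*(\S.*)?$")


def parse_oops(text):
    """Return {name: (value, trailing_text)} for the registers we need."""
    regs = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            regs[m.group(1)] = (int(m.group(2), 16), (m.group(3) or "").strip())
    return regs


def triage(text):
    """Classify the fault and name the calling function from ra."""
    regs = parse_oops(text)
    missing = {"epc", "ra", "Cause", "BadVA"} - regs.keys()
    if missing:
        raise ValueError(f"oops is missing fields: {sorted(missing)}")
    epc, badva = regs["epc"][0], regs["BadVA"][0]
    exc = EXC_CODES.get((regs["Cause"][0] >> 2) & 0x1F, "other")
    # A fetch fault has epc == BadVA: the CPU faulted fetching the instruction
    # at the address it jumped to, so ra (not epc) identifies the caller.
    if epc == badva and exc in ("TLBL", "AdEL"):
        kind = "null-call" if epc == 0 else "wild-call"
    else:
        kind = "data-access"
    sym = re.match(r"(\w[\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+", regs["ra"][1])
    return {"kind": kind, "exc": exc, "caller": sym.group(1) if sym else None}


if __name__ == "__main__":
    print(triage(OOPS))
```

For this oops the result is a `null-call` with ExcCode TLBL and caller `ip_rcv_finish`, which matches the `skb_dst(skb)->input(skb)` call site named in the report.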
