View Issue Details

ID: 0014879
Project: CentOS-7
Category: kernel
View Status: public
Last Update: 2018-07-18 12:26
Reporter: horihel
Priority: normal
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.5.1804
Target Version:
Fixed in Version:
Summary: 0014879: Kernel BUG while trying to activate firewall script with 3.10.0-862.3.2.el7.x86_64

Description:
I downgraded to 3.10.0-693.21.1.el7.x86_64, which is working fine.

The 7.5 kernel crashes with this:
[ 37.121312] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 37.121401] IP: [<ffffffffc090d46f>] tcindex_delete+0xcf/0x240 [cls_tcindex]
[ 37.121473] PGD 8000000223eb5067 PUD 22520d067 PMD 0
[ 37.121530] Oops: 0000 [#1] SMP
[ 37.121567] Modules linked in: cls_u32 cls_fw cls_tcindex sch_sfq sch_htb sch_dsmark xt_TCPMSS xt_mark xt_connmark iptable_mangle ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_pkttype xt_iprange xt_multiport iptable_filter binfmt_misc act_nat xt_nat nft_nat nf_nat_tftp nf_nat_sip nf_nat_redirect nf_nat_irc nf_nat_ftp nf_nat_amanda nft_chain_nat_ipv6 nf_nat_masquerade_ipv6 ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6_tables nft_chain_nat_ipv4 nf_tables(T) nf_nat_snmp_basic nf_nat_pptp nf_nat_proto_gre nf_nat_masquerade_ipv4 nf_nat_h323 iptable_nat nf_nat_ipv4 nf_nat ebtable_nat ebtables ebt_snat ebt_dnat xt_conntrack nf_conntrack_tftp nf_conntrack_snmp nf_conntrack_sip nf_conntrack_sane nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_netlink nf_conntrack_netbios_ns
[ 37.122380] nf_conntrack_irc nf_conntrack_h323 nf_conntrack_ftp nf_conntrack_broadcast ts_kmp nf_conntrack_amanda nf_conntrack_ipv4 nf_defrag_ipv4 ip_set nfnetlink ip_vs nf_conntrack mptctl mptbase 8021q garp mrp stp llc macvlan sunrpc sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd iTCO_wdt iTCO_vendor_support pcspkr joydev lpc_ich ipmi_si ipmi_devintf hpwdt ipmi_msghandler hpilo sg acpi_power_meter wmi shpchp ioatdma pcc_cpufreq ip_tables xfs libcrc32c raid1 sd_mod sr_mod cdrom crc_t10dif crct10dif_generic mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ahci drm libahci mpt2sas libata igb crct10dif_pclmul crct10dif_common crc32c_intel ptp serio_raw pps_core
[ 37.123271] dca i2c_algo_bit raid_class i2c_core scsi_transport_sas dm_mirror dm_region_hash dm_log dm_mod
[ 37.123382] CPU: 2 PID: 5809 Comm: tc Kdump: loaded Tainted: G ------------ T 3.10.0-862.3.2.el7.x86_64 #1
[ 37.123473] Hardware name: HP ProLiant DL360e Gen8, BIOS P73 01/22/2018
[ 37.123530] task: ffff952d338c0000 ti: ffff952d1cb6c000 task.ti: ffff952d1cb6c000
[ 37.123592] RIP: 0010:[<ffffffffc090d46f>] [<ffffffffc090d46f>] tcindex_delete+0xcf/0x240 [cls_tcindex]
[ 37.123679] RSP: 0018:ffff952d1cb6f790 EFLAGS: 00010246
[ 37.123725] RAX: ffffffffc08f90b0 RBX: 0000000000000000 RCX: 0000000000000040
[ 37.123786] RDX: 0000000000000000 RSI: ffff952d1fb6f400 RDI: ffff952d23e58000
[ 37.123846] RBP: ffff952d1cb6f7b0 R08: 000000000001ba00 R09: ffffffffb941c858
[ 37.123906] R10: 0000000000000000 R11: 0000000000000004 R12: ffff952c7c716050
[ 37.123966] R13: ffff952d1cb6f7c7 R14: ffff952d35019a20 R15: ffff952d23bacf40
[ 37.124028] FS: 00007f048bfda740(0000) GS:ffff952d36480000(0000) knlGS:0000000000000000
[ 37.124095] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 37.124145] CR2: 0000000000000004 CR3: 00000002203c0000 CR4: 00000000000607e0
[ 37.124205] Call Trace:
[ 37.124235] [<ffffffffc090d605>] tcindex_destroy_element+0x25/0x3b [cls_tcindex]
[ 37.124302] [<ffffffffc090c09f>] tcindex_walk+0x7f/0x140 [cls_tcindex]
[ 37.124360] [<ffffffffc090c1b1>] tcindex_destroy+0x51/0xa0 [cls_tcindex]
[ 37.124420] [<ffffffffc090d5e0>] ? tcindex_delete+0x240/0x240 [cls_tcindex]
[ 37.124484] [<ffffffffb941c89a>] tcf_proto_destroy+0x1a/0x40
[ 37.124535] [<ffffffffb941c8fc>] tcf_chain_flush+0x3c/0x60
[ 37.124585] [<ffffffffb941c980>] tcf_block_put+0x60/0xe0
[ 37.124634] [<ffffffffc08f96ba>] htb_destroy+0x3a/0x180 [sch_htb]
[ 37.124690] [<ffffffffb941739b>] qdisc_destroy+0x6b/0xc0
[ 37.124740] [<ffffffffc08f3192>] dsmark_destroy+0x32/0x70 [sch_dsmark]
[ 37.124799] [<ffffffffb941739b>] qdisc_destroy+0x6b/0xc0
[ 37.124847] [<ffffffffb941ad8d>] notify_and_destroy+0x3d/0x50
[ 37.124899] [<ffffffffb941b0a5>] qdisc_graft+0x165/0x2d0
[ 37.124947] [<ffffffffb941bb78>] tc_get_qdisc+0x1b8/0x250
[ 37.124997] [<ffffffffb9404ff7>] rtnetlink_rcv_msg+0xa7/0x260
[ 37.125051] [<ffffffffb90d39c5>] ? sock_has_perm+0x75/0x90
[ 37.125100] [<ffffffffb9404f50>] ? rtnl_newlink+0x880/0x880
[ 37.125152] [<ffffffffb9425ecb>] netlink_rcv_skb+0xab/0xc0
[ 37.125204] [<ffffffffb93ff498>] rtnetlink_rcv+0x28/0x30
[ 37.125253] [<ffffffffb9425850>] netlink_unicast+0x170/0x210
[ 37.125305] [<ffffffffb9425bf8>] netlink_sendmsg+0x308/0x420
[ 37.125358] [<ffffffffb93cd396>] sock_sendmsg+0xb6/0xf0
[ 37.125460] [<ffffffffc049dc1c>] ? xfs_iunlock+0x11c/0x130 [xfs]
[ 37.125517] [<ffffffffb93ce199>] ___sys_sendmsg+0x3a9/0x3c0
[ 37.125570] [<ffffffffb8fc77bd>] ? handle_mm_fault+0x39d/0x9b0
[ 37.125624] [<ffffffffb93cf761>] __sys_sendmsg+0x51/0x90
[ 37.125674] [<ffffffffb93cf7b2>] SyS_sendmsg+0x12/0x20
[ 37.125723] [<ffffffffb952082f>] system_call_fastpath+0x1c/0x21
[ 37.125778] [<ffffffffb952077b>] ? system_call_after_swapgs+0xc8/0x160
[ 37.125833] Code: 5e 5d c3 66 0f 1f 84 00 00 00 00 00 49 8b 7e 28 48 8b 47 18 48 8b 40 08 48 8b 40 50 e8 2b d5 84 f8 48 85 db 75 89 49 8b 54 24 10 <8b> 4a 04 85 c9 0f 84 c3 00 00 00 8d 71 01 48 8d 7a 04 89 c8 f0
[ 37.129385] RIP [<ffffffffc090d46f>] tcindex_delete+0xcf/0x240 [cls_tcindex]
[ 37.132633] RSP <ffff952d1cb6f790>
[ 37.135861] CR2: 0000000000000004

It seems the reason is the firewall script (created by fwbuilder).

Steps To Reproduce:
* Boot 3.10.0-862.3.2
* sorry, can't disclose the full script

Additional Information:
Looking at the stack trace, the culprit might be this part:

tc qdisc del dev vmacdmz root
tc qdisc add dev vmacdmz handle 1:0 root dsmark indices 4 default_index 0
tc qdisc add dev vmacdmz handle 2:0 parent 1:0 htb
tc class add dev vmacdmz parent 2:0 classid 2:1 htb rate 125000000bps ceil 125000000bps
tc class add dev vmacdmz parent 2:1 classid 2:2 htb rate 875000bps ceil 937500bps quantum 875000
tc qdisc add dev vmacdmz handle 3:0 parent 2:2 sfq
tc class add dev vmacdmz parent 2:1 classid 2:3 htb rate 875000bps ceil 125000000bps
tc qdisc add dev vmacdmz handle 4:0 parent 2:3 sfq
tc filter add dev vmacdmz parent 2:0 protocol all prio 1 tcindex mask 0x3 shift 0
tc filter add dev vmacdmz parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:3
tc filter add dev vmacdmz parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:2
tc filter add dev vmacdmz parent 1:0 protocol all prio 1 handle 1 fw classid 1:1
tc filter add dev vmacdmz parent 1:0 protocol all prio 2 u32 match u32 0x0 0x0 at 0 classid 1:2

I'm trying to find time to spin up a test machine to check if this is actually the case.

Tags: kernel panic
abrt_hash:
URL:
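
The stack-trace reading described in the report can be done mechanically. The following Python triage is an added example, not part of the original report; the function name `triage` and the 4 KiB page-size assumption are introduced here, and the input is an excerpt of the oops above.

```python
import re

# Input: lines excerpted from the oops in this report (shortened, not the full log).
SAMPLE_OOPS = """\
[ 37.121312] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 37.121401] IP: [<ffffffffc090d46f>] tcindex_delete+0xcf/0x240 [cls_tcindex]
[ 37.124235] [<ffffffffc090d605>] tcindex_destroy_element+0x25/0x3b [cls_tcindex]
[ 37.124360] [<ffffffffc090c1b1>] tcindex_destroy+0x51/0xa0 [cls_tcindex]
[ 37.124420] [<ffffffffc090d5e0>] ? tcindex_delete+0x240/0x240 [cls_tcindex]
[ 37.124484] [<ffffffffb941c89a>] tcf_proto_destroy+0x1a/0x40
[ 37.124634] [<ffffffffc08f96ba>] htb_destroy+0x3a/0x180 [sch_htb]
[ 37.124690] [<ffffffffb941739b>] qdisc_destroy+0x6b/0xc0
[ 37.124740] [<ffffffffc08f3192>] dsmark_destroy+0x32/0x70 [sch_dsmark]
[ 37.124947] [<ffffffffb941bb78>] tc_get_qdisc+0x1b8/0x250
[ 37.129385] RIP [<ffffffffc090d46f>] tcindex_delete+0xcf/0x240 [cls_tcindex]
[ 37.135861] CR2: 0000000000000004
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")          # dmesg timestamp prefix
FRAME = re.compile(
    r"\[<([0-9a-f]+)>\]\s+(\?\s+)?([\w.]+)"      # address, optional '?', symbol
    r"\+0x([0-9a-f]+)/0x([0-9a-f]+)(?:\s+\[(\w+)\])?")  # offset/size, [module]
PAGE_SIZE = 4096  # assumption: x86_64 with 4 KiB pages

def triage(oops_text):
    """Summarise an x86_64 oops: fault site, faulting address, call trace."""
    out = {"fault": None, "cr2": None, "trace": []}
    for raw in oops_text.splitlines():
        line = TS.sub("", raw)
        m = FRAME.search(line)
        if line.startswith("CR2:"):
            out["cr2"] = int(line.split()[1], 16)
        elif m and line.startswith(("IP:", "RIP")):
            out["fault"] = {"symbol": m.group(3), "offset": int(m.group(4), 16),
                            "module": m.group(6)}
        elif m and line.startswith("[<"):
            # '?' marks an address found on the stack that the unwinder
            # could not confirm as a real caller, so it is flagged unreliable.
            out["trace"].append((m.group(3), m.group(6), m.group(2) is None))
    cr2 = out["cr2"]
    # A fault address inside the first page is a small field offset applied
    # to a NULL base pointer, not a wild pointer.
    out["null_base_offset"] = cr2 if cr2 is not None and cr2 < PAGE_SIZE else None
    out["modules"] = []
    for _, mod, reliable in out["trace"]:
        if reliable and mod and mod not in out["modules"]:
            out["modules"].append(mod)
    return out
```

On this excerpt it reports a read at offset 4 from a NULL base in `tcindex_delete` and the module order cls_tcindex, sch_htb, sch_dsmark, which is the qdisc teardown path.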

Activities

horihel
2018-05-29 08:53
reporter ~0031937

The crash seems to happen only if the snippet is running for the second time.

horihel
2018-06-29 12:04
reporter ~0032155

Problem persists with 3.10.0-862.3.3.el7.x86_64

horihel
2018-07-04 08:05
reporter ~0032173

Same crash bug on 3.10.0-862.6.3.el7.x86_64

horihel
2018-07-18 12:26
reporter ~0032301

Still crashing on 3.10.0-862.9.1.el7.x86_64

Issue History

Date Modified    | Username | Field                      | Change
2018-05-29 08:35 | horihel  | New Issue                  |
2018-05-29 08:35 | horihel  | Tag Attached: kernel panic |
2018-05-29 08:53 | horihel  | Note Added: 0031937        |
2018-06-29 12:04 | horihel  | Note Added: 0032155        |
2018-07-04 08:05 | horihel  | Note Added: 0032173        |
2018-07-18 12:26 | horihel  | Note Added: 0032301        |