#22283: Kernel Oops when delivering skb from IPv4 to transport layer
-----------------------+--------------------------------
 Reporter:  anonymous  |      Owner:  developers
     Type:  defect     |     Status:  new
 Priority:  normal     |  Milestone:
Component:  packages   |    Version:  Chaos Calmer 15.05
 Keywords:             |
-----------------------+--------------------------------
 A similar setup to #22265 but with a second bridge br-lanbackup. The
 br-ssid1 ssid also contains an AP interface and a VLAN over a bat0 device.

 The eth1 interface is switching from eth1 to br-lanbackup when it goes
 down and to br-ssid1 when it goes up again (and a DHCP REQUEST is received
 - but just ignore that for now). The stacktrace created is:

 {{{
 CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 00000000, ra == 8018c50c
 Oops[#1]:
 CPU: 0 PID: 1072 Comm: sysctl Tainted: P               3.18.8 #1
 task: 879c3548 ti: 86bbc000 task.ti: 86bbc000
 $ 0   : 00000000 00000001 00000000 fffffffe
 $ 4   : 86a30480 86b3b831 00000001 00000000
 $ 8   : c7eb9975 80064f28 86a30540 00000000
 $12   : 00000000 00000000 00000000 00000000
 $16   : 86a30480 867fc050 80359178 86b3b000
 $20   : 00000000 00000800 8034d148 8034d140
 $24   : 00000000 76eb7d20
 $28   : 86bbc000 86bbdc10 00000000 8018c50c
 Hi    : 0000040b
 Lo    : a3656800
 epc   : 00000000   (null)
     Tainted: P
 ra    : 8018c50c ip_rcv_finish+0x348/0x3b8
 Status: 1100fc03 KERNEL EXL IE
 Cause : 00800008
 BadVA : 00000000
 PrId  : 00019750 (MIPS 74Kc)
 [...]
 Stack : 8034d864 80000000 86a30480 867fc050 80359178 86b3b000 86a30480 867fc050
         80359178 86b3b000 00000000 8018c118 8008896c 800e598c 86a30780 8008896c
         00000000 8018c1c4 80000000 86b3b000 00000000 8034e588 8034d134 86a30480
         86b3b000 800a26d0 86bbdce0 801e0b8c 87a5c000 800e595c 8034d148 86b3b000
         801dbb6c 80113038 86a30480 86a30480 86b3b420 867fc042 867e0200 80360bf0
         ...
 Call Trace:
 [<8018c118>] ip_rcv+0x3b4/0x460
 [<8008896c>] __br_forward+0x0/0xdc
 [<800e598c>] br_forward_finish+0x30/0x7c
 [<8008896c>] __br_forward+0x0/0xdc
 [<8018c1c4>] ip_rcv_finish+0x0/0x3b8
 [<800a26d0>] __netif_receive_skb_core+0x630/0x6b0
 [<801e0b8c>] nf_iterate+0x88/0xe0
 [<800e595c>] br_forward_finish+0x0/0x7c
 [<801dbb6c>] netif_receive_skb+0x0/0x1c
 [<80113038>] deliver_clone+0x50/0x6c
 [<800e5b90>] br_handle_frame+0x0/0x2e8
 [<800a2048>] __netif_receive_skb+0x28/0x80
 [<801247a4>] do_dentry_open.isra.15+0x54/0x334
 [<801dbbe8>] netif_receive_skb_internal+0x60/0x70
 [<801dbb6c>] netif_receive_skb+0x0/0x1c
 [<801dbb7c>] netif_receive_skb+0x10/0x1c
 [<800e5b90>] br_handle_frame+0x0/0x2e8
 [<800e61c0>] br_handle_frame_finish+0x348/0x404
 [<800e5e78>] br_handle_frame_finish+0x0/0x404
 [<801dbb6c>] netif_receive_skb+0x0/0x1c
 [<800e5dfc>] br_handle_frame+0x26c/0x2e8
 [<8684d0e0>] 0x8684d0e0
 [<800e5e78>] br_handle_frame_finish+0x0/0x404
 [<800a255c>] __netif_receive_skb_core+0x4bc/0x6b0
 [<801f0de0>] pagecache_get_page+0x5c/0x244
 [<800a2048>] __netif_receive_skb+0x28/0x80
 [<801adb28>] kmem_cache_alloc+0x3c/0xec
 [<801f5428>] path_openat+0x218/0x57c
 [<801dbbe8>] netif_receive_skb_internal+0x60/0x70
 [<800f25dc>] build_skb+0x44/0xd4
 [<801dbb7c>] netif_receive_skb+0x10/0x1c
 [<879d0954>] 0x879d0954
 [<801d9904>] net_rx_action+0x10c/0x1dc
 [<80090460>] __do_softirq+0xf8/0x230
 [<801939b8>] irq_exit+0x54/0x78
 [<80122174>] do_IRQ+0x24/0x34
 [<80074ad4>] SyS_ioctl+0x50/0x94
 [<8020c148>] plat_irq_dispatch+0x4c/0x9c
 [<80060830>] ret_from_irq+0x0/0x4
 }}}

 The stacktrace was generated with a kernel that was modified to be
 compiled with fewer optimizations to create a readable call trace (otherwise
 most of it would be optimized out and not part of the stack).

 {{{
 KBUILD_CFLAGS   += -fno-optimize-sibling-calls
 }}}

 The jump to NULL happens in ip_rcv_finish -> dst_input because input is
 NULL in

 {{{
 static inline int dst_input(struct sk_buff *skb)
 {
         return skb_dst(skb)->input(skb);
 }
 }}}

 This crash could not be reproduced again when the patch
 050-backport_netfilter_rtcache.patch was removed.

--
Ticket URL: <https://dev.openwrt.org/ticket/22283>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
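
A triage helper for Oops text of this shape, added here as an example (it is not part of the ticket, OpenWrt, or the kernel). It distinguishes a call through a NULL function pointer (epc and BadVA both near zero, as in this report) from a NULL data dereference and pulls the caller from `ra`. The function name `triage`, the one-page NULL threshold, and the "+0x0 entries are stale function pointers" heuristic are assumptions of the example.

```python
import re

# Constructed sample: key lines copied from the Oops quoted in this ticket.
SAMPLE_OOPS = """\
CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 00000000, ra == 8018c50c
epc   : 00000000   (null)
ra    : 8018c50c ip_rcv_finish+0x348/0x3b8
BadVA : 00000000
Call Trace:
[<8018c118>] ip_rcv+0x3b4/0x460
[<8008896c>] __br_forward+0x0/0xdc
[<8018c1c4>] ip_rcv_finish+0x0/0x3b8
[<800a26d0>] __netif_receive_skb_core+0x630/0x6b0
"""

REG = re.compile(r"^[ \t]*(epc|ra|BadVA)[ \t]*:[ \t]*([0-9a-f]{8})(?:[ \t]+(\S+))?", re.M | re.I)
FRAME = re.compile(r"\[<([0-9a-f]{8})>\]\s+(\w[\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
NULL_PAGE = 0x1000  # assumption: faults below one page are treated as NULL-based

def triage(oops: str) -> dict:
    """Classify a MIPS-style Oops and extract the caller from the ra register."""
    regs = {m.group(1).lower(): (int(m.group(2), 16), m.group(3))
            for m in REG.finditer(oops)}
    epc = regs.get("epc", (None, None))[0]
    badva = regs.get("badva", (None, None))[0]
    ra_addr, ra_sym = regs.get("ra", (None, None))
    # Heuristic: a "+0x0" entry is a function address that was lying on the
    # stack (e.g. a callback argument), not a return address, so drop it.
    frames = [(name, int(off, 16))
              for _, name, off, _ in FRAME.findall(oops) if int(off, 16) != 0]
    if epc is not None and epc < NULL_PAGE and epc == badva:
        # The CPU faulted while fetching an instruction at ~0: an indirect
        # call jumped to NULL, and ra holds the return address in the caller.
        kind = "call through NULL function pointer"
    elif badva is not None and badva < NULL_PAGE:
        kind = "NULL data dereference"
    else:
        kind = "other"
    caller = ra_sym.split("/")[0] if ra_sym else None
    return {"kind": kind, "caller": caller, "ra": ra_addr, "likely_frames": frames}

if __name__ == "__main__":
    print(triage(SAMPLE_OOPS))
```

For the sample above, the result names `ip_rcv_finish+0x348` as the caller, which matches the reporter's reading that the indirect call in `dst_input` went through a NULL `input` pointer.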