Bug 24532

Summary: ebtables OUTPUT table rule using interface in bridge with STP causes kernel oops and panic
Product: Networking Reporter: Sebastian J. Bronner (waschtl)
Component: OtherAssignee: Arnaldo Carvalho de Melo (acme)
Status: CLOSED CODE_FIX    
Severity: normal CC: florian
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.34 and up Subsystem:
Regression: No Bisected commit-id:
Attachments: Log of kernel Oops and panic with stp-enabled-bridge and ebtables

Description Sebastian J. Bronner 2010-12-09 13:08:26 UTC 
Created attachment 39602 [details]
Log of kernel Oops and panic with stp-enabled-bridge and ebtables

commands to reproduce (as root):

NIF=eth0   # any interface will do
PROT=arp   # tested with arp and ipv4
TARG=DROP  # tested with DROP and ACCEPT
brctl addbr testbr
brctl addif testbr $NIF
brctl stp testbr on
ip link set up dev testbr
ip link set up dev $NIF
ebtables -A OUTPUT -p $PROT -o $NIF -j $TARG

The gist of it:

Given a bridge and physical interface with link state up, the interface is assigned to the bridge, and the bridge has STP turned on. If, under this combination of circumstances, an ebtables rule is created in the OUTPUT table that specifies the physical interface, a kernel Oops is triggered (the kernel output is attached):

""" (short excerpt)
[ 1105.953771] BUG: unable to handle kernel paging request at ffff8801379bda0b
[ 1105.963752] IP: [<ffffffffa0225aa6>] ebt_do_table+0x5d6/0x6d0 [ebtables]
[ 1105.963752] PGD 1a2b063 PUD 1a067 PMD 0 
[ 1105.963752] Oops: 0000 [#1] SMP 
"""

It is immediately followed by a kernel panic (also in the attached file):

""" (short excerpt)
[ 1106.101435] Kernel panic - not syncing: Fatal exception in interrupt
[ 1106.101435] Pid: 2060, comm: kvm Tainted: G      D     2.6.35-23-server #41-Ubuntu
"""

It appears to be irrelevant what protocol is specified with the -p option, although when _no_ protocol is specified, the Oops and panic do not occur. I tested with -p arp and -p ipv4. It also appears to be irrelevant what target is specified with the -j option. I tested with -j DROP and -j ACCEPT.

My test environment was ubuntu maverick 64-bit using mainline (unpatched) kernels.

The tools versions were as follows:
* bridge-utils 1.4-5ubuntu2
* iproute 20100519-2
* ebtables 2.0.9.2-2

I tested the following kernels with identical results (Oops and panic):
* 2.6.34-020634rc1-generic
* 2.6.34-02063401-generic
* 2.6.34-02063407-generic
* 2.6.35-02063507-generic
* 2.6.35-02063508-generic
* 2.6.35-02063509-generic
* 2.6.36-020636rc6-generic
* 2.6.36-020636rc7-generic
* 2.6.36-020636rc8-generic
* 2.6.36-020636-generic
* 2.6.36-02063601-generic
* 2.6.37-999-generic (daily-201012081134)

Testing versions in reverse order, I finally came to a version that did not exhibit the problem (no Oops or panic - the system remained usable):
* 2.6.33-02063307-generic

As a last bit of curiosity, I looked at the patch for 2.6.34rc1 and saw that ebtables.c has undergone extensive modifications. I have the gut feeling that the issue is related to those modifications.

If I can provide any other test results or more specifics about the test environment, or if I should re-test in another environment alltogether, please advise.
Comment 1 Sebastian J. Bronner 2010-12-09 13:12:19 UTC 
Sorry, the short excerpts were from the wrong kernel versions. The excerpts from the attached file are:

Oops:
"""
[   80.040091] BUG: unable to handle kernel paging request at ffff88013c142a0b

[   80.043455] IP: [<ffffffffa00c6500>] ebt_do_table+0x160/0x6b0 [ebtables]

[   80.046191] PGD 1a8b063 PUD 0 

[   80.047897] Oops: 0000 [#1] SMP 

"""

panic:
"""
[   80.050021] Kernel panic - not syncing: Fatal exception in interrupt

[   80.050021] Pid: 0, comm: swapper Tainted: G      D     2.6.36-02063601-generic #201011231330

"""
Comment 2 Florian Mickler 2011-01-24 13:02:54 UTC 
a fix for this has been merged in 2.6.37:
commit e6f26129ebbb0071016e2526036f42036ccf30e1
Author: Florian Westphal <fw@strlen.de>
Date:   Mon Jan 3 04:16:28 2011 +0000

    bridge: stp: ensure mac header is set