Repeatable OOPS with containers and netfilter

Alexey Dobriyan adobriyan at gmail.com
Fri Sep 9 09:16:41 PDT 2011


net->nfnl = NULL

On Fri, Sep 9, 2011 at 6:33 PM, Alex Bligh <alex at alex.org.uk> wrote:
> We are seeing a repeatable kernel oops (quite a deadly one) when destroying
> containers which are or have been passing forwarded IPv4 traffic and have
> (or have had) a netfilter conntrack rule installed.
>
> To repeat, you need to have
> a) a container
> b) which is forwarding IPv4 traffic from one interface in the container to
>  another (2 veth interfaces in this case) - one ping packet per second
>  will do
> c) iptables with an IP conntrack rule.
> d) delete the container (it doesn't matter if you delete the iptables
>  rule first and sleep for a couple of seconds).
>
> An OOPS like the one below results.
>
> This one is from Ubuntu kernel
> 3.0.0-10-server #16-Ubuntu SMP Fri Sep 2 18:51:05 UTC 2011 x86_64 GNU/Linux
>
> RIP: 0010:[<ffffffff81511959>]  [<ffffffff81511959>] netlink_has_listeners+0x9/0x50
> [<ffffffffa048f145>] nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
> [<ffffffffa049943b>] ctnetlink_conntrack_event+0x5cb/0x890 [nf_conntrack_netlink]
> [<ffffffff814e34d0>] ? net_drop_ns+0x50/0x50
> [<ffffffffa04062d8>] death_by_timeout+0xc8/0x1c0 [nf_conntrack]
> [<ffffffffa0405270>] ? nf_conntrack_attach+0x50/0x50 [nf_conntrack]
> [<ffffffffa0406448>] nf_ct_iterate_cleanup+0x78/0x90 [nf_conntrack]
> [<ffffffffa0406491>] nf_conntrack_cleanup_net+0x31/0x100 [nf_conntrack]
> [<ffffffffa0407f97>] nf_conntrack_cleanup+0x27/0x60 [nf_conntrack]
> [<ffffffffa04081f0>] nf_conntrack_net_exit+0x60/0x80 [nf_conntrack]
> [<ffffffff814e2d28>] ops_exit_list.isra.1+0x38/0x60
> [<ffffffff814e35e2>] cleanup_net+0x112/0x1b0
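The call trace above is the kind of artifact an on-call engineer has to read quickly when a host running containers starts oopsing on namespace teardown. The following is an added example, not code from this thread or from the kernel: a small parser for x86_64 oops frame lines in the form printed here (`[<addr>] symbol+off/size [module]`, with `?` marking a frame the unwinder could not verify), which strips the mail-quote prefix, separates verified frames from stale ones, and summarises where the fault landed and which modules are on the path. The sample input is the trace quoted in the report; the frame format and the `triage` summary fields are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Frame lines as printed by the x86_64 oops code of that era, e.g.
#   [<ffffffffa048f145>] nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
#   [<ffffffff814e34d0>] ? net_drop_ns+0x50/0x50   ('?' = unverified return address)
FRAME_RE = re.compile(
    r"\[<(?P<addr>[0-9a-f]+)>\]\s+"
    r"(?P<unreliable>\?\s+)?"
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
    r"(?:\s+\[(?P<mod>[\w-]+)\])?"
)


@dataclass
class Frame:
    addr: int
    symbol: str
    offset: int
    size: int
    module: Optional[str]  # None: symbol lives in the core kernel image
    reliable: bool         # False for '?' frames (stale values found on the stack)


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one call-trace line; returns None for lines that carry no frame."""
    m = FRAME_RE.search(line.lstrip("> "))  # drop the mail-quote prefix first
    if not m:
        return None
    return Frame(
        addr=int(m["addr"], 16),
        symbol=m["sym"],
        offset=int(m["off"], 16),
        size=int(m["size"], 16),
        module=m["mod"],
        reliable=m["unreliable"] is None,
    )


def parse_oops(text: str) -> List[Frame]:
    """Return frames innermost-first; the RIP line contributes the faulting frame itself."""
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f]


def reliable_chain(frames: List[Frame]) -> List[str]:
    """Symbols of verified frames only, innermost first."""
    return [f.symbol for f in frames if f.reliable]


def modules_involved(frames: List[Frame]) -> List[str]:
    return sorted({f.module for f in frames if f.module})


def triage(frames: List[Frame]) -> Dict[str, object]:
    """What to read first: where it died, who called it, and which modules are on the path."""
    fault = frames[0]
    callers = [f for f in frames[1:] if f.reliable]
    return {
        "faulting_symbol": fault.symbol,
        "faulting_module": fault.module or "kernel",
        "first_caller": callers[0].symbol if callers else None,
        "first_caller_module": (callers[0].module or "kernel") if callers else None,
        "outermost": callers[-1].symbol if callers else None,
        "modules": modules_involved(frames),
        "unreliable_frames": sum(1 for f in frames if not f.reliable),
    }


# Sample input: the trace quoted in the report above, mail-quote prefixes included.
OOPS_SAMPLE = """\
> RIP: 0010:[<ffffffff81511959>]  [<ffffffff81511959>] netlink_has_listeners+0x9/0x50
> [<ffffffffa048f145>] nfnetlink_has_listeners+0x15/0x20 [nfnetlink]
> [<ffffffffa049943b>] ctnetlink_conntrack_event+0x5cb/0x890 [nf_conntrack_netlink]
> [<ffffffff814e34d0>] ? net_drop_ns+0x50/0x50
> [<ffffffffa04062d8>] death_by_timeout+0xc8/0x1c0 [nf_conntrack]
> [<ffffffffa0405270>] ? nf_conntrack_attach+0x50/0x50 [nf_conntrack]
> [<ffffffffa0406448>] nf_ct_iterate_cleanup+0x78/0x90 [nf_conntrack]
> [<ffffffffa0406491>] nf_conntrack_cleanup_net+0x31/0x100 [nf_conntrack]
> [<ffffffffa0407f97>] nf_conntrack_cleanup+0x27/0x60 [nf_conntrack]
> [<ffffffffa04081f0>] nf_conntrack_net_exit+0x60/0x80 [nf_conntrack]
> [<ffffffff814e2d28>] ops_exit_list.isra.1+0x38/0x60
> [<ffffffff814e35e2>] cleanup_net+0x112/0x1b0
"""

if __name__ == "__main__":
    for key, value in triage(parse_oops(OOPS_SAMPLE)).items():
        print(f"{key}: {value}")
```

Reading the summary for this trace, the fault is in core-kernel `netlink_has_listeners`, reached from the `nfnetlink` module during `cleanup_net`, with the conntrack modules in between; the two `?` frames are ignored, which keeps stale stack values from misleading the triage. The same parser can be pointed at a kernel log stream to detect repeated teardown oopses on a container host before they reach the deadly stage the report describes.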