Summary: | net-firewall/ipset incompatible with 2.6.28 | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jochen Schlick <josch09> |
Component: | [OLD] Core system | Assignee: | Robin Johnson <robbat2> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | amd64, ppc, pva, x86 |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | AMD64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Attachments:
- kernel config
- dmesg output (after shorewall/iptables start)
- lsmod output
- /var/log/messages after /etc/init.d/shorewall start
- debug patch
- iptables log of the new patched kernel - nocrash :-(
- messages of the new patched kernel - nocrash :-(
- iptables log of the unpatched kernel
- messages of the unpatched kernel
- messages of a 2.6.28 vanilla kernel (with nvidia)
- messages of a 2.6.28 vanilla kernel (no nvidia)

Description
Jochen Schlick
2009-01-08 10:20:33 UTC
Could you attach your kernel config and your lsmod and dmesg output? Thanks :)

Created attachment 177792 [details]
kernel config
Created attachment 177793 [details]
dmesg output (after shorewall/iptables start)
Created attachment 177795 [details]
lsmod output
It would also be very helpful if you followed the steps below to isolate the line of code that is causing the oops. The instructions have to be followed in an identical kernel as the one that causes the crashes.

    # emerge -n gdb
    # cd /usr/src/linux #or wherever your kernel lies
    # rm net/netfilter/x_tables.o
    # make CONFIG_DEBUG_INFO=y net/netfilter/x_tables.o
    # gdb net/netfilter/x_tables.o

Then at the gdb prompt:

    # list *xt_check_match+0xf5

Then just post the output of the above command here! Thanks :)

hope this helps

    /usr/src/linux-2.6.28-gentoo # gdb net/netfilter/x_tables.o
    GNU gdb 6.8
    Copyright (C) 2008 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law. Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-pc-linux-gnu"...
    (gdb) list *xt_check_match+0xf5
    0x1a95 is in xt_check_match (net/netfilter/x_tables.c:357).
    352             printk("%s_tables: %s match: only valid for protocol %u\n",
    353                    xt_prefix[par->family], par->match->name,
    354                    par->match->proto);
    355             return -EINVAL;
    356     }
    357     if (par->match->checkentry != NULL && !par->match->checkentry(par))
    358             return -EINVAL;
    359     return 0;
    360 }
    361 EXPORT_SYMBOL_GPL(xt_check_match);
    (gdb)

Great output, thanks. Please make sure the lines below are set in the /etc/shorewall/shorewall.conf file:

    LOGFILE=/var/log/messages
    LOGFORMAT="Shorewall:%s:%s:"

If these lines are like this already, attach your /var/log/messages. If they are not, boot up your system without starting shorewall. After booting successfully, run shorewall by executing

    /etc/init.d/shorewall start

Then your system should crash. If so, reboot and attach your /var/log/messages here.

Thank you

Also, which is the last known working kernel?

sorry for the delay, but the thinkpad is not available at the moment (until tomorrow morning).
but the current working kernel on this thinkpad is: linux-2.6.27-gentoo-r7

best regards

Created attachment 177991 [details]
/var/log/messages after /etc/init.d/shorewall start
there is no output from shorewall in /var/log/messages - only from iptables and the concerning oops after manual start of shorewall....
Please create a file at /usr/local/bin/iptables_log and put this inside it:

    #!/bin/bash
    # Log timestamp, PID and arguments of each call, then run the real iptables.
    echo "$(date) $$ $*" >> /tmp/iptables_log
    # "$@" passes every argument through unchanged, even ones containing spaces.
    exec /sbin/iptables "$@"

Make it executable:

    chmod a+x /usr/local/bin/iptables_log

Then in shorewall.conf add:

    IPTABLES=/usr/local/bin/iptables_log

Then start shorewall on an affected kernel, reproducing the crash. Post the new crash dump, and the contents of /usr/local/bin/iptables_log to this bug. Thanks!

(In reply to comment #11)
> Then start shorewall on an affected kernel, reproducing the crash. Post the new
> crash dump, and the contents of /usr/local/bin/iptables_log to this bug.
> Thanks!

Should have read:
> Then start shorewall on an affected kernel, reproducing the crash. Post the new
> crash dump, and the contents of /tmp/iptables_log to this bug.

Created attachment 178020 [details, diff]
debug patch
At the same time, please have this patch applied to 2.6.28 to add some more debug output. When including the updated crash dump per the instructions above, please also include the few preceding lines in the kernel log (which is what this patch will add)
ok, first of all shorewall expected then also a "iptables_log-restore" in /usr/local/bin, so I created one (a symlink to /sbin/iptables-restore). I hope this is correct. I built a new kernel (2.6.28-gentoo.debug), rebooted several times but no oops :-( (still investigating)

Created attachment 178083 [details]
iptables log of the new patched kernel - nocrash :-(
Created attachment 178084 [details]
messages of the new patched kernel - nocrash :-(
Created attachment 178087 [details]
iptables log of the unpatched kernel
Created attachment 178089 [details]
messages of the unpatched kernel
How strange. The fact that the debug patch changes the behaviour probably means that it is a timing-sensitive issue. The command it is crashing on is:

    iptables -A fooX1594 -m set --set fooX1594 src -j ACCEPT

I think we should take this upstream as the next step. Before we do that, we need to reproduce this on an unpatched, untainted kernel. Please can you reproduce this on vanilla-sources-2.6.28, without the nvidia module, and post a new crash dump?

Created attachment 178271 [details]
messages of a 2.6.28 vanilla kernel (with nvidia)
sys-kernel/vanilla-sources 2.6.28 created with genkernel crashes also
Thanks. That one still had the nvidia driver loaded though. Please configure your system so that the nvidia module doesn't get loaded at all, and post a new crash dump.

Created attachment 178287 [details]
messages of a 2.6.28 vanilla kernel (no nvidia)
not so fast ;-)
I removed the nvidia kernel module and called depmod for the vanilla kernel and it oopses again with the untainted kernel.
PS: I write this comment on the same laptop running the 2.6.28-gentoo.debug kernel and still no crash with this kernel.
Perfect, thanks. Please now file an upstream bug for this at http://bugzilla.kernel.org. My suggestions:
- emphasize that this is a 2.6.28 regression (2.6.27 worked)
- note the iptables command which we have determined to be the trigger for the crash (explained above)
- attach your most recent dmesg there (non-tainted kernel with crash message)

I'll add some more technical details after you have done that. Please post the new bug URL here when done, thanks!

ok I created one on bugzilla.kernel.org
http://bugzilla.kernel.org/show_bug.cgi?id=12517

The reason for the oops was an incompatibility between the 2.6.28 kernels and the net-firewall/ipset package !! deinstallation of /net-firewall/ipset fixes the problem.

ah, that explains it

Jochen, I just added to the tree ipset-2.4.7. Could you verify that it does not crash 2.6.28 kernel?

installed, firewall restarted, ipset-modules are loaded - no crash.

(In reply to comment #28)
> installed, firewall restarted, ipset-modules are loaded - no crash.

Thank you, Jochen. I think we should stabilize ipset-2.4.7 together with 2.6.28 kernel. Keeping this bug open until then.

This bug became quite long, so I've requested stabilization in bug 257483. Closing.
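
The logging-wrapper technique used in this thread to find the iptables command that triggered the oops, as an added example that is not code from the bug report: each invocation is recorded with its arguments individually quoted and the log is flushed to disk before the command runs, so after a crash the last line names the trigger. The function names and the `LOG` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): argument-preserving command log.
# LOG and the function names below are hypothetical.
LOG="${LOG:-/tmp/iptables_log}"

# Quote one argument so it can be pasted back into a shell unchanged.
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Append "<timestamp> <pid> <quoted argv>" to $LOG, then flush to disk so
# the entry survives if the kernel oopses while the command runs.
log_argv() {
    line="$(date '+%Y-%m-%dT%H:%M:%S') $$"
    for arg in "$@"; do
        line="$line $(quote_arg "$arg")"
    done
    printf '%s\n' "$line" >> "$LOG"
    sync 2>/dev/null || true
}

# Print the argv of the last logged command: the candidate crash trigger.
last_logged_command() {
    tail -n 1 "$LOG" | cut -d' ' -f3-
}

# Used as a wrapper, the script would end with:
#   log_argv "$@"; exec /sbin/iptables "$@"
```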