Wind River Support Network

Fixed

LIN8-12106 : SYNPROXY module causing kernel panic

Created: Feb 10, 2020    Updated: Apr 25, 2020
Resolved Date: Apr 20, 2020
Found In Version: 8.0.0.21
Fix Version: 8.0.0.33
Severity: Severe
Applicable for: Wind River Linux 8
Component/s: Kernel

Description

We are trying to mitigate SYN floods with the SYNPROXY module in the kernel,
but while applying the rules below my kernel is crashing

sudo iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack

sudo iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460  # This is causing the kernel crash

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

We have enabled the below configuration

root@128:~# zgrep SYNPROXY /proc/config.gz 
 CONFIG_NETFILTER_SYNPROXY=m
 CONFIG_IP_NF_TARGET_SYNPROXY=m

But we are getting the kernel panic log below

[69545.841704] Unable to handle kernel paging request for data at address 0x00000030
 [69545.849211] Faulting instruction address: 0x8000000000c3e104
 [69545.854892] Oops: Kernel access of bad area, sig: 11 [#1]
 [69545.860291] PREEMPT SMP NR_CPUS=24 CoreNet Generic
 [69545.865097] Modules linked in: xt_nat ipt_REJECT nf_reject_ipv4 ip6_tunnel tunnel6 xt_tcpudp xt_connlimit xt_conntrack iptable_filter iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat efdlinux(O) tievent(O) nfsd ipt_SYNPROXY nf_synproxy_core xt_CT nf_conntrack iptable_raw ip_tables x_tables fuse esdi_cpld(O) eri_ipmi(O)
 [69545.894838] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.1.21-WR8.0.0.24_standard #1
 [69545.903715] task: c0000000062ed900 ti: c0000005bf578000 task.ti: c0000000063dc000
 [69545.911201] NIP: 8000000000c3e104 LR: 8000000000c3e814 CTR: 0000000000000000
 [69545.918253] REGS: c0000005bf57af70 TRAP: 0300 Tainted: G O (4.1.21-WR8.0.0.24_standard)
 [69545.927650] MSR: 0000000080029000 <CE,EE,ME> CR: 84042824 XER: 20000000
 [69545.934472] DEAR: 0000000000000030 ESR: 0000000000000000 SOFTE: 1 
 GPR00: 8000000000c3e814 c0000005bf57b1f0 8000000000c47838 c00000059c47ae00 
 GPR04: 0000000000000014 00000000868af591 c00000059c47aec4 0000000000000000 
 GPR08: c0000004e53820d0 00000000000000d0 0000000000000000 8000000000c3f2e8 
 GPR12: 0000000048042828 c00000003fff5000 c000000070acdfce c0000004ddc81200 
 GPR16: c0000004ddc81098 c0000004df044a40 800003ffffa0b5e4 0000000000000000 
 GPR20: c0000004ddc81000 8000000000bc2810 00000005b931b000 0000000000000001 
 GPR24: 0000000000000028 0000000000000000 c000000070acdfce 0000000000000028 
 GPR28: c00000059c47ae00 c00000057dee2600 000000000a415e5e 00000000868af591 
 [69545.994472] NIP [8000000000c3e104] .synproxy_build_ip+0x44/0xb0 [ipt_SYNPROXY]
 [69546.001700] LR [8000000000c3e814] .synproxy_tg4+0x294/0x3a0 [ipt_SYNPROXY]
 [69546.008577] Call Trace:
 [69546.011028] [c0000005bf57b1f0] [c00000000586b188] .nf_ip_checksum+0xa8/0x1c0 (unreliable)
 [69546.019223] [c0000005bf57b290] [8000000000c3e814] .synproxy_tg4+0x294/0x3a0 [ipt_SYNPROXY]
 [69546.027503] [c0000005bf57b370] [8000000000bbd620] .ipt_do_table+0x360/0x520 [ip_tables]
 [69546.035519] [c0000005bf57b4a0] [80000000010f6058] .iptable_filter_hook+0x58/0xd0 [iptable_filter]
 [69546.044405] [c0000005bf57b530] [c0000000057f17a8] .nf_iterate+0xd8/0xf0
 [69546.051029] [c0000005bf57b5d0] [c0000000057f188c] .nf_hook_slow+0xcc/0x1c0
 [69546.057917] [c0000005bf57b680] [c0000000057fb3c0] .ip_local_deliver+0x90/0x110
 [69546.065149] [c0000005bf57b730] [c0000000057fade4] .ip_rcv_finish+0x94/0x420
 [69546.072120] [c0000005bf57b7c0] [c0000000057fb7c8] .ip_rcv+0x388/0x4d0
 [69546.078574] [c0000005bf57b890] [c0000000057a5c34] .__netif_receive_skb_core+0x9a4/0xd50
 [69546.086591] [c0000005bf57b990] [c0000000057a9b2c] .netif_receive_skb_internal+0x4c/0x110
 [69546.094700] [c0000005bf57ba30] [c0000000056a55f4] ._dpa_rx+0x1c4/0x6e0
 [69546.101237] [c0000005bf57bb50] [c0000000056a235c] .priv_rx_default_dqrr+0xcc/0x2b0
 [69546.108821] [c0000005bf57bc00] [c00000000573e3f0] .qman_p_poll_dqrr+0x1c0/0x2b0
 [69546.116139] [c0000005bf57bcd0] [c0000000056a2b34] .dpaa_eth_poll+0x34/0x90
 [69546.123024] [c0000005bf57bd60] [c0000000057aa2a0] .net_rx_action+0x280/0x460
 [69546.130082] [c0000005bf57be70] [c00000000507a15c] .__do_softirq+0x18c/0x530
 [69546.137054] [c0000005bf57bf90] [c000000005027f6c] .call_do_softirq+0x14/0x24
 [69546.144115] [c0000005bf577e00] [c000000005017558] .do_softirq_own_stack+0x58/0xa0
 [69546.151607] [c0000005bf577e90] [c00000000507a784] .irq_exit+0xc4/0xd0
 [69546.158057] [c0000005bf577f00] [c000000005016ff0] .__do_irq+0xc0/0x270
 [69546.164593] [c0000005bf577f90] [c000000005027f90] .call_do_irq+0x14/0x24
 [69546.171303] [c0000000063df940] [c000000005017268] .do_IRQ+0xc8/0x160
 [69546.177668] [c0000000063df9f0] [c00000000502c93c] exc_0x500_common+0xfc/0x100
 [69546.184817] --- interrupt: 501 at .book3e_idle+0x24/0x50
 [69546.184817] LR = .book3e_idle+0x24/0x50
 [69546.194307] [c0000000063dfce0] [c00000000501b40c] .arch_cpu_idle+0x3c/0xb0 (unreliable)
 [69546.202333] [c0000000063dfd50] [c0000000050c5c70] .cpu_startup_entry+0x3d0/0x4a0
 [69546.209739] [c0000000063dfe70] [c0000000050124f4] .rest_init+0xb4/0xd0
 [69546.216277] [c0000000063dfef0] [c000000005c4bc48] .start_kernel+0x514/0x530
 [69546.223248] [c0000000063dff90] [c000000005010650] start_here_common+0x20/0x50
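
Added example (not part of the original defect record and not Wind River code): a fail-closed pre-flight check that refuses the -j SYNPROXY rule on kernels older than the Fix Version listed above. It assumes the "WR8.0.0.NN" tag in the kernel release string tracks the product version named in this record; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Wind River code: fail-closed gate for the SYNPROXY rule.
FIX_VERSION="8.0.0.33"   # "Fix Version" field of LIN8-12106

# Pull the Wind River version out of a kernel release string, e.g.
# "4.1.21-WR8.0.0.24_standard" -> "8.0.0.24". Prints nothing if absent.
# Assumption: this tag tracks the product version named in the defect.
wr_version() {
    printf '%s\n' "$1" | sed -n 's/.*-WR\([0-9][0-9.]*\)_.*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B (numeric per field).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$2" ]
}

# synproxy_safe RELEASE: succeed only for a release at or above the fix.
# Unparseable strings fail, so an unknown kernel is treated as affected.
synproxy_safe() {
    v=$(wr_version "$1")
    [ -n "$v" ] && version_ge "$v" "$FIX_VERSION"
}

# preflight [RELEASE]: report the decision for RELEASE (default: running kernel).
preflight() {
    rel=${1:-$(uname -r)}
    if synproxy_safe "$rel"; then
        echo "OK: $rel is at or above $FIX_VERSION"
    else
        echo "BLOCKED: $rel is below $FIX_VERSION or unrecognised; do not add -j SYNPROXY" >&2
        return 1
    fi
}

# Constructed sample: the release string taken from the oops above.
preflight "4.1.21-WR8.0.0.24_standard" || true
```

On a live host, run `preflight` with no argument and add the SYNPROXY rule only when it succeeds.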