V
vdx
Guest
Dear Friends,
I am building a packet forwarder kern-mod. for that I did add prerouting hook function in netfilter.
In the same function, on successful match I am stilling that same. For that I use below function,
the issue with above is, at some point of time my system gets crash. Below is crash dump utility analysis
I getting NULL pointer deref issue in above case. how do I resolve ?
I am building a packet forwarder kern-mod. for that I did add prerouting hook function in netfilter.
In the same function, on successful match I am stilling that same. For that I use below function,
Code:
/* Transmitter function */
static int my_xmit(struct sk_buff *skb)
{
struct rtable *rt; // route to the other host
struct iphdr *iph = skb->nh.iph;
u8 tos = iph->tos;
int mtu;
struct flowi flp;
memset(&flp, 0, sizeof(flp));
flp.fl4_dst = iph->daddr;
flp.fl4_tos = RT_TOS(tos);
if(ip_route_output_flow(&rt, &flp, NULL, 0)) {
printk(KERN_ERR "my_xmit[%d]: ip_route_output error, dest: %u.%u.%u.%u\n",__LINE__,NIPQUAD(iph->daddr));
goto tx_error_icmp;
}
/* MTU checking ??? */
mtu = dst_mtu(&rt->u.dst);
if ((skb->len > mtu) && (iph->frag_off&__constant_htons(IP_DF))) {
icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
ip_rt_put(rt);
printk(KERN_ERR "my_xmit[%d]: frag needed\n",__LINE__);
goto tx_error;
}
/* drop old route */
dst_release(skb->dst);
skb->dst = &rt->u.dst;
dst_output(skb);
return NF_STOLEN;
tx_error_icmp:
dst_link_failure(skb);
tx_error:
kfree_skb(skb);
return NF_STOLEN;
}
the issue with above is, at some point of time my system gets crash. Below is crash dump utility analysis
Code:
crash> bt
PID: 0 TASK: ffff81022fd0f040 CPU: 16 COMMAND: "swapper"
#0 [ffff81012fe0b9b0] crash_kexec at ffffffff800b093a
#1 [ffff81012fe0ba70] __die at ffffffff80065137
#2 [ffff81012fe0bab0] do_page_fault at ffffffff80067484
#3 [ffff81012fe0bba0] error_exit at ffffffff8005dde9
[exception RIP: my_prerouting_hook+1044]
RIP: ffffffff8845a475 RSP: ffff81012fe0bc50 RFLAGS: 00010206
RAX: ffffc200111b5000 RBX: ffff81012fe0bd50 RCX: 0000000000000000
RDX: ffff81010a591044 RSI: 0000000000000014 RDI: ffff81011be607c0
RBP: 0000000007be4e60 R8: ffffffff80254a2c R9: ffffffff8845d3c0
R10: ffff81010f52b080 R11: 00000000000000c8 R12: ffff81012b5a4000
R13: 00000000000ffff0 R14: ffff81012fe0bda0 R15: ffffffff805c7ac0
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#4 [ffff81012fe0bce8] nf_iterate at ffffffff80033faf
#5 [ffff81012fe0bd10] ip_rcv_finish at ffffffff80254a2c
#6 [ffff81012fe0bd88] ip_rcv at ffffffff8003550b
#7 [ffff81012fe0bdc8] netif_receive_skb at ffffffff80020aed
#8 [ffff81012fe0be18] tg3_poll at ffffffff881b0be7 [tg3]
#9 [ffff81012fe0bef8] net_rx_action at ffffffff8000c9bf
#10 [ffff81012fe0bf38] __do_softirq at ffffffff80012531
#11 [ffff81012fe0bf68] call_softirq at ffffffff8005e2fc
#12 [ffff81012fe0bf80] do_softirq at ffffffff8006d646
#13 [ffff81012fe0bf90] do_IRQ at ffffffff8006d4d6
Code:
crash> dis -lr ffffffff8845a475
0xffffffff8845a061 <my_prerouting_hook>: push %r14
0xffffffff8845a0bb <my_prerouting_hook+90>: mov %rbx,%rdx
0xffffffff8845a0be <my_prerouting_hook+93>: callq 0xffffffff80233be4 <skb_copy_bits+317>
0xffffffff8845a218 <my_prerouting_hook+439>: callq 0xffffffff80048106 <mpage_end_io_read+71>
0xffffffff8845a23b <my_prerouting_hook+474>: callq 0xffffffff802509ae <nf_register_hooks+11>
0xffffffff8845a29e <my_prerouting_hook+573>: callq 0xffffffff80011fec <do_munmap+634>
0xffffffff8845a305 <my_prerouting_hook+676>: callq 0xffffffff8025713a <ip_copy_metadata+167>
0xffffffff8845a31e <my_prerouting_hook+701>: callq 0xffffffff8006201c <__memset>
0xffffffff8845a33d <my_prerouting_hook+732>: callq 0xffffffff80253106 <ip_route_output_flow+316>
0xffffffff8845a370 <my_prerouting_hook+783>: callq 0xffffffff8026ab1a <icmp_send+326>
0xffffffff8845a3a2 <my_prerouting_hook+833>: callq 0xffffffff80094387 <printk+3>
0xffffffff8845a3a7 <my_prerouting_hook+838>: callq 0xffffffff8006c4a1 <dump_stack>
0xffffffff8845a3f4 <my_prerouting_hook+915>: callq 0xffffffff80094387 <printk+3>
0xffffffff8845a3f9 <my_prerouting_hook+920>: callq 0xffffffff8006c4a1 <dump_stack>
0xffffffff8845a43a <my_prerouting_hook+985>: callq 0xffffffff80094387 <printk+3>
0xffffffff8845a465 <my_prerouting_hook+1028>: callq 0xffffffff802344b1 <skb_release_data+150>
0xffffffff8845a46a <my_prerouting_hook+1033>: mov $0x2,%eax
0xffffffff8845a46f <my_prerouting_hook+1038>: jmp 0xffffffff8845a4a8
0xffffffff8845a471 <my_prerouting_hook+1040>: mov 0x0(%rbp),%rbp
0xffffffff8845a475 <my_prerouting_hook+1044>: mov 0x0(%rbp),%rax
I getting NULL pointer deref issue in above case. how do I resolve ?