Kernel-oops with slip+netfilter on 2.4.7 and 2.4.16

From: Sami Ponkanen (
Date: Fri Jan 04 2002 - 06:19:38 EST


I already posted this report to the netfilter list, but I thought it might
fit to the networking list also.

The problem: Reproducible oops when using slip and dnat/redirect in OUTPUT
chain and when sending an udp-packet from the same host.

My network looks like this:
A <--- slip ---> B <--- slip ---> C

How to do it:
At host B:
1. All udp packets sent from B ( to A ( are to be
redirected to B, thus do:
iptables -t nat -A OUTPUT -d -p udp -j DNAT --to-destination
2. Send a udp packet from B to A, for example with the code at the bottom of
the message

The problem is only present when
1. using udp; no problems with tcp or icmp
2. using slip; no problems with ppp or ethernet
3. sending the packet from B; no problems when in B the dnat rule is in
PREROUTING chain and the packet is sent from C to A

Versions of most important stuff:
linux-2.4.7 (crashes also atleast with 2.4.16, but the dumps are from 2.4.7)
slattach 1.21

Below you can find the output of ksymoops and a little helper program. I hope
I did provide enough (but not too much information) to help the debugging of
the problem.


Sami Pönkänen

ksymoops output:
ksymoops 2.4.3 on i586 2.4.7. Options used
     -V (specified)
     -k 20020104122441.ksyms (specified)
     -l 20020104122441.modules (specified)
     -o /lib/modules/2.4.7/ (specified)
     -m /boot/ (specified)

skput:under: c01ca44d:92 put:14 dev:lokernel BUG at skbuff.c:110!
invalid operand: 0000
CPU: 0
EIP: 0010:[<c01c10e1>]
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010282
eax: 0000001c ebx: 00000800 ecx: c1dd4000 edx: c026f224
esi: c2e18200 edi: c1e12220 ebp: 00000000 esp: c1571ccc
ds: 0018 es: 0018 ss: 0018
Process udp_source (pid: 263, stackpage=c1571000)
Stack: c024b08c c024b280 0000006e c01ca456 c2e18200 0000000e c01ca44d c1436c00
       c2e18200 c1e12220 c027bd20 c01c7c46 c2e18200 c027bd20 00000800 c1e12248
       00000000 0000004e c2e18200 c1436c00 00000000 00000002 c01d5264 c2e18200
Call Trace: [<c01ca456>] [<c01ca44d>] [<c01c7c46>] [<c01d5264>] [<c01ca24e>]
[<c01d4141>] [<c01d51d0>]
       [<c01d51c9>] [<c01ca24e>] [<c01d4b86>] [<c01d51bc>] [<c01eb033>]
[<c01eabe0>] [<c01d066f>] [<c01d06a4>]
       [<c01f06d6>] [<c01be675>] [<c01bf393>] [<c010ef74>] [<c010f0d3>]
[<c010ef74>] [<c01be40e>] [<c011f2fd>]
       [<c01bf3d2>] [<c01bfb61>] [<c0106b43>]
Code: 0f 0b 83 c4 0c c3 90 a1 68 f8 2b c0 57 56 53 f7 d8 8b 7c 24

>>EIP; c01c10e0 <skb_under_panic+3c/44> <=====
Trace; c01ca456 <eth_header+36/114>
Trace; c01ca44c <eth_header+2c/114>
Trace; c01c7c46 <neigh_resolve_output+ce/1a8>
Trace; c01d5264 <ip_finish_output2+94/d4>
Trace; c01ca24e <nf_hook_slow+136/188>
Trace; c01d4140 <ip_output+50/58>
Trace; c01d51d0 <ip_finish_output2+0/d4>
Trace; c01d51c8 <output_maybe_reroute+c/14>
Trace; c01ca24e <nf_hook_slow+136/188>
Trace; c01d4b86 <ip_build_xmit+2d6/358>
Trace; c01d51bc <output_maybe_reroute+0/14>
Trace; c01eb032 <udp_sendmsg+34e/3c8>
Trace; c01eabe0 <udp_getfrag+0/bc>
Trace; c01d066e <ip_route_output_slow+5ae/620>
Trace; c01d06a4 <ip_route_output_slow+5e4/620>
Trace; c01f06d6 <inet_sendmsg+3a/40>
Trace; c01be674 <sock_sendmsg+68/88>
Trace; c01bf392 <sys_sendto+c6/e8>
Trace; c010ef74 <do_page_fault+0/45c>
Trace; c010f0d2 <do_page_fault+15e/45c>
Trace; c010ef74 <do_page_fault+0/45c>
Trace; c01be40e <sock_map_fd+fa/17c>
Trace; c011f2fc <do_munmap+240/250>
Trace; c01bf3d2 <sys_send+1e/24>
Trace; c01bfb60 <sys_socketcall+118/200>
Trace; c0106b42 <system_call+32/40>
Code; c01c10e0 <skb_under_panic+3c/44>
00000000 <_EIP>:
Code; c01c10e0 <skb_under_panic+3c/44> <=====
   0: 0f 0b ud2a <=====
Code; c01c10e2 <skb_under_panic+3e/44>
   2: 83 c4 0c add $0xc,%esp
Code; c01c10e4 <skb_under_panic+40/44>
   5: c3 ret
Code; c01c10e6 <skb_under_panic+42/44>
   6: 90 nop
Code; c01c10e6 <skb_under_panic+42/44>
   7: a1 68 f8 2b c0 mov 0xc02bf868,%eax
Code; c01c10ec <alloc_skb+4/190>
   c: 57 push %edi
Code; c01c10ec <alloc_skb+4/190>
   d: 56 push %esi
Code; c01c10ee <alloc_skb+6/190>
   e: 53 push %ebx
Code; c01c10ee <alloc_skb+6/190>
   f: f7 d8 neg %eax
Code; c01c10f0 <alloc_skb+8/190>
  11: 8b 7c 24 00 mov 0x0(%esp,1),%edi

Kernel panic: Aiee, killing interrupt handler!

And finally a little helper program to send udp packets:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>

int main(int argc, char **argv) {
  int socket_type, protocol, port, s;
  struct sockaddr_in dst;
  struct in_addr dst_addr;
  char *packet;
  int packet_len = 50;

  socket_type = SOCK_DGRAM;
  protocol = IPPROTO_UDP;
  port = 7;
  if(argc <= 1 || inet_aton(argv[1], &dst_addr) == 0) {
    perror("Could not resolve destination address");
  if(argc > 2) {
    port = atoi(argv[2]);
    if(port < 0) {
      perror("Invalid destination port");
  dst.sin_family = AF_INET;
  dst.sin_port = htons(port);
  dst.sin_addr = dst_addr;
  s = socket(PF_INET, socket_type, protocol);

  if(s < 0) {
    perror("Could not create socket");
  if(connect(s, (struct sockaddr *) &dst, (socklen_t) sizeof(dst)) < 0) {
    perror("Could not connect");

  packet = (char *) malloc(packet_len);
  while(1) {
    if(send(s, (void *) packet, (size_t) packet_len, 0) < 0) {
      perror("An error occured while trying to send the packet");

To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to
More majordomo info at

This archive was generated by hypermail 2b29 : Mon Jan 07 2002 - 21:00:40 EST