Bug#648004: linux-image-2.6.32-5-xen-amd64: tc(8) Oopses, unable to establish new connections afterwards

[Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>]

Package: linux-image-2.6.32-5-xen-amd64
Version: 2.6.32-35
Severity: critical
Justification: breaks the whole system

Dear Maintainer,

On debian 6.0.2 i am running a XEN guest with 2.6.32-5-xen-amd64
from linux-image-2.6.32-5-xen-amd64 (version 2.6.32-35).

The bug sounds like it comes from the openvirtuozzo patch.

When attempting to do:

# sh -x ./foo add 5038
+ what=add
+ port=5038
+ bitspersec=30000
+ bps=3750bps
+ burst=3kb
+ tc qdisc add dev eth0 root handle 1:0 htb
+ tc class add dev eth0 parent 1:0 classid 1:666 htb rate 100mbit ceil 100mbit
+ tc qdisc add dev eth0 parent 1:666 handle 2:0 sfq perturb 10
+ tc filter add dev eth0 parent 2:0 protocol ip u32 match ip sport 5038 0xff00 police rate 3750bps burst 3kb mpu 0 action drop/continue flowid 2:0
Killed
+ [ add = add ]
+ tc qdisc show dev eth0

[hangs forever]

dmesg tells me:

[2313063.901744] HTB: quantum of class 10666 is big. Consider r2q change.
[2313063.908460] u32 classifier
[2313063.908465]     Performance counters on
[2313063.908468]     input device check on 
[2313063.908471]     Actions configured 
[2313063.910372] BUG: unable to handle kernel NULL pointer dereference at (null)
[2313063.910381] IP: [<(null)>] (null)
[2313063.910386] PGD 9a6ba067 PUD fe070067 PMD 0 
[2313063.910393] Oops: 0010 [#1] SMP 
[2313063.910398] last sysfs file: /sys/devices/virtual/net/lo/operstate
[2313063.910402] CPU 0 
[2313063.910406] Modules linked in: act_police cls_u32 sch_sfq sch_htb snd_pcm snd_timer snd soundcore evdev snd_page_alloc pcspkr ext4 mbcache jbd2 crc16 xen_netfront xen_blkfront
[2313063.910432] Pid: 1331, comm: tc Not tainted 2.6.32-5-xen-amd64 #1 
[2313063.910436] RIP: e030:[<0000000000000000>]  [<(null)>] (null)
[2313063.910441] RSP: e02b:ffff880002e03940  EFLAGS: 00010282
[2313063.910446] RAX: ffffffffa0106c80 RBX: ffff8800fe5650c0 RCX: 0000000071dde1fb
[2313063.910451] RDX: 0000000000020000 RSI: 0000000000000000 RDI: ffff8800fe4a8000
[2313063.910456] RBP: ffff8800fd72d840 R08: ffff8800038ade30 R09: ffff880002e038d8
[2313063.910461] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8800fd72dfc0
[2313063.910466] R13: ffff8800fe5650c0 R14: ffff880002e039b8 R15: 0000000000000000
[2313063.910474] FS:  00007fbc7d947700(0000) GS:ffff88000389c000(0000) knlGS:0000000000000000
[2313063.910479] CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[2313063.910484] CR2: 0000000000000000 CR3: 00000000027ec000 CR4: 0000000000002660
[2313063.910489] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[2313063.910494] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[2313063.910499] Process tc (pid: 1331, threadinfo ffff880002e02000, task ffff8800fdb98000)
[2313063.910504] Stack:
[2313063.910507]  ffffffffa010d7b8 ffff8800fe79a500 ffffffffa010dabe 00000020a010d439
[2313063.910514] <0> ffff8800fe5650c0 ffff88009a107488 0000000080000800 ffff8800fd72d840
[2313063.913009] <0> ffff880002e03aa8 ffff8800fd72dfc0 ffffffffa010db3c 0000000000000002
[2313063.913009] Call Trace:
[2313063.913009]  [<ffffffffa010d7b8>] ? u32_set_parms+0xbd/0x143 [cls_u32]
[2313063.913009]  [<ffffffffa010dabe>] ? u32_change+0x280/0x39c [cls_u32]
[2313063.913009]  [<ffffffffa010db3c>] ? u32_change+0x2fe/0x39c [cls_u32]
[2313063.913009]  [<ffffffff812769bf>] ? tc_ctl_tfilter+0x544/0x5af
[2313063.913009]  [<ffffffff81276965>] ? tc_ctl_tfilter+0x4ea/0x5af
[2313063.913009]  [<ffffffff8100e629>] ? xen_force_evtchn_callback+0x9/0xa
[2313063.913009]  [<ffffffff8127b308>] ? netlink_sendmsg+0x162/0x255
[2313063.913009]  [<ffffffff81269c83>] ? rtnetlink_rcv_msg+0x0/0x1f5
[2313063.913009]  [<ffffffff8127aec8>] ? netlink_rcv_skb+0x34/0x7c
[2313063.913009]  [<ffffffff81269c7d>] ? rtnetlink_rcv+0x1f/0x25
[2313063.913009]  [<ffffffff8127acbc>] ? netlink_unicast+0xe2/0x148
[2313063.913009]  [<ffffffff81258a89>] ? __alloc_skb+0x69/0x15a
[2313063.913009]  [<ffffffff8127b3e8>] ? netlink_sendmsg+0x242/0x255
[2313063.913009]  [<ffffffff812513f5>] ? sock_sendmsg+0xa3/0xbb
[2313063.913009]  [<ffffffff812512f9>] ? sock_recvmsg+0xa6/0xbe
[2313063.913009]  [<ffffffff81065f06>] ? autoremove_wake_function+0x0/0x2e
[2313063.913009]  [<ffffffff81065f06>] ? autoremove_wake_function+0x0/0x2e
[2313063.913009]  [<ffffffff81259df4>] ? verify_iovec+0x46/0x96
[2313063.913009]  [<ffffffff81251637>] ? sys_sendmsg+0x22a/0x2b5
[2313063.913009]  [<ffffffff8100ece2>] ? check_events+0x12/0x20
[2313063.913009]  [<ffffffff811541f7>] ? cap_file_free_security+0x0/0x1
[2313063.913009]  [<ffffffff8130f906>] ? do_page_fault+0x2e0/0x2fc
[2313063.913009]  [<ffffffff81011b42>] ? system_call_fastpath+0x16/0x1b
[2313063.913009] Code:  Bad RIP value.
[2313063.913009] RIP  [<(null)>] (null)
[2313063.913009]  RSP <ffff880002e03940>
[2313063.913009] CR2: 0000000000000000
[2313063.913009] ---[ end trace 3a2d2e66e526d672 ]---

The tc comes from:
ii  iproute        20100519-3

System Information below is from the host running reportbug which
is NOT the machine the oops occurs;
Problem installation is running:
squeeze (6.0.2), amd64, 2.6.32-5-xen-amd64

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash