RHEL6.5: kernel 2.6.32-431.el6 crashes while executing systemtap script netfilter_drop.stp to drop all the incoming packets during a TCP flood attack

Solution Verified - Updated -

Issue

  • The system crashes with the RIP in function 'enter_netfilter_probe_0', which comes from the systemtap script netfilter_drop.stp.
  • A small portion of the oops message, showing the crash in the systemtap module:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000280
IP: [<ffffffffa02f0818>] enter_netfilter_probe_0+0x48/0x240 [stap_9334f47a88451be60694f41ddf6e20a8_2242]
...
Modules linked in: stap_9334f47a88451be60694f41ddf6e20a8_2242(U) ipv6 microcode sg virtio_balloon snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore snd_page_alloc e1000 i2c_piix4 i2c_core ext4 jbd2 mbcache virtio_blk sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: speedstep_lib]

Pid: 0, comm: swapper Not tainted 2.6.32-431.el6.x86_64 #1 Red Hat KVM
RIP: 0010:[<ffffffffa02f0818>]  [<ffffffffa02f0818>] enter_netfilter_probe_0+0x48/0x240 [stap_9334f47a88451be60694f41ddf6e20a8_2242]

Environment

  • Red Hat Enterprise Linux 6.5
    • kernel-2.6.32-431.el6.x86_64
  • systemtap earlier than systemtap-2.5-2.el6
    • systemtap script netfilter_drop.stp
  • TCP SYN flood attack
