Most recent kernel where this bug did not occur: 2.6.8 has this problem, I did not try earlier kernels
Distribution: Debian
Hardware Environment: ethernet network card, I've tried i386 and x86_64 archs.
Software Environment:
Problem Description:

The following command from user (even non-root) shell:

user-shell$ ip ro get 224.0.0.1 iif eth0

leads to kernel panic:

Unable to handle kernel NULL pointer dereference at virtual address 00000009
printing eip:
c023c1c3
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: autofs4 nfs lockd nfs_acl sunrpc dm_mod e100 mii e1000 ipv6 genrtc ext2 mbcache ide_disk generic piix ide_core evdev mousedev
CPU:    0
EIP:    0060:[<c023c1c3>]    Not tainted VLI
EFLAGS: 00010286   (2.6.16.4-1ol1 #1)
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
esi: 010000e0   edi: 00000000   ebp: df4ba000   esp: dda01b64
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 1531, threadinfo=dda00000 task=dff47560)
Stack: <0>00000000 de175180 de175180 ffffffed 00000000 c1581e00 c023d5dc de175180
       010000e0 00000000 00000000 df4ba000 dfe593d0 00000000 00000000 00000003
       010000e0 00000000 00000009 00000000 00000c14 c02e95cd df147800 c022b325
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022b325>] rtnetlink_fill_ifinfo+0x3bc/0x50a
 [<c022b37c>] rtnetlink_fill_ifinfo+0x413/0x50a
 [<c022b4b3>] rtnetlink_dump_ifinfo+0x40/0x65
 [<c022ba74>] rtnetlink_rcv_msg+0x1c4/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c02372f3>] netlink_rcv_skb+0x3a/0x8f
 [<c023738a>] netlink_run_queue+0x42/0xc4
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b85e>] rtnetlink_rcv+0x22/0x40
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c0236d0a>] netlink_data_ready+0x17/0x54
 [<c0236145>] netlink_sendskb+0x1f/0x39
 [<c0236b0c>] netlink_sendmsg+0x281/0x292
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c021b38e>] sock_recvmsg+0xf3/0x111
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c0129df6>] autoremove_wake_function+0x0/0x3a
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c0220e81>] verify_iovec+0x49/0x7f
 [<c021c8a7>] sys_sendmsg+0x158/0x1ae
 [<c013a88b>] get_page_from_freelist+0x70/0x88
 [<c013a8e9>] __alloc_pages+0x46/0x263
 [<c01422a4>] do_anonymous_page+0xc5/0x148
 [<c0111b34>] do_page_fault+0x18a/0x4e0
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c021cc25>] sys_socketcall+0x167/0x180
 [<c01119aa>] do_page_fault+0x0/0x4e0
 [<c01026af>] sysenter_past_esp+0x54/0x75
Code: e0 34 c0 ff 40 38 8b 09 85 c9 75 a0 89 f0 25 f0 00 00 00 3d e0 00 00 00 75 66 8b 9d a8 00 00 00 85 db 74 55 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53 e8 bd 71 02 00 83 c4 10 89 c2 85 c0 75
 <0>Kernel panic - not syncing: Fatal exception in interrupt

The backtrace is slightly different for different kernel versions/hardware types. The trace above is for 2.6.16.4.

Steps to reproduce:
run shell command "ip ro get 224.0.0.1 iif eth0"

Bug fix has been integrated into current 2.6.17 tree and submitted for 2.6.16.7
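The first step in triaging an oops like the one above is to cross-check the reported fault address against the instruction marked with `<..>` in the Code: line. The Python below is an added triage helper (not part of this report or of the kernel tree) that parses those oops fields and decodes the marked instruction: `0f b6 40 09` is movzbl 0x9(%eax),%eax with eax = 0, so the faulting load is from offset 9 of a NULL pointer; offset 9 of struct iphdr is the protocol field, which is consistent with a NULL IP header pointer being dereferenced in ip_route_input (an inference from the bytes, not something the report states). The embedded oops text is a trimmed excerpt of the dump quoted above, with the same values.

```python
import re

# Constructed excerpt of the oops quoted in this report (trimmed, same values).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000009
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
esi: 010000e0   edi: 00000000   ebp: df4ba000   esp: dda01b64
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022b325>] rtnetlink_fill_ifinfo+0x3bc/0x50a
Code: 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53 e8 bd 71 02 00
"""

# i386 register encoding used by the ModRM byte (index = rm field).
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_oops(text):
    """Pull the fields a triager needs out of a 2.6-era i386 oops."""
    fault = int(re.search(r"virtual address ([0-9a-f]+)", text).group(1), 16)
    func = re.search(r"EIP is at (\S+)", text).group(1)
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(e[a-d]x|e[sd]i|e[sb]p): ([0-9a-f]{8})", text)}
    trace = re.findall(r"^\s*\[<[0-9a-f]+>\] (\S+)", text, re.M)
    code = re.search(r"^Code: (.*)$", text, re.M).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))  # <..> = faulting insn
    insn = [int(b.strip("<>"), 16) for b in code[start:]]
    return {"fault": fault, "func": func, "regs": regs, "trace": trace, "insn": insn}

def decode_movzx_load(insn, regs):
    """Decode only the form seen here: 0f b6 /r with mod=01, i.e. movzbl disp8(%base),%reg.
    Returns (base, disp8, effective address) or None for anything else."""
    if len(insn) < 4 or insn[:2] != [0x0F, 0xB6]:
        return None
    mod, rm = insn[2] >> 6, insn[2] & 7
    if mod != 1 or rm == 4:            # no SIB handling: [base+disp8] only
        return None
    disp = insn[3] - 0x100 if insn[3] >= 0x80 else insn[3]
    base = REG32[rm]
    return base, disp, (regs[base] + disp) & 0xFFFFFFFF

def triage(text):
    """Return (faulting function, caller, decoded load, fault address matches decode?)."""
    o = parse_oops(text)
    dec = decode_movzx_load(o["insn"], o["regs"])
    return o["func"], o["trace"][0], dec, dec is not None and dec[2] == o["fault"]

if __name__ == "__main__":
    print(triage(OOPS))  # ('ip_route_input+0xca/0x17e', 'inet_rtm_getroute+0xf6/0x236', ('eax', 9, 9), True)
```

A match between the decoded effective address and the reported fault address confirms the oops is a plain NULL-plus-offset read rather than a corrupted pointer, which is what separates this class of bug from memory corruption when prioritising a report.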