Distribution: Ubuntu Edgy Eft
Hardware Environment: i686/Pentium M
Software Environment: Kernel 2.6.17-11-386

Problem Description:
There is a NULL pointer dereference in the function do_ipv6_setsockopt in net/ipv6/ipv6_sockglue.c. At line 417, opt can be NULL and is dereferenced:

    opt = ipv6_renew_options(sk, np->opt, optname,        // opt = NULL
                             (struct ipv6_opt_hdr __user *)optval, optlen);
    if (IS_ERR(opt)) {
        retv = PTR_ERR(opt);
        break;
    }

    /* routing header option needs extra check */
    if (optname == IPV6_RTHDR && opt->srcrt) {            // Oops

These few lines reproduce the bug:

    #include <netinet/in.h>
    #include <sys/socket.h>

    int main(int argc, char **argv)
    {
        int s, optval;

        /* Any IPv6 socket will do; the option is handled in do_ipv6_setsockopt(). */
        s = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
        /* optlen == 0 makes ipv6_renew_options() return NULL, which the
         * IPV6_RTHDR check then dereferences. */
        setsockopt(s, SOL_IPV6, IPV6_RTHDR, &optval, 0);
        return 0;
    }

Kernel Oops here:

    Mar 8 23:57:17 localhost kernel: BUG: unable to handle kernel NULL pointer dereference at virtual address 00000010
    Mar 8 23:57:17 localhost kernel: printing eip:
    Mar 8 23:57:17 localhost kernel: f8ebb270
    Mar 8 23:57:17 localhost kernel: *pde = 00000000
    Mar 8 23:57:17 localhost kernel: Oops: 0000 [#1]
    Mar 8 23:57:17 localhost kernel: Modules linked in: binfmt_misc rfcomm hidp l2cap bluetooth fglrx speedstep_centrino cpufreq_userspace cpufreq_stats freq_table cpufreq_powersave cpufreq_ondemand cpufreq_conservative video tc1100_wmi sbs sony_acpi pcc_acpi i2c_ec i2c_core hotkey dev_acpi button battery container ac asus_acpi dm_mod md_mod sr_mod sbp2 scsi_mod ipv6 parport_pc lp parport 8139cp joydev tsdev usbhid pcmcia tifm_7xx1 tifm_core sdhci mmc_core 8139too mii snd_intel8x0 snd_ac97_codec snd_ac97_bus ipw2200 snd_pcm_oss snd_mixer_oss yenta_socket rsrc_nonstatic pcmcia_core snd_pcm ieee80211 ieee80211_crypt psmouse serio_raw evdev snd_timer shpchp pci_hotplug intel_agp agpgart snd soundcore snd_page_alloc rtc ext3 jbd ohci1394 ieee1394 ehci_hcd uhci_hcd usbcore ide_generic ide_cd cdrom ide_disk piix generic thermal processor fan capability commoncap vesafb fbcon tileblit font bitblit softcursor
    Mar 8 23:57:17 localhost kernel: CPU: 0
    Mar 8 23:57:17 localhost kernel: EIP: 0060:[<f8ebb270>] Tainted: P VLI
    Mar 8 23:57:17 localhost kernel: EFLAGS: 00010246 (2.6.17-11-386 #2)
    Mar 8 23:57:17 localhost kernel: EIP is at ipv6_setsockopt+0xa90/0xc40 [ipv6]
    Mar 8 23:57:17 localhost kernel: eax: 00000000 ebx: f0cfca40 ecx: 00000039 edx: 00000000
    Mar 8 23:57:17 localhost kernel: esi: 00000000 edi: 00000000 ebp: 00000039 esp: f25a9da8
    Mar 8 23:57:17 localhost kernel: ds: 007b es: 007b ss: 0068
    Mar 8 23:57:17 localhost kernel: Process null_deref (pid: 5076, threadinfo=f25a8000 task=f24a7580)
    Mar 8 23:57:17 localhost kernel: Stack: 00000000 00000000 c199ce00 f8c9a4ff 00000001 00000000 f0cfce58 ee42e9c0
    Mar 8 23:57:17 localhost kernel: c18e1e7c c0179c74 3b9aca00 c199ce00 c18e1de0 ee42e9c0 c18e1e7c 00000000
    Mar 8 23:57:17 localhost kernel: c199ce00 00000000 ee42e9c0 c18e1e7c 00000000 c013c78b 00001000 c0359330
    Mar 8 23:57:17 localhost kernel: Call Trace:
    Mar 8 23:57:17 localhost kernel: <c0179c74> __mark_inode_dirty+0x34/0x170 <c013c78b> do_generic_mapping_read+0x42b/0x540
    Mar 8 23:57:17 localhost kernel: <c0154f74> cache_alloc_refill+0x314/0x4d0 <c01cc98c> vsnprintf+0x55c/0x640
    Mar 8 23:57:17 localhost kernel: <c016f0b7> d_alloc+0x27/0x190 <c016f059> d_instantiate+0x49/0x80
    Mar 8 23:57:17 localhost kernel: <f8eba7e0> ipv6_setsockopt+0x0/0xc40 [ipv6] <c0289966> tcp_setsockopt+0x36/0x370
    Mar 8 23:57:17 localhost kernel: <c0259e83> sock_common_setsockopt+0x23/0x30 <c02587d5> sys_setsockopt+0x75/0xd0
    Mar 8 23:57:17 localhost kernel: <c0259a19> sys_socketcall+0x209/0x280 <c02c7a00> do_page_fault+0x0/0x6e0
    Mar 8 23:57:17 localhost kernel: <c0102dbb> sysenter_past_esp+0x54/0x79
    Mar 8 23:57:17 localhost kernel: Code: 00 00 d0 54 2a c0 ff 0d 80 88 ee f8 83 3d 80 87 ee f8 02 0f 85 34 fc ff ff a1 08 89 ee f8 31 ff e8 56 ab 25 c7 e9 d5 f6 ff ff 90 <8b> 50 10 85 d2 0f 84 3e f9 ff ff 80 7a 02 00 90 75 13 0f b6 42
    Mar 8 23:57:17 localhost kernel: EIP: [<f8ebb270>] ipv6_setsockopt+0xa90/0xc40 [ipv6] SS:ESP 0068:f25a9da8
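The root cause is that IS_ERR() only recognises encoded error pointers, so a plain NULL returned by ipv6_renew_options() for an optlen of 0 on a socket with no options passes the IS_ERR() test and reaches the opt->srcrt dereference. The following user-space model is added here to show that mechanism; it is not kernel code and not the accepted patch, and the NULL guard in rthdr_check_fixed() is an assumed fix, not the patch's text.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model of the kernel's ERR_PTR/IS_ERR convention (constructed for
 * this example): error codes live in the top MAX_ERRNO addresses, so NULL is
 * not an error pointer and slips straight past IS_ERR(). */
#define MAX_ERRNO 4095
static inline void *err_ptr(long err) { return (void *)err; }
static inline long ptr_err(const void *p) { return (long)p; }
static inline int is_err(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

struct ipv6_txoptions { void *srcrt; };   /* minimal stand-in for the kernel struct */

/* Model of ipv6_renew_options(): a misaligned length yields an error pointer;
 * optlen == 0 on a socket with no existing options yields NULL, a legitimate
 * "no options" result and exactly the case the report's setsockopt() hits. */
static struct ipv6_txoptions *
renew_options(struct ipv6_txoptions *old, size_t optlen, struct ipv6_txoptions *buf)
{
	if (optlen & 0x7)
		return err_ptr(-EINVAL);
	if (optlen == 0)
		return old;            /* NULL when the socket had no options */
	buf->srcrt = NULL;
	return buf;
}

/* The check as quoted in the report: dereferences opt unconditionally. */
static int rthdr_check_vulnerable(struct ipv6_txoptions *opt)
{
	return opt->srcrt != NULL;
}

/* Guarded check (an assumed fix, not the accepted patch's text): NULL first. */
static int rthdr_check_fixed(struct ipv6_txoptions *opt)
{
	return opt != NULL && opt->srcrt != NULL;
}

/* Model of the IPV6_RTHDR path of do_ipv6_setsockopt(); returns 0 or -errno. */
static int model_setsockopt_rthdr(struct ipv6_txoptions *old, size_t optlen)
{
	struct ipv6_txoptions buf;
	struct ipv6_txoptions *opt = renew_options(old, optlen, &buf);
	if (is_err(opt))
		return (int)ptr_err(opt);   /* catches ERR_PTR() values only */
	if (rthdr_check_fixed(opt))
		return -EINVAL;             /* stands in for the routing header validation */
	return 0;
}
```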
A patch for this was accepted by davem, and is scheduled to go into the next -stable kernel as well.