Most recent kernel where this bug did *NOT* occur: had this since 2.6.20, didn't test earlier versions
Distribution: gentoo
Hardware Environment: p3
Software Environment: gcc 4.1.2
Problem Description:
running ip6sic with the following seed

ip6sic -i lo -d ::1 -p 2000 -r 32321

causes this oops

[ 69.293000] Oops: 0000 [#1]
[ 69.293000] PREEMPT
[ 69.293000] Modules linked in:
[ 69.293000] CPU: 0
[ 69.293000] EIP: 0060:[<c0548b76>] Not tainted VLI
[ 69.293000] EFLAGS: 00010282 (2.6.21-ga989705c #7)
[ 69.293000] EIP is at ipv6_hop_jumbo+0x26/0x180
[ 69.293000] eax: 00000000 ebx: ce61bc08 ecx: 00000001 edx: 00000103
[ 69.293000] esi: ce750166 edi: 000000fd ebp: c0773ed8 esp: c0773ec0
[ 69.293000] ds: 007b es: 007b fs: 0000 gs: 0033 ss: 0068
[ 69.293000] Process ip6sic (pid: 4607, ti=c0773000 task=cf332070 task.ti=cf002000)
[ 69.293000] Stack: c06c4ccc 000000fb c0773ef8 00000246 c071ae9c 0000002a c0773f08 c054837f
[ 69.293000] ce61bc08 c055a39d c0773f38 c071ae94 ce61bc08 ce75013c 00000306 ce61bc08
[ 69.293000] c0773f38 ce61bc44 c0773f18 c0548ed1 00000000 cf8bdd84 c0773f48 c052807e
[ 69.293000] Call Trace:
[ 69.293000] [<c010485a>] show_trace_log_lvl+0x1a/0x30
[ 69.293000] [<c0104919>] show_stack_log_lvl+0xa9/0xd0
[ 69.293000] [<c0104b5b>] show_registers+0x21b/0x3a0
[ 69.293000] [<c0104de3>] die+0x103/0x260
[ 69.293000] [<c01162c2>] do_page_fault+0x2d2/0x610
[ 69.293000] [<c05a5732>] error_code+0x6a/0x70
[ 69.293000] [<c054837f>] ip6_parse_tlv+0xef/0x130
[ 69.293000] [<c0548ed1>] ipv6_parse_hopopts+0x41/0xb0
[ 69.293000] [<c052807e>] ipv6_rcv+0x1be/0x370
[ 69.293000] [<c04b32fb>] netif_receive_skb+0x21b/0x2b0
[ 69.293000] [<c04b52d2>] process_backlog+0x82/0xf0
[ 69.293000] [<c04b558b>] net_rx_action+0xab/0x1c0
[ 69.293000] [<c0120cd2>] __do_softirq+0x72/0xe0
[ 69.293000] [<c010627a>] do_softirq+0x8a/0xf0
[ 69.293000] [<c0120fd5>] local_bh_enable+0xa5/0x160
[ 69.293000] [<c04b5738>] dev_queue_xmit+0x98/0x330
[ 69.293000] [<c055a678>] packet_sendmsg+0x208/0x260
[ 69.293000] [<c04a8594>] sock_sendmsg+0xc4/0xf0
[ 69.293000] [<c04a889f>] sys_sendto+0xbf/0xe0
[ 69.293000] [<c04a97c7>] sys_socketcall+0x187/0x260
[ 69.293000] [<c0104132>] sysenter_past_esp+0x5f/0x99
[ 69.293000] =======================
[ 69.293000] Code: 90 8d 74 26 00 55 89 e5 56 53 83 ec 10 8b 18 8b 4b 78 8d 34 11 80 7e 01 04 74 3b a1 10 3c 72 c0 85 c0 0f 85 7d 00 00 00 8b 43 1c <8b> 80 8c 00 00 00 85 c0 74 09 8b 80 38 01 00 00 ff 40 08 a1 e4
[ 69.293000] EIP: [<c0548b76>] ipv6_hop_jumbo+0x26/0x180 SS:ESP 0068:c0773ec0
[ 69.305000] Kernel panic - not syncing: Fatal exception in interrupt

Steps to reproduce:
Created attachment 11433
fixes the bug for me

In exthdrs.c:ipv6_hop_jumbo() we have several places where we call:

IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);

The problem is that skb->dst is NULL and we dereference it in ip6_dst_idev(). The attached patch makes ip6_dst_idev() handle a NULL argument and return NULL, which IP6_INC_STATS_BH() has no problem with.
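The comment above describes a NULL dst being dereferenced on the header-error path. The following is an added, self-contained model of that pattern, written for this page; it is not the attached patch, not the upstream commit, and not kernel code. The struct layouts, the function names ip6_dst_idev_unchecked / ip6_dst_idev_checked / ip6_inc_inhdrerrors / hop_jumbo_error_path and the in_hdr_errors counter are all constructed stand-ins for the kernel's ip6_dst_idev(), IP6_INC_STATS_BH() and IPSTATS_MIB_INHDRERRORS. It shows the dereference that faults when a locally generated packet has no dst yet, beside the NULL-tolerant form the comment proposes, in which a NULL device simply means "nothing to count against".

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: field names echo the report, but this is not kernel code. */
struct inet6_dev {
    unsigned long in_hdr_errors;   /* stands in for IPSTATS_MIB_INHDRERRORS */
};

struct dst_entry {
    struct inet6_dev *idev;
};

struct sk_buff {
    struct dst_entry *dst;
};

/* "Before" shape: dst is dereferenced unconditionally, so a packet whose
 * skb->dst is still NULL faults here. Only ever call this with a non-NULL dst. */
static struct inet6_dev *ip6_dst_idev_unchecked(struct dst_entry *dst)
{
    return dst->idev;
}

/* "After" shape, as the comment describes it: a NULL dst yields a NULL idev. */
static struct inet6_dev *ip6_dst_idev_checked(struct dst_entry *dst)
{
    return dst ? dst->idev : NULL;
}

/* Stand-in for IP6_INC_STATS_BH(idev, IPSTATS_MIB_INHDRERRORS): a NULL idev
 * means there is no per-device counter, so the increment is skipped. */
static void ip6_inc_inhdrerrors(struct inet6_dev *idev)
{
    if (idev)
        idev->in_hdr_errors++;
}

/* Model of the error path in the jumbo-option handler: count the malformed
 * header against the device and signal "drop" (0), without touching dst
 * directly. */
static int hop_jumbo_error_path(struct sk_buff *skb)
{
    ip6_inc_inhdrerrors(ip6_dst_idev_checked(skb->dst));
    return 0;
}

/* Builds a packet with or without a dst, runs the error path once, and
 * returns the resulting counter, or -1 when there was no device to count on. */
static long error_path_counter(int has_dst)
{
    struct inet6_dev dev = { 0 };
    struct dst_entry dst = { &dev };
    struct sk_buff skb = { has_dst ? &dst : NULL };

    hop_jumbo_error_path(&skb);
    return has_dst ? (long)dev.in_hdr_errors : -1;
}

int main(void)
{
    struct inet6_dev dev = { 0 };
    struct dst_entry dst = { &dev };

    /* With a routed packet both helpers agree on the device. */
    printf("same idev: %d\n", ip6_dst_idev_unchecked(&dst) == ip6_dst_idev_checked(&dst));
    printf("routed packet, errors counted: %ld\n", error_path_counter(1));
    /* An unrouted packet (dst == NULL) no longer faults; nothing is counted. */
    printf("unrouted packet, counter: %ld\n", error_path_counter(0));
    return 0;
}
```

The point of the checked helper is that the caller's error path stays a single expression: the NULL case is absorbed where the pointer is produced, rather than guarded at every IP6_INC_STATS_BH() call site in the parser.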
the patch I sent to netdev did not fix this issue, actually...
Any updates on this problem? Thanks.
Commit e76b2b2567b83448c2ee85a896433b96150c92e6 addresses the bug, can be closed.
(Sorry, it was a question :)
I am not sure if it is my duty to close it, but since this fixes the bug for me, I'll just do it. Thanks.