Bug 15847

Summary: crash in inet6_csk_bind_conflict
Product: Networking
Reporter: Michael S. Tsirkin (m.s.tsirkin)
Component: IPV6
Assignee: Hideaki YOSHIFUJI (yoshfuji)
Severity: normal
CC: maciej.rutecki, rjw, stefan.bosak
Priority: P1
Hardware: All
OS: Linux
Kernel Version: v2.6.34-rc5-204-gddc9b34
Subsystem:
Regression: Yes
Bisected commit-id:
Bug Depends on:
Bug Blocks: 15310

Description Michael S. Tsirkin 2010-04-25 14:29:02 UTC
With rhel6 beta userspace and the v2.6.34-rc5-204-gddc9b34 kernel, my system crashes during boot.
The crash seems to be around net/ipv6/inet6_connection_sock.c:50.

Kernel v2.6.34-rc5 boots fine. After reverting fda48a0d7a8412cedacda46a9c0bf8ef9cd13559,
the crash goes away.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
IP: [<ffffffffa02b99aa>] inet6_csk_bind_conflict+0x6a/0x110 [ipv6]
PGD 0 
[  OK  ]
Oops: 0000 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/net/eth0/ifindex
CPU 9 
Modules linked in: ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 dm_mirror dm_region_hash dm_log igb i2c_i801 sg iTCO_wdt iTCO_vendor_support shpchp ioatdma dca pcspkr sr_mod cdrom ext4 mbcache jbd2 sd_mod ata_generic crc_t10dif pata_acpi ahci pata_jmicron radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mod [last unloaded: scsi_wait_scan]

Pid: 1640, comm: master Not tainted 2.6.34-rc5-mst #1 X8DTN/X8DTN
RIP: 0010:[<ffffffffa02b99aa>]  [<ffffffffa02b99aa>] inet6_csk_bind_conflict+0x6a/0x110 [ipv6]
RSP: 0018:ffff8803357a7d98  EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff880335709440 RCX: 0000000000000000
RDX: 0000000000020011 RSI: ffff880335709440 RDI: ffff880334c61e78
RBP: ffff8803357a7db8 R08: 0000000000000019 R09: 0000000000000019
R10: 00000000000000d4 R11: 0000000000000400 R12: ffff880335709468
R13: ffff880334c61800 R14: ffff880335489500 R15: ffffffff8225d700
FS:  00007feacd26f7c0(0000) GS:ffff8801c5700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000004 CR3: 00000003341ef000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process master (pid: 1640, threadinfo ffff8803357a6000, task ffff880334225540)
 0000000000000000 ffffffff8225b500 ffffc9001251ced0 ffff880334c61800
<0> ffff8803357a7e48 ffffffff81418fa8 ffff880300000019 ffffffff8149ceb6
<0> 0000000536306140 0000000000000246 ffff8803357a7e08 0000000000000246
Call Trace:
 [<ffffffff81418fa8>] inet_csk_get_port+0x238/0x450
 [<ffffffff8149ceb6>] ? _raw_spin_lock_bh+0x16/0x40
 [<ffffffff8149ce15>] ? _raw_read_unlock_bh+0x15/0x20
 [<ffffffffa0290226>] ? ipv6_chk_addr+0xe6/0x100 [ipv6]
Comment 1 Rafael J. Wysocki 2010-04-27 21:31:40 UTC
Reportedly caused by:

commit fda48a0d7a8412cedacda46a9c0bf8ef9cd13559
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Wed Apr 21 09:26:15 2010 +0000

    tcp: bind() fix when many ports are bound

    Reported-by: Gaspar Chilingarov <gasparch@gmail.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>

First-Bad-Commit: fda48a0d7a8412cedacda46a9c0bf8ef9cd13559
Comment 2 Rafael J. Wysocki 2010-04-27 21:31:54 UTC
*** Bug 15848 has been marked as a duplicate of this bug. ***
Comment 3 Rafael J. Wysocki 2010-04-27 21:33:11 UTC
Fixed by commit 6443bb1fc2050ca2b6585a3fa77f7833b55329ed.