Bug 33842 - NULL pointer dereference in ip_fragment
Summary: NULL pointer dereference in ip_fragment
Status: CLOSED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: Arnaldo Carvalho de Melo
URL:
Keywords:
Depends on:
Blocks: 32012
Reported: 2011-04-23 07:51 UTC by Tomas Carnecky
Modified: 2011-06-13 17:21 UTC

See Also:
Kernel Version: 2.6.39-rc4
Tree: Mainline
Regression: Yes


Attachments
Photo of the stacktrace (1) (389.11 KB, image/jpeg)
2011-04-25 22:49 UTC, Tomas Carnecky
Photo of the stacktrace (2) (357.67 KB, image/jpeg)
2011-04-25 22:50 UTC, Tomas Carnecky

Description Tomas Carnecky 2011-04-23 07:51:53 UTC
The host is using the ath9k driver. eth0+wlan0 are bridged. Shortly after I start using the wireless network with my macbook, the bug triggers. No idea if it's wireless related, because there's also a rtl8169_rx_interrupt entry in the stacktrace.

This is a transcript, since I don't (have/know of) any way to get the backtrace out of a crashed box.

IP: ip_fragment+0x52/0x840
Call Trace:
  <IRQ>
  br_parse_ip_options
  br_flood_deliver
  br_parse_ip_options
  br_nf_dev_queue_xmit
  br_nf_post_routing
  nf_iterate

then also:
  lots of br_flood_deliver
  lots of br_*_finish
  one ? rtl8169_interrupt
  one ? ath9k_ioread32
Comment 1 Andrew Morton 2011-04-25 20:43:51 UTC
Can you take a digital photograph of the screen and attach that to the report?
Comment 2 Tomas Carnecky 2011-04-25 22:47:53 UTC
I provoked the panic twice, so there are two photos. Each time the panic happened, I saw two stack traces fly by. My screen isn't tall enough to capture both, but at the very top of the second photo you see the last couple of lines of the first stack trace.

ip_fragment+0x52 is line 160 of include/net/dst.h
Comment 3 Tomas Carnecky 2011-04-25 22:49:29 UTC
Created attachment 55502 [details]
Photo of the stacktrace (1)
Comment 4 Tomas Carnecky 2011-04-25 22:50:55 UTC
Created attachment 55512 [details]
Photo of the stacktrace (2)
Comment 5 Andrew Morton 2011-04-25 22:57:57 UTC
There's no mention of the kernel version in this report?
Comment 6 Tomas Carnecky 2011-04-26 04:11:18 UTC
2.6.39-rc4-0025-g5dd12af
Comment 7 Andrew Morton 2011-04-26 04:25:12 UTC
(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface).

On Sat, 23 Apr 2011 07:51:56 GMT bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=33842
> 
>            Summary: NULL pointer dereference in ip_fragment

oops in ip_defragment(). Kernel is 2.6.39-rc4. There are some screenshots attached to the report.


>            Product: Networking
>            Version: 2.5
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Other
>         AssignedTo: acme@ghostprotocols.net
>         ReportedBy: tom@dbservice.com
>         Regression: No
> 
> 
> The host is using the ath9k driver. eth0+wlan0 are bridged. Shortly after I start using the wireless network with my macbook, the bug triggers. No idea if it's wireless related, because there's also a rtl8169_rx_interrupt entry in the stacktrace.
> 
> This is a transcript, since I don't (have/know of) any way to get the backtrace out of a crashed box.
> 
> IP: ip_fragment+0x52/0x840
> Call Trace:
>   <IRQ>
>   br_parse_ip_options
>   br_flood_deliver
>   br_parse_ip_options
>   br_nf_dev_queue_xmit
>   br_nf_post_routing
>   nf_iterate
> 
> then also:
>   lots of br_flood_deliver
>   lots of br_*_finish
>   one ? rtl8169_interrupt
>   one ? ath9k_ioread32
>
Comment 8 Rafael J. Wysocki 2011-06-13 17:20:21 UTC
On Sunday, June 12, 2011, Eric Dumazet wrote:
> Le dimanche 12 juin 2011 à 23:12 +0200, Rafael J. Wysocki a écrit :
> > This message has been generated automatically as a part of a report
> > of regressions introduced between 2.6.38 and 2.6.39.
> > 
> > The following bug entry is on the current list of known regressions
> > introduced between 2.6.38 and 2.6.39.  Please verify if it still should
> > be listed and let the tracking team know (either way).
> > 
> > 
> > Bug-Entry   : http://bugzilla.kernel.org/show_bug.cgi?id=33842
> > Subject             : NULL pointer dereference in ip_fragment
> > Submitter   : Tomas Carnecky <tom@dbservice.com>
> > Date                : 2011-04-23 07:51 (51 days old)
> > 
> > 
> 
> This is probably fixed in current linux-2.6 tree, and 2.6.39.1 as well
> 
> 
> If not, maybe commit 64f3b9e203b (ip_expire() must revalidate route)
> needs to be included in 2.6.39.X
> 
> (I believe Greg took it for 2.6.38, but can't find it in 2.6.39 ?)
