Bug 8450 - ip6sic causes bug during interrupt handling
Summary: ip6sic causes bug during interrupt handling
Status: CLOSED CODE_FIX
Alias: None
Product: Networking
Classification: Unclassified
Component: IPV6
Hardware: i386 Linux
: P2 normal
Assignee: Hideaki YOSHIFUJI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-08 02:47 UTC by Eric Sesterhenn
Modified: 2007-07-15 11:13 UTC (History)

See Also:
Kernel Version: 2.6.21-ga989705c and earlier
Tree: Mainline
Regression: ---


Attachments
fixes the bug for me (340 bytes, patch)
2007-05-08 02:50 UTC, Eric Sesterhenn

Description Eric Sesterhenn 2007-05-08 02:47:42 UTC
Most recent kernel where this bug did *NOT* occur: had this since 2.6.20, didn't test earlier versions
Distribution: gentoo
Hardware Environment: p3
Software Environment: gcc 4.1.2
Problem Description:

running ip6sic with the following seed

ip6sic -i lo -d ::1 -p 2000 -r 32321

causes this oops

[   69.293000] Oops: 0000 [#1]
[   69.293000] PREEMPT 
[   69.293000] Modules linked in:
[   69.293000] CPU:    0
[   69.293000] EIP:    0060:[<c0548b76>]    Not tainted VLI
[   69.293000] EFLAGS: 00010282   (2.6.21-ga989705c #7)
[   69.293000] EIP is at ipv6_hop_jumbo+0x26/0x180
[   69.293000] eax: 00000000   ebx: ce61bc08   ecx: 00000001   edx: 00000103
[   69.293000] esi: ce750166   edi: 000000fd   ebp: c0773ed8   esp: c0773ec0
[   69.293000] ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
[   69.293000] Process ip6sic (pid: 4607, ti=c0773000 task=cf332070 task.ti=cf002000)
[   69.293000] Stack: c06c4ccc 000000fb c0773ef8 00000246 c071ae9c 0000002a c0773f08 c054837f
[   69.293000]        ce61bc08 c055a39d c0773f38 c071ae94 ce61bc08 ce75013c 00000306 ce61bc08
[   69.293000]        c0773f38 ce61bc44 c0773f18 c0548ed1 00000000 cf8bdd84 c0773f48 c052807e
[   69.293000] Call Trace:
[   69.293000]  [<c010485a>] show_trace_log_lvl+0x1a/0x30
[   69.293000]  [<c0104919>] show_stack_log_lvl+0xa9/0xd0
[   69.293000]  [<c0104b5b>] show_registers+0x21b/0x3a0
[   69.293000]  [<c0104de3>] die+0x103/0x260
[   69.293000]  [<c01162c2>] do_page_fault+0x2d2/0x610
[   69.293000]  [<c05a5732>] error_code+0x6a/0x70
[   69.293000]  [<c054837f>] ip6_parse_tlv+0xef/0x130
[   69.293000]  [<c0548ed1>] ipv6_parse_hopopts+0x41/0xb0
[   69.293000]  [<c052807e>] ipv6_rcv+0x1be/0x370
[   69.293000]  [<c04b32fb>] netif_receive_skb+0x21b/0x2b0
[   69.293000]  [<c04b52d2>] process_backlog+0x82/0xf0
[   69.293000]  [<c04b558b>] net_rx_action+0xab/0x1c0
[   69.293000]  [<c0120cd2>] __do_softirq+0x72/0xe0
[   69.293000]  [<c010627a>] do_softirq+0x8a/0xf0
[   69.293000]  [<c0120fd5>] local_bh_enable+0xa5/0x160
[   69.293000]  [<c04b5738>] dev_queue_xmit+0x98/0x330
[   69.293000]  [<c055a678>] packet_sendmsg+0x208/0x260
[   69.293000]  [<c04a8594>] sock_sendmsg+0xc4/0xf0
[   69.293000]  [<c04a889f>] sys_sendto+0xbf/0xe0
[   69.293000]  [<c04a97c7>] sys_socketcall+0x187/0x260
[   69.293000]  [<c0104132>] sysenter_past_esp+0x5f/0x99
[   69.293000]  =======================
[   69.293000] Code: 90 8d 74 26 00 55 89 e5 56 53 83 ec 10 8b 18 8b 4b 78 8d 34 11 80 7e 01 04 74 3b a1 10 3c 72 c0 85 c0 0f 85 7d 00 00 00 8b 43 1c <8b> 80 8c 00 00 00 85 c0 74 09 8b 80 38 01 00 00 ff 40 08 a1 e4
[   69.293000] EIP: [<c0548b76>] ipv6_hop_jumbo+0x26/0x180 SS:ESP 0068:c0773ec0
[   69.305000] Kernel panic - not syncing: Fatal exception in interrupt



Steps to reproduce:
Comment 1 Eric Sesterhenn 2007-05-08 02:50:09 UTC
Created attachment 11433 [details]
fixes the bug for me

In exthdrs.c:ipv6_hop_jumbo() we have several places where we call:
IP6_INC_STATS_BH(ip6_dst_idev(skb->dst), IPSTATS_MIB_INHDRERRORS);
The problem is that skb->dst is NULL and we dereference it in ip6_dst_idev(). The attached patch makes ip6_dst_idev() handle a NULL argument and return NULL, which IP6_INC_STATS_BH() has no problem with.
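Added illustration of the failure mode and the shape of the fix described in this comment. This is not the attached patch and not kernel code: the structs are trimmed-down stand-ins with assumed field names, the global fallback counter models the "no problem with NULL" behaviour the comment attributes to IP6_INC_STATS_BH(), and ip6_dst_idev_unchecked / ip6_dst_idev_checked / reject_hop_jumbo are hypothetical names for the unchecked accessor, the NULL-tolerant accessor, and the error path of a hop-by-hop option handler run on a packet that has not been routed yet (skb->dst == NULL), which is the state the oops shows inside softirq context.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, trimmed-down stand-ins for the kernel structures involved
 * (assumed shapes for illustration, not the kernel's real definitions). */
struct inet6_dev {
    unsigned long in_hdr_errors;   /* per-device IPSTATS_MIB_INHDRERRORS */
};

struct dst_entry {
    struct inet6_dev *idev;        /* device the route points at */
};

struct sk_buff {
    struct dst_entry *dst;         /* NULL until the packet has been routed */
};

/* Global fallback counter used when no device-specific counter exists.
 * Assumption modelled on the NULL-tolerant behaviour the report attributes
 * to IP6_INC_STATS_BH(). */
static unsigned long ipv6_in_hdr_errors_global;

/* Accessor as the report describes it before the fix: dereferences dst
 * unconditionally, so a NULL dst faults. Kept only for comparison; never
 * call it on an unrouted skb. */
static struct inet6_dev *ip6_dst_idev_unchecked(struct dst_entry *dst)
{
    return dst->idev;
}

/* NULL-tolerant accessor: the shape of the fix the reporter describes,
 * returning NULL when there is no dst to look into. */
static struct inet6_dev *ip6_dst_idev_checked(struct dst_entry *dst)
{
    return dst ? dst->idev : NULL;
}

/* Increment the header-error counter; a NULL idev falls back to the global
 * counter instead of being dereferenced. Returns the counter's new value. */
static unsigned long ip6_inc_in_hdr_errors(struct inet6_dev *idev)
{
    if (idev)
        return ++idev->in_hdr_errors;
    return ++ipv6_in_hdr_errors_global;
}

/* Error path of a hop-by-hop option handler: account the bad header and
 * return 0 to signal that the packet must be dropped. With the checked
 * accessor this is safe whether or not skb->dst has been set. */
static int reject_hop_jumbo(struct sk_buff *skb)
{
    ip6_inc_in_hdr_errors(ip6_dst_idev_checked(skb->dst));
    return 0;
}

int main(void)
{
    struct inet6_dev dev = { 0 };
    struct dst_entry route = { &dev };
    struct sk_buff routed = { &route };
    struct sk_buff unrouted = { NULL };   /* the state seen in the oops */

    /* Both accessors agree once a route is attached... */
    printf("routed idev match: %d\n",
           ip6_dst_idev_unchecked(routed.dst) == ip6_dst_idev_checked(routed.dst));

    /* ...but only the checked one survives an unrouted skb. */
    reject_hop_jumbo(&unrouted);
    reject_hop_jumbo(&routed);
    printf("global errors: %lu, device errors: %lu\n",
           ipv6_in_hdr_errors_global, dev.in_hdr_errors);
    return 0;
}
```

The point of the split accessor is that the error statistics path runs before routing has attached a dst, so the accessor, not its callers, is the right place to absorb the NULL; the counter then lands on the global fallback rather than faulting in interrupt context.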
Comment 2 Hideaki YOSHIFUJI 2007-05-09 01:50:23 UTC
The patch I sent to netdev did not fix this issue, actually...
Comment 3 Natalie Protasevich 2007-07-07 15:56:11 UTC
Any updates on this problem? Thanks.
Comment 4 Natalie Protasevich 2007-07-12 18:04:50 UTC
Commit e76b2b2567b83448c2ee85a896433b96150c92e6 addresses the bug, can be closed.
Comment 5 Natalie Protasevich 2007-07-12 18:05:46 UTC
(Sorry, it was a question :)
Comment 6 Eric Sesterhenn 2007-07-15 11:13:52 UTC
I am not sure if it is my duty to close it, but since this fixes the bug for me, I'll just do it. Thanks.
