On Sun, 2010-06-13 at 23:15 +0200, Bastian Blank wrote: > On Sun, Jun 13, 2010 at 08:45:19PM +0200, Peter Palfrader wrote: > > | Set name-type for VLAN subsystem.[ 30.676029] Virtual device eth0.221 > > asks to queue packet! > > | Should be visib[ 30.802271] BUG: unable to handle kernel le in > > /proc/net/paging requestvlan/config > > | Add at 00000000815eab98 > > | ed VLAN with VID[ 30.806244] IP: == 221 to IF -: [<ffffffff812b7581>] > > ip6_output2+0x2c/0x28b > > | eth0:- > > | [ 30.806244] PGD 0 > > | [ 30.806244] Thread overran stack, or stack corrupted > > Okay, this is already bad. > > > | [ 30.806244] Oops: 0000 [#1] SMP > > | [ 30.806244] last sysfs file: /sys/devices/virtual/net/eth0.221/dev_id > > | [ 30.806244] CPU 0 > > | [ 30.806244] Modules linked in: 8021q garp stp uhci_hcd shpchp tpm_tis > > tpm tpm_bios snd_pcsp psmouse snd_pcm snd_timer serio_raw snd soundcore > > snd_page_alloc amd64_edac_mod edac_core edac_mce_amd k8temp evdev processor > > i2c_piix4 i2c_core button pci_hotplug usbhid hid ext3 jbd mbcache sg sr_mod > > cdrom sd_mod crc_t10dif pata_serverworks ehci_hcd ohci_hcd ata_generic > > aacraid libata tg3 usbcore nls_base libphy scsi_mod thermal fan thermal_sys > > [last unloaded: scsi_wait_scan] > > | [ 30.806244] Pid: 0, comm: swapper Not tainted 2.6.32-bpo.5-amd64 #1 > > IBM eServer 326m -[796966U]- > > | [ 32.307829] tg3: eth0: Link is up at 1000 Mbps, full duplex. > > | [ 32.307833] tg3: eth0: Flow control is on for TX and on for RX. 
> > | [ 32.309540] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready > > | [ 30.806244] RIP: 0010:[<ffffffff812b7581>] [<ffffffff812b7581>] > > ip6_output2+0x2c/0x28b > > Code: > | 0xffffffff812b7555 <+0>: push %r13 > | 0xffffffff812b7557 <+2>: push %r12 > | 0xffffffff812b7559 <+4>: push %rbp > | 0xffffffff812b755a <+5>: mov %rdi,%rbp > | 0xffffffff812b755d <+8>: push %rbx > | 0xffffffff812b755e <+9>: sub $0x8,%rsp > | 0xffffffff812b7562 <+13>: mov 0x28(%rdi),%rax > | 0xffffffff812b7566 <+17>: mov 0xc0(%rdi),%ecx > | 0xffffffff812b756c <+23>: add 0xd0(%rdi),%rcx > | > | 0xffffffff812b7577 <+34>: movw $0xdd86,0x7e(%rdi) > | 0xffffffff812b757d <+40>: mov %r13,0x20(%rdi) > | 0xffffffff812b7581 <+44>: cmpb $0xff,0x18(%rcx) > > %rdi is the skb argument, %rcx seems to be not initialized (but as this > function is static, the compiler can use that knowledge).
It is initialised; a destination of %ecx really means %rcx with zero-extension.

Matching this up with the source:

    struct dst_entry *dst = skb_dst(skb);
0xffffffff812b7562 <+13>: mov 0x28(%rdi),%rax
    struct net_device *dev = dst->dev;
0xffffffff812b7573 <+30>: mov 0x18(%rax),%r13
    skb->protocol = htons(ETH_P_IPV6);
0xffffffff812b7577 <+34>: movw $0xdd86,0x7e(%rdi)
    skb->dev = dev;
0xffffffff812b757d <+40>: mov %r13,0x20(%rdi)
    if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
[ipv6_hdr(skb) defined as (struct ipv6hdr *)(skb->head + skb->network_header)]
[ipv6_addr_is_multicast(addr) defined as (addr->s6_addr32[0] & htonl(0xFF000000)) == htonl(0xFF000000)]
0xffffffff812b7566 <+17>: mov 0xc0(%rdi),%ecx
0xffffffff812b756c <+23>: add 0xd0(%rdi),%rcx
0xffffffff812b7581 <+44>: cmpb $0xff,0x18(%rcx)

So skb->head (or possibly skb->network_header) was invalid here.

Looking at the other oops:

    __be16 type = hh->hh_type;
ffe7: 8b 56 40 mov 0x40(%rsi),%edx
    struct ethhdr *eth;
    const struct net_device *dev = neigh->dev;
ffed: 4c 8b 47 18 mov 0x18(%rdi),%r8
    eth = (struct ethhdr *) (((u8 *) hh->hh_data) + (HH_DATA_OFF(sizeof(*eth))));
fff8: 48 8d 4e 5a lea 0x5a(%rsi),%rcx
    if (type == htons(ETH_P_802_3))
        return -1;
ffea: 83 c8 ff or $0xffffffffffffffff,%eax
fff1: 66 81 fa 00 01 cmp $0x100,%dx
fff6: 74 31 je 0x10029
    eth->h_proto = type;
fffc: 66 89 51 0c mov %dx,0xc(%rcx)
    memcpy(eth->h_source, dev->dev_addr, ETH_ALEN);
10000: 49 8b 90 20 02 00 00 mov 0x220(%r8),%rdx
10007: 8b 02 mov (%rdx),%eax
10009: 89 46 60 mov %eax,0x60(%rsi)
1000c: 66 8b 42 04 mov 0x4(%rdx),%ax
10010: 66 89 46 64 mov %ax,0x64(%rsi)

So neigh->dev was NULL here.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.