2.6.18-rc3-mm2 - BUG in rt6_lookup() from ipv6_del_addr()
On Sun, 06 Aug 2006 03:08:09 PDT, Andrew Morton said: ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.18-rc3/2.6.18-rc3-mm2/ After applying the patch that Patrick McHardy pointed me at, it lived longer. However, I'm now seeing problems at system shutdown (or anytime you try to 'ifdown ethX' where ethX has an IPv6 address attached to it): [ 196.346000] BUG: unable to handle kernel NULL pointer dereference at virtual address 0014 [ 196.347000] printing eip: [ 196.348000] c032c436 [ 196.348000] *pde = [ 196.349000] Oops: [#1] [ 196.349000] 4K_STACKS PREEMPT [ 196.349000] last sysfs file: /class/net/eth1/address [ 196.349000] Modules linked in: thermal sony_acpi processor fan button battery ac nfnetlink i8k floppy nvram orinoco_cs orinoco hermes pcmcia firmware_class ohci1394 ieee1394 intel_agp agpgart iTCO_wdt yenta_socket rsrc_nonstatic pcmcia_core rtc [ 196.349000] CPU:0 [ 196.349000] EIP:0060:[c032c436]Not tainted VLI [ 196.349000] EFLAGS: 00010246 (2.6.18-rc3-mm2 #4) [ 196.349000] EIP is at rt6_lookup+0x47/0x83 [ 196.349000] eax: ebx: ecx: 0005 edx: [ 196.349000] esi: e8b25c98 edi: e8b25c20 ebp: e8b25c78 esp: e8b25c20 [ 196.349000] ds: 007b es: 007b ss: 0068 [ 196.349000] Process ip (pid: 2511, ti=e8b25000 task=effb0aa0 task.ti=e8b25000) [ 196.349000] Stack: 0005 80fe [ 196.349000] [ 196.349000] 0008 eb6e98c8 e8b25ca8 e8b25cb4 c0327c04 [ 196.349000] Call Trace: [ 196.349000] [c0327c04] ipv6_del_addr+0x2ef/0x3a7 [ 196.349000] [c0327d3f] inet6_addr_del+0x83/0xbb [ 196.349000] [c0327dd6] inet6_rtm_deladdr+0x5f/0x6b [ 196.349000] [c02da097] rtnetlink_rcv_msg+0x1b3/0x1d6 [ 196.349000] [c02e011c] netlink_run_queue+0x5a/0xc6 [ 196.349000] [c02d9e9d] rtnetlink_rcv+0x29/0x42 [ 196.349000] [c02e0576] netlink_data_ready+0x12/0x49 [ 196.349000] [c02df518] netlink_sendskb+0x1c/0x4d [ 196.349000] [c02dfea0] netlink_unicast+0x1c4/0x1d0 [ 196.349000] [c02e0557] netlink_sendmsg+0x274/0x281 [ 196.349000] [c02ca57e] sock_sendmsg+0xeb/0x106 [ 196.349000] [c02cad99] sys_sendto+0xbe/0xdc [ 196.349000] [c02cb522] sys_socketcall+0xfb/0x186 [ 196.349000] [c0102849] sysenter_past_esp+0x56/0x79 [ 196.349000] DWARF2 unwinder stuck at sysenter_past_esp+0x56/0x79 [ 196.349000] Leftover inexact backtrace: [ 196.349000] [c01036c7] show_stack_log_lvl+0x8c/0x97 [ 196.349000] [c010381f] show_registers+0x14d/0x1de [ 196.349000] [c0103a5b] die+0x1ab/0x26d [ 196.349000] [c0352205] do_page_fault+0x3f8/0x4c5 [ 196.349000] [c0351271] error_code+0x39/0x40 [ 196.349000] [c0327c04] ipv6_del_addr+0x2ef/0x3a7 [ 196.349000] [c0327d3f] inet6_addr_del+0x83/0xbb [ 196.349000] [c0327dd6] inet6_rtm_deladdr+0x5f/0x6b [ 196.349000] [c02da097] rtnetlink_rcv_msg+0x1b3/0x1d6 [ 196.349000] [c02e011c] netlink_run_queue+0x5a/0xc6 [ 196.349000] [c02d9e9d] rtnetlink_rcv+0x29/0x42 [ 196.349000] [c02e0576] netlink_data_ready+0x12/0x49 [ 196.349000] [c02df518] netlink_sendskb+0x1c/0x4d [ 196.349000] [c02dfea0] netlink_unicast+0x1c4/0x1d0 [ 196.349000] [c02e0557] netlink_sendmsg+0x274/0x281 [ 196.349000] [c02ca57e] sock_sendmsg+0xeb/0x106 [ 196.349000] [c02cad99] sys_sendto+0xbe/0xdc [ 196.349000] [c02cb522] sys_socketcall+0xfb/0x186 [ 196.349000] [c0102849] sysenter_past_esp+0x56/0x79 [ 196.349000] Code: eb ff 89 5d a8 8d 45 b0 b9 10 00 00 00 89 f2 e8 c9 e0 eb ff 31 d2 83 7d 08 00 0f 95 c2 b9 ad cc 32 c0 89 f8 e8 47 7c 01 00 89 c3 66 83 7b 14 00 74 2d 8b 43 04 85 c0 7f 21 68 c4 19 37 c0 68 99 [ 196.349000] EIP: [c032c436] rt6_lookup+0x47/0x83 SS:ESP 0068:e8b25c20 The unlucky 'ip' process then gets a SIGSEGV and dies while holding a lock of some sort, so later 'ip' processes get hung in 'D' state. Checking the lkml and netdev archives didn't find any useful hits for 'ipv6_addr_rel'... pgpPNQBNHkWRz.pgp Description: PGP signature
Re: 2.6.18-rc3-mm2 - BUG in rt6_lookup() from ipv6_del_addr()
From: [EMAIL PROTECTED] Date: Thu, 10 Aug 2006 22:15:26 -0400 On Sun, 06 Aug 2006 03:08:09 PDT, Andrew Morton said: ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.18-rc3/2.6.18-rc3-mm2/ After applying the patch that Patrick McHardy pointed me at, it lived longer. However, I'm now seeing problems at system shutdown (or anytime you try to 'ifdown ethX' where ethX has an IPv6 address attached to it): This is cured by yet another fix already in the net-2.6.19 tree: From 7a3a5e6b0e6847749c756cbe4bf554eda063a577 Mon Sep 17 00:00:00 2001 From: Ville Nuorvala [EMAIL PROTECTED] Date: Tue, 8 Aug 2006 16:44:17 -0700 Subject: [PATCH] [IPV6]: Make sure fib6_rule_lookup doesn't return NULL The callers of fib6_rule_lookup don't expect it to return NULL, therefore it must return ip6_null_entry whenever fib_rule_lookup fails. Signed-off-by: Ville Nuorvala [EMAIL PROTECTED] Signed-off-by: David S. Miller [EMAIL PROTECTED] --- net/ipv6/fib6_rules.c |6 +- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c index bf9bba8..22a2fdb 100644 --- a/net/ipv6/fib6_rules.c +++ b/net/ipv6/fib6_rules.c @@ -63,7 +63,11 @@ struct dst_entry *fib6_rule_lookup(struc if (arg.rule) fib_rule_put(arg.rule); - return (struct dst_entry *) arg.result; + if (arg.result) + return (struct dst_entry *) arg.result; + + dst_hold(ip6_null_entry.u.dst); + return ip6_null_entry.u.dst; } static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp, -- 1.4.2.rc2.g3e042 - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html