From: "Rémi Denis-Courmont" <rdenis@simphalempin.com>
To: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	netdev@vger.kernel.org, bugme-daemon@bugzilla.kernel.org
Subject: Re: [Bugme-new] [Bug 11469] New: TUN with 1024 neighbours: ip6_dst_lookup_tail NULL crash
Date: Fri, 5 Sep 2008 19:03:38 +0300
Message-ID: <200809051903.41103.rdenis@simphalempin.com>
In-Reply-To: <20080905114146.GA29408@2ka.mipt.ru>

On Friday 5 September 2008 14:41:50 Evgeniy Polyakov, you wrote:
> Hi.
>
> On Sun, Aug 31, 2008 at 11:13:04AM -0700, Andrew Morton (akpm@linux-foundation.org) wrote:
> > > When an IFF_TUN (/dev/net/tun) device has more than 1023 IPv6
> > > neighbors, a process context crash occurs. Backtrace follows:
>
> Does this problem still exist?

Yes. With 2.6.27-rc5-b380b0d4f7dffcc235c0facefa537d4655619101, I get this:

tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
tun0: Disabled Privacy Extensions
BUG: unable to handle kernel NULL pointer dereference at 0000001d
IP: [<f8b205a0>] :ipv6:ip6_dst_lookup_tail+0x9e/0x166
*pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: tun fuse nf_conntrack_ftp nf_conntrack_ipv6 nf_conntrack_ipv4 nf_conntrack ipv6 snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device snd soundcore intel_agp agpgart snd_page_alloc psmouse iTCO_wdt evdev button parport_pc processor parport pcspkr dm_mirror dm_log dm_snapshot sg sr_mod cdrom e100 ehci_hcd uhci_hcd usbcore unix

Pid: 2313, comm: tunload Not tainted (2.6.27-rc5-00132-gb380b0d #13)
EIP: 0060:[<f8b205a0>] EFLAGS: 00010246 CPU: 0
EIP is at ip6_dst_lookup_tail+0x9e/0x166 [ipv6]
EAX: 00000000 EBX: f7d7fd38 ECX: f678e800 EDX: f7cb9600
ESI: f67aa400 EDI: 00000000 EBP: f7d7fcb4 ESP: f7d7fc5c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process tunload (pid: 2313, ti=f7d7e000 task=f66a3b60 task.ti=f7d7e000)
Stack: 00000000 f7d7fd54 f7d7fda8 f67aa400 f7d7fc7c f8b1f8e8 00000000 f6528e40
       f7d7fcbc f8b211b2 f7d7fdb8 f67aa400 f7cb8900 f67aa624 00000000 00000246
       f7d7fca4 c03124da f7d7fcbc 00000000 f7d7fed0 00000000 f7d7fcbc f8b207bd
Call Trace:
 [<f8b1f8e8>] ? ip6_cork_release+0x2e/0x52 [ipv6]
 [<f8b211b2>] ? ip6_push_pending_frames+0x1c9/0x3d9 [ipv6]
 [<c03124da>] ? _spin_unlock_bh+0xd/0xf
 [<f8b207bd>] ? ip6_dst_lookup+0xe/0x10 [ipv6]
 [<f8b353fa>] ? rawv6_sendmsg+0x25d/0xc08 [ipv6]
 [<c01401e6>] ? clockevents_program_event+0x92/0x119
 [<c02eed00>] ? inet_sendmsg+0x2e/0x50
 [<c02a7bad>] ? sock_sendmsg+0xcc/0xf0
 [<c011d3a9>] ? find_busiest_group+0x160/0x7a0
 [<c01372a5>] ? autoremove_wake_function+0x0/0x3a
 [<c02ad2ba>] ? __kfree_skb+0x31/0x76
 [<c02ad2ba>] ? __kfree_skb+0x31/0x76
 [<c0137449>] ? remove_wait_queue+0x30/0x34
 [<c021ba5f>] ? copy_from_user+0x2a/0x114
 [<c02a7e85>] ? sys_sendto+0xa5/0xc5
 [<c01401e6>] ? clockevents_program_event+0x92/0x119
 [<c01372a5>] ? autoremove_wake_function+0x0/0x3a
 [<c02a8d31>] ? sys_socketcall+0x176/0x295
 [<c0103061>] ? sysenter_do_call+0x12/0x25
 =======================
Code: 22 83 ff 9b 74 37 8b 55 b0 8b 02 e8 24 63 79 c7 8b 4d b0 c7 01 00 00 00 00 89 f8 83 c4 4c 5b 5e 5f 5d c3 8b 45 b0 8b 10 8b 42 2c <f6> 40 1d de 74 23 31 ff 89 f8 83 c4 4c 5b 5e 5f 5d c3 64 a1 04
EIP: [<f8b205a0>] ip6_dst_lookup_tail+0x9e/0x166 [ipv6] SS:ESP 0068:f7d7fc5c
---[ end trace fd93373c6fb8880e ]---

> > > Pid: 9950, comm: tunload Tainted: G      D   (2.6.26.3 #8)
>
> By whom was it tainted?

Its own self. I just failed to copy the very first crash trace.

Regards,

-- 
Rémi Denis-Courmont
http://www.remlab.net/
