3.3.0, 3.4-rc1 reproducible tun Oops

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Kirby <sim@hostway.ca>
To: netdev@vger.kernel.org
Subject: 3.3.0, 3.4-rc1 reproducible tun Oops
Date: Wed, 4 Apr 2012 15:05:25 -0700	[thread overview]
Message-ID: <20120404220525.GD21505@hostway.ca> (raw)

I use an SSH VPN occasionally from home, and since upgrading the remote
kernel to 3.3.0, the it now seems to Oops when I ^C the tunnel with
sockets still active. If I start the tunnel, log in to a box through it
and run "vmstat 1", ^C the tunnel SSH process, and start it up again, I
get an Oops like this:

BUG: unable to handle kernel NULL pointer dereference at 00000000000000ff
IP: [<ffffffff810ed5fa>] __kmalloc_track_caller+0xaa/0x1b0
PGD 12d2bc067 PUD 0
Oops: 0000 [#1] SMP
CPU 1
Modules linked in: nf_conntrack_netlink nfnetlink iptable_mangle ipt_MASQUERADE xt_state xt_conntrack iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack hwmon_vid ppp_async ppp_generic slhc crc_ccitt tun nvidia(PO) uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core e100

Pid: 16156, comm: sshd Tainted: P           O 3.3.0 #32 System manufacturer System Product Name/A8N-VM CSM
RIP: 0010:[<ffffffff810ed5fa>]  [<ffffffff810ed5fa>] __kmalloc_track_caller+0xaa/0x1b0
RSP: 0000:ffff88012d0b3b58  EFLAGS: 00210206
RAX: 0000000000000000 RBX: ffff8801783f8e00 RCX: 000000000002c11f
RDX: 000000000002c11e RSI: 00000000000000d0 RDI: 0000000000014ac0
RBP: ffff88012d0b3ba8 R08: ffffffff81693c81 R09: ffff88007f546f30
R10: 00000000f80057e0 R11: 0000000000000000 R12: 00000000000000ff
R13: ffff88017b002900 R14: 0000000000000800 R15: 0000000000000800
FS:  0000000000000000(0000) GS:ffff88017fd00000(0063) knlGS:00000000f71ea740
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000000000ff CR3: 000000011906a000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process sshd (pid: 16156, threadinfo ffff88012d0b2000, task ffff880100a43a00)
Stack:
 dead000000200200 ffff88007fabc0c0 ffffffff816d692c 000000d0000000db
 ffff880100000000 ffff8801783f8e00 0000000000000001 00000000000000d0
 ffff88017b002780 0000000000000800 ffff88012d0b3be8 ffffffff81693cae
Call Trace:
 [<ffffffff816d692c>] ? sk_stream_alloc_skb+0x3c/0x110
 [<ffffffff81693cae>] __alloc_skb+0x6e/0x220
 [<ffffffff816d692c>] sk_stream_alloc_skb+0x3c/0x110
 [<ffffffff816d6c90>] tcp_sendmsg+0x290/0xd90
 [<ffffffff81694537>] ? skb_release_data+0xe7/0xf0
 [<ffffffffa0032e3a>] ? tun_do_read.isra.24+0x29a/0x420 [tun]
 [<ffffffff816f8703>] inet_sendmsg+0x43/0xb0
 [<ffffffff8168b78e>] sock_aio_write+0x10e/0x130
 [<ffffffff810f04fa>] do_sync_write+0xca/0x110
 [<ffffffff8104676a>] ? set_current_blocked+0x3a/0x60
 [<ffffffff810467d5>] ? sigprocmask+0x45/0x80
 [<ffffffff810f0e15>] vfs_write+0x165/0x180
 [<ffffffff810f1085>] sys_write+0x45/0x90
 [<ffffffff818098f9>] ia32_do_call+0x13/0x13
Code: 76 bf 49 8b 4d 00 65 48 03 0c 25 b8 cb 00 00 48 8b 51 08 4c 8b 21 4d 85 e4 0f 84 eb 00 00 00 49 63 45 20 49 8b 7d 00 48 8d 4a 01 <49> 8b 1c 04 4c 89 e0 48 8d 37 e8 37 41 28 00 84 c0 74 c4 4d 85
RIP  [<ffffffff810ed5fa>] __kmalloc_track_caller+0xaa/0x1b0
 RSP <ffff88012d0b3b58>
CR2: 00000000000000ff
---[ end trace 4a40da26b9b3bff5 ]---

Looks like it might need some poisoning there. Sometimes the Oops stops
before it is fully emitted over the serial port. I have verified that
this happens on v3.3 and current Linus head (3.4-rc1+) and not on v3.2.

When I get some more time, I will try to track it down a bit further.

ssh -w any <vpn box> 'ifconfig tun0 x pointopoint y; echo "ifconfig tun0 y pointopoint x && ip route add 10.0.0.0/8 via x"; sleep 1d' | sh -v

Simon-

next             reply	other threads:[~2012-04-04 22:05 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-04-04 22:05 Simon Kirby [this message]
2012-04-05  2:41 ` 3.3.0, 3.4-rc1 reproducible tun Oops Eric Dumazet
2012-04-05  5:58   ` Simon Kirby
2012-04-17  2:08   ` Simon Kirby
2012-04-17 12:18     ` Stanislav Kinsbursky
2012-04-17 18:35       ` Simon Kirby
2012-04-17 18:49         ` Stanislav Kinsbursky
2012-04-18  2:38           ` David Miller
2012-04-18 11:32         ` Stanislav Kinsbursky
2012-05-19  1:07           ` Simon Kirby
2012-05-21 14:51             ` Stanislav Kinsbursky
  -- strict thread matches above, loose matches on Subject: below --
2012-04-18  6:51 Stanislav Kinsbursky

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120404220525.GD21505@hostway.ca \
    --to=sim@hostway.ca \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.