From: Dave Jones <davej@redhat.com>
To: netdev@vger.kernel.org
Subject: oops in udpv6_sendmsg
Date: Fri, 29 Mar 2013 14:40:06 -0400
Message-ID: <20130329184006.GA23893@redhat.com>

Just hit this on Linus' current tree.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000031
IP: [<ffffffff8166ca6b>] udpv6_sendmsg+0x34b/0xa90
PGD 67f4e067 PUD 60281067 PMD 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dlci 8021q garp mrp fuse vmw_vsock_vmci_transport vmw_vmci vsock bnep hidp bridge stp rfcomm l2tp_ppp l2tp_netlink l2tp_core phonet af_key af_rxrpc caif_socket caif rose llc2 netrom can_raw cmtp kernelcapi nfnetlink ipt_ULOG can_bcm can af_802154 scsi_transport_iscsi pppoe ipx atm ax25 p8023 p8022 nfc pppox decnet irda ppp_generic x25 slhc rds crc_ccitt appletalk psnap llc lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables snd_hda_codec_realtek raid0 snd_hda_intel snd_hda_codec snd_pcm btusb microcode snd_page_alloc serio_raw snd_timer bluetooth pcspkr snd edac_core rfkill soundcore r8169 mii vhost_net tun macvtap macvlan kvm_amd kvm radeon backlight drm_kms_helper ttm
CPU 0
Pid: 22781, comm: trinity-child33 Not tainted 3.9.0-rc4+ #7 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
RIP: 0010:[<ffffffff8166ca6b>] [<ffffffff8166ca6b>] udpv6_sendmsg+0x34b/0xa90
RSP: 0018:ffff880011811a70 EFLAGS: 00010206
RAX: 0000000000000005 RBX: ffff8800167a7000 RCX: ffff8800167a7618
RDX: ffff8800167a7248 RSI: ffff88011959d680 RDI: ffff88011959d680
RBP: ffff880011811ba0 R08: ffff8800167a75f8 R09: 0000000000000001
R10: ffff8800603f2490 R11: 0000000000000002 R12: 00000000ffffffe0
R13: ffff8800167a75f8 R14: ffff88011959d680 R15: ffff8800167a75f8
FS: 00007f655b275740(0000) GS:ffff88012a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000031 CR3: 000000008e94a000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process trinity-child33 (pid: 22781, threadinfo ffff880011810000, task ffff8800603f2490)
Stack:
ffff880000000000 0000000000000000 ffff880011811b28 ffff88011959d680
00000000200065c0 ffffffff00000000 ffff8800167a7600 ffff8800167a75f8
0000000011811ac0 0000000000000000 ffff8800167a7618 ffff8800167a7248
Call Trace:
[<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
[<ffffffff810b3348>] ? trace_hardirqs_off_caller+0x28/0xc0
[<ffffffff816076ac>] inet_sendmsg+0x10c/0x220
[<ffffffff816075a5>] ? inet_sendmsg+0x5/0x220
[<ffffffff81567b37>] sock_sendmsg+0xb7/0xe0
[<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
[<ffffffff810b3462>] ? get_lock_stats+0x22/0x70
[<ffffffff810b3b8e>] ? put_lock_stats.isra.27+0xe/0x40
[<ffffffff810b418c>] ? lock_release_holdtime.part.28+0x9c/0x150
[<ffffffff81578286>] ? verify_iovec+0x56/0xd0
[<ffffffff8156884e>] __sys_sendmsg+0x3ae/0x3c0
[<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
[<ffffffff810b3462>] ? get_lock_stats+0x22/0x70
[<ffffffff810b3b8e>] ? put_lock_stats.isra.27+0xe/0x40
[<ffffffff810b41d5>] ? lock_release_holdtime.part.28+0xe5/0x150
[<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
[<ffffffff810b3348>] ? trace_hardirqs_off_caller+0x28/0xc0
[<ffffffff810b3b8e>] ? put_lock_stats.isra.27+0xe/0x40
[<ffffffff816c512c>] ? _raw_spin_unlock_irq+0x2c/0x60
[<ffffffff811dbe5c>] ? fget_light+0x38c/0x500
[<ffffffff8156a989>] sys_sendmsg+0x49/0x90
[<ffffffff816cd942>] system_call_fastpath+0x16/0x1b
Code: dc 03 f0 ff 48 8b 4c 24 50 4c 8b 44 24 38 48 8b 54 24 58 49 89 4d 48 4d 89 45 50 49 8b 86 a0 00 00 00 48 85 c0 0f 84 6c 06 00 00 <8b> 40 2c 41 89 45 74 48 89 d7 e8 66 85 05 00 45 85 e4 7e 1e 41
RIP [<ffffffff8166ca6b>] udpv6_sendmsg+0x34b/0xa90
RSP <ffff880011811a70>
CR2: 0000000000000031
---[ end trace aafad9c3e4a4dfb2 ]---
All code
========
0: dc 03 faddl (%rbx)
2: f0 ff 48 8b lock decl -0x75(%rax)
6: 4c 24 50 rex.WR and $0x50,%al
9: 4c 8b 44 24 38 mov 0x38(%rsp),%r8
e: 48 8b 54 24 58 mov 0x58(%rsp),%rdx
13: 49 89 4d 48 mov %rcx,0x48(%r13)
17: 4d 89 45 50 mov %r8,0x50(%r13)
1b: 49 8b 86 a0 00 00 00 mov 0xa0(%r14),%rax
22: 48 85 c0 test %rax,%rax
25: 0f 84 6c 06 00 00 je 0x697
2b:* 8b 40 2c mov 0x2c(%rax),%eax <-- trapping instruction
2e: 41 89 45 74 mov %eax,0x74(%r13)
32: 48 89 d7 mov %rdx,%rdi
35: e8 66 85 05 00 callq 0x585a0
3a: 45 85 e4 test %r12d,%r12d
3d: 7e 1e jle 0x5d
3f: 41 rex.B
which looks like this in udpv6_sendmsg ..
np->daddr_cache = daddr;
ca3: 49 89 4d 48 mov %rcx,0x48(%r13)
#ifdef CONFIG_IPV6_SUBTREES
np->saddr_cache = saddr;
ca7: 4d 89 45 50 mov %r8,0x50(%r13)
#endif
np->dst_cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
cab: 49 8b 86 a0 00 00 00 mov 0xa0(%r14),%rax
cb2: 48 85 c0 test %rax,%rax
cb5: 0f 84 6c 06 00 00 je 1327 <udpv6_sendmsg+0x9b7>
cbb: 8b 40 2c mov 0x2c(%rax),%eax
cbe: 41 89 45 74 mov %eax,0x74(%r13)
raw_spin_lock_irqsave_nested(spinlock_check(lock), flags, subclass); \
} while (0)
Looks like the last line of an inlined __ip6_dst_store() call. So line 1243 of net/ipv6/udp.c
Dave
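
Added example, not part of the original message: a small Python triage helper that recomputes the faulting address from the register dump and the decoded trapping instruction, then compares it with CR2. On this oops it shows RAX held 5 rather than NULL, so the `test %rax,%rax` check passed and the load from `0x2c(%rax)` faulted at 0x31. The function names, the labels and the 4096-byte threshold are assumptions of this example.

```python
import re

# Excerpt copied from the oops above (registers, CR2, decoded trapping
# instruction), embedded so the script runs offline.
OOPS = """\
RAX: 0000000000000005 RBX: ffff8800167a7000 RCX: ffff8800167a7618
RDX: ffff8800167a7248 RSI: ffff88011959d680 RDI: ffff88011959d680
RBP: ffff880011811ba0 R08: ffff8800167a75f8 R09: 0000000000000001
R10: ffff8800603f2490 R11: 0000000000000002 R12: 00000000ffffffe0
R13: ffff8800167a75f8 R14: ffff88011959d680 R15: ffff8800167a75f8
CR2: 0000000000000031 CR3: 000000008e94a000 CR4: 00000000000007f0
2b:* 8b 40 2c mov 0x2c(%rax),%eax <-- trapping instruction
"""

REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR2):\s*([0-9a-f]{16})\b")
# Only the simple AT&T form disp(%base) is handled; index/scale is rejected.
TRAP_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%(r\w+)\).*<-- trapping instruction")
PAGE_SIZE = 4096  # assumption: the first page is never mapped in kernel context


def classify(base):
    """Heuristic label for the value held in the dereferenced register."""
    if base == 0:
        return "null"
    if base < PAGE_SIZE:
        return "small-nonnull"  # garbage that still passes `if (ptr)`
    return "pointer-like"


def triage(oops):
    """Recompute the faulting address from the dump and compare it to CR2."""
    regs = {}
    for name, val in REG_RE.findall(oops):
        # The dump prints R08/R09; the disassembly calls them r8/r9.
        regs[re.sub(r"^r0(\d)$", r"r\1", name.lower())] = int(val, 16)
    m = TRAP_RE.search(oops)
    if m is None or m.group(2) not in regs or "cr2" not in regs:
        raise ValueError("need CR2 and a disp(%base) trapping operand")
    base, disp = regs[m.group(2)], int(m.group(1) or "0", 16)
    effective = (base + disp) & (2**64 - 1)
    return {"base_reg": m.group(2), "base": base, "disp": disp,
            "effective": effective, "matches_cr2": effective == regs["cr2"],
            "kind": classify(base)}


if __name__ == "__main__":
    print(triage(OOPS))
```

A "small-nonnull" result means the pointer field held a non-zero value that is not a valid address, which a plain NULL check in the source cannot catch.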