Re: oops in udpv6_sendmsg

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dave Jones <davej@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: netdev@vger.kernel.org
Subject: Re: oops in udpv6_sendmsg
Date: Tue, 16 Apr 2013 21:02:13 -0400	[thread overview]
Message-ID: <20130417010213.GA9027@redhat.com> (raw)
In-Reply-To: <1364865839.5113.165.camel@edumazet-glaptop>

On Mon, Apr 01, 2013 at 06:23:59PM -0700, Eric Dumazet wrote:
 > On Fri, 2013-03-29 at 11:49 -0700, Eric Dumazet wrote:
 > > On Fri, 2013-03-29 at 14:40 -0400, Dave Jones wrote:
 > > > Just hit this on Linus' current tree.
 > > > 
 > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000031
 > > > IP: [<ffffffff8166ca6b>] udpv6_sendmsg+0x34b/0xa90
 > > > 
 > > > Looks like the last line of an inlined __ip6_dst_store() call. So line 1243 of net/ipv6/udp.c
 > > > 
 > > > 	Dave
 > > 
 > > Yes, I had the same problem on my lab machine yesterday and was working
 > > on it (Using a linux-3.3.8 code base)
 > > 
 > > In my case, the invalid rt6i_node value was 0x66b579de
 > 
 > I am mystified by this problem, I could not reproduce it...

Still chasing this. It mutated a little..

general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dlci fuse vmw_vsock_vmci_transport vmw_vmci vsock tun rfcomm cmtp kernelcapi bnep hidp l2tp_ppp l2tp_netlink l2tp_core scsi_transport_iscsi ipt_ULOG can_bcm nfc rds can_raw irda rose caif_socket atm llc2 can caif x25 ipx nfnetlink p8023 p8022 netrom appletalk phonet af_key af_rxrpc af_802154 pppoe crc_ccitt decnet psnap ax25 pppox llc ppp_generic slhc dccp_ipv6 dccp_ipv4 dccp sctp libcrc32c lockd sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack nf_conntrack ip6table_filter ip6_tables snd_hda_codec_realtek kvm_amd snd_hda_intel raid0 kvm snd_hda_codec snd_pcm btusb bluetooth microcode serio_raw edac_core pcspkr snd_page_alloc snd_timer snd rfkill soundcore r8169 mii radeon backlight drm_kms_helper ttm
CPU 0 
Pid: 483153, comm: trinity-child0 Not tainted 3.9.0-rc7+ #24 Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H
RIP: 0010:[<ffffffff8164d45f>]  [<ffffffff8164d45f>] ip6_append_data+0x4ff/0xeb0
RSP: 0018:ffff88010cc1b9b8  EFLAGS: 00010286
RAX: 7ae9fffffff2b8ff RBX: 0000000000000000 RCX: ffff88010cc1ba28
RDX: 00000000000000d0 RSI: 0000000000000048 RDI: ffff88010238f000
RBP: ffff88010cc1ba60 R08: 0000000000000030 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008
R13: 0000000000000008 R14: ffff88010238f000 R15: 0000000000000008
FS:  00007fc506daa740(0000) GS:ffff88012a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc505adc000 CR3: 0000000104a3f000 CR4: 00000000000007f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process trinity-child0 (pid: 483153, threadinfo ffff88010cc1a000, task ffff88010479a490)
Stack:
 0000000000000002 0000000000000000 000000200479a490 0000003000000010
 ffff880100000000 ffff88010238f2a0 0000002800000008 ffffffff00000000
 ffff88010cc1bdb0 ffffffff815c90e0 ffff880100000008 000000000000fff0
Call Trace:
 [<ffffffff815c90e0>] ? ip_reply_glue_bits+0x60/0x60
 [<ffffffff8166cfa8>] udpv6_sendmsg+0x278/0xa90
 [<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
 [<ffffffff810b3358>] ? trace_hardirqs_off_caller+0x28/0xc0
 [<ffffffff8160798c>] inet_sendmsg+0x10c/0x220
 [<ffffffff81607885>] ? inet_sendmsg+0x5/0x220
 [<ffffffff81567d67>] sock_sendmsg+0xb7/0xe0
 [<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
 [<ffffffff810b3472>] ? get_lock_stats+0x22/0x70
 [<ffffffff810b3b9e>] ? put_lock_stats.isra.27+0xe/0x40
 [<ffffffff810b419c>] ? lock_release_holdtime.part.28+0x9c/0x150
 [<ffffffff815784b6>] ? verify_iovec+0x56/0xd0
 [<ffffffff81568a7e>] __sys_sendmsg+0x3ae/0x3c0
 [<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
 [<ffffffff810b3472>] ? get_lock_stats+0x22/0x70
 [<ffffffff810b3b9e>] ? put_lock_stats.isra.27+0xe/0x40
 [<ffffffff810b41e5>] ? lock_release_holdtime.part.28+0xe5/0x150
 [<ffffffff8100a144>] ? native_sched_clock+0x24/0x80
 [<ffffffff810b3358>] ? trace_hardirqs_off_caller+0x28/0xc0
 [<ffffffff8156abb9>] sys_sendmsg+0x49/0x90
 [<ffffffff816cdfc2>] system_call_fastpath+0x16/0x1b
Code: 89 83 d4 00 00 00 c7 45 c8 f2 ff ff ff 48 8b 45 28 45 29 be 7c 05 00 00 48 8b 80 48 01 00 00 48 85 c0 74 0c 48 8b 80 18 03 00 00 <65> 48 ff 40 70 49 8b 46 30 48 8b 80 b0 01 00 00 65 48 ff 40 70 
RIP  [<ffffffff8164d45f>] ip6_append_data+0x4ff/0xeb0
 RSP <ffff88010cc1b9b8>
---[ end trace ad33312480976359 ]---

Disassembly looks like..

    1924:       89 83 d4 00 00 00       mov    %eax,0xd4(%rbx)
        }

        return 0;

error_efault:
        err = -EFAULT;
    192a:       c7 45 c8 f2 ff ff ff    movl   $0xfffffff2,-0x38(%rbp)
error:
        cork->length -= length;
        IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
    1931:       48 8b 45 28             mov    0x28(%rbp),%rax
        return 0;

error_efault:
        err = -EFAULT;
error:
        cork->length -= length;
    1935:       45 29 be 7c 05 00 00    sub    %r15d,0x57c(%r14)
        IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
    193c:       48 8b 80 48 01 00 00    mov    0x148(%rax),%rax
    1943:       48 85 c0                test   %rax,%rax
    1946:       74 0c                   je     1954 <ip6_append_data+0x504>
    1948:       48 8b 80 18 03 00 00    mov    0x318(%rax),%rax
->    194f:       65 48 ff 40 70          incq   %gs:0x70(%rax)
    1954:       49 8b 46 30             mov    0x30(%r14),%rax
    1958:       48 8b 80 b0 01 00 00    mov    0x1b0(%rax),%rax
    195f:       65 48 ff 40 70          incq   %gs:0x70(%rax)
        return err;



rax is all kinds of crazy. 7ae9fffffff2b8ff doesn't look anything like an address.

	Dave

next prev parent reply	other threads:[~2013-04-17  1:02 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-29 18:40 oops in udpv6_sendmsg Dave Jones
2013-03-29 18:49 ` Eric Dumazet
2013-04-02  1:23   ` Eric Dumazet
2013-04-11  0:29     ` Dave Jones
2013-04-17  1:02     ` Dave Jones [this message]
2013-04-17  2:02       ` Eric Dumazet
2013-04-17 14:11         ` Dave Jones
2013-04-17 14:27           ` Eric Dumazet
2013-04-17 16:05             ` Eric Dumazet
2013-06-25 21:28               ` Hannes Frederic Sowa
2013-06-26  9:22                 ` Eric Dumazet
2013-06-26  9:29                   ` Eric Dumazet
2013-06-26 11:15                     ` Eric Dumazet
2013-06-26 13:07                       ` Hannes Frederic Sowa
2013-06-26 22:15                         ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130417010213.GA9027@redhat.com \
    --to=davej@redhat.com \
    --cc=eric.dumazet@gmail.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.