From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	netdev <netdev@vger.kernel.org>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Neal Cardwell <ncardwell@google.com>
Subject: Re: [RFC/BUG] ipv6: bug in "ipv6: Copy cork options in ip6_append_data"
Date: Sun, 16 Jun 2013 22:10:19 +0200
Message-ID: <20130616201019.GB1515@breakpoint.cc>
In-Reply-To: <20130616190721.GA1515@breakpoint.cc>

On Sun, Jun 16, 2013 at 09:07:21PM +0200, Sebastian Andrzej Siewior wrote:
> On Sun, Jun 16, 2013 at 02:12:33AM -0700, Eric Dumazet wrote:
> > So far, I am not sure we solved the problem.
> > Could you try latest net-next tree ?
> 
> Yep. So I run pretty soon into
> 
> | BUG: unable to handle kernel paging request at 000000000e180200
> | IP: [<ffffffff8131ff8c>] ip6_push_pending_frames+0x28a/0x428

This is

|        IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);

|31ff80:       48 8b 80 48 01 00 00    mov    0x148(%rax),%rax
|31ff87:       48 85 c0                test   %rax,%rax
|31ff8a:       74 14                   je     ffffffff8131ffa0 <ip6_push_pending_frames+0x29e>
|31ff8c:       48 8b 80 00 02 00 00    mov    0x200(%rax),%rax
^^^^^
|31ff93:       65 48 ff 40 28          incq   %gs:0x28(%rax)

Stupid me, it looks familiar.

While writing this email I also captured

| BUG: unable to handle kernel NULL pointer dereference at 0000000000000031
| IP: [<ffffffff813339aa>] udpv6_sendmsg+0x793/0x8a0
| task: ffff88007b7bc0c0 ti: ffff88007a2d4000 task.ti: ffff88007a2d4000
| RIP: 0010:[<ffffffff813339aa>]  [<ffffffff813339aa>] udpv6_sendmsg+0x793/0x8a0
| RSP: 0018:ffff88007a2d5b18  EFLAGS: 00010206
| RAX: 0000000000000005 RBX: ffff88007a1a1200 RCX: ffff88007a1a1560
| RDX: ffff88007a1a1580 RSI: ffff88007ae39f00 RDI: ffff88007ae39f00
| RBP: ffff88007a2d5c40 R08: ffff8800fa101be0 R09: ffff88002e8ec010
| R10: 0000003600000000 R11: 0000000000000001 R12: ffff88007a1a1560
| R13: 0000000000000000 R14: ffff88007ae39f00 R15: ffff88007a1a1560
| Call Trace:
|  [<ffffffff810b75c9>] ? get_page_from_freelist+0x5df/0x69f
|  [<ffffffff8129cc4e>] ? sock_sendmsg+0x54/0x70
|  [<ffffffff8136ceb2>] ? page_fault+0x22/0x30
|  [<ffffffff810f1048>] ? fatal_signal_pending+0x9/0x23
|  [<ffffffff812a637d>] ? verify_iovec+0x53/0xa0
|  [<ffffffff8129ce9f>] ? ___sys_sendmsg+0x1fe/0x28e
|  [<ffffffff810baf58>] ? __lru_cache_add+0x1a/0x39
|  [<ffffffff810cf82f>] ? handle_pte_fault+0x75a/0x79a
|  [<ffffffff810d0776>] ? handle_mm_fault+0x1ae/0x20b
|  [<ffffffff81064b23>] ? timekeeping_get_ns.constprop.10+0xd/0x31
|  [<ffffffff811b571d>] ? timerqueue_add+0x75/0x8f
|  [<ffffffff8104bdae>] ? __hrtimer_start_range_ns+0x263/0x297
|  [<ffffffff8104b6b9>] ? lock_hrtimer_base.isra.14+0x1b/0x3c
|  [<ffffffff8129db2f>] ? __sys_sendmsg+0x39/0x57
|  [<ffffffff813719d2>] ? system_call_fastpath+0x16/0x1b
| Code: df 4c 8b bb 90 02 00 00 e8 ba aa f6 ff 48 8b 54 24 48 48 8b 4c 24 40 49 89 57 48 49 89 4f 50 49 8b 86 a0 00 00 00 48 85  c0 74 05 <8b> 40 2c eb 02 31 c0 41 89 47 74 66 83 83 00 01 00 00 01 eb 08

This is from __ip6_dst_store(), the last piece:
| np->dst_cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;

|3399e:       49 8b 86 a0 00 00 00    mov    0xa0(%r14),%rax
|339a5:       48 85 c0                test   %rax,%rax
|339a8:       74 05                   je     ffffffff813339af <udpv6_sendmsg+0x798>
|339aa:       8b 40 2c                mov    0x2c(%rax),%eax
^^^^^
|339ad:       eb 02                   jmp    ffffffff813339b1 <udpv6_sendmsg+0x79a>
|339af:       31 c0                   xor    %eax,%eax

rt->rt6i_node seems to be five.

Sebastian

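As an added example (not part of this mail, and not code from the kernel tree), the following C program reproduces the triage done above for the udpv6_sendmsg oops, and the same steps apply to the ip6_push_pending_frames one: it parses the Code: line, computes where the 64-byte dump starts so it can be lined up with objdump output (RIP minus the index of the <8b> byte gives 0xffffffff8133397f, which puts the "49 8b 86 a0 00 00 00" bytes at ...3399e exactly as in the listing), decodes the marked "8b 40 2c" as mov 0x2c(%rax),%eax, and adds RAX=5 to the displacement to get the reported fault address 0x31. The Code: line, RIP and RAX values are copied from the oops quoted above; the instruction decoder only handles the mov r32,disp8(reg) form without REX/SIB that this oops shows and rejects everything else, so that part is an illustration, not a general x86 decoder.

```c
/*
 * Added example (not from the thread): triage helpers for the x86-64 oops
 * quoted above. Given the "Code:" line, RIP and a register value, it recovers
 * where the 64-byte code dump starts (to align objdump output with it),
 * decodes the faulting "mov disp8(base),r32" and reproduces the fault address.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CODE_MAX 64   /* the kernel prints 64 bytes: 43 before the fault, 21 after */

struct code_dump {
	uint8_t bytes[CODE_MAX];
	int n;      /* bytes parsed */
	int fault;  /* index of the <xx>-marked byte, -1 if absent */
};

/* Parse "Code: xx xx <xx> xx ..." into bytes; <> marks the faulting
 * instruction's first byte. Extra spaces between bytes are tolerated. */
static int parse_code_line(const char *line, struct code_dump *cd)
{
	const char *p = line;

	cd->n = 0;
	cd->fault = -1;
	if (strncmp(p, "Code:", 5) == 0)
		p += 5;
	while (cd->n < CODE_MAX) {
		int marked = 0;
		char hex[3];

		while (*p == ' ' || *p == '\t')
			p++;
		if (*p == '\0' || *p == '\n')
			break;
		if (*p == '<') {
			marked = 1;
			p++;
		}
		if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
			return -1;
		hex[0] = p[0]; hex[1] = p[1]; hex[2] = '\0';
		cd->bytes[cd->n] = (uint8_t)strtoul(hex, NULL, 16);
		p += 2;
		if (marked) {
			if (*p != '>')
				return -1;
			p++;
			cd->fault = cd->n;
		}
		cd->n++;
	}
	return cd->fault >= 0 ? 0 : -1;
}

/* Address of bytes[0]: RIP points at the marked byte. */
static uint64_t dump_start(uint64_t rip, const struct code_dump *cd)
{
	return rip - (uint64_t)cd->fault;
}

/* Decode the faulting instruction only if it is "8b /r" (mov r32, r/m32)
 * with mod=01 (disp8), no REX and no SIB, the form this oops shows.
 * Anything else returns -1 (assumption: a full decoder is out of scope). */
static int decode_mov_disp8(const struct code_dump *cd, int *base, int *disp)
{
	int i = cd->fault;
	uint8_t modrm;

	if (i < 0 || i + 2 >= cd->n || cd->bytes[i] != 0x8b)
		return -1;
	modrm = cd->bytes[i + 1];
	if ((modrm >> 6) != 1 || (modrm & 7) == 4)
		return -1;
	*base = modrm & 7;   /* 0=rax 1=rcx 2=rdx 3=rbx 5=rbp 6=rsi 7=rdi */
	*disp = (int8_t)cd->bytes[i + 2];
	return 0;
}

/* Effective address of the faulting load: base register + displacement. */
static uint64_t fault_address(uint64_t base_value, int disp)
{
	return base_value + (uint64_t)(int64_t)disp;
}

/* Sample input, copied from the udpv6_sendmsg oops quoted above. */
static const char *const SAMPLE_CODE =
	"Code: df 4c 8b bb 90 02 00 00 e8 ba aa f6 ff 48 8b 54 24 48 48 8b 4c 24 40 "
	"49 89 57 48 49 89 4f 50 49 8b 86 a0 00 00 00 48 85  c0 74 05 <8b> 40 2c "
	"eb 02 31 c0 41 89 47 74 66 83 83 00 01 00 00 01 eb 08";
static const uint64_t SAMPLE_RIP = 0xffffffff813339aaULL;
static const uint64_t SAMPLE_RAX = 0x5ULL;

static int sample_fault_index(void)
{
	struct code_dump cd;
	return parse_code_line(SAMPLE_CODE, &cd) == 0 ? cd.fault : -1;
}

static uint64_t sample_dump_start(void)
{
	struct code_dump cd;
	return parse_code_line(SAMPLE_CODE, &cd) == 0 ? dump_start(SAMPLE_RIP, &cd) : 0;
}

static uint64_t sample_fault_address(void)
{
	struct code_dump cd;
	int base, disp;

	if (parse_code_line(SAMPLE_CODE, &cd) != 0 ||
	    decode_mov_disp8(&cd, &base, &disp) != 0 || base != 0 /* rax */)
		return 0;
	return fault_address(SAMPLE_RAX, disp);
}

int main(void)
{
	printf("code dump starts at %#llx, fault byte index %d\n",
	       (unsigned long long)sample_dump_start(), sample_fault_index());
	printf("rax + disp = %#llx (oops reported 0x31)\n",
	       (unsigned long long)sample_fault_address());
	return 0;
}
```

The point of lining the dump start up with objdump is the check Sebastian does by hand: once 0x...3397f is known, every byte in the Code: line can be matched against the vmlinux disassembly, and the 0x31 = 5 + 0x2c arithmetic is what turns "NULL pointer dereference at 0x31" into "rt->rt6i_node holds the value 5", i.e. the rt6_info was already freed or overwritten when __ip6_dst_store() read it.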
Thread overview: 11+ messages
2013-05-16 22:23 [RFC/BUG] ipv6: bug in "ipv6: Copy cork options in ip6_append_data" Eric Dumazet
2013-05-17  0:27 ` [PATCH net-next] ipv6: use ipv6_dup_options() from ip6_append_data() Eric Dumazet
2013-05-17 13:58   ` Herbert Xu
2013-05-17 14:53     ` Eric Dumazet
2013-05-17 23:36       ` Herbert Xu
2013-05-18 19:57       ` David Miller
2013-06-15 18:51 ` [RFC/BUG] ipv6: bug in "ipv6: Copy cork options in ip6_append_data" Sebastian Andrzej Siewior
2013-06-16  9:12   ` Eric Dumazet
2013-06-16 19:07     ` Sebastian Andrzej Siewior
2013-06-16 20:10       ` Sebastian Andrzej Siewior [this message]
2013-06-16 20:37         ` Eric Dumazet