From: Patrick McHardy <kaber@trash.net>
To: netdev@vger.kernel.org
Cc: James Morris <jmorris@namei.org>, Curtis Doty <Curtis@GreenKey.net>
Subject: Re: oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr (fwd)
Date: Mon, 14 May 2007 21:19:50 +0200 [thread overview]
Message-ID: <4648B656.6030800@trash.net> (raw)
In-Reply-To: <4648AE85.6020608@trash.net>
Patrick McHardy wrote:
> James Morris wrote:
>
>>---------- Forwarded message ----------
>>Date: Mon, 14 May 2007 08:15:50 -0700 (PDT)
>>From: Curtis Doty <Curtis@GreenKey.net>
>>To: Linux Kernel <linux-kernel@vger.kernel.org>
>>Subject: oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr
>>
>>BUG: unable to handle kernel NULL pointer dereference at virtual address
>>000000a8
>>[...]
>>EIP is at inet_select_addr+0x4/0x9f
>>eax: 00000000 ebx: f8b97046 ecx: 000000fd edx: 00000000
>>esi: 000000fd edi: 00000001 ebp: f71cd0ac esp: c078bc9c
>>ds: 007b es: 007b ss: 0068
>>Process swapper (pid: 0, ti=c078b000 task=c06fc480 task.ti=c0746000)
>>Stack: f8b97046 f601b130 c05fd0b6 f728b980 f728b980 f8b5adbb c05bcb6e c078bd74
>> 00000003 00000003 00000246 00000246 00000000 f887e014 f8a611a6 f7c1ea80
>> f728b9a8 00000000 f727d220 f887e000 00000001 00000072 f7383800 f728b980
>>Call Trace:
>> [<f8b97046>] reject+0x0/0x4ae [ipt_REJECT]
>> [<c05fd0b6>] icmp_send+0x14d/0x39b
>
>
>
> A REJECT target in the output chain will trigger this in combination
> with icmp_errors_use_inbound_ifaddr because skb->dev is still NULL
> at this point and its passed to inet_select_addr.
>
> I'll look into this.
saddr = iph->daddr;
if (!(rt->rt_flags & RTCF_LOCAL)) {
if (sysctl_icmp_errors_use_inbound_ifaddr)
saddr = inet_select_addr(skb_in->dev, 0, RT_SCOPE_LINK);
else
saddr = 0;
}
Fixing the crash is easy, the right thing to do when skb->dev
is not set is to let routing choose the address because the
packet was locally generated and icmp_errors_use_inbound_ifaddr
shouldn't apply (the crash can also happen with IPsec tunnels
by the way).
This leaves the question what to do in the path after ip_output,
when skb->dev points to the output device. We don't know the
input device anymore, so there doesn't seem to be a way to make
it do what the sysctl promises.
next prev parent reply other threads:[~2007-05-14 19:20 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-14 18:30 oops in net/ipv4/icmp.c:icmp_send() with icmp_errors_use_inbound_ifaddr (fwd) James Morris
2007-05-14 18:46 ` Patrick McHardy
2007-05-14 19:19 ` Patrick McHardy [this message]
2007-05-17 16:52 ` Patrick McHardy
2007-05-18 0:57 ` Julian Anastasov
2007-05-19 21:50 ` David Miller
2007-05-21 17:03 ` Patrick McHardy
2007-05-20 5:26 ` Herbert Xu
2007-05-21 16:36 ` Patrick McHardy
2007-05-21 21:28 ` Herbert Xu
2007-05-21 21:32 ` Patrick McHardy
2007-05-14 20:24 ` Curtis Doty
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4648B656.6030800@trash.net \
--to=kaber@trash.net \
--cc=Curtis@GreenKey.net \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.