From: Alexander Duyck <alexander.duyck@gmail.com>
To: lkp@lists.01.org
Subject: Re: [ipv4/FIB] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
Date: Sat, 21 Mar 2015 15:06:01 -0700
Message-ID: <550DEB49.4050805@gmail.com>
In-Reply-To: <20150321111248.GB24707@wfg-t540p.sh.intel.com>


On 03/21/2015 04:12 AM, Fengguang Wu wrote:
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git master
>
> commit 0ddcf43d5d4a03ded1ee3f6b3b72a0cbed4e90b1
> Author:     Alexander Duyck <alexander.h.duyck@redhat.com>
> AuthorDate: Fri Mar 6 13:47:00 2015 -0800
> Commit:     David S. Miller <davem@davemloft.net>
> CommitDate: Wed Mar 11 16:22:14 2015 -0400
>
>     ipv4: FIB Local/MAIN table collapse
>     
>     This patch is meant to collapse local and main into one by converting
>     tb_data from an array to a pointer.  Doing this allows us to point the
>     local table into the main while maintaining the same variables in the
>     table.
>     
>     As such the tb_data was converted from an array to a pointer, and a new
>     array called data is added in order to still provide an object for tb_data
>     to point to.
>     
>     In order to track the origin of the fib aliases a tb_id value was added in
>     a hole that existed on 64b systems.  Using this we can also reverse the
>     merge in the event that custom FIB rules are enabled.
>     
>     With this patch I am seeing an improvement of 20ns to 30ns for routing
>     lookups as long as custom rules are not enabled, with custom rules enabled
>     we fall back to split tables and the original behavior.
>     
>     Signed-off-by: Alexander Duyck <alexander.h.duyck@redhat.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
>
>
> testbox/testcase/testparams: vm-vp-quantal-x86_64/boot/1
>
> 169bf9121b19dd60  0ddcf43d5d4a03ded1ee3f6b3b
> ----------------  --------------------------
>        fail:runs  %reproduction    fail:runs
>            |             |             |
>           0:80          12%          10:80    dmesg.BUG:unable_to_handle_kernel
>           0:80          12%          10:80    dmesg.Kernel_panic-not_syncing:Fatal_exception
>           0:80          12%          10:80    dmesg.Oops
>           0:80          12%          10:80    dmesg.RIP:fib_trie_unmerge
>
> [   14.975179] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
> [   14.976015] IP: [<ffffffff817f77bd>] fib_trie_unmerge+0x1d/0x2f0
> [   14.976015] PGD 0 
> [   14.976015] Oops: 0000 [#1] SMP 
> [   14.976015] Modules linked in:
> [   14.976015] CPU: 1 PID: 52 Comm: kworker/u4:1 Not tainted 4.0.0-rc3-00503-g0ddcf43 #1
> [   14.976015] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
> [   14.976015] Workqueue: netns cleanup_net
> [   14.976015] task: ffff88001605d880 ti: ffff880016064000 task.ti: ffff880016064000
> [   14.976015] RIP: 0010:[<ffffffff817f77bd>]  [<ffffffff817f77bd>] fib_trie_unmerge+0x1d/0x2f0
> [   14.976015] RSP: 0018:ffff880016067c38  EFLAGS: 00010292
> [   14.976015] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000038
> [   14.976015] RDX: ffff880012200808 RSI: 00000000000000ff RDI: 0000000000000000
> [   14.976015] RBP: ffff880016067c88 R08: ffff880012200600 R09: 00000001800c0003
> [   14.976015] R10: ffff88001371a080 R11: ffff880014bfaa00 R12: ffff880015ac8000
> [   14.976015] R13: ffff880012200780 R14: ffff880012200808 R15: ffff880015ac8008
> [   14.976015] FS:  0000000000000000(0000) GS:ffff880013700000(0000) knlGS:0000000000000000
> [   14.976015] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [   14.976015] CR2: 0000000000000030 CR3: 0000000001cb3000 CR4: 00000000000007e0
> [   14.976015] Stack:
> [   14.976015]  ffff880016067c68 ffffffff811c724e ffff880014bfa838 ffff880014bfa7b0
> [   14.976015]  ffff880014bfa838 0000000000000000 ffff880015ac8000 ffff880012200780
> [   14.976015]  ffff880012200808 ffff880015ac8008 ffff880016067ca8 ffffffff817f11a4
> [   14.976015] Call Trace:
> [   14.976015]  [<ffffffff811c724e>] ? kmem_cache_free+0x1de/0x200
> [   14.976015]  [<ffffffff817f11a4>] fib_unmerge+0x24/0xc0
> [   14.976015]  [<ffffffff817fcb0f>] fib4_rule_delete+0x1f/0x60
> [   14.976015]  [<ffffffff8178ea14>] fib_rules_unregister+0x84/0xe0
> [   14.976015]  [<ffffffff817fcf45>] fib4_rules_exit+0x15/0x20
> [   14.976015]  [<ffffffff817f05ab>] ip_fib_net_exit+0x1b/0x120
> [   14.976015]  [<ffffffff817f06e5>] fib_net_exit+0x35/0x40
> [   14.976015]  [<ffffffff81766759>] ops_exit_list+0x39/0x60
> [   14.976015]  [<ffffffff81767538>] cleanup_net+0x158/0x260
> [   14.976015]  [<ffffffff8108ba28>] process_one_work+0x158/0x490
> [   14.976015]  [<ffffffff8108c673>] worker_thread+0x73/0x570
> [   14.976015]  [<ffffffff8108c600>] ? rescuer_thread+0x400/0x400
> [   14.976015]  [<ffffffff810919df>] kthread+0xef/0x110
> [   14.976015]  [<ffffffff810918f0>] ? kthread_create_on_node+0x180/0x180
> [   14.976015]  [<ffffffff818b4198>] ret_from_fork+0x58/0x90
> [   14.976015]  [<ffffffff810918f0>] ? kthread_create_on_node+0x180/0x180
> [   14.976015] Code: 9c ff 31 c0 eb 88 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8d 4f 38 48 89 f8 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 28 <48> 8b 57 30 48 39 ca 48 89 55 c8 0f 84 12 01 00 00 31 f6 bf ff 
> [   14.976015] RIP  [<ffffffff817f77bd>] fib_trie_unmerge+0x1d/0x2f0
> [   14.976015]  RSP <ffff880016067c38>
> [   14.976015] CR2: 0000000000000030
> [   14.976015] ---[ end trace ada4f02c5ab95ed8 ]---
> [   14.976015] Kernel panic - not syncing: Fatal exception
>

The fix for this should already be in under commit
3c9e9f7320f0138497ef7879c0903246746e0ed3 ("fib_trie: Avoid NULL pointer
if local table is not allocated") in Dave's net-next tree.

- Alex
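
Reading the oops quoted in this thread, as an added example (not part of either message, and not code from the kernel or the 0day robot): the script takes the byte marked `<..>` in the `Code:` line, decodes that one instruction form, and checks that base register plus displacement equals CR2. The sample lines are copied from the quoted dmesg with timestamps dropped; the function names `decode_mov_load` and `triage` are hypothetical.

```python
import re

# Constructed sample: lines copied from the oops quoted above, timestamps dropped.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
RIP: 0010:[<ffffffff817f77bd>]  [<ffffffff817f77bd>] fib_trie_unmerge+0x1d/0x2f0
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000038
RDX: ffff880012200808 RSI: 00000000000000ff RDI: 0000000000000000
CR2: 0000000000000030 CR3: 0000000001cb3000 CR4: 00000000000007e0
Code: 41 54 53 48 83 ec 28 <48> 8b 57 30 48 39 ca 48 89 55 c8
"""

REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]
MASK64 = (1 << 64) - 1

def decode_mov_load(b):
    """Decode only `mov r64, [r64 + disp8]` (REX.W 8B /r, mod=01, no SIB)."""
    i = 0
    if 0x40 <= b[0] <= 0x4F:              # REX prefix
        if b[0] & 0x07:                   # REX.R/X/B select r8..r15: not handled
            raise ValueError("extended registers not handled")
        i = 1
    if b[i] != 0x8B:
        raise ValueError("not a mov r64, r/m64 load")
    modrm = b[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:               # only the disp8, no-SIB form
        raise ValueError("addressing form not handled")
    disp = b[i + 2] - 256 if b[i + 2] > 127 else b[i + 2]
    return REGS64[reg], REGS64[rm], disp

def triage(oops):
    # Register dump: NAME: <16 hex digits>. "RIP: 0010:..." does not match.
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b([A-Z0-9]{2,3}): ([0-9a-f]{16})\b", oops)}
    sym, off = re.search(r"RIP: .*\] (\w+)\+(0x[0-9a-f]+)/", oops).groups()
    tokens = re.search(r"Code: (.*)", oops).group(1).split()
    start = next(i for i, t in enumerate(tokens) if t.startswith("<"))
    insn = [int(t.strip("<>"), 16) for t in tokens[start:]]
    dest, base, disp = decode_mov_load(insn)
    ea = (regs[base] + disp) & MASK64
    # A zero base register means the fault address is the displacement itself:
    # a load from offset `disp` of a NULL pointer.
    return {"function": sym, "insn_offset": int(off, 16), "dest": dest,
            "base": base, "disp": disp, "effective": ea,
            "matches_cr2": ea == regs["CR2"], "null_base": regs[base] == 0}

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key:12} {value}")
```
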
