From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bernd Schubert <bs@q-leap.de>
Subject: virtio_net null pointer dereference
Date: Thu, 15 May 2008 18:24:14 +0200
Message-ID: <g0ho3e$coq$1@ger.gmane.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: kvm-devel@lists.sourceforge.net
Return-path: <kvm-devel-bounces@lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=kvm-devel>
List-Post: <mailto:kvm-devel@lists.sourceforge.net>
List-Help: <mailto:kvm-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/kvm-devel>,
	<mailto:kvm-devel-request@lists.sourceforge.net?subject=subscribe>
Sender: kvm-devel-bounces@lists.sourceforge.net
Errors-To: kvm-devel-bounces@lists.sourceforge.net
List-Id: kvm.vger.kernel.org

Hello,

with 2.6.26-rc2 (git-something from the weekend) I get a NULL pointer
dereference:

(gdb) l *(start_xmit+0x48/0x12e)
0xffffffff80413752 is in start_xmit (drivers/net/virtio_net.c:282).
277
278             return vi->svq->vq_ops->add_buf(vi->svq, sg, num, 0, skb);
279     }
280
281     static int start_xmit(struct sk_buff *skb, struct net_device *dev)
282     {
283             struct virtnet_info *vi = netdev_priv(dev);
284
285     again:
286             /* Free up any pending old buffers before queueing new ones.
*/


[17180705.299138] Loglevel set to 9
[17180730.942144] BUG: unable to handle kernel NULL pointer dereference at
0000000000000008
[17180730.943115] IP: [<ffffffff8041379a>] start_xmit+0x48/0x12e
[17180730.943115] PGD 11d54067 PUD 11d55067 PMD 0
[17180730.943115] Oops: 0002 [1] SMP
[17180730.943115] CPU 0
[17180730.943115] Modules linked in: rtc psmouse i2c_piix4 i2c_core
[17180730.943115] Pid: 2552, comm: iperf Not tainted 2.6.26-rc2 #12
[17180730.943115] RIP: 0010:[<ffffffff8041379a>]  [<ffffffff8041379a>]
start_xmit+0x48/0x12e
[17180730.943115] RSP: 0018:ffff8100117939e8  EFLAGS: 00010202
[17180730.943115] RAX: ffff810011d5bcc0 RBX: ffff810011dc3880 RCX:
ffff810011dc7000
[17180730.943115] RDX: 0000000000000000 RSI: ffff8100117939fc RDI:
ffff8100117bddc0
[17180730.943115] RBP: ffff810011793a28 R08: ffff8100117939a8 R09:
0000000000000002
[17180730.943115] R10: 00000000a43eb07b R11: ffff810011dc3318 R12:
ffff810011dc3000
[17180730.943115] R13: ffff810011d5b940 R14: ffff810011dc3928 R15:
ffff8100117939fc
[17180730.943115] FS:  0000000040d89960(0063) GS:ffffffff806c0000(0000)
knlGS:0000000000000000
[17180730.943115] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[17180730.943115] CR2: 0000000000000008 CR3: 0000000011deb000 CR4:
00000000000006e0
[17180730.943115] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[17180730.943115] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[17180730.943115] Process iperf (pid: 2552, threadinfo ffff810011792000,
task ffff8100117be280)
[17180730.943115] Stack:  ffff810011793a38 ffff810011dc3318 000005f400000246
0000000000000000
[17180730.943115]  ffff810011d5b940 ffff810011d5b940 ffff810011dc3000
ffff810011dc3300
[17180730.943115]  ffff810011793a58 ffffffff80480778 0000000000000000
ffff810011dc3000
[17180730.943115] Call Trace:
[17180730.943115]  [<ffffffff80480778>] dev_hard_start_xmit+0x205/0x279
[17180730.943115]  [<ffffffff8048e0cb>] __qdisc_run+0xcf/0x1d3
[17180730.943115]  [<ffffffff80482e43>] dev_queue_xmit+0x15f/0x2c8
[17180730.943115]  [<ffffffff8049a61c>] ip_finish_output+0x1ed/0x22f
[17180730.943115]  [<ffffffff8049a91c>] ip_output+0x52/0x54
[17180730.943115]  [<ffffffff80499128>] ip_local_out+0x20/0x24
[17180730.943115]  [<ffffffff8049ad2f>] ip_queue_xmit+0x2a5/0x2fa
[17180730.943115]  [<ffffffff80265441>] ? mark_held_locks+0x59/0x75
[17180730.943115]  [<ffffffff8029a714>] ? kmem_cache_alloc_node+0x150/0x185
[17180730.943115]  [<ffffffff80265606>] ? trace_hardirqs_on+0xff/0x12a
[17180730.943115]  [<ffffffff804aa8d7>] tcp_transmit_skb+0x6b7/0x6ea
[17180730.943115]  [<ffffffff8029a76d>] ? __kmalloc_node+0x24/0x29
[17180730.943115]  [<ffffffff804ac7fa>] tcp_push_one+0xa7/0xc7
[17180730.943115]  [<ffffffff804a14c7>] tcp_sendmsg+0x7d3/0xa5e
[17180730.943115]  [<ffffffff8025c036>] ? hrtimer_start+0x118/0x13a
[17180730.943115]  [<ffffffff8025c036>] ? hrtimer_start+0x118/0x13a
[17180730.943115]  [<ffffffff804749df>] sock_aio_write+0xe2/0xf2
[17180730.943115]  [<ffffffff802a015c>] do_sync_write+0xeb/0x132
[17180730.943115]  [<ffffffff802592f8>] ? autoremove_wake_function+0x0/0x38
[17180730.943115]  [<ffffffff80224a11>] ? native_sched_clock+0x68/0x8f
[17180730.943115]  [<ffffffff802a1655>] ? fget_light+0xc0/0xe6
[17180730.943115]  [<ffffffff80224929>] ? sched_clock+0x9/0xc
[17180730.943115]  [<ffffffff802a1655>] ? fget_light+0xc0/0xe6
[17180730.943115]  [<ffffffff802a0907>] vfs_write+0xc1/0x137
[17180730.943115]  [<ffffffff802a0e5d>] sys_write+0x47/0x70
[17180730.943115]  [<ffffffff8021dd6a>] system_call_after_swapgs+0x8a/0x8f
[17180730.943115]
[17180730.943115]
[17180730.943115] Code: 9e 40 03 00 00 4c 8d b3 a8 00 00 00 eb 3f 41 ff 4e
10 48 8b 17 48 8b 47 08 48 c7 07 00 00 00 00 48 c7 47 08 00 00 00 00 48 89
10 <48> 89 42 08 48 8b 53 18 8b 47 68 48 01 82 98 00 00 00 48 8b 43
[17180730.943115] RIP  [<ffffffff8041379a>] start_xmit+0x48/0x12e
[17180730.943115]  RSP <ffff8100117939e8>
[17180730.943115] CR2: 0000000000000008
[17180731.066868] ---[ end trace deb46891ec66565a ]---
[17180731.070868] Kernel panic - not syncing: Aiee, killing interrupt
handler!


Thanks,
Bernd


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/