* bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference
@ 2010-07-05 19:05 Frank Arnold
2010-07-06 0:48 ` Herbert Xu
0 siblings, 1 reply; 4+ messages in thread
From: Frank Arnold @ 2010-07-05 19:05 UTC (permalink / raw)
To: Stephen Hemminger, YOSHIFUJI Hideaki, Herbert Xu; +Cc: netdev
Hi,
we see a kernel NULL pointer dereference during testing of the KVM tree,
currently based on 2.6.35-rc3. We are using bridge to connect the KVM
guests through the hosts network interface. Here is the trace:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
IP: [<ffffffffa0196da0>] __br_ip4_hash+0x0/0x7c [bridge]
PGD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/lockd/initstate
CPU 3
Modules linked in: nfsd exportfs nfs lockd nfs_acl auth_rpcgss sunrpc bridge stp ipv6 kvm_amd kvm snd_hda_codec_atihdmi
snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd pcspkr serio_raw ata_generic r8169 so
undcore i2c_piix4 pata_acpi i2c_core joydev snd_page_alloc mii pata_atiixp shpchp [last unloaded: scsi_wait_scan]
Pid: 0, comm: swapper Not tainted 2.6.35.20100705_8dea564-1.fc11.osrc.x86_64 #1 GA-MA74GM-S2H/GA-MA74GM-S2H
RIP: 0010:[<ffffffffa0196da0>] [<ffffffffa0196da0>] __br_ip4_hash+0x0/0x7c [bridge]
RSP: 0018:ffff880001b838a8 EFLAGS: 00010246
RAX: ffff880126028000 RBX: 0000000000000000 RCX: ffff880127b3a828
RDX: 0000000001b80008 RSI: 0000000064ffffef RDI: 0000000000000000
RBP: ffff880001b838b0 R08: ffff8800054c3870 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880001b83a00
R13: ffff880001b83a00 R14: ffff880127b3a800 R15: ffff880125ccc400
FS: 00007f17d45ea6f0(0000) GS:ffff880001b80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 00000000016b0000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper (pid: 0, threadinfo ffff880127ab4000, task ffff880127ab96b0)
Stack:
ffffffffa0196f48 ffff880001b838d0 ffffffffa01970be ffff880126028640
<0> ffff880125ccc400 ffff880001b83910 ffffffffa0197511 ffff880001b83900
<0> ffff880127b3a800 ffff8800054c3868 ffff880126028640 ffff880127b3a800
Call Trace:
<IRQ>
[<ffffffffa0196f48>] ? br_ip_hash+0x1f/0x28 [bridge]
[<ffffffffa01970be>] br_mdb_ip_get+0x12/0x24 [bridge]
[<ffffffffa0197511>] br_multicast_leave_group+0x62/0x160 [bridge]
[<ffffffffa0199028>] br_multicast_rcv+0x60e/0xcda [bridge]
[<ffffffff81043320>] ? local_bh_enable_ip+0x9/0xb
[<ffffffff81369f85>] ? _raw_spin_unlock_bh+0xf/0x11
[<ffffffff812f9a1a>] ? packet+0x1a/0x24
[<ffffffff812f777b>] ? nf_conntrack_in+0x4ee/0x59f
[<ffffffffa01907d5>] ? fdb_create+0x28/0x73 [bridge]
[<ffffffffa0190945>] ? br_fdb_update+0x125/0x134 [bridge]
[<ffffffffa0191e74>] br_handle_frame_finish+0x6d/0x1ba [bridge]
[<ffffffffa0191e07>] ? br_handle_frame_finish+0x0/0x1ba [bridge]
[<ffffffffa0195c79>] NF_HOOK_THRESH+0x46/0x4d [bridge]
[<ffffffffa0195ed2>] ? nf_bridge_push_encap_header+0x2f/0x3c [bridge]
[<ffffffffa0196c65>] br_nf_pre_routing_finish+0x222/0x231 [bridge]
[<ffffffff812f4a10>] ? nf_hook_slow+0x65/0xc6
[<ffffffffa0196a43>] ? br_nf_pre_routing_finish+0x0/0x231 [bridge]
[<ffffffffa0196a43>] ? br_nf_pre_routing_finish+0x0/0x231 [bridge]
[<ffffffffa0195c79>] NF_HOOK_THRESH+0x46/0x4d [bridge]
[<ffffffffa019609a>] ? nf_bridge_alloc+0x1d/0x3a [bridge]
[<ffffffffa0196a26>] br_nf_pre_routing+0x550/0x56d [bridge]
[<ffffffff812f4968>] nf_iterate+0x41/0x84
[<ffffffffa0191e07>] ? br_handle_frame_finish+0x0/0x1ba [bridge]
[<ffffffff812f4a10>] nf_hook_slow+0x65/0xc6
[<ffffffffa0191e07>] ? br_handle_frame_finish+0x0/0x1ba [bridge]
[<ffffffffa0191e07>] ? br_handle_frame_finish+0x0/0x1ba [bridge]
[<ffffffffa0191df5>] NF_HOOK.clone.0+0x41/0x53 [bridge]
[<ffffffffa0192137>] br_handle_frame+0x176/0x18f [bridge]
[<ffffffff812d54e5>] __netif_receive_skb+0x2b0/0x3f5
[<ffffffff810592d2>] ? ktime_get_real+0x11/0x3e
[<ffffffff812d612c>] netif_receive_skb+0x52/0x59
[<ffffffff812d0ce6>] ? __netdev_alloc_skb+0x2f/0x4b
[<ffffffffa0054ff1>] rtl8169_rx_interrupt+0x385/0x4d6 [r8169]
[<ffffffff81222203>] ? scsi_next_command+0x3e/0x46
[<ffffffff812354b3>] ? __ata_qc_complete+0xdf/0xe7
[<ffffffffa0057614>] rtl8169_poll+0x37/0x1a1 [r8169]
[<ffffffff812d62ed>] net_rx_action+0xab/0x18c
[<ffffffffa00565f4>] ? rtl8169_interrupt+0x2cb/0x36e [r8169]
[<ffffffff81043446>] __do_softirq+0x97/0x125
[<ffffffff8101a026>] ? ack_apic_level+0x78/0x1ce
[<ffffffff810038dc>] call_softirq+0x1c/0x28
[<ffffffff81004e61>] do_softirq+0x41/0x7e
[<ffffffff810431ce>] irq_exit+0x36/0x78
[<ffffffff8100459c>] do_IRQ+0xa7/0xbe
[<ffffffff8136a1d3>] ret_from_intr+0x0/0x11
<EOI>
[<ffffffff8102036c>] ? native_safe_halt+0x6/0x8
[<ffffffff8136d161>] ? atomic_notifier_call_chain+0x13/0x15
[<ffffffff81009696>] default_idle+0x27/0x44
[<ffffffff81001d3a>] cpu_idle+0x58/0x93
[<ffffffff81364944>] start_secondary+0x1a4/0x1a8
Code: 7e 66 81 fa 81 00 74 0d 31 c0 66 81 fa 88 64 0f 94 c0 c1 e0 03 89 c2 48 29 93 e0 00 00 00 01 43 68 31 c0 5b 41 5c
c9 c3 90 90 90 <8b> 47 28 89 f1 ba b9 79 37 9e c1 e9 0d 29 f2 55 29 f0 48 89 e5
RIP [<ffffffffa0196da0>] __br_ip4_hash+0x0/0x7c [bridge]
RSP <ffff880001b838a8>
CR2: 0000000000000028
---[ end trace c0f05a4e3727475d ]---
Kernel panic - not syncing: Fatal exception in interrupt
--
Frank Arnold
Systems Design Technician, Software Test
AMD Operating System Research Center
Dresden, Germany
Tel: +49 351 448 356702
Legal Information:
Advanced Micro Devices GmbH
Einsteinring 24
85609 Dornach b. München
Geschäftsführer: Alberto Bozzo, Andrew Bowd
Sitz: Dornach, Gemeinde Aschheim, Landkreis München
Registergericht München, HRB Nr. 43632
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference 2010-07-05 19:05 bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference Frank Arnold @ 2010-07-06 0:48 ` Herbert Xu 2010-07-06 0:50 ` Herbert Xu 0 siblings, 1 reply; 4+ messages in thread From: Herbert Xu @ 2010-07-06 0:48 UTC (permalink / raw) To: Frank Arnold Cc: Stephen Hemminger, YOSHIFUJI Hideaki, netdev, David S. Miller On Mon, Jul 05, 2010 at 09:05:37PM +0200, Frank Arnold wrote: > Hi, > > we see a kernel NULL pointer dereference during testing of the KVM tree, > currently based on 2.6.35-rc3. We are using bridge to connect the KVM > guests through the hosts network interface. Here is the trace: > > BUG: unable to handle kernel NULL pointer dereference at > 0000000000000028 > IP: [<ffffffffa0196da0>] __br_ip4_hash+0x0/0x7c [bridge] Thanks for the report! Luckily this bug was introduced after 2.6.34 so we don't need it in stable. bridge: Restore NULL check in br_mdb_ip_get Somewhere along the line the NULL check in br_mdb_ip_get went AWOL, causing crashes when we receive an IGMP packet with no multicast table allocated. This patch restores it and ensures all br_mdb_*_get functions use it. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 9d21d98..27ae946 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -99,6 +99,15 @@ static struct net_bridge_mdb_entry *__br_mdb_ip_get( return NULL; } +static struct net_bridge_mdb_entry *br_mdb_ip_get( + struct net_bridge_mdb_htable *mdb, struct br_ip *dst) +{ + if (!mdb) + return NULL; + + return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst)); +} + static struct net_bridge_mdb_entry *br_mdb_ip4_get( struct net_bridge_mdb_htable *mdb, __be32 dst) { @@ -107,7 +116,7 @@ static struct net_bridge_mdb_entry *br_mdb_ip4_get( br_dst.u.ip4 = dst; br_dst.proto = htons(ETH_P_IP); - return __br_mdb_ip_get(mdb, &br_dst, __br_ip4_hash(mdb, dst)); + return br_mdb_ip_get(mdb, &br_dst); } #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) @@ -119,23 +128,17 @@ static struct net_bridge_mdb_entry *br_mdb_ip6_get( ipv6_addr_copy(&br_dst.u.ip6, dst); br_dst.proto = htons(ETH_P_IPV6); - return __br_mdb_ip_get(mdb, &br_dst, __br_ip6_hash(mdb, dst)); + return br_mdb_ip_get(mdb, &br_dst); } #endif -static struct net_bridge_mdb_entry *br_mdb_ip_get( - struct net_bridge_mdb_htable *mdb, struct br_ip *dst) -{ - return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst)); -} - struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br, struct sk_buff *skb) { struct net_bridge_mdb_htable *mdb = br->mdb; struct br_ip ip; - if (!mdb || br->multicast_disabled) + if (br->multicast_disabled) return NULL; if (BR_INPUT_SKB_CB(skb)->igmp) Thanks, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference 2010-07-06 0:48 ` Herbert Xu @ 2010-07-06 0:50 ` Herbert Xu 2010-07-06 3:07 ` David Miller 0 siblings, 1 reply; 4+ messages in thread From: Herbert Xu @ 2010-07-06 0:50 UTC (permalink / raw) To: Frank Arnold Cc: Stephen Hemminger, YOSHIFUJI Hideaki, netdev, David S. Miller On Tue, Jul 06, 2010 at 08:48:35AM +0800, Herbert Xu wrote: > > bridge: Restore NULL check in br_mdb_ip_get Resend with proper attribution. bridge: Restore NULL check in br_mdb_ip_get Somewhere along the line the NULL check in br_mdb_ip_get went AWOL, causing crashes when we receive an IGMP packet with no multicast table allocated. This patch restores it and ensures all br_mdb_*_get functions use it. Reported-by: Frank Arnold <frank.arnold@amd.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 9d21d98..27ae946 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -99,6 +99,15 @@ static struct net_bridge_mdb_entry *__br_mdb_ip_get( return NULL; } +static struct net_bridge_mdb_entry *br_mdb_ip_get( + struct net_bridge_mdb_htable *mdb, struct br_ip *dst) +{ + if (!mdb) + return NULL; + + return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst)); +} + static struct net_bridge_mdb_entry *br_mdb_ip4_get( struct net_bridge_mdb_htable *mdb, __be32 dst) { @@ -107,7 +116,7 @@ static struct net_bridge_mdb_entry *br_mdb_ip4_get( br_dst.u.ip4 = dst; br_dst.proto = htons(ETH_P_IP); - return __br_mdb_ip_get(mdb, &br_dst, __br_ip4_hash(mdb, dst)); + return br_mdb_ip_get(mdb, &br_dst); } #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) @@ -119,23 +128,17 @@ static struct net_bridge_mdb_entry *br_mdb_ip6_get( ipv6_addr_copy(&br_dst.u.ip6, dst); br_dst.proto = htons(ETH_P_IPV6); - return __br_mdb_ip_get(mdb, &br_dst, __br_ip6_hash(mdb, dst)); + return br_mdb_ip_get(mdb, &br_dst); } #endif -static struct net_bridge_mdb_entry *br_mdb_ip_get( - struct net_bridge_mdb_htable *mdb, struct br_ip *dst) -{ - return __br_mdb_ip_get(mdb, dst, br_ip_hash(mdb, dst)); -} - struct net_bridge_mdb_entry *br_mdb_get(struct net_bridge *br, struct sk_buff *skb) { struct net_bridge_mdb_htable *mdb = br->mdb; struct br_ip ip; - if (!mdb || br->multicast_disabled) + if (br->multicast_disabled) return NULL; if (BR_INPUT_SKB_CB(skb)->igmp) Thanks, -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference 2010-07-06 0:50 ` Herbert Xu @ 2010-07-06 3:07 ` David Miller 0 siblings, 0 replies; 4+ messages in thread From: David Miller @ 2010-07-06 3:07 UTC (permalink / raw) To: herbert; +Cc: frank.arnold, shemminger, yoshfuji, netdev From: Herbert Xu <herbert@gondor.apana.org.au> Date: Tue, 6 Jul 2010 08:50:08 +0800 > On Tue, Jul 06, 2010 at 08:48:35AM +0800, Herbert Xu wrote: >> >> bridge: Restore NULL check in br_mdb_ip_get > > Resend with proper attribution. > > bridge: Restore NULL check in br_mdb_ip_get > > Somewhere along the line the NULL check in br_mdb_ip_get went > AWOL, causing crashes when we receive an IGMP packet with no > multicast table allocated. It got removed by: -------------------- commit 8ef2a9a59854994bace13b5c4f7edc2c8d4d124e Author: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Date: Sun Apr 18 12:42:07 2010 +0900 bridge br_multicast: Make functions less ipv4 dependent. Introduce struct br_ip{} to store ip address and protocol and make functions more generic so that we can support both IPv4 and IPv6 with less pain. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> -------------------- > This patch restores it and ensures all br_mdb_*_get functions > use it. > > Reported-by: Frank Arnold <frank.arnold@amd.com> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Applied, thanks. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-07-06 3:07 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-07-05 19:05 bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference Frank Arnold 2010-07-06 0:48 ` Herbert Xu 2010-07-06 0:50 ` Herbert Xu 2010-07-06 3:07 ` David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).