* [BUG] in inet6_create
From: Roel Kluin @ 2007-11-01 20:07 UTC
To: netdev

I got this bug recently; I am not sure whether this is related to any previously
reported ones. It was a recently pulled git kernel. Also I have been hacking my
kernel a bit lately, but I think that I haven't got any changes in the currently
running kernel.

FYI: my network card was not running (module not loaded, and I just started
thunderbird).

Roel

More information needed?
--
NET: Registered protocol family 10
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip: f881034f *pde = 00000000
Oops: 0000 [#1]
Modules linked in: ipv6
Pid: 17080, comm: modprobe Not tainted (2.6.24-rc1 #1)
EIP: 0060:[<f881034f>] EFLAGS: 00010293 CPU: 0
EIP is at inet6_create+0x5f/0x340 [ipv6]
EAX: 00000000 EBX: 00000000 ECX: f7621fd5 EDX: f8842e78
ESI: ffffffff EDI: 0000003a EBP: ffffff9f ESP: d780de74
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process modprobe (pid: 17080, ti=d780c000 task=c3a86000 task.ti=d780c000)
Stack: 00000000 00000246 00000246 00000003 c60e22a0 00000246 00000000 00000000
f88410fc ffffffea 00000003 c063f680 c028d597 00000002 00000001 c028d52c
c60e22a0 00000003 f8842d00 00000032 00000000 c028d6a7 0000003a f88438c0
Call Trace:
[<c028d597>] __sock_create+0xf7/0x1e0
[<c028d52c>] __sock_create+0x8c/0x1e0
[<c028d6a7>] sock_create_kern+0x27/0x30
[<f88457af>] icmpv6_init+0x1f/0xa0 [ipv6]
[<f884513f>] inet6_init+0x13f/0x2f0 [ipv6]
[<c0144f73>] sys_init_module+0x173/0x16c0
[<c0132860>] autoremove_wake_function+0x0/0x50
[<c0171ef1>] sys_read+0x41/0x70
[<c010818e>] syscall_call+0x7/0xb
=======================
Code: c0 85 c9 0f 84 12 02 00 00 c7 44 24 18 00 00 00 00 0f bf c6 c1 e0 03 8b 98 80 2e 84 f8 8d 90 80 2e 84 f8 89 5c 24 1c 8b 44 24 1c <8b> 00 0f 18 00 90 39 d3 bd a2 ff ff ff 75 36 e9 f3 01 00 00 85
EIP: [<f881034f>] inet6_create+0x5f/0x340 [ipv6] SS:ESP 0068:d780de74
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip: f881034f *pde = 00000000
Oops: 0000 [#2]
Modules linked in: ipv6
Pid: 17078, comm: thunderbird-bin Tainted: G D (2.6.24-rc1 #1)
EIP: 0060:[<f881034f>] EFLAGS: 00210293 CPU: 0
EIP is at inet6_create+0x5f/0x340 [ipv6]
EAX: 00000000 EBX: 00000000 ECX: f7621fd5 EDX: f8842e78
ESI: ffffffff EDI: 00000000 EBP: ffffff9f ESP: c2801f00
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process thunderbird-bin (pid: 17078, ti=c2800000 task=c20bf000 task.ti=c2800000)
Stack: c0185024 00200246 00200246 00000001 c60e2000 00200246 00000000 00000000
f88410fc ffffffea 00000001 c063f680 c028d597 00000002 00000001 c028d52c
c60e2000 00000001 0000000a 08b095bc c2800000 c028d6e9 00000000 c2801f74
Call Trace:
[<c0185024>] new_inode+0x24/0x90
[<c028d597>] __sock_create+0xf7/0x1e0
[<c028d52c>] __sock_create+0x8c/0x1e0
[<c028d6e9>] sock_create+0x39/0x50
[<c028d89c>] sys_socket+0x1c/0x50
[<c028e248>] sys_socketcall+0x68/0x280
[<c013da9b>] trace_hardirqs_on+0xbb/0x160
[<c011b80d>] do_sched_setscheduler+0xad/0xc0
[<c01081fb>] restore_nocheck+0x12/0x15
[<c010818e>] syscall_call+0x7/0xb
=======================
Code: c0 85 c9 0f 84 12 02 00 00 c7 44 24 18 00 00 00 00 0f bf c6 c1 e0 03 8b 98 80 2e 84 f8 8d 90 80 2e 84 f8 89 5c 24 1c 8b 44 24 1c <8b> 00 0f 18 00 90 39 d3 bd a2 ff ff ff 75 36 e9 f3 01 00 00 85
EIP: [<f881034f>] inet6_create+0x5f/0x340 [ipv6] SS:ESP 0068:c2801f00

* Re: [BUG] in inet6_create
From: Roel Kluin @ 2007-11-01 21:14 UTC
To: netdev; +Cc: linux-net

Roel Kluin wrote:
> I got this bug recently; I am not sure whether this is related to any previously
> reported ones. It was a recently pulled git kernel. Also I have been hacking my
> kernel a bit lately, but I think that I haven't got any changes in the currently
> running kernel.
>
> FYI: my network card was not running (module not loaded, and I just started
> thunderbird).
>
> Roel
>
> More information needed?
> --

probably mailing to linux-net was more appropriate

* Re: [BUG] in inet6_create
From: Pavel Emelyanov @ 2007-11-02 9:15 UTC
To: Roel Kluin; +Cc: netdev, linux-net

Roel Kluin wrote:
> Roel Kluin wrote:
>> I got this bug recently; I am not sure whether this is related to any previously
>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>> kernel a bit lately, but I think that I haven't got any changes in the currently
>> running kernel.
>>
>> FYI: my network card was not running (module not loaded, and I just started
>> thunderbird).
>>
>> Roel
>>
>> More information needed?

Yes, please.

Can you send us the disasm (objdump -dr) of your ipv6 module?
More precisely - I need the disassembled inet6_create() function to
figure out where exactly this thing happened.

Thanks,
Pavel

>> --
>
> probably mailing to linux-net was more appropriate

* Re: [BUG] in inet6_create
From: Roel Kluin @ 2007-11-02 17:51 UTC
To: Pavel Emelyanov; +Cc: netdev, linux-net

Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> Roel Kluin wrote:
>>> More information needed?
>
> Yes, please.
>
> Can you send us the disasm (objdump -dr) of your ipv6 module?
> More precisely - I need the disassembled inet6_create() function to
> figure out where exactly this thing happened.

I was very lucky to still be able to produce this: when the bug hit me, I had just
recompiled a new kernel; however, since I had previously git-pulled (but not yet
compiled), the old module was not overwritten.

To answer the question in your other mail - whether I hacked this kernel - I am not
100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
to net code were very trivial one-liner changes that I have previously posted, and
were generally accepted as fixes.
--
000002f0 <inet6_create>:
 2f0: 55 push %ebp
 2f1: bd 9f ff ff ff mov $0xffffff9f,%ebp
 2f6: 57 push %edi
 2f7: 56 push %esi
 2f8: 89 ce mov %ecx,%esi
 2fa: 53 push %ebx
 2fb: 83 ec 20 sub $0x20,%esp
 2fe: 3d 00 00 00 00 cmp $0x0,%eax
 2ff: R_386_32 init_net
 303: 89 54 24 10 mov %edx,0x10(%esp)
 307: 74 0a je 313 <inet6_create+0x23>
 309: 83 c4 20 add $0x20,%esp
 30c: 89 e8 mov %ebp,%eax
 30e: 5b pop %ebx
 30f: 5e pop %esi
 310: 5f pop %edi
 311: 5d pop %ebp
 312: c3 ret
 313: 8b 42 3c mov 0x3c(%edx),%eax
 316: 83 e8 02 sub $0x2,%eax
 319: 66 83 f8 01 cmp $0x1,%ax
 31d: 76 0e jbe 32d <inet6_create+0x3d>
 31f: 8b 0d 00 00 00 00 mov 0x0,%ecx
 321: R_386_32 inet_ehash_secret
 325: 85 c9 test %ecx,%ecx
 327: 0f 84 76 02 00 00 je 5a3 <inet6_create+0x2b3>
 32d: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp)
 334: 00
 335: 31 d2 xor %edx,%edx
 337: 31 c9 xor %ecx,%ecx
 339: b8 00 00 00 00 mov $0x0,%eax
 33a: R_386_32 rcu_lock_map
 33e: c7 44 24 08 35 03 00 movl $0x335,0x8(%esp)
 345: 00
 342: R_386_32 .text
 346: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
 34d: 00
 34e: c7 04 24 02 00 00 00 movl $0x2,(%esp)
 355: e8 fc ff ff ff call 356 <inet6_create+0x66>
 356: R_386_PC32 lock_acquire
 35a: 8b 44 24 10 mov 0x10(%esp),%eax
 35e: 8b 78 3c mov 0x3c(%eax),%edi
 361: 0f bf c7 movswl %di,%eax
 364: c1 e0 03 shl $0x3,%eax
 367: 8b 98 00 00 00 00 mov 0x0(%eax),%ebx
 369: R_386_32 .bss
 36d: 8d 90 00 00 00 00 lea 0x0(%eax),%edx
 36f: R_386_32 .bss
 373: 89 5c 24 1c mov %ebx,0x1c(%esp)
 377: 8b 44 24 1c mov 0x1c(%esp),%eax
 37b: 8b 00 mov (%eax),%eax
 37d: 8d 44 20 00 lea 0x0(%eax),%eax
 381: 39 d3 cmp %edx,%ebx
 383: bd a2 ff ff ff mov $0xffffffa2,%ebp
 388: 75 3a jne 3c4 <inet6_create+0xd4>
 38a: e9 23 02 00 00 jmp 5b2 <inet6_create+0x2c2>
 38f: 90 nop
 390: 85 f6 test %esi,%esi
 392: 0f 84 5d 02 00 00 je 5f5 <inet6_create+0x305>
 398: 66 85 c0 test %ax,%ax
 39b: 90 nop
 39c: 8d 74 26 00 lea 0x0(%esi),%esi
 3a0: 74 31 je 3d3 <inet6_create+0xe3>
 3a2: 8b 1b mov (%ebx),%ebx
 3a4: 89 5c 24 1c mov %ebx,0x1c(%esp)
 3a8: 8b 44 24 1c mov 0x1c(%esp),%eax
 3ac: 8b 00 mov (%eax),%eax
 3ae: 8d 44 20 00 lea 0x0(%eax),%eax
 3b2: 0f bf c7 movswl %di,%eax
 3b5: 8d 04 c5 00 00 00 00 lea 0x0(,%eax,8),%eax
 3b8: R_386_32 .bss
 3bc: 39 d8 cmp %ebx,%eax
 3be: 0f 84 e9 01 00 00 je 5ad <inet6_create+0x2bd>
 3c4: 0f b7 43 0a movzwl 0xa(%ebx),%eax
 3c8: 0f b7 c8 movzwl %ax,%ecx
 3cb: 39 ce cmp %ecx,%esi
 3cd: 75 c1 jne 390 <inet6_create+0xa0>
 3cf: 85 f6 test %esi,%esi
 3d1: 74 cf je 3a2 <inet6_create+0xb2>
 3d3: 8b 43 14 mov 0x14(%ebx),%eax
 3d6: 85 c0 test %eax,%eax
 3d8: 7e 12 jle 3ec <inet6_create+0xfc>
 3da: e8 fc ff ff ff call 3db <inet6_create+0xeb>
 3db: R_386_PC32 capable
 3df: 85 c0 test %eax,%eax
 3e1: bd ff ff ff ff mov $0xffffffff,%ebp
 3e6: 0f 84 99 01 00 00 je 585 <inet6_create+0x295>
 3ec: 8b 43 10 mov 0x10(%ebx),%eax
 3ef: 8b 54 24 10 mov 0x10(%esp),%edx
 3f3: b9 ec 03 00 00 mov $0x3ec,%ecx
 3f4: R_386_32 .text
 3f8: 89 42 08 mov %eax,0x8(%edx)
 3fb: 0f b6 43 18 movzbl 0x18(%ebx),%eax
 3ff: 8b 7b 0c mov 0xc(%ebx),%edi
 402: 88 44 24 17 mov %al,0x17(%esp)
 406: 0f b6 53 19 movzbl 0x19(%ebx),%edx
 40a: b8 00 00 00 00 mov $0x0,%eax
 40b: R_386_32 rcu_lock_map
 40f: 88 54 24 16 mov %dl,0x16(%esp)
 413: ba 01 00 00 00 mov $0x1,%edx
 418: e8 fc ff ff ff call 419 <inet6_create+0x129>
 419: R_386_PC32 lock_release
 41d: 8b 57 70 mov 0x70(%edi),%edx
 420: 85 d2 test %edx,%edx
 422: 0f 84 36 02 00 00 je 65e <inet6_create+0x36e>
 428: b9 d0 00 00 00 mov $0xd0,%ecx
 42d: ba 0a 00 00 00 mov $0xa,%edx
 432: b8 00 00 00 00 mov $0x0,%eax
 433: R_386_32 init_net
 437: 89 3c 24 mov %edi,(%esp)
 43a: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
 441: 00
 442: bd 97 ff ff ff mov $0xffffff97,%ebp
 447: e8 fc ff ff ff call 448 <inet6_create+0x158>
 448: R_386_PC32 sk_alloc
 44c: 85 c0 test %eax,%eax
 44e: 89 c7 mov %eax,%edi
 450: 0f 84 b3 fe ff ff je 309 <inet6_create+0x19>
 456: 89 c2 mov %eax,%edx
 458: 8b 44 24 10 mov 0x10(%esp),%eax
 45c: e8 fc ff ff ff call 45d <inet6_create+0x16d>
 45d: R_386_PC32 sock_init_data
 461: 80 64 24 17 03 andb $0x3,0x17(%esp)
 466: 0f b6 54 24 17 movzbl 0x17(%esp),%edx
 46b: 0f b6 47 28 movzbl 0x28(%edi),%eax
 46f: c1 e2 02 shl $0x2,%edx
 472: 83 e0 f3 and $0xfffffff3,%eax
 475: 09 d0 or %edx,%eax
 477: 88 47 28 mov %al,0x28(%edi)
 47a: 0f b6 44 24 16 movzbl 0x16(%esp),%eax
 47f: a8 01 test $0x1,%al
 481: 74 04 je 487 <inet6_create+0x197>
 483: c6 47 03 01 movb $0x1,0x3(%edi)
 487: 0f b6 97 3f 02 00 00 movzbl 0x23f(%edi),%edx
 48e: c1 e8 02 shr $0x2,%eax
 491: 83 e0 01 and $0x1,%eax
 494: 01 c0 add %eax,%eax
 496: 83 e2 fd and $0xfffffffd,%edx
 499: 09 c2 or %eax,%edx
 49b: 88 97 3f 02 00 00 mov %dl,0x23f(%edi)
 4a1: 8b 44 24 10 mov 0x10(%esp),%eax
 4a5: 66 83 78 3c 03 cmpw $0x3,0x3c(%eax)
 4aa: 0f 84 64 01 00 00 je 614 <inet6_create+0x324>
 4b0: 89 f2 mov %esi,%edx
 4b2: c7 87 18 02 00 00 00 movl $0x0,0x218(%edi)
 4b9: 00 00 00
 4b8: R_386_32 inet_sock_destruct
 4bc: 66 c7 07 0a 00 movw $0xa,(%edi)
 4c1: 88 57 29 mov %dl,0x29(%edi)
 4c4: 8b 43 0c mov 0xc(%ebx),%eax
 4c7: 8b 40 40 mov 0x40(%eax),%eax
 4ca: 89 87 14 02 00 00 mov %eax,0x214(%edi)
 4d0: 8b 47 20 mov 0x20(%edi),%eax
 4d3: 8b 48 74 mov 0x74(%eax),%ecx
 4d6: 83 e9 70 sub $0x70,%ecx
 4d9: 8d 0c 0f lea (%edi,%ecx,1),%ecx
 4dc: 89 8f 1c 02 00 00 mov %ecx,0x21c(%edi)
 4e2: 0f b6 41 46 movzbl 0x46(%ecx),%eax
 4e6: 66 c7 41 3c ff ff movw $0xffff,0x3c(%ecx)
 4ec: 66 c7 41 3e ff ff movw $0xffff,0x3e(%ecx)
 4f2: 83 e0 e7 and $0xffffffe7,%eax
 4f5: 83 c8 09 or $0x9,%eax
 4f8: 88 41 46 mov %al,0x46(%ecx)
 4fb: 0f b6 15 00 00 00 00 movzbl 0x0,%edx
 4fe: R_386_32 sysctl_ipv6_bindv6only
 502: 83 e0 df and $0xffffffdf,%eax
 505: 83 e2 01 and $0x1,%edx
 508: c1 e2 05 shl $0x5,%edx
 50b: 09 d0 or %edx,%eax
 50d: 88 41 46 mov %al,0x46(%ecx)
 510: 80 8f 3f 02 00 00 10 orb $0x10,0x23f(%edi)
 517: 66 c7 87 30 02 00 00 movw $0xffff,0x230(%edi)
 51e: ff ff
 520: c6 87 3d 02 00 00 01 movb $0x1,0x23d(%edi)
 527: c7 87 40 02 00 00 00 movl $0x0,0x240(%edi)
 52e: 00 00 00
 531: c7 87 48 02 00 00 00 movl $0x0,0x248(%edi)
 538: 00 00 00
 53b: a1 04 00 00 00 mov 0x4,%eax
 53c: R_386_32 ipv4_config
 540: 85 c0 test %eax,%eax
 542: 0f b7 87 2a 02 00 00 movzwl 0x22a(%edi),%eax
 549: 0f 94 87 3e 02 00 00 sete 0x23e(%edi)
 550: 66 85 c0 test %ax,%ax
 553: 0f 85 a3 00 00 00 jne 5fc <inet6_create+0x30c>
 559: 8b 47 20 mov 0x20(%edi),%eax
 55c: 31 ed xor %ebp,%ebp
 55e: 8b 50 14 mov 0x14(%eax),%edx
 561: 85 d2 test %edx,%edx
 563: 0f 84 a0 fd ff ff je 309 <inet6_create+0x19>
 569: 89 f8 mov %edi,%eax
 56b: ff d2 call *%edx
 56d: 85 c0 test %eax,%eax
 56f: 89 c5 mov %eax,%ebp
 571: 0f 84 92 fd ff ff je 309 <inet6_create+0x19>
 577: 89 f8 mov %edi,%eax
 579: e8 fc ff ff ff call 57a <inet6_create+0x28a>
 57a: R_386_PC32 sk_common_release
 57e: 66 90 xchg %ax,%ax
 580: e9 84 fd ff ff jmp 309 <inet6_create+0x19>
 585: b8 00 00 00 00 mov $0x0,%eax
 586: R_386_32 rcu_lock_map
 58a: b9 85 05 00 00 mov $0x585,%ecx
 58b: R_386_32 .text
 58f: ba 01 00 00 00 mov $0x1,%edx
 594: e8 fc ff ff ff call 595 <inet6_create+0x2a5>
 595: R_386_PC32 lock_release
 599: 83 c4 20 add $0x20,%esp
 59c: 89 e8 mov %ebp,%eax
 59e: 5b pop %ebx
 59f: 5e pop %esi
 5a0: 5f pop %edi
 5a1: 5d pop %ebp
 5a2: c3 ret
 5a3: e8 fc ff ff ff call 5a4 <inet6_create+0x2b4>
 5a4: R_386_PC32 build_ehash_secret
 5a8: e9 80 fd ff ff jmp 32d <inet6_create+0x3d>
 5ad: bd a3 ff ff ff mov $0xffffffa3,%ebp
 5b2: 83 7c 24 18 02 cmpl $0x2,0x18(%esp)
 5b7: 74 cc je 585 <inet6_create+0x295>
 5b9: b9 b9 05 00 00 mov $0x5b9,%ecx
 5ba: R_386_32 .text
 5be: ba 01 00 00 00 mov $0x1,%edx
 5c3: b8 00 00 00 00 mov $0x0,%eax
 5c4: R_386_32 rcu_lock_map
 5c8: e8 fc ff ff ff call 5c9 <inet6_create+0x2d9>
 5c9: R_386_PC32 lock_release
 5cd: ff 44 24 18 incl 0x18(%esp)
 5d1: 83 7c 24 18 01 cmpl $0x1,0x18(%esp)
 5d6: 74 5d je 635 <inet6_create+0x345>
 5d8: 89 74 24 08 mov %esi,0x8(%esp)
 5dc: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
 5e3: 00
 5e4: c7 04 24 1b 00 00 00 movl $0x1b,(%esp)
 5e7: R_386_32 .rodata.str1.1
 5eb: e8 fc ff ff ff call 5ec <inet6_create+0x2fc>
 5ec: R_386_PC32 request_module
 5f0: e9 40 fd ff ff jmp 335 <inet6_create+0x45>
 5f5: 89 ce mov %ecx,%esi
 5f7: e9 d7 fd ff ff jmp 3d3 <inet6_create+0xe3>
 5fc: 8b 57 20 mov 0x20(%edi),%edx
 5ff: 66 c1 c0 08 rol $0x8,%ax
 603: 66 89 87 38 02 00 00 mov %ax,0x238(%edi)
 60a: 89 f8 mov %edi,%eax
 60c: ff 52 44 call *0x44(%edx)
 60f: e9 45 ff ff ff jmp 559 <inet6_create+0x269>
 614: 81 fe ff 00 00 00 cmp $0xff,%esi
 61a: 66 89 b7 2a 02 00 00 mov %si,0x22a(%edi)
 621: 0f 85 89 fe ff ff jne 4b0 <inet6_create+0x1c0>
 627: 83 ca 08 or $0x8,%edx
 62a: 88 97 3f 02 00 00 mov %dl,0x23f(%edi)
 630: e9 7b fe ff ff jmp 4b0 <inet6_create+0x1c0>
 635: 8b 54 24 10 mov 0x10(%esp),%edx
 639: 0f bf 42 3c movswl 0x3c(%edx),%eax
 63d: 89 74 24 08 mov %esi,0x8(%esp)
 641: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
 648: 00
 649: c7 04 24 00 00 00 00 movl $0x0,(%esp)
 64c: R_386_32 .rodata.str1.1
 650: 89 44 24 0c mov %eax,0xc(%esp)
 654: e8 fc ff ff ff call 655 <inet6_create+0x365>
 655: R_386_PC32 request_module
 659: e9 d7 fc ff ff jmp 335 <inet6_create+0x45>
 65e: c7 44 24 0c a2 00 00 movl $0xa2,0xc(%esp)
 665: 00
 666: c7 44 24 08 a0 00 00 movl $0xa0,0x8(%esp)
 66d: 00
 66a: R_386_32 .rodata.str1.4
 66e: c7 44 24 04 2e 00 00 movl $0x2e,0x4(%esp)
 675: 00
 672: R_386_32 .rodata.str1.1
 676: c7 04 24 e0 00 00 00 movl $0xe0,(%esp)
 679: R_386_32 .rodata.str1.4
 67d: e8 fc ff ff ff call 67e <inet6_create+0x38e>
 67e: R_386_PC32 printk
 682: e9 a1 fd ff ff jmp 428 <inet6_create+0x138>
 687: 89 f6 mov %esi,%esi
 689: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi

00000690 <inet6_destroy_sock>:

* Re: [BUG] in inet6_create
From: Pavel Emelyanov @ 2007-11-06 8:14 UTC
To: Roel Kluin; +Cc: netdev, linux-net

Roel Kluin wrote:
> Pavel Emelyanov wrote:
>> Can you send us the disasm (objdump -dr) of your ipv6 module?
>> More precisely - I need the disassembled inet6_create() function to
>> figure out where exactly this thing happened.
>
> I was very lucky to still be able to produce this: when the bug hit me, I had just
> recompiled a new kernel; however, since I had previously git-pulled (but not yet
> compiled), the old module was not overwritten.
>
> To answer the question in your other mail - whether I hacked this kernel - I am not
> 100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
> to net code were very trivial one-liner changes that I have previously posted, and
> were generally accepted as fixes.
> --
> 000002f0 <inet6_create>:

Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
(according to this dump) 0x2f0 + 0x5f = 0x34f, but:

1. there's no instruction at this address (there are 0x34e and 0x355)
2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here

There's something wrong with this oops... Is this reproducible? If yes,
can you try the non-patched net-2.6 kernel?

Thanks,
Pavel
* Re: [BUG] in inet6_create
2007-11-06 8:14 ` Pavel Emelyanov
@ 2007-11-06 15:44 ` Roel Kluin
2007-11-06 16:06 ` Pavel Emelyanov
0 siblings, 1 reply; 12+ messages in thread
From: Roel Kluin @ 2007-11-06 15:44 UTC (permalink / raw)
To: Pavel Emelyanov; +Cc: netdev, linux-net
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> Pavel Emelyanov wrote:
>>> Roel Kluin wrote:
>>>> Roel Kluin wrote:
>>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>> running kernel.
>>>>>
>>>>> FYI: my network card was not running (module not loaded, and I just started
>>>>> thunderbird)
>>>>>
>>>>> More information needed?
>>> Yes, please.
>>>
>>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>>> More precisely - I need the disassembled inet6_create() function to
>>> figure out where exactly this thing happened.
>> I was very lucky to still be able to produce this: When the bug hit me, I had just
>> recompiled a new kernel, however, since I had previously git-pulled, (but not yet
>> compiled) the old module was not overwritten.
>>
>> To answer the question in your other mail - whether I hacked this kernel - I am not
>> 100% certain, I am certain, however, that I did not touch IPv6 code, and my changes
>> to net code were very trivial oneliner changes that I have previously posted, and
>> were generally accepted as fixes.
>> --
>> 000002f0 <inet6_create>:
>
> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>
> 1. there's no instruction at this address (there are 0x34e and 0x355)
> 2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here
>
> There's something wrong with this oops...

hmmm, I see my mistake: I _was_ already running the 2.6.24-rc1 kernel.
It even says so in the BUG report.

Since the module is already overwritten, does it still help to make the objdump?

Ok, I'll check for the address... yes, it exists.

Sorry for my mistake, the objdump for this module is below. Note however that the
module has been overwritten previously after kernel compilation.

> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel.

I'll try to reproduce it. I'll confirm it when it happens again.
--
000002f0 <inet6_create>:
* Re: [BUG] in inet6_create
2007-11-06 15:44 ` Roel Kluin
@ 2007-11-06 16:06 ` Pavel Emelyanov
2007-11-06 17:31 ` Roel Kluin
0 siblings, 1 reply; 12+ messages in thread
From: Pavel Emelyanov @ 2007-11-06 16:06 UTC (permalink / raw)
To: Roel Kluin; +Cc: netdev, linux-net
Roel Kluin wrote:
> Pavel Emelyanov wrote:
>> Roel Kluin wrote:
>>> Pavel Emelyanov wrote:
>>>> Roel Kluin wrote:
>>>>> Roel Kluin wrote:
>>>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>>> running kernel.
>>>>>>
>>>>>> FYI: my network card was not running (module not loaded, and I just started
>>>>>> thunderbird)
>>>>>>
>>>>>> More information needed?
>>>> Yes, please.
>>>>
>>>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>>>> More precisely - I need the disassembled inet6_create() function to
>>>> figure out where exactly this thing happened.
>>> I was very lucky to still be able to produce this: When the bug hit me, I had just
>>> recompiled a new kernel, however, since I had previously git-pulled, (but not yet
>>> compiled) the old module was not overwritten.
>>>
>>> To answer the question in your other mail - whether I hacked this kernel - I am not
>>> 100% certain, I am certain, however, that I did not touch IPv6 code, and my changes
>>> to net code were very trivial oneliner changes that I have previously posted, and
>>> were generally accepted as fixes.
>>> --
>>> 000002f0 <inet6_create>:
>> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
>> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>>
>> 1. there's no instruction at this address (there are 0x34e and 0x355)
>> 2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here
>>
>> There's something wrong with this oops...
>
> hmmm, I see my mistake:
> I _was_ already running the 2.6.24-rc1 kernel. It even says so in the BUG report

Brrr... I'm completely confused. What was the kernel that oops-ed?
2.6.24-rc, net-2.6.24-rc1 or net-2.6.24-rc1-with-your-patches?

> Since the module is already overwritten, does it still help to make the objdump?
>
> Ok, I'll check for the address... yes it exists

Yup. My first guess was correct - the inetsw6 list is broken - there's
some NULL pointer in it. Looking at the code I see that this list
is accessed for modifications under the spinlock and that it is properly
initialized in the ->init callback before any code gets the access to this
list. No ideas why this can happen... :(

> Sorry for my mistake, the objdump for this module is below. Note however that the
> module has been overwritten previously after kernel compilation.
>
>> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel.
>
> I'll try to reproduce it. I'll confirm it when it happens again.

Yes, please.
> --
> 000002f0 <inet6_create>:
* Re: [BUG] in inet6_create
2007-11-06 16:06 ` Pavel Emelyanov
@ 2007-11-06 17:31 ` Roel Kluin
0 siblings, 0 replies; 12+ messages in thread
From: Roel Kluin @ 2007-11-06 17:31 UTC (permalink / raw)
To: Pavel Emelyanov; +Cc: netdev, linux-net
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> Pavel Emelyanov wrote:
>>> Roel Kluin wrote:
>>>> Pavel Emelyanov wrote:
>>>>> Roel Kluin wrote:
>>>>>> Roel Kluin wrote:
>>>>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>>>> running kernel.
>>>>>>>
>>>>>>> FYI: my network card was not running (module not loaded, and I just started
>>>>>>> thunderbird)
>>>>>>>
>>>>>>> More information needed?
>>>>> Yes, please.
>>>>>
>>>>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>>>>> More precisely - I need the disassembled inet6_create() function to
>>>>> figure out where exactly this thing happened.
>>>> I was very lucky to still be able to produce this: When the bug hit me, I had just
>>>> recompiled a new kernel, however, since I had previously git-pulled, (but not yet
>>>> compiled) the old module was not overwritten.
>>>>
>>>> To answer the question in your other mail - whether I hacked this kernel - I am not
>>>> 100% certain, I am certain, however, that I did not touch IPv6 code, and my changes
>>>> to net code were very trivial oneliner changes that I have previously posted, and
>>>> were generally accepted as fixes.
>>>> --
>>>> 000002f0 <inet6_create>:
>>> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
>>> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>>>
>>> 1. there's no instruction at this address (there are 0x34e and 0x355)
>>> 2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here
>>>
>>> There's something wrong with this oops...
>> hmmm, I see my mistake:
>> I _was_ already running the 2.6.24-rc1 kernel. It even says so in the BUG report
>
> Brrr... I'm completely confused. What was the kernel that oops-ed?
> 2.6.24-rc, net-2.6.24-rc1 or net-2.6.24-rc1-with-your-patches?

It was a git kernel, pulled from Linus' tree:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git

The version number on the bug was 2.6.24-rc1. I posted here because the bug
mentioned inet6_create and ipv6, which is net code.

>> Since the module is already overwritten, does it still help to make the objdump?
>>
>> Ok, I'll check for the address... yes it exists
>
> Yup. My first guess was correct - the inetsw6 list is broken - there's
> some NULL pointer in it. Looking at the code I see that this list
> is accessed for modifications under the spinlock and that it is properly
> initialized in the ->init callback before any code gets the access to this
> list. No ideas why this can happen... :(
>
>> Sorry for my mistake, the objdump for this module is below. Note however that the
>> module has been overwritten previously after kernel compilation.
>>
>>> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel.
>> I'll try to reproduce it. I'll confirm it when it happens again.
>
> Yes, please.

Ok, I tried but it did not work. My kernel is very non-modular (which is also
called monolithic?); one of the few things that still was a module is my network
card. ipv6 was another.

You may want to skip the next part: a lengthy explanation of the situation
during the bug.

In the original situation I had tried to build a kernel: I was trying an adapted
version of the profile-likely-unlikely-macros.patch, but due to an error in my
code kernel compilation failed. I was using a stupid script which did:

make O=$BUILDDIR; sudo make O=$BUILDDIR modules_install install

Note that I probably didn't run make mrproper beforehand.

Building failed, but modules were removed and I should have recompiled without
the error. I forgot that, so after rebooting my modules didn't work. The kernel
booted because all necessary code is compiled in. My network card didn't
function, however. So I decided to recompile with my network card compiled in.
Then I was doing some other stuff, got bored, pressed Thunderbird - it's an
automatism - and right at that moment I got the oops.

So to try to reproduce this I compiled a new kernel, without compiling and
installing the modules. It did not reoccur, however.

Roel
* Re: [BUG] in inet6_create
2007-11-01 20:07 [BUG] in inet6_create Roel Kluin
2007-11-01 21:14 ` Roel Kluin
@ 2007-11-02 9:59 ` Pavel Emelyanov
2007-11-02 12:54 ` Pavel Emelyanov
2007-11-05 11:00 ` YOSHIFUJI Hideaki / 吉藤英明
2 siblings, 1 reply; 12+ messages in thread
From: Pavel Emelyanov @ 2007-11-02 9:59 UTC (permalink / raw)
To: Roel Kluin, David Miller; +Cc: netdev
Roel Kluin wrote:
> I got this bug recently, I am not sure whether this is related to any previously
> reported ones. It was a recently pulled git kernel. Also I have been hacking my
> kernel a bit lately, but I think that I haven't got any changes in the currently
> running kernel.
>
> FYI: my network card was not running (module not loaded, and I just started
> thunderbird)
>
> Roel
>
> More information needed?

I've tried to objdump my ipv6.ko, and found (at a different offset, but)
the same codeline. It showed that the buggy place was in:

list_for_each_rcu(p, &inetsw6[sock->type]) {

some list_head pointer was NULL.

I looked at the inet6_init (which seems to run at the moment of the
oops according to the calltrace) and found that the ipv6 protocol
is first registered and only after this the inetsw6 lists are
properly initialized.

I suspect that this is a race: we create the socket right after
the new protocol is registered, but before the list heads are
ready. The ->init call is called without the stopmachine, so
other processes run in parallel with it.

This patch should help, but I don't think that such a situation
is easily reproducible.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>

---

diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ecbd388..f9bd26f 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -769,6 +769,10 @@ static int __init inet6_init(void) #endif #endif + /* Register the socket-side information for inet6_create. */ + for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r) + INIT_LIST_HEAD(r); + err = proto_register(&tcpv6_prot, 1); if (err) goto out;
@@ -786,10 +790,6 @@ static int __init inet6_init(void) goto out_unregister_udplite_proto; - /* Register the socket-side information for inet6_create. */ - for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r) - INIT_LIST_HEAD(r); - /* We MUST register RAW sockets before we create the ICMP6, * IGMP6, or NDISC control sockets. */
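Review bot: the reorder in these two hunks does not cover the path in the reported oops, where inet6_create is reached from inet6_init itself (inet6_init -> icmpv6_init -> sock_create_kern -> inet6_create), i.e. from code that runs after the INIT_LIST_HEAD loop in both the old and the new placement, so moving the loop above proto_register(&tcpv6_prot, 1) cannot change what that call trace sees. The description should name the registration that makes inet6_create reachable from other tasks; nothing in the hunks ties proto_register() to socket creation, and without that there is no visible window in which a concurrent socket(AF_INET6) could walk inetsw6 before the loop. If such a concurrent reader is the concern, a plain reorder also needs an ordering guarantee between the list-head stores and the point where the family becomes visible, which this change does not add.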
* Re: [BUG] in inet6_create
2007-11-02 9:59 ` Pavel Emelyanov
@ 2007-11-02 12:54 ` Pavel Emelyanov
0 siblings, 0 replies; 12+ messages in thread
From: Pavel Emelyanov @ 2007-11-02 12:54 UTC (permalink / raw)
To: Roel Kluin, David Miller; +Cc: netdev
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> I got this bug recently, I am not sure whether this is related to any previously
>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>> kernel a bit lately, but I think that I haven't got any changes in the currently
>> running kernel.
>>
>> FYI: my network card was not running (module not loaded, and I just started
>> thunderbird)
>>
>> Roel
>>
>> More information needed?
>
> I've tried to objdump my ipv6.ko, and found (at a different offset,
> but) the same codeline. It showed that the buggy place was in:
>
> list_for_each_rcu(p, &inetsw6[sock->type]) {
>
> some list_head pointer was NULL.
>
> I looked at the inet6_init (which seems to run at the moment of the
> oops according to the calltrace) and found that the ipv6 protocol
> is first registered and only after this the inetsw6 lists are
> properly initialized.

Hm... A deeper look at the code showed that the proto_register() is OK
to be called before the list initialization. Nevertheless, the faulty
place is found correctly (providing that Roel's objdump looks similar
to mine, but it should - this codeline is unique in the ipv6.ko).

Roel, are you sure that the kernel you're running is not hacked by
some of your patches :)

> I suspect that this is a race: we create the socket right after
> the new protocol is registered, but before the list heads are
> ready. The ->init call is called without the stopmachine, so
> other processes run in parallel with it.
>
> This patch should help, but I don't think that such a situation
> is easily reproducible.
>
> Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
>
> ---
> > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c > index ecbd388..f9bd26f 100644 > --- a/net/ipv6/af_inet6.c > +++ b/net/ipv6/af_inet6.c > @@ -769,6 +769,10 @@ static int __init inet6_init(void) > #endif > #endif > > + /* Register the socket-side information for inet6_create. */ > + for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r) > + INIT_LIST_HEAD(r); > + > err = proto_register(&tcpv6_prot, 1); > if (err) > goto out; > @@ -786,10 +790,6 @@ static int __init inet6_init(void) > goto out_unregister_udplite_proto; > > > - /* Register the socket-side information for inet6_create. */ > - for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r) > - INIT_LIST_HEAD(r); > - > /* We MUST register RAW sockets before we create the ICMP6, > * IGMP6, or NDISC control sockets. > */ > ^ permalink raw reply [flat|nested] 12+ messages in thread
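Review bot: moving the INIT_LIST_HEAD loop above proto_register() does not close the race the commit message describes, because proto_register() is not what exposes inet6_create() to socket creation: the reply above already concedes that proto_register() is fine before the list initialization, and David Miller's reply later in the thread points at sock_register() (which takes spinlocks) as the call before which the initialization must be visible. Neither hunk touches the sock_register() call, so the order seen by any socket-creating reader is unchanged, and the race explanation needs different evidence (an ipv6.ko matching the oops, to confirm the faulting line). Minor style point while the loop is being moved: `for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)` should be `for (r = ...)` per kernel coding style.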
* Re: [BUG] in inet6_create 2007-11-01 20:07 [BUG] in inet6_create Roel Kluin 2007-11-01 21:14 ` Roel Kluin 2007-11-02 9:59 ` Pavel Emelyanov @ 2007-11-05 11:00 ` YOSHIFUJI Hideaki / 吉藤英明 2007-11-07 10:34 ` David Miller 2 siblings, 1 reply; 12+ messages in thread From: YOSHIFUJI Hideaki / 吉藤英明 @ 2007-11-05 11:00 UTC (permalink / raw) To: 12o3l, davem; +Cc: netdev, yoshfuji In article <472A3218.20708@tiscali.nl> (at Thu, 01 Nov 2007 21:07:52 +0100), Roel Kluin <12o3l@tiscali.nl> says: > I got this bug recently, I am not sure whether this is related to any previously > reported ones. It was a recently pulled git kernel. Also I have been hacking my > kernel a bit lately, but I think that I haven't got any changes in the currently > running kernel. Please try this. ----- [IPV6]: Ensure to initialize inetsw6 array before we start accepting socket. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ecbd388..9ecd41b 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -789,6 +789,7 @@ static int __init inet6_init(void) /* Register the socket-side information for inet6_create. */ for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r) INIT_LIST_HEAD(r); + synchronize_net(); /* We MUST register RAW sockets before we create the ICMP6, * IGMP6, or NDISC control sockets. -- YOSHIFUJI Hideaki @ USAGI Project <yoshfuji@linux-ipv6.org> GPG-FP : 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA ^ permalink raw reply related [flat|nested] 12+ messages in thread
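Review bot: synchronize_net() after the INIT_LIST_HEAD loop only waits out an RCU grace period; it does not order these stores against a reader already walking inetsw6, and no such reader can exist until inet6_create() is reachable, which this hunk leaves where it was. If a barrier is needed at all it belongs before the call that publishes inet6_create(), with a comment saying what it orders; as placed, the call sleeps for a grace period and changes nothing a reader can observe. The commit message should also read "before we start accepting sockets".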
* Re: [BUG] in inet6_create 2007-11-05 11:00 ` YOSHIFUJI Hideaki / 吉藤英明 @ 2007-11-07 10:34 ` David Miller 0 siblings, 0 replies; 12+ messages in thread From: David Miller @ 2007-11-07 10:34 UTC (permalink / raw) To: yoshfuji; +Cc: 12o3l, netdev From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org> Date: Mon, 05 Nov 2007 20:00:46 +0900 (JST) > [IPV6]: Ensure to initialize inetsw6 array before we start accepting socket. > > Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> > > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c > index ecbd388..9ecd41b 100644 > --- a/net/ipv6/af_inet6.c > +++ b/net/ipv6/af_inet6.c > @@ -789,6 +789,7 @@ static int __init inet6_init(void) > /* Register the socket-side information for inet6_create. */ > for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r) > INIT_LIST_HEAD(r); > + synchronize_net(); > > /* We MUST register RAW sockets before we create the ICMP6, > * IGMP6, or NDISC control sockets. > I don't see how this can make a difference. sock_register() takes spinlocks, and therefore provides a full memory barrier. The list initializations MUST appear before any code path can see inet6_create() and friends. I simply cannot see how this crash is even possible. Also, the original bug reporter cannot provide an inet6.o image that matches any of his OOPS traces, so we cannot analyze this bug properly. ^ permalink raw reply [flat|nested] 12+ messages in thread
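As an added example (not code from the thread or from net/ipv6/af_inet6.c), here is a user-space C model of the mechanism Pavel Emelyanov's objdump points at: inet6_create() walks inetsw6[sock->type] with list_for_each_rcu(), and inetsw6 lives in .bss, so a head that has not been through INIT_LIST_HEAD has next == NULL and the first entry dereference faults at address 0. The list.h pieces are re-implemented here, struct inet_protosw is reduced to a name, inet6_register_protosw() and inet6_create_lookup() are simplified stand-ins for the kernel functions, the constant values are assumed from the 2.6.24 headers, and the readiness check inside the lookup is an addition that exists only so the model returns an error where the kernel oopses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the 2.6.24 headers; nothing else from the kernel is used. */
#define SOCK_MAX         11   /* SOCK_PACKET + 1 */
#define SOCK_RAW          3
#define IPPROTO_IP        0   /* wildcard: matches any protocol in the lookup */
#define IPPROTO_ICMPV6   58
#define EAFNOSUPPORT     97
#define EPROTONOSUPPORT  93

/* Minimal re-implementation of the list.h pieces the lookup relies on. */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->next = head;
    n->prev = head->prev;
    head->prev->next = n;
    head->prev = n;
}

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each(pos, head) \
    for (pos = (head)->next; pos != (head); pos = pos->next)

/* Simplified inet_protosw: the real one carries ->prot and ->ops. */
struct inet_protosw {
    struct list_head list;
    unsigned short type;
    unsigned short protocol;
    const char *name;
};

/* The kernel's inetsw6 is in .bss, so until the INIT_LIST_HEAD loop in
 * inet6_init() runs every next/prev pointer is NULL: model it zero-filled. */
static struct list_head inetsw6[SOCK_MAX];

/* True once inetsw6[type] has been through INIT_LIST_HEAD. The kernel has no
 * such check; it is what lets this model report the hazard instead of hit it. */
static int inetsw6_head_ready(int type)
{
    return type >= 0 && type < SOCK_MAX && inetsw6[type].next != NULL;
}

/* Stand-in for inet6_register_protosw(): append to the per-type list. */
static int inet6_register_protosw(struct inet_protosw *p)
{
    if (!inetsw6_head_ready(p->type))
        return -1;
    list_add_tail(&p->list, &inetsw6[p->type]);
    return 0;
}

/* Stand-in for the lookup at the top of inet6_create(). The kernel walks
 * inetsw6[sock->type] with list_for_each_rcu() and no readiness check: with a
 * zero-filled head, head->next is NULL and the entry it names is read from
 * address 0, which is the NULL dereference in the report. Returns the matching
 * name, or NULL with a negative errno in *err. */
static const char *inet6_create_lookup(int type, int protocol, int *err)
{
    struct list_head *p;
    struct inet_protosw *answer;

    if (!inetsw6_head_ready(type)) {
        *err = -EAFNOSUPPORT;   /* stands in for the oops */
        return NULL;
    }
    list_for_each(p, &inetsw6[type]) {
        answer = container_of(p, struct inet_protosw, list);
        /* exact match, or wildcard on either side, as inet6_create() allows */
        if (protocol == answer->protocol || protocol == IPPROTO_IP ||
            answer->protocol == IPPROTO_IP) {
            *err = 0;
            return answer->name;
        }
    }
    *err = -EPROTONOSUPPORT;
    return NULL;
}

static struct inet_protosw rawv6_protosw = {
    .type = SOCK_RAW, .protocol = IPPROTO_IP, .name = "rawv6",
};

/* The ordering the thread is about: a socket created before the init loop. */
static int create_before_init(void)
{
    int err;
    memset(inetsw6, 0, sizeof inetsw6);
    inet6_create_lookup(SOCK_RAW, IPPROTO_ICMPV6, &err);
    return err;
}

/* The intended ordering: init every head, register RAW, then create the
 * ICMPv6 control socket (the sequence inet6_init()'s comment insists on). */
static int create_after_init(const char **name)
{
    struct list_head *r;
    int err;

    memset(inetsw6, 0, sizeof inetsw6);
    for (r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)
        INIT_LIST_HEAD(r);
    if (inet6_register_protosw(&rawv6_protosw) != 0)
        return -1;
    *name = inet6_create_lookup(SOCK_RAW, IPPROTO_ICMPV6, &err);
    return err;
}

int main(void)
{
    const char *name = NULL;
    int err;

    printf("lookup before INIT_LIST_HEAD: err=%d\n", create_before_init());
    err = create_after_init(&name);
    printf("lookup after INIT_LIST_HEAD:  err=%d name=%s\n", err,
           name ? name : "(none)");
    return 0;
}
```

Built with plain gcc and no kernel headers, create_before_init() returns -EAFNOSUPPORT where the kernel would oops and create_after_init() returns 0 with the rawv6 entry. The model shows what a zero-filled head does to the walk; it cannot say whether any socket-creating path can actually run between the two orderings, which is the point the thread argues over.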
end of thread, other threads:[~2007-11-07 10:34 UTC | newest]

Thread overview: 12+ messages
2007-11-01 20:07 [BUG] in inet6_create Roel Kluin
2007-11-01 21:14 ` Roel Kluin
2007-11-02  9:15 ` Pavel Emelyanov
2007-11-02 17:51 ` Roel Kluin
2007-11-06  8:14 ` Pavel Emelyanov
2007-11-06 15:44 ` Roel Kluin
2007-11-06 16:06 ` Pavel Emelyanov
2007-11-06 17:31 ` Roel Kluin
2007-11-02  9:59 ` Pavel Emelyanov
2007-11-02 12:54 ` Pavel Emelyanov
2007-11-05 11:00 ` YOSHIFUJI Hideaki / 吉藤英明
2007-11-07 10:34 ` David Miller