* [BUG] in inet6_create
From: Roel Kluin @ 2007-11-01 20:07 UTC (permalink / raw)
To: netdev
I got this bug recently; I am not sure whether this is related to any previously
reported ones. It was a recently pulled git kernel. Also, I have been hacking my
kernel a bit lately, but I think that I haven't got any changes in the currently
running kernel.
FYI: my network card was not running (module not loaded, and I just started
thunderbird)
Roel
More information needed?
--
NET: Registered protocol family 10
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip: f881034f *pde = 00000000
Oops: 0000 [#1]
Modules linked in: ipv6
Pid: 17080, comm: modprobe Not tainted (2.6.24-rc1 #1)
EIP: 0060:[<f881034f>] EFLAGS: 00010293 CPU: 0
EIP is at inet6_create+0x5f/0x340 [ipv6]
EAX: 00000000 EBX: 00000000 ECX: f7621fd5 EDX: f8842e78
ESI: ffffffff EDI: 0000003a EBP: ffffff9f ESP: d780de74
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process modprobe (pid: 17080, ti=d780c000 task=c3a86000 task.ti=d780c000)
Stack: 00000000 00000246 00000246 00000003 c60e22a0 00000246 00000000 00000000
f88410fc ffffffea 00000003 c063f680 c028d597 00000002 00000001 c028d52c
c60e22a0 00000003 f8842d00 00000032 00000000 c028d6a7 0000003a f88438c0
Call Trace:
[<c028d597>] __sock_create+0xf7/0x1e0
[<c028d52c>] __sock_create+0x8c/0x1e0
[<c028d6a7>] sock_create_kern+0x27/0x30
[<f88457af>] icmpv6_init+0x1f/0xa0 [ipv6]
[<f884513f>] inet6_init+0x13f/0x2f0 [ipv6]
[<c0144f73>] sys_init_module+0x173/0x16c0
[<c0132860>] autoremove_wake_function+0x0/0x50
[<c0171ef1>] sys_read+0x41/0x70
[<c010818e>] syscall_call+0x7/0xb
=======================
Code: c0 85 c9 0f 84 12 02 00 00 c7 44 24 18 00 00 00 00 0f bf c6 c1 e0 03 8b 98 80 2e 84 f8 8d 90 80 2e 84 f8 89 5c 24 1c 8b 44 24 1c <8b> 00 0f 18 00 90 39 d3 bd a2 ff ff ff 75 36 e9 f3 01 00 00 85
EIP: [<f881034f>] inet6_create+0x5f/0x340 [ipv6] SS:ESP 0068:d780de74
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000000
printing eip: f881034f *pde = 00000000
Oops: 0000 [#2]
Modules linked in: ipv6
Pid: 17078, comm: thunderbird-bin Tainted: G D (2.6.24-rc1 #1)
EIP: 0060:[<f881034f>] EFLAGS: 00210293 CPU: 0
EIP is at inet6_create+0x5f/0x340 [ipv6]
EAX: 00000000 EBX: 00000000 ECX: f7621fd5 EDX: f8842e78
ESI: ffffffff EDI: 00000000 EBP: ffffff9f ESP: c2801f00
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process thunderbird-bin (pid: 17078, ti=c2800000 task=c20bf000 task.ti=c2800000)
Stack: c0185024 00200246 00200246 00000001 c60e2000 00200246 00000000 00000000
f88410fc ffffffea 00000001 c063f680 c028d597 00000002 00000001 c028d52c
c60e2000 00000001 0000000a 08b095bc c2800000 c028d6e9 00000000 c2801f74
Call Trace:
[<c0185024>] new_inode+0x24/0x90
[<c028d597>] __sock_create+0xf7/0x1e0
[<c028d52c>] __sock_create+0x8c/0x1e0
[<c028d6e9>] sock_create+0x39/0x50
[<c028d89c>] sys_socket+0x1c/0x50
[<c028e248>] sys_socketcall+0x68/0x280
[<c013da9b>] trace_hardirqs_on+0xbb/0x160
[<c011b80d>] do_sched_setscheduler+0xad/0xc0
[<c01081fb>] restore_nocheck+0x12/0x15
[<c010818e>] syscall_call+0x7/0xb
=======================
Code: c0 85 c9 0f 84 12 02 00 00 c7 44 24 18 00 00 00 00 0f bf c6 c1 e0 03 8b 98 80 2e 84 f8 8d 90 80 2e 84 f8 89 5c 24 1c 8b 44 24 1c <8b> 00 0f 18 00 90 39 d3 bd a2 ff ff ff 75 36 e9 f3 01 00 00 85
EIP: [<f881034f>] inet6_create+0x5f/0x340 [ipv6] SS:ESP 0068:c2801f00
* Re: [BUG] in inet6_create
From: Roel Kluin @ 2007-11-01 21:14 UTC (permalink / raw)
To: netdev; +Cc: linux-net
Roel Kluin wrote:
> I got this bug recently, I am not sure whether this is related to any previously
> reported ones. It was a recently pulled git kernel. Also I have been hacking my
> kernel a bit lately, but I think that I haven't got any changes in the currently
> running kernel.
>
> FYI: my network card was not running (module not loaded, and I just started
> thunderbird)
>
> Roel
>
> More information needed?
> --
Probably mailing to linux-net was more appropriate.
* Re: [BUG] in inet6_create
From: Pavel Emelyanov @ 2007-11-02 9:15 UTC (permalink / raw)
To: Roel Kluin; +Cc: netdev, linux-net
Roel Kluin wrote:
> Roel Kluin wrote:
>> I got this bug recently, I am not sure whether this is related to any previously
>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>> kernel a bit lately, but I think that I haven't got any changes in the currently
>> running kernel.
>>
>> FYI: my network card was not running (module not loaded, and I just started
>> thunderbird)
>>
>> Roel
>>
>> More information needed?
Yes, please.
Can you send us the disasm (objdump -dr) of your ipv6 module?
More precisely, I need the disassembled inet6_create() function to
figure out where exactly this thing happened.
Thanks,
Pavel
* Re: [BUG] in inet6_create
From: Pavel Emelyanov @ 2007-11-02 9:59 UTC (permalink / raw)
To: Roel Kluin, David Miller; +Cc: netdev
Roel Kluin wrote:
> I got this bug recently, I am not sure whether this is related to any previously
> reported ones. It was a recently pulled git kernel. Also I have been hacking my
> kernel a bit lately, but I think that I haven't got any changes in the currently
> running kernel.
>
> FYI: my network card was not running (module not loaded, and I just started
> thunderbird)
>
> Roel
>
> More information needed?
I've tried to objdump my ipv6.ko, and found (at a different offset,
but) the same codeline. It showed that the buggy place was in:
list_for_each_rcu(p, &inetsw6[sock->type]) {
some list_head pointer was NULL.
I looked at the inet6_init (which seems to run at the moment of the
oops according to the calltrace) and found that the ipv6 protocol
is first registered and only after this the inetsw6 lists are
properly initialized.
I suspect that this is a race: we create the socket right after
the new protocol is registered, but before the list heads are
ready. The ->init call is made without the stopmachine, so
other processes run in parallel with it.
This patch should help, but I don't think that such a situation
is easily reproducible.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
---
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index ecbd388..f9bd26f 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -769,6 +769,10 @@ static int __init inet6_init(void)
#endif
#endif
+ /* Register the socket-side information for inet6_create. */
+ for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)
+ INIT_LIST_HEAD(r);
+
err = proto_register(&tcpv6_prot, 1);
if (err)
goto out;
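Review bot: the loop is moved ahead of proto_register(&tcpv6_prot, 1), but proto_register() publishes a struct proto, it is not what makes family 10 reachable from sys_socket(); that is the sock_register() call behind the "NET: Registered protocol family 10" line in the report, and this hunk does not show where that call sits relative to the old loop position. Please either include that context in the diff or state the ordering in the commit message, otherwise it is not possible to tell whether this closes the window the message describes. Note also that the first oops in the report is raised from modprobe's own inet6_init -> icmpv6_init -> sock_create_kern path, i.e. from inside the function being patched rather than from a racing process.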
@@ -786,10 +790,6 @@ static int __init inet6_init(void)
goto out_unregister_udplite_proto;
- /* Register the socket-side information for inet6_create. */
- for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)
- INIT_LIST_HEAD(r);
-
/* We MUST register RAW sockets before we create the ICMP6,
* IGMP6, or NDISC control sockets.
*/
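Review bot: the removed block sat directly above the "We MUST register RAW sockets before we create the ICMP6, IGMP6, or NDISC control sockets" comment, so in both the old and the new order the in-kernel control sockets are created after the INIT_LIST_HEAD() loop has run. The modprobe oops in the report comes from exactly that path (icmpv6_init -> sock_create_kern -> inet6_create) and finds a NULL head anyway, which this reordering cannot account for. The commit message should say which of the two oopses the patch addresses, or the trace should be reconciled with the race theory before this is merged.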
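Added example, not code from the thread or from the kernel: a user-space C model of the inetsw6 table and of the matching loop inet6_create() runs over it. It shows why a head that has never been through INIT_LIST_HEAD() (zero-filled .bss memory) is a NULL pointer to the traversal, and how the loop yields the two errno constants visible in the disassembly once the heads are initialised. struct protosw, inet6_lookup(), the -EAGAIN guard and the sample entries are simplifications made up for this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed stand-ins for the kernel constants involved. */
#define SOCK_MAX    11
#define SOCK_STREAM 1
#define SOCK_DGRAM  2
#define SOCK_RAW    3
#define IPPROTO_IP  0

/* Minimal list.h subset, enough to model how inetsw6[] is handled. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Simplified stand-in for struct inet_protosw: only what the lookup reads. */
struct protosw {
    struct list_head list;
    unsigned short type;
    unsigned short protocol;
};

/* File-scope and zero-filled: models inetsw6[] living in .bss. Until
 * init_inetsw6() runs, every head is {NULL, NULL}; that is the state the
 * oops shows (EAX = 0, fault at address 0 while loading head->next). */
static struct list_head inetsw6[SOCK_MAX];
static struct protosw *found;   /* result slot shared by main() and tests */

/* Constructed sample entries; rawv6 registers with the IPPROTO_IP wildcard. */
static struct protosw tcpv6_sw = { .type = SOCK_STREAM, .protocol = 6 };
static struct protosw udpv6_sw = { .type = SOCK_DGRAM,  .protocol = 17 };
static struct protosw rawv6_sw = { .type = SOCK_RAW,    .protocol = IPPROTO_IP };

/* The loop that both patches in the thread move or fence. */
static void init_inetsw6(void)
{
    struct list_head *r;
    for (r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)
        INIT_LIST_HEAD(r);
}

static void register_protosw(struct protosw *p)
{
    list_add_tail(&p->list, &inetsw6[p->type]);
}

/* Mirrors the protocol-matching loop of inet6_create(). Returns 0 and sets
 * *answer on a match; -ESOCKTNOSUPPORT (-94, the 0xffffffa2 constant in the
 * disassembly) when the list for this type is empty; -EPROTONOSUPPORT (-93,
 * 0xffffffa3) when entries exist but none match. A wildcard request
 * (IPPROTO_IP) takes the first entry; a wildcard entry accepts any protocol.
 * The head->next == NULL guard is not in the kernel: it is added here so the
 * uninitialised-head case is observable instead of a NULL dereference. */
static int inet6_lookup(int type, int protocol, struct protosw **answer)
{
    struct list_head *head, *p;
    int err = -ESOCKTNOSUPPORT;
    if (type < 0 || type >= SOCK_MAX)
        return -EINVAL;
    head = &inetsw6[type];
    if (head->next == NULL)               /* never saw INIT_LIST_HEAD() */
        return -EAGAIN;

    for (p = head->next; p != head; p = p->next) {
        struct protosw *sw = list_entry(p, struct protosw, list);
        if (protocol == sw->protocol) {
            if (protocol != IPPROTO_IP) { *answer = sw; return 0; }
        } else if (protocol == IPPROTO_IP || sw->protocol == IPPROTO_IP) {
            *answer = sw;
            return 0;
        }
        err = -EPROTONOSUPPORT;
    }
    return err;
}

int main(void)
{
    /* Lookup on the zero-filled table: the oops path, minus the crash. */
    printf("before init: %d (-EAGAIN)\n", inet6_lookup(SOCK_STREAM, 6, &found));
    init_inetsw6();
    printf("after init, empty list: %d (-ESOCKTNOSUPPORT)\n",
           inet6_lookup(SOCK_STREAM, 6, &found));
    register_protosw(&tcpv6_sw);
    register_protosw(&udpv6_sw);
    register_protosw(&rawv6_sw);
    printf("SOCK_STREAM/17: %d (-EPROTONOSUPPORT)\n",
           inet6_lookup(SOCK_STREAM, 17, &found));
    return 0;
}
```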
* Re: [BUG] in inet6_create
From: Pavel Emelyanov @ 2007-11-02 12:54 UTC (permalink / raw)
To: Roel Kluin, David Miller; +Cc: netdev
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> I got this bug recently, I am not sure whether this is related to any previously
>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>> kernel a bit lately, but I think that I haven't got any changes in the currently
>> running kernel.
>>
>> FYI: my network card was not running (module not loaded, and I just started
>> thunderbird)
>>
>> Roel
>>
>> More information needed?
>
> I've tried to objdump my ipv6.ko, and found (at the different offset,
> but) the same codeline. It showed that the buggy place was in:
>
> list_for_each_rcu(p, &inetsw6[sock->type]) {
>
> some list_head pointer was NULL.
>
> I looked at the inet6_init (which seems to run at the moment of the
> oops according to the calltrace) and found that the ipv6 protocol
> is first registered and only after this the inetsw6 lists are
> properly initialized.
Hm... A deeper look at the code showed that proto_register() is
OK to be called before the list initialization.
Nevertheless, the faulty place is found correctly (provided that
Roel's objdump looks similar to mine, but it should; this codeline
is unique in the ipv6.ko).
Roel, are you sure that the kernel you're running is not hacked
by some of your patches? :)
> I suspect that this is a race: we create the socket right after
> the new protocol is registered, but before the list heads are
> ready. The ->init call is called without the stopmachine, so
> other process run in parallel with it.
* Re: [BUG] in inet6_create
From: Roel Kluin @ 2007-11-02 17:51 UTC (permalink / raw)
To: Pavel Emelyanov; +Cc: netdev, linux-net
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> Roel Kluin wrote:
>>> I got this bug recently, I am not sure whether this is related to any previously
>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>> running kernel.
>>>
>>> FYI: my network card was not running (module not loaded, and I just started
>>> thunderbird)
>>>
>>> Roel
>>>
>>> More information needed?
>
> Yes, please.
>
> Can you send us the disasm (objdump -dr) of your ipv6 module.
> More precisely - I need the disassembled inet6_create() function to
> figure out where exactly this thing happened.
I was very lucky to still be able to produce this: when the bug hit me, I had just
recompiled a new kernel; however, since I had previously git-pulled (but not yet
compiled), the old module was not overwritten.
To answer the question in your other mail (whether I hacked this kernel): I am not
100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
to net code were very trivial one-liner changes that I have previously posted and
that were generally accepted as fixes.
--
000002f0 <inet6_create>:
2f0: 55 push %ebp
2f1: bd 9f ff ff ff mov $0xffffff9f,%ebp
2f6: 57 push %edi
2f7: 56 push %esi
2f8: 89 ce mov %ecx,%esi
2fa: 53 push %ebx
2fb: 83 ec 20 sub $0x20,%esp
2fe: 3d 00 00 00 00 cmp $0x0,%eax
2ff: R_386_32 init_net
303: 89 54 24 10 mov %edx,0x10(%esp)
307: 74 0a je 313 <inet6_create+0x23>
309: 83 c4 20 add $0x20,%esp
30c: 89 e8 mov %ebp,%eax
30e: 5b pop %ebx
30f: 5e pop %esi
310: 5f pop %edi
311: 5d pop %ebp
312: c3 ret
313: 8b 42 3c mov 0x3c(%edx),%eax
316: 83 e8 02 sub $0x2,%eax
319: 66 83 f8 01 cmp $0x1,%ax
31d: 76 0e jbe 32d <inet6_create+0x3d>
31f: 8b 0d 00 00 00 00 mov 0x0,%ecx
321: R_386_32 inet_ehash_secret
325: 85 c9 test %ecx,%ecx
327: 0f 84 76 02 00 00 je 5a3 <inet6_create+0x2b3>
32d: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp)
334: 00
335: 31 d2 xor %edx,%edx
337: 31 c9 xor %ecx,%ecx
339: b8 00 00 00 00 mov $0x0,%eax
33a: R_386_32 rcu_lock_map
33e: c7 44 24 08 35 03 00 movl $0x335,0x8(%esp)
345: 00
342: R_386_32 .text
346: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
34d: 00
34e: c7 04 24 02 00 00 00 movl $0x2,(%esp)
355: e8 fc ff ff ff call 356 <inet6_create+0x66>
356: R_386_PC32 lock_acquire
35a: 8b 44 24 10 mov 0x10(%esp),%eax
35e: 8b 78 3c mov 0x3c(%eax),%edi
361: 0f bf c7 movswl %di,%eax
364: c1 e0 03 shl $0x3,%eax
367: 8b 98 00 00 00 00 mov 0x0(%eax),%ebx
369: R_386_32 .bss
36d: 8d 90 00 00 00 00 lea 0x0(%eax),%edx
36f: R_386_32 .bss
373: 89 5c 24 1c mov %ebx,0x1c(%esp)
377: 8b 44 24 1c mov 0x1c(%esp),%eax
37b: 8b 00 mov (%eax),%eax
37d: 8d 44 20 00 lea 0x0(%eax),%eax
381: 39 d3 cmp %edx,%ebx
383: bd a2 ff ff ff mov $0xffffffa2,%ebp
388: 75 3a jne 3c4 <inet6_create+0xd4>
38a: e9 23 02 00 00 jmp 5b2 <inet6_create+0x2c2>
38f: 90 nop
390: 85 f6 test %esi,%esi
392: 0f 84 5d 02 00 00 je 5f5 <inet6_create+0x305>
398: 66 85 c0 test %ax,%ax
39b: 90 nop
39c: 8d 74 26 00 lea 0x0(%esi),%esi
3a0: 74 31 je 3d3 <inet6_create+0xe3>
3a2: 8b 1b mov (%ebx),%ebx
3a4: 89 5c 24 1c mov %ebx,0x1c(%esp)
3a8: 8b 44 24 1c mov 0x1c(%esp),%eax
3ac: 8b 00 mov (%eax),%eax
3ae: 8d 44 20 00 lea 0x0(%eax),%eax
3b2: 0f bf c7 movswl %di,%eax
3b5: 8d 04 c5 00 00 00 00 lea 0x0(,%eax,8),%eax
3b8: R_386_32 .bss
3bc: 39 d8 cmp %ebx,%eax
3be: 0f 84 e9 01 00 00 je 5ad <inet6_create+0x2bd>
3c4: 0f b7 43 0a movzwl 0xa(%ebx),%eax
3c8: 0f b7 c8 movzwl %ax,%ecx
3cb: 39 ce cmp %ecx,%esi
3cd: 75 c1 jne 390 <inet6_create+0xa0>
3cf: 85 f6 test %esi,%esi
3d1: 74 cf je 3a2 <inet6_create+0xb2>
3d3: 8b 43 14 mov 0x14(%ebx),%eax
3d6: 85 c0 test %eax,%eax
3d8: 7e 12 jle 3ec <inet6_create+0xfc>
3da: e8 fc ff ff ff call 3db <inet6_create+0xeb>
3db: R_386_PC32 capable
3df: 85 c0 test %eax,%eax
3e1: bd ff ff ff ff mov $0xffffffff,%ebp
3e6: 0f 84 99 01 00 00 je 585 <inet6_create+0x295>
3ec: 8b 43 10 mov 0x10(%ebx),%eax
3ef: 8b 54 24 10 mov 0x10(%esp),%edx
3f3: b9 ec 03 00 00 mov $0x3ec,%ecx
3f4: R_386_32 .text
3f8: 89 42 08 mov %eax,0x8(%edx)
3fb: 0f b6 43 18 movzbl 0x18(%ebx),%eax
3ff: 8b 7b 0c mov 0xc(%ebx),%edi
402: 88 44 24 17 mov %al,0x17(%esp)
406: 0f b6 53 19 movzbl 0x19(%ebx),%edx
40a: b8 00 00 00 00 mov $0x0,%eax
40b: R_386_32 rcu_lock_map
40f: 88 54 24 16 mov %dl,0x16(%esp)
413: ba 01 00 00 00 mov $0x1,%edx
418: e8 fc ff ff ff call 419 <inet6_create+0x129>
419: R_386_PC32 lock_release
41d: 8b 57 70 mov 0x70(%edi),%edx
420: 85 d2 test %edx,%edx
422: 0f 84 36 02 00 00 je 65e <inet6_create+0x36e>
428: b9 d0 00 00 00 mov $0xd0,%ecx
42d: ba 0a 00 00 00 mov $0xa,%edx
432: b8 00 00 00 00 mov $0x0,%eax
433: R_386_32 init_net
437: 89 3c 24 mov %edi,(%esp)
43a: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
441: 00
442: bd 97 ff ff ff mov $0xffffff97,%ebp
447: e8 fc ff ff ff call 448 <inet6_create+0x158>
448: R_386_PC32 sk_alloc
44c: 85 c0 test %eax,%eax
44e: 89 c7 mov %eax,%edi
450: 0f 84 b3 fe ff ff je 309 <inet6_create+0x19>
456: 89 c2 mov %eax,%edx
458: 8b 44 24 10 mov 0x10(%esp),%eax
45c: e8 fc ff ff ff call 45d <inet6_create+0x16d>
45d: R_386_PC32 sock_init_data
461: 80 64 24 17 03 andb $0x3,0x17(%esp)
466: 0f b6 54 24 17 movzbl 0x17(%esp),%edx
46b: 0f b6 47 28 movzbl 0x28(%edi),%eax
46f: c1 e2 02 shl $0x2,%edx
472: 83 e0 f3 and $0xfffffff3,%eax
475: 09 d0 or %edx,%eax
477: 88 47 28 mov %al,0x28(%edi)
47a: 0f b6 44 24 16 movzbl 0x16(%esp),%eax
47f: a8 01 test $0x1,%al
481: 74 04 je 487 <inet6_create+0x197>
483: c6 47 03 01 movb $0x1,0x3(%edi)
487: 0f b6 97 3f 02 00 00 movzbl 0x23f(%edi),%edx
48e: c1 e8 02 shr $0x2,%eax
491: 83 e0 01 and $0x1,%eax
494: 01 c0 add %eax,%eax
496: 83 e2 fd and $0xfffffffd,%edx
499: 09 c2 or %eax,%edx
49b: 88 97 3f 02 00 00 mov %dl,0x23f(%edi)
4a1: 8b 44 24 10 mov 0x10(%esp),%eax
4a5: 66 83 78 3c 03 cmpw $0x3,0x3c(%eax)
4aa: 0f 84 64 01 00 00 je 614 <inet6_create+0x324>
4b0: 89 f2 mov %esi,%edx
4b2: c7 87 18 02 00 00 00 movl $0x0,0x218(%edi)
4b9: 00 00 00
4b8: R_386_32 inet_sock_destruct
4bc: 66 c7 07 0a 00 movw $0xa,(%edi)
4c1: 88 57 29 mov %dl,0x29(%edi)
4c4: 8b 43 0c mov 0xc(%ebx),%eax
4c7: 8b 40 40 mov 0x40(%eax),%eax
4ca: 89 87 14 02 00 00 mov %eax,0x214(%edi)
4d0: 8b 47 20 mov 0x20(%edi),%eax
4d3: 8b 48 74 mov 0x74(%eax),%ecx
4d6: 83 e9 70 sub $0x70,%ecx
4d9: 8d 0c 0f lea (%edi,%ecx,1),%ecx
4dc: 89 8f 1c 02 00 00 mov %ecx,0x21c(%edi)
4e2: 0f b6 41 46 movzbl 0x46(%ecx),%eax
4e6: 66 c7 41 3c ff ff movw $0xffff,0x3c(%ecx)
4ec: 66 c7 41 3e ff ff movw $0xffff,0x3e(%ecx)
4f2: 83 e0 e7 and $0xffffffe7,%eax
4f5: 83 c8 09 or $0x9,%eax
4f8: 88 41 46 mov %al,0x46(%ecx)
4fb: 0f b6 15 00 00 00 00 movzbl 0x0,%edx
4fe: R_386_32 sysctl_ipv6_bindv6only
502: 83 e0 df and $0xffffffdf,%eax
505: 83 e2 01 and $0x1,%edx
508: c1 e2 05 shl $0x5,%edx
50b: 09 d0 or %edx,%eax
50d: 88 41 46 mov %al,0x46(%ecx)
510: 80 8f 3f 02 00 00 10 orb $0x10,0x23f(%edi)
517: 66 c7 87 30 02 00 00 movw $0xffff,0x230(%edi)
51e: ff ff
520: c6 87 3d 02 00 00 01 movb $0x1,0x23d(%edi)
527: c7 87 40 02 00 00 00 movl $0x0,0x240(%edi)
52e: 00 00 00
531: c7 87 48 02 00 00 00 movl $0x0,0x248(%edi)
538: 00 00 00
53b: a1 04 00 00 00 mov 0x4,%eax
53c: R_386_32 ipv4_config
540: 85 c0 test %eax,%eax
542: 0f b7 87 2a 02 00 00 movzwl 0x22a(%edi),%eax
549: 0f 94 87 3e 02 00 00 sete 0x23e(%edi)
550: 66 85 c0 test %ax,%ax
553: 0f 85 a3 00 00 00 jne 5fc <inet6_create+0x30c>
559: 8b 47 20 mov 0x20(%edi),%eax
55c: 31 ed xor %ebp,%ebp
55e: 8b 50 14 mov 0x14(%eax),%edx
561: 85 d2 test %edx,%edx
563: 0f 84 a0 fd ff ff je 309 <inet6_create+0x19>
569: 89 f8 mov %edi,%eax
56b: ff d2 call *%edx
56d: 85 c0 test %eax,%eax
56f: 89 c5 mov %eax,%ebp
571: 0f 84 92 fd ff ff je 309 <inet6_create+0x19>
577: 89 f8 mov %edi,%eax
579: e8 fc ff ff ff call 57a <inet6_create+0x28a>
57a: R_386_PC32 sk_common_release
57e: 66 90 xchg %ax,%ax
580: e9 84 fd ff ff jmp 309 <inet6_create+0x19>
585: b8 00 00 00 00 mov $0x0,%eax
586: R_386_32 rcu_lock_map
58a: b9 85 05 00 00 mov $0x585,%ecx
58b: R_386_32 .text
58f: ba 01 00 00 00 mov $0x1,%edx
594: e8 fc ff ff ff call 595 <inet6_create+0x2a5>
595: R_386_PC32 lock_release
599: 83 c4 20 add $0x20,%esp
59c: 89 e8 mov %ebp,%eax
59e: 5b pop %ebx
59f: 5e pop %esi
5a0: 5f pop %edi
5a1: 5d pop %ebp
5a2: c3 ret
5a3: e8 fc ff ff ff call 5a4 <inet6_create+0x2b4>
5a4: R_386_PC32 build_ehash_secret
5a8: e9 80 fd ff ff jmp 32d <inet6_create+0x3d>
5ad: bd a3 ff ff ff mov $0xffffffa3,%ebp
5b2: 83 7c 24 18 02 cmpl $0x2,0x18(%esp)
5b7: 74 cc je 585 <inet6_create+0x295>
5b9: b9 b9 05 00 00 mov $0x5b9,%ecx
5ba: R_386_32 .text
5be: ba 01 00 00 00 mov $0x1,%edx
5c3: b8 00 00 00 00 mov $0x0,%eax
5c4: R_386_32 rcu_lock_map
5c8: e8 fc ff ff ff call 5c9 <inet6_create+0x2d9>
5c9: R_386_PC32 lock_release
5cd: ff 44 24 18 incl 0x18(%esp)
5d1: 83 7c 24 18 01 cmpl $0x1,0x18(%esp)
5d6: 74 5d je 635 <inet6_create+0x345>
5d8: 89 74 24 08 mov %esi,0x8(%esp)
5dc: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
5e3: 00
5e4: c7 04 24 1b 00 00 00 movl $0x1b,(%esp)
5e7: R_386_32 .rodata.str1.1
5eb: e8 fc ff ff ff call 5ec <inet6_create+0x2fc>
5ec: R_386_PC32 request_module
5f0: e9 40 fd ff ff jmp 335 <inet6_create+0x45>
5f5: 89 ce mov %ecx,%esi
5f7: e9 d7 fd ff ff jmp 3d3 <inet6_create+0xe3>
5fc: 8b 57 20 mov 0x20(%edi),%edx
5ff: 66 c1 c0 08 rol $0x8,%ax
603: 66 89 87 38 02 00 00 mov %ax,0x238(%edi)
60a: 89 f8 mov %edi,%eax
60c: ff 52 44 call *0x44(%edx)
60f: e9 45 ff ff ff jmp 559 <inet6_create+0x269>
614: 81 fe ff 00 00 00 cmp $0xff,%esi
61a: 66 89 b7 2a 02 00 00 mov %si,0x22a(%edi)
621: 0f 85 89 fe ff ff jne 4b0 <inet6_create+0x1c0>
627: 83 ca 08 or $0x8,%edx
62a: 88 97 3f 02 00 00 mov %dl,0x23f(%edi)
630: e9 7b fe ff ff jmp 4b0 <inet6_create+0x1c0>
635: 8b 54 24 10 mov 0x10(%esp),%edx
639: 0f bf 42 3c movswl 0x3c(%edx),%eax
63d: 89 74 24 08 mov %esi,0x8(%esp)
641: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
648: 00
649: c7 04 24 00 00 00 00 movl $0x0,(%esp)
64c: R_386_32 .rodata.str1.1
650: 89 44 24 0c mov %eax,0xc(%esp)
654: e8 fc ff ff ff call 655 <inet6_create+0x365>
655: R_386_PC32 request_module
659: e9 d7 fc ff ff jmp 335 <inet6_create+0x45>
65e: c7 44 24 0c a2 00 00 movl $0xa2,0xc(%esp)
665: 00
666: c7 44 24 08 a0 00 00 movl $0xa0,0x8(%esp)
66d: 00
66a: R_386_32 .rodata.str1.4
66e: c7 44 24 04 2e 00 00 movl $0x2e,0x4(%esp)
675: 00
672: R_386_32 .rodata.str1.1
676: c7 04 24 e0 00 00 00 movl $0xe0,(%esp)
679: R_386_32 .rodata.str1.4
67d: e8 fc ff ff ff call 67e <inet6_create+0x38e>
67e: R_386_PC32 printk
682: e9 a1 fd ff ff jmp 428 <inet6_create+0x138>
687: 89 f6 mov %esi,%esi
689: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
00000690 <inet6_destroy_sock>:
* Re: [BUG] in inet6_create
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2007-11-05 11:00 UTC (permalink / raw)
To: 12o3l, davem; +Cc: netdev, yoshfuji
In article <472A3218.20708@tiscali.nl> (at Thu, 01 Nov 2007 21:07:52 +0100), Roel Kluin <12o3l@tiscali.nl> says:
> I got this bug recently, I am not sure whether this is related to any previously
> reported ones. It was a recently pulled git kernel. Also I have been hacking my
> kernel a bit lately, but I think that I haven't got any changes in the currently
> running kernel.
Please try this.
-----
[IPV6]: Ensure the inetsw6 array is initialized before we start accepting sockets.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index ecbd388..9ecd41b 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -789,6 +789,7 @@ static int __init inet6_init(void)
/* Register the socket-side information for inet6_create. */
for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)
INIT_LIST_HEAD(r);
+ synchronize_net();
/* We MUST register RAW sockets before we create the ICMP6,
* IGMP6, or NDISC control sockets.
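Review bot: synchronize_net() (a wrapper around synchronize_rcu()) only waits for readers that are already inside an rcu_read_lock() section when it is called; it neither stops a new inet6_create() from entering list_for_each_rcu() after this point nor helps a reader that was already walking a zero-filled head before the loop above ran, so on its own it does not provide the "before we start accepting socket" ordering the title promises. Please add a comment on the new line saying what the grace period is meant to separate (the INIT_LIST_HEAD() stores above from readers that already see the family as registered), or state in the commit message where the family registration sits relative to this loop, so the fix can be checked against the call trace in the report.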
--
YOSHIFUJI Hideaki @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG-FP : 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* Re: [BUG] in inet6_create
From: Pavel Emelyanov @ 2007-11-06 8:14 UTC (permalink / raw)
To: Roel Kluin; +Cc: netdev, linux-net
Roel Kluin wrote:
> Pavel Emelyanov wrote:
>> Roel Kluin wrote:
>>> Roel Kluin wrote:
>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>> running kernel.
>>>>
>>>> FYI: my network card was not running (module not loaded, and I just started
>>>> thunderbird)
>>>>
>>>> Roel
>>>>
>>>> More information needed?
>> Yes, please.
>>
>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>> More precisely - I need the disassembled inet6_create() function to
>> figure out where exactly this thing happened.
>
> I was very lucky to still be able to produce this: When the bug hit me, I had just
> recompiled a new kernel, however, since I had previously git-pulled, (but not yet
> compiled) the old module was not overwritten.
>
> to answer the question in your other mail - whether I hacked this kernel - I am not
> 100% certain, I am certain, however that I did not touch IPv6 code, and my changes
> to net code were very trivial oneliner changes that I have previously posted, and
> were generally accepted as fixes.
> --
> 000002f0 <inet6_create>:
Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
(according to this dump) 0x2f0 + 0x5f = 0x34f, but:
1. there's no instruction at this address (there are 0x34e and 0x355)
2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here
There's something wrong with this oops...
Is this reproducible? If yes, can you try the non-patched net-2.6 kernel?
Thanks,
Pavel
> 3c4: 0f b7 43 0a movzwl 0xa(%ebx),%eax
> 3c8: 0f b7 c8 movzwl %ax,%ecx
> 3cb: 39 ce cmp %ecx,%esi
> 3cd: 75 c1 jne 390 <inet6_create+0xa0>
> 3cf: 85 f6 test %esi,%esi
> 3d1: 74 cf je 3a2 <inet6_create+0xb2>
> 3d3: 8b 43 14 mov 0x14(%ebx),%eax
> 3d6: 85 c0 test %eax,%eax
> 3d8: 7e 12 jle 3ec <inet6_create+0xfc>
> 3da: e8 fc ff ff ff call 3db <inet6_create+0xeb>
> 3db: R_386_PC32 capable
> 3df: 85 c0 test %eax,%eax
> 3e1: bd ff ff ff ff mov $0xffffffff,%ebp
> 3e6: 0f 84 99 01 00 00 je 585 <inet6_create+0x295>
> 3ec: 8b 43 10 mov 0x10(%ebx),%eax
> 3ef: 8b 54 24 10 mov 0x10(%esp),%edx
> 3f3: b9 ec 03 00 00 mov $0x3ec,%ecx
> 3f4: R_386_32 .text
> 3f8: 89 42 08 mov %eax,0x8(%edx)
> 3fb: 0f b6 43 18 movzbl 0x18(%ebx),%eax
> 3ff: 8b 7b 0c mov 0xc(%ebx),%edi
> 402: 88 44 24 17 mov %al,0x17(%esp)
> 406: 0f b6 53 19 movzbl 0x19(%ebx),%edx
> 40a: b8 00 00 00 00 mov $0x0,%eax
> 40b: R_386_32 rcu_lock_map
> 40f: 88 54 24 16 mov %dl,0x16(%esp)
> 413: ba 01 00 00 00 mov $0x1,%edx
> 418: e8 fc ff ff ff call 419 <inet6_create+0x129>
> 419: R_386_PC32 lock_release
> 41d: 8b 57 70 mov 0x70(%edi),%edx
> 420: 85 d2 test %edx,%edx
> 422: 0f 84 36 02 00 00 je 65e <inet6_create+0x36e>
> 428: b9 d0 00 00 00 mov $0xd0,%ecx
> 42d: ba 0a 00 00 00 mov $0xa,%edx
> 432: b8 00 00 00 00 mov $0x0,%eax
> 433: R_386_32 init_net
> 437: 89 3c 24 mov %edi,(%esp)
> 43a: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
> 441: 00
> 442: bd 97 ff ff ff mov $0xffffff97,%ebp
> 447: e8 fc ff ff ff call 448 <inet6_create+0x158>
> 448: R_386_PC32 sk_alloc
> 44c: 85 c0 test %eax,%eax
> 44e: 89 c7 mov %eax,%edi
> 450: 0f 84 b3 fe ff ff je 309 <inet6_create+0x19>
> 456: 89 c2 mov %eax,%edx
> 458: 8b 44 24 10 mov 0x10(%esp),%eax
> 45c: e8 fc ff ff ff call 45d <inet6_create+0x16d>
> 45d: R_386_PC32 sock_init_data
> 461: 80 64 24 17 03 andb $0x3,0x17(%esp)
> 466: 0f b6 54 24 17 movzbl 0x17(%esp),%edx
> 46b: 0f b6 47 28 movzbl 0x28(%edi),%eax
> 46f: c1 e2 02 shl $0x2,%edx
> 472: 83 e0 f3 and $0xfffffff3,%eax
> 475: 09 d0 or %edx,%eax
> 477: 88 47 28 mov %al,0x28(%edi)
> 47a: 0f b6 44 24 16 movzbl 0x16(%esp),%eax
> 47f: a8 01 test $0x1,%al
> 481: 74 04 je 487 <inet6_create+0x197>
> 483: c6 47 03 01 movb $0x1,0x3(%edi)
> 487: 0f b6 97 3f 02 00 00 movzbl 0x23f(%edi),%edx
> 48e: c1 e8 02 shr $0x2,%eax
> 491: 83 e0 01 and $0x1,%eax
> 494: 01 c0 add %eax,%eax
> 496: 83 e2 fd and $0xfffffffd,%edx
> 499: 09 c2 or %eax,%edx
> 49b: 88 97 3f 02 00 00 mov %dl,0x23f(%edi)
> 4a1: 8b 44 24 10 mov 0x10(%esp),%eax
> 4a5: 66 83 78 3c 03 cmpw $0x3,0x3c(%eax)
> 4aa: 0f 84 64 01 00 00 je 614 <inet6_create+0x324>
> 4b0: 89 f2 mov %esi,%edx
> 4b2: c7 87 18 02 00 00 00 movl $0x0,0x218(%edi)
> 4b9: 00 00 00
> 4b8: R_386_32 inet_sock_destruct
> 4bc: 66 c7 07 0a 00 movw $0xa,(%edi)
> 4c1: 88 57 29 mov %dl,0x29(%edi)
> 4c4: 8b 43 0c mov 0xc(%ebx),%eax
> 4c7: 8b 40 40 mov 0x40(%eax),%eax
> 4ca: 89 87 14 02 00 00 mov %eax,0x214(%edi)
> 4d0: 8b 47 20 mov 0x20(%edi),%eax
> 4d3: 8b 48 74 mov 0x74(%eax),%ecx
> 4d6: 83 e9 70 sub $0x70,%ecx
> 4d9: 8d 0c 0f lea (%edi,%ecx,1),%ecx
> 4dc: 89 8f 1c 02 00 00 mov %ecx,0x21c(%edi)
> 4e2: 0f b6 41 46 movzbl 0x46(%ecx),%eax
> 4e6: 66 c7 41 3c ff ff movw $0xffff,0x3c(%ecx)
> 4ec: 66 c7 41 3e ff ff movw $0xffff,0x3e(%ecx)
> 4f2: 83 e0 e7 and $0xffffffe7,%eax
> 4f5: 83 c8 09 or $0x9,%eax
> 4f8: 88 41 46 mov %al,0x46(%ecx)
> 4fb: 0f b6 15 00 00 00 00 movzbl 0x0,%edx
> 4fe: R_386_32 sysctl_ipv6_bindv6only
> 502: 83 e0 df and $0xffffffdf,%eax
> 505: 83 e2 01 and $0x1,%edx
> 508: c1 e2 05 shl $0x5,%edx
> 50b: 09 d0 or %edx,%eax
> 50d: 88 41 46 mov %al,0x46(%ecx)
> 510: 80 8f 3f 02 00 00 10 orb $0x10,0x23f(%edi)
> 517: 66 c7 87 30 02 00 00 movw $0xffff,0x230(%edi)
> 51e: ff ff
> 520: c6 87 3d 02 00 00 01 movb $0x1,0x23d(%edi)
> 527: c7 87 40 02 00 00 00 movl $0x0,0x240(%edi)
> 52e: 00 00 00
> 531: c7 87 48 02 00 00 00 movl $0x0,0x248(%edi)
> 538: 00 00 00
> 53b: a1 04 00 00 00 mov 0x4,%eax
> 53c: R_386_32 ipv4_config
> 540: 85 c0 test %eax,%eax
> 542: 0f b7 87 2a 02 00 00 movzwl 0x22a(%edi),%eax
> 549: 0f 94 87 3e 02 00 00 sete 0x23e(%edi)
> 550: 66 85 c0 test %ax,%ax
> 553: 0f 85 a3 00 00 00 jne 5fc <inet6_create+0x30c>
> 559: 8b 47 20 mov 0x20(%edi),%eax
> 55c: 31 ed xor %ebp,%ebp
> 55e: 8b 50 14 mov 0x14(%eax),%edx
> 561: 85 d2 test %edx,%edx
> 563: 0f 84 a0 fd ff ff je 309 <inet6_create+0x19>
> 569: 89 f8 mov %edi,%eax
> 56b: ff d2 call *%edx
> 56d: 85 c0 test %eax,%eax
> 56f: 89 c5 mov %eax,%ebp
> 571: 0f 84 92 fd ff ff je 309 <inet6_create+0x19>
> 577: 89 f8 mov %edi,%eax
> 579: e8 fc ff ff ff call 57a <inet6_create+0x28a>
> 57a: R_386_PC32 sk_common_release
> 57e: 66 90 xchg %ax,%ax
> 580: e9 84 fd ff ff jmp 309 <inet6_create+0x19>
> 585: b8 00 00 00 00 mov $0x0,%eax
> 586: R_386_32 rcu_lock_map
> 58a: b9 85 05 00 00 mov $0x585,%ecx
> 58b: R_386_32 .text
> 58f: ba 01 00 00 00 mov $0x1,%edx
> 594: e8 fc ff ff ff call 595 <inet6_create+0x2a5>
> 595: R_386_PC32 lock_release
> 599: 83 c4 20 add $0x20,%esp
> 59c: 89 e8 mov %ebp,%eax
> 59e: 5b pop %ebx
> 59f: 5e pop %esi
> 5a0: 5f pop %edi
> 5a1: 5d pop %ebp
> 5a2: c3 ret
> 5a3: e8 fc ff ff ff call 5a4 <inet6_create+0x2b4>
> 5a4: R_386_PC32 build_ehash_secret
> 5a8: e9 80 fd ff ff jmp 32d <inet6_create+0x3d>
> 5ad: bd a3 ff ff ff mov $0xffffffa3,%ebp
> 5b2: 83 7c 24 18 02 cmpl $0x2,0x18(%esp)
> 5b7: 74 cc je 585 <inet6_create+0x295>
> 5b9: b9 b9 05 00 00 mov $0x5b9,%ecx
> 5ba: R_386_32 .text
> 5be: ba 01 00 00 00 mov $0x1,%edx
> 5c3: b8 00 00 00 00 mov $0x0,%eax
> 5c4: R_386_32 rcu_lock_map
> 5c8: e8 fc ff ff ff call 5c9 <inet6_create+0x2d9>
> 5c9: R_386_PC32 lock_release
> 5cd: ff 44 24 18 incl 0x18(%esp)
> 5d1: 83 7c 24 18 01 cmpl $0x1,0x18(%esp)
> 5d6: 74 5d je 635 <inet6_create+0x345>
> 5d8: 89 74 24 08 mov %esi,0x8(%esp)
> 5dc: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
> 5e3: 00
> 5e4: c7 04 24 1b 00 00 00 movl $0x1b,(%esp)
> 5e7: R_386_32 .rodata.str1.1
> 5eb: e8 fc ff ff ff call 5ec <inet6_create+0x2fc>
> 5ec: R_386_PC32 request_module
> 5f0: e9 40 fd ff ff jmp 335 <inet6_create+0x45>
> 5f5: 89 ce mov %ecx,%esi
> 5f7: e9 d7 fd ff ff jmp 3d3 <inet6_create+0xe3>
> 5fc: 8b 57 20 mov 0x20(%edi),%edx
> 5ff: 66 c1 c0 08 rol $0x8,%ax
> 603: 66 89 87 38 02 00 00 mov %ax,0x238(%edi)
> 60a: 89 f8 mov %edi,%eax
> 60c: ff 52 44 call *0x44(%edx)
> 60f: e9 45 ff ff ff jmp 559 <inet6_create+0x269>
> 614: 81 fe ff 00 00 00 cmp $0xff,%esi
> 61a: 66 89 b7 2a 02 00 00 mov %si,0x22a(%edi)
> 621: 0f 85 89 fe ff ff jne 4b0 <inet6_create+0x1c0>
> 627: 83 ca 08 or $0x8,%edx
> 62a: 88 97 3f 02 00 00 mov %dl,0x23f(%edi)
> 630: e9 7b fe ff ff jmp 4b0 <inet6_create+0x1c0>
> 635: 8b 54 24 10 mov 0x10(%esp),%edx
> 639: 0f bf 42 3c movswl 0x3c(%edx),%eax
> 63d: 89 74 24 08 mov %esi,0x8(%esp)
> 641: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
> 648: 00
> 649: c7 04 24 00 00 00 00 movl $0x0,(%esp)
> 64c: R_386_32 .rodata.str1.1
> 650: 89 44 24 0c mov %eax,0xc(%esp)
> 654: e8 fc ff ff ff call 655 <inet6_create+0x365>
> 655: R_386_PC32 request_module
> 659: e9 d7 fc ff ff jmp 335 <inet6_create+0x45>
> 65e: c7 44 24 0c a2 00 00 movl $0xa2,0xc(%esp)
> 665: 00
> 666: c7 44 24 08 a0 00 00 movl $0xa0,0x8(%esp)
> 66d: 00
> 66a: R_386_32 .rodata.str1.4
> 66e: c7 44 24 04 2e 00 00 movl $0x2e,0x4(%esp)
> 675: 00
> 672: R_386_32 .rodata.str1.1
> 676: c7 04 24 e0 00 00 00 movl $0xe0,(%esp)
> 679: R_386_32 .rodata.str1.4
> 67d: e8 fc ff ff ff call 67e <inet6_create+0x38e>
> 67e: R_386_PC32 printk
> 682: e9 a1 fd ff ff jmp 428 <inet6_create+0x138>
> 687: 89 f6 mov %esi,%esi
> 689: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
>
> 00000690 <inet6_destroy_sock>:
>
* Re: [BUG] in inet6_create
2007-11-06 8:14 ` Pavel Emelyanov
@ 2007-11-06 15:44 ` Roel Kluin
2007-11-06 16:06 ` Pavel Emelyanov
0 siblings, 1 reply; 12+ messages in thread
From: Roel Kluin @ 2007-11-06 15:44 UTC (permalink / raw)
To: Pavel Emelyanov; +Cc: netdev, linux-net
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> Pavel Emelyanov wrote:
>>> Roel Kluin wrote:
>>>> Roel Kluin wrote:
>>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>> running kernel.
>>>>>
>>>>> FYI: my network card was not running (module not loaded, and I just started
>>>>> thunderbird)
>>>>>
>>>>> More information needed?
>>> Yes, please.
>>>
>>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>>> More precisely - I need the disassembled inet6_create() function to
>>> figure out where exactly this thing happened.
>> I was very lucky to still be able to produce this: when the bug hit me, I had just
>> recompiled a new kernel; however, since I had previously git-pulled (but not yet
>> compiled), the old module was not overwritten.
>>
>> To answer the question in your other mail (whether I hacked this kernel): I am not
>> 100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
>> to net code were very trivial one-liner changes that I have previously posted, and
>> were generally accepted as fixes.
>> --
>> 000002f0 <inet6_create>:
>
> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>
> 1. there's no instruction at this address (there are 0x34e and 0x355)
>> 2. the code line (... 1c <8b> 00 0f 18 ...) is not present here
>
> There's something wrong with this oops...
Hmmm, I see my mistake:
I _was_ already running the 2.6.24-rc1 kernel. It even says so in the BUG report.
Since the module is already overwritten, does it still help to make the objdump?
Ok, I'll check for the address... yes, it exists.
Sorry for my mistake; the objdump for this module is below. Note, however, that the
module has been overwritten previously after kernel compilation.
> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel?
I'll try to reproduce it. I'll confirm it when it happens again.
--
000002f0 <inet6_create>:
2f0: 55 push %ebp
2f1: bd 9f ff ff ff mov $0xffffff9f,%ebp
2f6: 57 push %edi
2f7: 89 cf mov %ecx,%edi
2f9: 56 push %esi
2fa: 53 push %ebx
2fb: 83 ec 20 sub $0x20,%esp
2fe: 3d 00 00 00 00 cmp $0x0,%eax
2ff: R_386_32 init_net
303: 89 54 24 10 mov %edx,0x10(%esp)
307: 74 0a je 313 <inet6_create+0x23>
309: 83 c4 20 add $0x20,%esp
30c: 89 e8 mov %ebp,%eax
30e: 5b pop %ebx
30f: 5e pop %esi
310: 5f pop %edi
311: 5d pop %ebp
312: c3 ret
313: 8b 72 20 mov 0x20(%edx),%esi
316: 8d 46 fe lea -0x2(%esi),%eax
319: 66 83 f8 01 cmp $0x1,%ax
31d: 76 0e jbe 32d <inet6_create+0x3d>
31f: 8b 0d 00 00 00 00 mov 0x0,%ecx
321: R_386_32 inet_ehash_secret
325: 85 c9 test %ecx,%ecx
327: 0f 84 12 02 00 00 je 53f <inet6_create+0x24f>
32d: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp)
334: 00
335: 0f bf c6 movswl %si,%eax
338: c1 e0 03 shl $0x3,%eax
33b: 8b 98 00 00 00 00 mov 0x0(%eax),%ebx
33d: R_386_32 .bss
341: 8d 90 00 00 00 00 lea 0x0(%eax),%edx
343: R_386_32 .bss
347: 89 5c 24 1c mov %ebx,0x1c(%esp)
34b: 8b 44 24 1c mov 0x1c(%esp),%eax
34f: 8b 00 mov (%eax),%eax
351: 8d 44 20 00 lea 0x0(%eax),%eax
355: 39 d3 cmp %edx,%ebx
357: bd a2 ff ff ff mov $0xffffffa2,%ebp
35c: 75 36 jne 394 <inet6_create+0xa4>
35e: e9 f3 01 00 00 jmp 556 <inet6_create+0x266>
363: 85 ff test %edi,%edi
365: 0f 84 25 02 00 00 je 590 <inet6_create+0x2a0>
36b: 66 85 c0 test %ax,%ax
36e: 66 90 xchg %ax,%ax
370: 74 31 je 3a3 <inet6_create+0xb3>
372: 8b 1b mov (%ebx),%ebx
374: 89 5c 24 1c mov %ebx,0x1c(%esp)
378: 8b 44 24 1c mov 0x1c(%esp),%eax
37c: 8b 00 mov (%eax),%eax
37e: 8d 44 20 00 lea 0x0(%eax),%eax
382: 0f bf c6 movswl %si,%eax
385: 8d 04 c5 00 00 00 00 lea 0x0(,%eax,8),%eax
388: R_386_32 .bss
38c: 39 d8 cmp %ebx,%eax
38e: 0f 84 bd 01 00 00 je 551 <inet6_create+0x261>
394: 0f b7 43 0a movzwl 0xa(%ebx),%eax
398: 0f b7 c8 movzwl %ax,%ecx
39b: 39 cf cmp %ecx,%edi
39d: 75 c4 jne 363 <inet6_create+0x73>
39f: 85 ff test %edi,%edi
3a1: 74 cf je 372 <inet6_create+0x82>
3a3: 8b 43 14 mov 0x14(%ebx),%eax
3a6: 85 c0 test %eax,%eax
3a8: 7e 12 jle 3bc <inet6_create+0xcc>
3aa: e8 fc ff ff ff call 3ab <inet6_create+0xbb>
3ab: R_386_PC32 capable
3af: 85 c0 test %eax,%eax
3b1: bd ff ff ff ff mov $0xffffffff,%ebp
3b6: 0f 84 4d ff ff ff je 309 <inet6_create+0x19>
3bc: 8b 43 10 mov 0x10(%ebx),%eax
3bf: 8b 54 24 10 mov 0x10(%esp),%edx
3c3: 89 42 08 mov %eax,0x8(%edx)
3c6: 0f b6 43 18 movzbl 0x18(%ebx),%eax
3ca: 8b 73 0c mov 0xc(%ebx),%esi
3cd: 88 44 24 17 mov %al,0x17(%esp)
3d1: 0f b6 53 19 movzbl 0x19(%ebx),%edx
3d5: 88 54 24 16 mov %dl,0x16(%esp)
3d9: 8b 56 70 mov 0x70(%esi),%edx
3dc: 85 d2 test %edx,%edx
3de: 0f 84 17 02 00 00 je 5fb <inet6_create+0x30b>
3e4: b9 d0 00 00 00 mov $0xd0,%ecx
3e9: ba 0a 00 00 00 mov $0xa,%edx
3ee: b8 00 00 00 00 mov $0x0,%eax
3ef: R_386_32 init_net
3f3: 89 34 24 mov %esi,(%esp)
3f6: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
3fd: 00
3fe: bd 97 ff ff ff mov $0xffffff97,%ebp
403: e8 fc ff ff ff call 404 <inet6_create+0x114>
404: R_386_PC32 sk_alloc
408: 85 c0 test %eax,%eax
40a: 89 c6 mov %eax,%esi
40c: 0f 84 f7 fe ff ff je 309 <inet6_create+0x19>
412: 89 c2 mov %eax,%edx
414: 8b 44 24 10 mov 0x10(%esp),%eax
418: e8 fc ff ff ff call 419 <inet6_create+0x129>
419: R_386_PC32 sock_init_data
41d: 80 64 24 17 03 andb $0x3,0x17(%esp)
422: 0f b6 54 24 17 movzbl 0x17(%esp),%edx
427: 0f b6 46 28 movzbl 0x28(%esi),%eax
42b: c1 e2 02 shl $0x2,%edx
42e: 83 e0 f3 and $0xfffffff3,%eax
431: 09 d0 or %edx,%eax
433: 88 46 28 mov %al,0x28(%esi)
436: 0f b6 44 24 16 movzbl 0x16(%esp),%eax
43b: a8 01 test $0x1,%al
43d: 74 04 je 443 <inet6_create+0x153>
43f: c6 46 03 01 movb $0x1,0x3(%esi)
443: 0f b6 96 5b 01 00 00 movzbl 0x15b(%esi),%edx
44a: c1 e8 02 shr $0x2,%eax
44d: 83 e0 01 and $0x1,%eax
450: 01 c0 add %eax,%eax
452: 83 e2 fd and $0xfffffffd,%edx
455: 09 c2 or %eax,%edx
457: 88 96 5b 01 00 00 mov %dl,0x15b(%esi)
45d: 8b 44 24 10 mov 0x10(%esp),%eax
461: 66 83 78 20 03 cmpw $0x3,0x20(%eax)
466: 0f 84 43 01 00 00 je 5af <inet6_create+0x2bf>
46c: 89 fa mov %edi,%edx
46e: c7 86 34 01 00 00 00 movl $0x0,0x134(%esi)
475: 00 00 00
474: R_386_32 inet_sock_destruct
478: 66 c7 06 0a 00 movw $0xa,(%esi)
47d: 88 56 29 mov %dl,0x29(%esi)
480: 8b 43 0c mov 0xc(%ebx),%eax
483: 8b 40 40 mov 0x40(%eax),%eax
486: 89 86 30 01 00 00 mov %eax,0x130(%esi)
48c: 8b 46 20 mov 0x20(%esi),%eax
48f: 8b 48 74 mov 0x74(%eax),%ecx
492: 83 e9 70 sub $0x70,%ecx
495: 8d 0c 0e lea (%esi,%ecx,1),%ecx
498: 89 8e 38 01 00 00 mov %ecx,0x138(%esi)
49e: 0f b6 41 46 movzbl 0x46(%ecx),%eax
4a2: 66 c7 41 3c ff ff movw $0xffff,0x3c(%ecx)
4a8: 66 c7 41 3e ff ff movw $0xffff,0x3e(%ecx)
4ae: 83 e0 e7 and $0xffffffe7,%eax
4b1: 83 c8 09 or $0x9,%eax
4b4: 88 41 46 mov %al,0x46(%ecx)
4b7: 0f b6 15 00 00 00 00 movzbl 0x0,%edx
4ba: R_386_32 sysctl_ipv6_bindv6only
4be: 83 e0 df and $0xffffffdf,%eax
4c1: 83 e2 01 and $0x1,%edx
4c4: c1 e2 05 shl $0x5,%edx
4c7: 09 d0 or %edx,%eax
4c9: 88 41 46 mov %al,0x46(%ecx)
4cc: 80 8e 5b 01 00 00 10 orb $0x10,0x15b(%esi)
4d3: 66 c7 86 4c 01 00 00 movw $0xffff,0x14c(%esi)
4da: ff ff
4dc: c6 86 59 01 00 00 01 movb $0x1,0x159(%esi)
4e3: c7 86 5c 01 00 00 00 movl $0x0,0x15c(%esi)
4ea: 00 00 00
4ed: c7 86 64 01 00 00 00 movl $0x0,0x164(%esi)
4f4: 00 00 00
4f7: a1 04 00 00 00 mov 0x4,%eax
4f8: R_386_32 ipv4_config
4fc: 85 c0 test %eax,%eax
4fe: 0f b7 86 46 01 00 00 movzwl 0x146(%esi),%eax
505: 0f 94 86 5a 01 00 00 sete 0x15a(%esi)
50c: 66 85 c0 test %ax,%ax
50f: 0f 85 82 00 00 00 jne 597 <inet6_create+0x2a7>
515: 8b 46 20 mov 0x20(%esi),%eax
518: 31 ed xor %ebp,%ebp
51a: 8b 50 14 mov 0x14(%eax),%edx
51d: 85 d2 test %edx,%edx
51f: 0f 84 e4 fd ff ff je 309 <inet6_create+0x19>
525: 89 f0 mov %esi,%eax
527: ff d2 call *%edx
529: 85 c0 test %eax,%eax
52b: 89 c5 mov %eax,%ebp
52d: 0f 84 d6 fd ff ff je 309 <inet6_create+0x19>
533: 89 f0 mov %esi,%eax
535: e8 fc ff ff ff call 536 <inet6_create+0x246>
536: R_386_PC32 sk_common_release
53a: e9 ca fd ff ff jmp 309 <inet6_create+0x19>
53f: 90 nop
540: e8 fc ff ff ff call 541 <inet6_create+0x251>
541: R_386_PC32 build_ehash_secret
545: 8b 44 24 10 mov 0x10(%esp),%eax
549: 8b 70 20 mov 0x20(%eax),%esi
54c: e9 dc fd ff ff jmp 32d <inet6_create+0x3d>
551: bd a3 ff ff ff mov $0xffffffa3,%ebp
556: 83 7c 24 18 02 cmpl $0x2,0x18(%esp)
55b: 0f 84 a8 fd ff ff je 309 <inet6_create+0x19>
561: ff 44 24 18 incl 0x18(%esp)
565: 83 7c 24 18 01 cmpl $0x1,0x18(%esp)
56a: 74 64 je 5d0 <inet6_create+0x2e0>
56c: 89 7c 24 08 mov %edi,0x8(%esp)
570: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
577: 00
578: c7 04 24 1b 00 00 00 movl $0x1b,(%esp)
57b: R_386_32 .rodata.str1.1
57f: e8 fc ff ff ff call 580 <inet6_create+0x290>
580: R_386_PC32 request_module
584: 8b 44 24 10 mov 0x10(%esp),%eax
588: 8b 70 20 mov 0x20(%eax),%esi
58b: e9 a5 fd ff ff jmp 335 <inet6_create+0x45>
590: 89 cf mov %ecx,%edi
592: e9 0c fe ff ff jmp 3a3 <inet6_create+0xb3>
597: 8b 56 20 mov 0x20(%esi),%edx
59a: 66 c1 c0 08 rol $0x8,%ax
59e: 66 89 86 54 01 00 00 mov %ax,0x154(%esi)
5a5: 89 f0 mov %esi,%eax
5a7: ff 52 44 call *0x44(%edx)
5aa: e9 66 ff ff ff jmp 515 <inet6_create+0x225>
5af: 81 ff ff 00 00 00 cmp $0xff,%edi
5b5: 66 89 be 46 01 00 00 mov %di,0x146(%esi)
5bc: 0f 85 aa fe ff ff jne 46c <inet6_create+0x17c>
5c2: 83 ca 08 or $0x8,%edx
5c5: 88 96 5b 01 00 00 mov %dl,0x15b(%esi)
5cb: e9 9c fe ff ff jmp 46c <inet6_create+0x17c>
5d0: 0f bf c6 movswl %si,%eax
5d3: 89 7c 24 08 mov %edi,0x8(%esp)
5d7: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
5de: 00
5df: 89 44 24 0c mov %eax,0xc(%esp)
5e3: c7 04 24 00 00 00 00 movl $0x0,(%esp)
5e6: R_386_32 .rodata.str1.1
5ea: e8 fc ff ff ff call 5eb <inet6_create+0x2fb>
5eb: R_386_PC32 request_module
5ef: 8b 54 24 10 mov 0x10(%esp),%edx
5f3: 8b 72 20 mov 0x20(%edx),%esi
5f6: e9 3a fd ff ff jmp 335 <inet6_create+0x45>
5fb: c7 44 24 0c a2 00 00 movl $0xa2,0xc(%esp)
602: 00
603: c7 44 24 08 a0 00 00 movl $0xa0,0x8(%esp)
60a: 00
607: R_386_32 .rodata.str1.4
60b: c7 44 24 04 2e 00 00 movl $0x2e,0x4(%esp)
612: 00
60f: R_386_32 .rodata.str1.1
613: c7 04 24 e0 00 00 00 movl $0xe0,(%esp)
616: R_386_32 .rodata.str1.4
61a: e8 fc ff ff ff call 61b <inet6_create+0x32b>
61b: R_386_PC32 printk
61f: e9 c0 fd ff ff jmp 3e4 <inet6_create+0xf4>
624: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
62a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
00000630 <inet6_destroy_sock>:
* Re: [BUG] in inet6_create
2007-11-06 15:44 ` Roel Kluin
@ 2007-11-06 16:06 ` Pavel Emelyanov
2007-11-06 17:31 ` Roel Kluin
0 siblings, 1 reply; 12+ messages in thread
From: Pavel Emelyanov @ 2007-11-06 16:06 UTC (permalink / raw)
To: Roel Kluin; +Cc: netdev, linux-net
Roel Kluin wrote:
> Pavel Emelyanov wrote:
>> Roel Kluin wrote:
>>> Pavel Emelyanov wrote:
>>>> Roel Kluin wrote:
>>>>> Roel Kluin wrote:
>>>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>>> running kernel.
>>>>>>
>>>>>> FYI: my network card was not running (module not loaded, and I just started
>>>>>> thunderbird)
>>>>>>
>>>>>> More information needed?
>>>> Yes, please.
>>>>
>>>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>>>> More precisely - I need the disassembled inet6_create() function to
>>>> figure out where exactly this thing happened.
>>> I was very lucky to still be able to produce this: when the bug hit me, I had just
>>> recompiled a new kernel; however, since I had previously git-pulled (but not yet
>>> compiled), the old module was not overwritten.
>>>
>>> To answer the question in your other mail (whether I hacked this kernel): I am not
>>> 100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
>>> to net code were very trivial one-liner changes that I have previously posted, and
>>> were generally accepted as fixes.
>>> --
>>> 000002f0 <inet6_create>:
>> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
>> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>>
>> 1. there's no instruction at this address (there are 0x34e and 0x355)
>> 2. the code line (... 1c <8b> 00 0f 18 ...) is not present here
>>
>> There's something wrong with this oops...
>
> Hmmm, I see my mistake:
> I _was_ already running the 2.6.24-rc1 kernel. It even says so in the BUG report.
Brrr... I'm completely confused. What was the kernel that oops-ed?
2.6.24-rc, net-2.6.24-rc1 or net-2.6.24-rc1-with-your-patches?
> Since the module is already overwritten, does it still help to make the objdump?
>
> Ok, I'll check for the address... yes, it exists.
Yup. My first guess was correct: the inetsw6 list is broken, there's
some NULL pointer in it. Looking at the code, I see that this list
is accessed for modifications under the spinlock and that it is properly
initialized in the ->init callback before any code gets access to this
list. No idea why this can happen... :(
> Sorry for my mistake; the objdump for this module is below. Note, however, that the
> module has been overwritten previously after kernel compilation.
>
>> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel?
>
> I'll try to reproduce it. I'll confirm it when it happens again.
Yes, please.
> --
> 000002f0 <inet6_create>:
> 2f0: 55 push %ebp
> 2f1: bd 9f ff ff ff mov $0xffffff9f,%ebp
> 2f6: 57 push %edi
> 2f7: 89 cf mov %ecx,%edi
> 2f9: 56 push %esi
> 2fa: 53 push %ebx
> 2fb: 83 ec 20 sub $0x20,%esp
> 2fe: 3d 00 00 00 00 cmp $0x0,%eax
> 2ff: R_386_32 init_net
> 303: 89 54 24 10 mov %edx,0x10(%esp)
> 307: 74 0a je 313 <inet6_create+0x23>
> 309: 83 c4 20 add $0x20,%esp
> 30c: 89 e8 mov %ebp,%eax
> 30e: 5b pop %ebx
> 30f: 5e pop %esi
> 310: 5f pop %edi
> 311: 5d pop %ebp
> 312: c3 ret
> 313: 8b 72 20 mov 0x20(%edx),%esi
> 316: 8d 46 fe lea -0x2(%esi),%eax
> 319: 66 83 f8 01 cmp $0x1,%ax
> 31d: 76 0e jbe 32d <inet6_create+0x3d>
> 31f: 8b 0d 00 00 00 00 mov 0x0,%ecx
> 321: R_386_32 inet_ehash_secret
> 325: 85 c9 test %ecx,%ecx
> 327: 0f 84 12 02 00 00 je 53f <inet6_create+0x24f>
> 32d: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp)
> 334: 00
> 335: 0f bf c6 movswl %si,%eax
> 338: c1 e0 03 shl $0x3,%eax
> 33b: 8b 98 00 00 00 00 mov 0x0(%eax),%ebx
> 33d: R_386_32 .bss
> 341: 8d 90 00 00 00 00 lea 0x0(%eax),%edx
> 343: R_386_32 .bss
> 347: 89 5c 24 1c mov %ebx,0x1c(%esp)
> 34b: 8b 44 24 1c mov 0x1c(%esp),%eax
> 34f: 8b 00 mov (%eax),%eax
> 351: 8d 44 20 00 lea 0x0(%eax),%eax
> 355: 39 d3 cmp %edx,%ebx
> 357: bd a2 ff ff ff mov $0xffffffa2,%ebp
> 35c: 75 36 jne 394 <inet6_create+0xa4>
> 35e: e9 f3 01 00 00 jmp 556 <inet6_create+0x266>
> 363: 85 ff test %edi,%edi
> 365: 0f 84 25 02 00 00 je 590 <inet6_create+0x2a0>
> 36b: 66 85 c0 test %ax,%ax
> 36e: 66 90 xchg %ax,%ax
> 370: 74 31 je 3a3 <inet6_create+0xb3>
> 372: 8b 1b mov (%ebx),%ebx
> 374: 89 5c 24 1c mov %ebx,0x1c(%esp)
> 378: 8b 44 24 1c mov 0x1c(%esp),%eax
> 37c: 8b 00 mov (%eax),%eax
> 37e: 8d 44 20 00 lea 0x0(%eax),%eax
> 382: 0f bf c6 movswl %si,%eax
> 385: 8d 04 c5 00 00 00 00 lea 0x0(,%eax,8),%eax
> 388: R_386_32 .bss
> 38c: 39 d8 cmp %ebx,%eax
> 38e: 0f 84 bd 01 00 00 je 551 <inet6_create+0x261>
> 394: 0f b7 43 0a movzwl 0xa(%ebx),%eax
> 398: 0f b7 c8 movzwl %ax,%ecx
> 39b: 39 cf cmp %ecx,%edi
> 39d: 75 c4 jne 363 <inet6_create+0x73>
> 39f: 85 ff test %edi,%edi
> 3a1: 74 cf je 372 <inet6_create+0x82>
> 3a3: 8b 43 14 mov 0x14(%ebx),%eax
> 3a6: 85 c0 test %eax,%eax
> 3a8: 7e 12 jle 3bc <inet6_create+0xcc>
> 3aa: e8 fc ff ff ff call 3ab <inet6_create+0xbb>
> 3ab: R_386_PC32 capable
> 3af: 85 c0 test %eax,%eax
> 3b1: bd ff ff ff ff mov $0xffffffff,%ebp
> 3b6: 0f 84 4d ff ff ff je 309 <inet6_create+0x19>
> 3bc: 8b 43 10 mov 0x10(%ebx),%eax
> 3bf: 8b 54 24 10 mov 0x10(%esp),%edx
> 3c3: 89 42 08 mov %eax,0x8(%edx)
> 3c6: 0f b6 43 18 movzbl 0x18(%ebx),%eax
> 3ca: 8b 73 0c mov 0xc(%ebx),%esi
> 3cd: 88 44 24 17 mov %al,0x17(%esp)
> 3d1: 0f b6 53 19 movzbl 0x19(%ebx),%edx
> 3d5: 88 54 24 16 mov %dl,0x16(%esp)
> 3d9: 8b 56 70 mov 0x70(%esi),%edx
> 3dc: 85 d2 test %edx,%edx
> 3de: 0f 84 17 02 00 00 je 5fb <inet6_create+0x30b>
> 3e4: b9 d0 00 00 00 mov $0xd0,%ecx
> 3e9: ba 0a 00 00 00 mov $0xa,%edx
> 3ee: b8 00 00 00 00 mov $0x0,%eax
> 3ef: R_386_32 init_net
> 3f3: 89 34 24 mov %esi,(%esp)
> 3f6: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
> 3fd: 00
> 3fe: bd 97 ff ff ff mov $0xffffff97,%ebp
> 403: e8 fc ff ff ff call 404 <inet6_create+0x114>
> 404: R_386_PC32 sk_alloc
> 408: 85 c0 test %eax,%eax
> 40a: 89 c6 mov %eax,%esi
> 40c: 0f 84 f7 fe ff ff je 309 <inet6_create+0x19>
> 412: 89 c2 mov %eax,%edx
> 414: 8b 44 24 10 mov 0x10(%esp),%eax
> 418: e8 fc ff ff ff call 419 <inet6_create+0x129>
> 419: R_386_PC32 sock_init_data
> 41d: 80 64 24 17 03 andb $0x3,0x17(%esp)
> 422: 0f b6 54 24 17 movzbl 0x17(%esp),%edx
> 427: 0f b6 46 28 movzbl 0x28(%esi),%eax
> 42b: c1 e2 02 shl $0x2,%edx
> 42e: 83 e0 f3 and $0xfffffff3,%eax
> 431: 09 d0 or %edx,%eax
> 433: 88 46 28 mov %al,0x28(%esi)
> 436: 0f b6 44 24 16 movzbl 0x16(%esp),%eax
> 43b: a8 01 test $0x1,%al
> 43d: 74 04 je 443 <inet6_create+0x153>
> 43f: c6 46 03 01 movb $0x1,0x3(%esi)
> 443: 0f b6 96 5b 01 00 00 movzbl 0x15b(%esi),%edx
> 44a: c1 e8 02 shr $0x2,%eax
> 44d: 83 e0 01 and $0x1,%eax
> 450: 01 c0 add %eax,%eax
> 452: 83 e2 fd and $0xfffffffd,%edx
> 455: 09 c2 or %eax,%edx
> 457: 88 96 5b 01 00 00 mov %dl,0x15b(%esi)
> 45d: 8b 44 24 10 mov 0x10(%esp),%eax
> 461: 66 83 78 20 03 cmpw $0x3,0x20(%eax)
> 466: 0f 84 43 01 00 00 je 5af <inet6_create+0x2bf>
> 46c: 89 fa mov %edi,%edx
> 46e: c7 86 34 01 00 00 00 movl $0x0,0x134(%esi)
> 475: 00 00 00
> 474: R_386_32 inet_sock_destruct
> 478: 66 c7 06 0a 00 movw $0xa,(%esi)
> 47d: 88 56 29 mov %dl,0x29(%esi)
> 480: 8b 43 0c mov 0xc(%ebx),%eax
> 483: 8b 40 40 mov 0x40(%eax),%eax
> 486: 89 86 30 01 00 00 mov %eax,0x130(%esi)
> 48c: 8b 46 20 mov 0x20(%esi),%eax
> 48f: 8b 48 74 mov 0x74(%eax),%ecx
> 492: 83 e9 70 sub $0x70,%ecx
> 495: 8d 0c 0e lea (%esi,%ecx,1),%ecx
> 498: 89 8e 38 01 00 00 mov %ecx,0x138(%esi)
> 49e: 0f b6 41 46 movzbl 0x46(%ecx),%eax
> 4a2: 66 c7 41 3c ff ff movw $0xffff,0x3c(%ecx)
> 4a8: 66 c7 41 3e ff ff movw $0xffff,0x3e(%ecx)
> 4ae: 83 e0 e7 and $0xffffffe7,%eax
> 4b1: 83 c8 09 or $0x9,%eax
> 4b4: 88 41 46 mov %al,0x46(%ecx)
> 4b7: 0f b6 15 00 00 00 00 movzbl 0x0,%edx
> 4ba: R_386_32 sysctl_ipv6_bindv6only
> 4be: 83 e0 df and $0xffffffdf,%eax
> 4c1: 83 e2 01 and $0x1,%edx
> 4c4: c1 e2 05 shl $0x5,%edx
> 4c7: 09 d0 or %edx,%eax
> 4c9: 88 41 46 mov %al,0x46(%ecx)
> 4cc: 80 8e 5b 01 00 00 10 orb $0x10,0x15b(%esi)
> 4d3: 66 c7 86 4c 01 00 00 movw $0xffff,0x14c(%esi)
> 4da: ff ff
> 4dc: c6 86 59 01 00 00 01 movb $0x1,0x159(%esi)
> 4e3: c7 86 5c 01 00 00 00 movl $0x0,0x15c(%esi)
> 4ea: 00 00 00
> 4ed: c7 86 64 01 00 00 00 movl $0x0,0x164(%esi)
> 4f4: 00 00 00
> 4f7: a1 04 00 00 00 mov 0x4,%eax
> 4f8: R_386_32 ipv4_config
> 4fc: 85 c0 test %eax,%eax
> 4fe: 0f b7 86 46 01 00 00 movzwl 0x146(%esi),%eax
> 505: 0f 94 86 5a 01 00 00 sete 0x15a(%esi)
> 50c: 66 85 c0 test %ax,%ax
> 50f: 0f 85 82 00 00 00 jne 597 <inet6_create+0x2a7>
> 515: 8b 46 20 mov 0x20(%esi),%eax
> 518: 31 ed xor %ebp,%ebp
> 51a: 8b 50 14 mov 0x14(%eax),%edx
> 51d: 85 d2 test %edx,%edx
> 51f: 0f 84 e4 fd ff ff je 309 <inet6_create+0x19>
> 525: 89 f0 mov %esi,%eax
> 527: ff d2 call *%edx
> 529: 85 c0 test %eax,%eax
> 52b: 89 c5 mov %eax,%ebp
> 52d: 0f 84 d6 fd ff ff je 309 <inet6_create+0x19>
> 533: 89 f0 mov %esi,%eax
> 535: e8 fc ff ff ff call 536 <inet6_create+0x246>
> 536: R_386_PC32 sk_common_release
> 53a: e9 ca fd ff ff jmp 309 <inet6_create+0x19>
> 53f: 90 nop
> 540: e8 fc ff ff ff call 541 <inet6_create+0x251>
> 541: R_386_PC32 build_ehash_secret
> 545: 8b 44 24 10 mov 0x10(%esp),%eax
> 549: 8b 70 20 mov 0x20(%eax),%esi
> 54c: e9 dc fd ff ff jmp 32d <inet6_create+0x3d>
> 551: bd a3 ff ff ff mov $0xffffffa3,%ebp
> 556: 83 7c 24 18 02 cmpl $0x2,0x18(%esp)
> 55b: 0f 84 a8 fd ff ff je 309 <inet6_create+0x19>
> 561: ff 44 24 18 incl 0x18(%esp)
> 565: 83 7c 24 18 01 cmpl $0x1,0x18(%esp)
> 56a: 74 64 je 5d0 <inet6_create+0x2e0>
> 56c: 89 7c 24 08 mov %edi,0x8(%esp)
> 570: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
> 577: 00
> 578: c7 04 24 1b 00 00 00 movl $0x1b,(%esp)
> 57b: R_386_32 .rodata.str1.1
> 57f: e8 fc ff ff ff call 580 <inet6_create+0x290>
> 580: R_386_PC32 request_module
> 584: 8b 44 24 10 mov 0x10(%esp),%eax
> 588: 8b 70 20 mov 0x20(%eax),%esi
> 58b: e9 a5 fd ff ff jmp 335 <inet6_create+0x45>
> 590: 89 cf mov %ecx,%edi
> 592: e9 0c fe ff ff jmp 3a3 <inet6_create+0xb3>
> 597: 8b 56 20 mov 0x20(%esi),%edx
> 59a: 66 c1 c0 08 rol $0x8,%ax
> 59e: 66 89 86 54 01 00 00 mov %ax,0x154(%esi)
> 5a5: 89 f0 mov %esi,%eax
> 5a7: ff 52 44 call *0x44(%edx)
> 5aa: e9 66 ff ff ff jmp 515 <inet6_create+0x225>
> 5af: 81 ff ff 00 00 00 cmp $0xff,%edi
> 5b5: 66 89 be 46 01 00 00 mov %di,0x146(%esi)
> 5bc: 0f 85 aa fe ff ff jne 46c <inet6_create+0x17c>
> 5c2: 83 ca 08 or $0x8,%edx
> 5c5: 88 96 5b 01 00 00 mov %dl,0x15b(%esi)
> 5cb: e9 9c fe ff ff jmp 46c <inet6_create+0x17c>
> 5d0: 0f bf c6 movswl %si,%eax
> 5d3: 89 7c 24 08 mov %edi,0x8(%esp)
> 5d7: c7 44 24 04 0a 00 00 movl $0xa,0x4(%esp)
> 5de: 00
> 5df: 89 44 24 0c mov %eax,0xc(%esp)
> 5e3: c7 04 24 00 00 00 00 movl $0x0,(%esp)
> 5e6: R_386_32 .rodata.str1.1
> 5ea: e8 fc ff ff ff call 5eb <inet6_create+0x2fb>
> 5eb: R_386_PC32 request_module
> 5ef: 8b 54 24 10 mov 0x10(%esp),%edx
> 5f3: 8b 72 20 mov 0x20(%edx),%esi
> 5f6: e9 3a fd ff ff jmp 335 <inet6_create+0x45>
> 5fb: c7 44 24 0c a2 00 00 movl $0xa2,0xc(%esp)
> 602: 00
> 603: c7 44 24 08 a0 00 00 movl $0xa0,0x8(%esp)
> 60a: 00
> 607: R_386_32 .rodata.str1.4
> 60b: c7 44 24 04 2e 00 00 movl $0x2e,0x4(%esp)
> 612: 00
> 60f: R_386_32 .rodata.str1.1
> 613: c7 04 24 e0 00 00 00 movl $0xe0,(%esp)
> 616: R_386_32 .rodata.str1.4
> 61a: e8 fc ff ff ff call 61b <inet6_create+0x32b>
> 61b: R_386_PC32 printk
> 61f: e9 c0 fd ff ff jmp 3e4 <inet6_create+0xf4>
> 624: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
> 62a: 8d bf 00 00 00 00 lea 0x0(%edi),%edi
>
> 00000630 <inet6_destroy_sock>:
>
* Re: [BUG] in inet6_create
2007-11-06 16:06 ` Pavel Emelyanov
@ 2007-11-06 17:31 ` Roel Kluin
0 siblings, 0 replies; 12+ messages in thread
From: Roel Kluin @ 2007-11-06 17:31 UTC (permalink / raw)
To: Pavel Emelyanov; +Cc: netdev, linux-net
Pavel Emelyanov wrote:
> Roel Kluin wrote:
>> Pavel Emelyanov wrote:
>>> Roel Kluin wrote:
>>>> Pavel Emelyanov wrote:
>>>>> Roel Kluin wrote:
>>>>>> Roel Kluin wrote:
>>>>>>> I got this bug recently, I am not sure whether this is related to any previously
>>>>>>> reported ones. It was a recently pulled git kernel. Also I have been hacking my
>>>>>>> kernel a bit lately, but I think that I haven't got any changes in the currently
>>>>>>> running kernel.
>>>>>>>
>>>>>>> FYI: my network card was not running (module not loaded, and I just started
>>>>>>> thunderbird)
>>>>>>>
>>>>>>> More information needed?
>>>>> Yes, please.
>>>>>
>>>>> Can you send us the disasm (objdump -dr) of your ipv6 module.
>>>>> More precisely - I need the disassembled inet6_create() function to
>>>>> figure out where exactly this thing happened.
>>>> I was very lucky to still be able to produce this: when the bug hit me, I had just
>>>> recompiled a new kernel; however, since I had previously git-pulled (but not yet
>>>> compiled), the old module was not overwritten.
>>>>
>>>> To answer the question in your other mail - whether I hacked this kernel - I am not
>>>> 100% certain. I am certain, however, that I did not touch IPv6 code, and my changes
>>>> to net code were very trivial one-liner changes that I have previously posted and
>>>> were generally accepted as fixes.
>>>> --
>>>> 000002f0 <inet6_create>:
>>> Hm... The oops says that the buggy place is <inet6_create>+0x5f, that is
>>> (according to this dump) 0x2f0 + 0x5f = 0x34f, but:
>>>
>>> 1. there's no instruction at this address (there are 0x34e and 0x355)
>>> 2. the codeline (... 1c <8b> 00 0f 18 ...) is not present here
>>>
>>> There's something wrong with this oops...
>> Hmmm, I see my mistake:
>> I _was_ already running the 2.6.24-rc1 kernel. It even says so in the BUG report.
>
> Brrr... I'm completely confused. What was the kernel that oops-ed?
> 2.6.24-rc, net-2.6.24-rc1 or net-2.6.24-rc1-with-your-patches?
It was a git kernel, pulled from Linus' tree:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
The version number on the bug was 2.6.24-rc1. I posted here because the bug mentioned
inet6_create and ipv6, which is net code.
>> Since the module is already overwritten, does it still help to make the objdump?
>>
>> Ok, I'll check for the address... yes it exists
>
> Yup. My first guess was correct - the inetsw6 list is broken - there's
> some NULL pointer in it. Looking at the code I see that this list
> is accessed for modifications under the spinlock and that it is properly
> initialized in the ->init callback before any code gets the access to this
> list. No ideas why this can happen... :(
>
>> Sorry for my mistake, the objdump for this module is below. Note, however, that the
>> module has been overwritten previously after kernel compilation.
>>
>>> Is this reproducible? If yes, can you try the non-patched net-2.6 kernel?
>> I'll try to reproduce it. I'll confirm it when it happens again.
>
> Yes, please.
Ok, I tried but it did not work.
My kernel is a very non-modular (which is also called monolithic?) one; one of the few
things that still was a module is my network card. ipv6 was another.
You may want to skip the next part: a lengthy explanation of the situation during
the bug.
In the original situation I had tried to build a kernel: I was trying an adapted
version of the profile-likely-unlikely-macros.patch, but due to an error in my code
kernel compilation failed.
I was using a stupid script which did:
make O=$BUILDDIR;
sudo make O=$BUILDDIR modules_install install
Note that I probably didn't run make mrproper beforehand.
Building failed, but modules were removed and I should have recompiled without the
error. I forgot that, so after rebooting my modules didn't work. The kernel booted
because all necessary code is compiled in.
My network card didn't function, however. So I decided to recompile with my
network card compiled in.
Then I was doing some other stuff, got bored, pressed Thunderbird - it's an
automatism - and right at that moment I got the oops.
So to try to reproduce this I compiled a new kernel, without compiling and
installing the modules. It did not reoccur, however.
Roel
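Pavel's sanity check on the dump quoted above (does <inet6_create>+0x5f land on an instruction start, and do the oops "Code:" bytes occur in the disassembly at all), written out as an added Python example that is not code from the thread. It parses objdump -dr text, including the wrapped byte rows and relocation rows seen in the quoted dump, and runs over a constructed fragment, so its verdict is illustrative rather than Pavel's.

```python
import re
# Constructed objdump -dr fragment, not the module from the thread: instruction starts
# at 0x34e and 0x352 but none at 0x34f, a wrapped byte row (35e) and a relocation row.
SAMPLE_DUMP = """\
000002f0 <inet6_create>:
     34e:\t8b 44 24 1c          \tmov    0x1c(%esp),%eax
     352:\t8b 00                \tmov    (%eax),%eax
     354:\t0f 18 00             \tprefetchnta (%eax)
     357:\tc7 44 24 18 00 00 00 \tmovl   $0x0,0x18(%esp)
     35e:\t00
     35b:\tR_386_32\t.rodata.str1.1
"""
SAMPLE_CODE = "Code: 8b 44 24 1c <8b> 00 0f 18 00 c7 44 24 18"  # constructed; <xx> = EIP byte

def parse_objdump(text):
    """symbol -> (start, [(addr, bytes)]); a byte row with no mnemonic extends the previous one."""
    funcs, cur = {}, None
    for line in text.splitlines():
        head = re.fullmatch(r"([0-9a-f]+) <([^>]+)>:", line.strip())
        if head:
            cur = head.group(2)
            funcs[cur] = (int(head.group(1), 16), [])
            continue
        parts = line.split("\t")
        raw = parts[1].split() if len(parts) > 1 else []
        if cur is None or not raw or not re.fullmatch(r"\s*[0-9a-f]+:", parts[0]) \
                or not all(re.fullmatch(r"[0-9a-f]{2}", b) for b in raw):
            continue  # blank row, relocation row (R_386_*) or other non-instruction text
        insns = funcs[cur][1]
        if (len(parts) > 2 and parts[2].strip()) or not insns:
            insns.append((int(parts[0].strip()[:-1], 16), raw))
        else:
            insns[-1][1].extend(raw)  # continuation of a wrapped instruction
    return funcs

def check_oops(dump, symbol, offset, code_line):
    """Pavel's two checks: is symbol+offset an instruction start, and where (if anywhere) do the Code: bytes sit?"""
    start, insns = parse_objdump(dump)[symbol]
    eip = start + offset
    toks = code_line.split()[1:]  # drop the "Code:" label
    fault = next(i for i, t in enumerate(toks) if t.startswith("<"))
    code = [t.strip("<>") for t in toks]
    stream = [(a + i, b) for a, bs in insns for i, b in enumerate(bs)]
    marker = None
    for i in range(len(stream) - len(code) + 1):
        if all(stream[i + k] == (stream[i][0] + k, code[k]) for k in range(len(code))):
            marker = stream[i + fault][0]  # dump address of the <xx> byte
            break
    return {"eip": eip, "insn_at_eip": any(a == eip for a, _ in insns),
            "code_marker_addr": marker, "consistent": marker == eip}
```

A mismatch between `eip` and `code_marker_addr`, or a missing instruction boundary at `eip`, means the dump is not from the binary that oopsed, which is exactly the situation the thread ends in.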
* Re: [BUG] in inet6_create
2007-11-05 11:00 ` YOSHIFUJI Hideaki / 吉藤英明
@ 2007-11-07 10:34 ` David Miller
0 siblings, 0 replies; 12+ messages in thread
From: David Miller @ 2007-11-07 10:34 UTC (permalink / raw)
To: yoshfuji; +Cc: 12o3l, netdev
From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date: Mon, 05 Nov 2007 20:00:46 +0900 (JST)
> [IPV6]: Ensure to initialize inetsw6 array before we start accepting socket.
>
> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
>
> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> index ecbd388..9ecd41b 100644
> --- a/net/ipv6/af_inet6.c
> +++ b/net/ipv6/af_inet6.c
> @@ -789,6 +789,7 @@ static int __init inet6_init(void)
> /* Register the socket-side information for inet6_create. */
> for(r = &inetsw6[0]; r < &inetsw6[SOCK_MAX]; ++r)
> INIT_LIST_HEAD(r);
> + synchronize_net();
>
> /* We MUST register RAW sockets before we create the ICMP6,
> * IGMP6, or NDISC control sockets.
>
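Review bot: the synchronize_net() added after the INIT_LIST_HEAD loop is not explained by the commit message, which only says the array must be initialised before sockets are accepted. synchronize_net() waits for an RCU grace period; it is not what orders the loop's stores before the RAW/ICMP6 socket registration that the context comment says follows, and the reply below notes that sock_register()'s spinlock already provides that ordering. Either state which RCU reader this grace period protects against, or drop the hunk.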
I don't see how this can make a difference.
sock_register() takes spinlocks, and therefore provides
a full memory barrier. The list initializations MUST
appear before any code path can see inet6_create() and
friends.
I simply cannot see how this crash is even possible.
Also, the original bug reporter cannot provide an inet6.o image that
matches any of his OOPS traces, so we cannot analyze this bug properly.
Thread overview: 12+ messages
2007-11-01 20:07 [BUG] in inet6_create Roel Kluin
2007-11-01 21:14 ` Roel Kluin
2007-11-02 9:15 ` Pavel Emelyanov
2007-11-02 17:51 ` Roel Kluin
2007-11-06 8:14 ` Pavel Emelyanov
2007-11-06 15:44 ` Roel Kluin
2007-11-06 16:06 ` Pavel Emelyanov
2007-11-06 17:31 ` Roel Kluin
2007-11-02 9:59 ` Pavel Emelyanov
2007-11-02 12:54 ` Pavel Emelyanov
2007-11-05 11:00 ` YOSHIFUJI Hideaki / 吉藤英明
2007-11-07 10:34 ` David Miller