From patchwork Sun Feb 24 04:01:07 2013
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 222754
X-Patchwork-Delegate: davem@davemloft.net
To: netdev@vger.kernel.org
From: Cong Wang
Subject: Re: Fw: [Bug 54281] New: kernel NULL pointer dereference on deleting a vlan interface
Date: Sun, 24 Feb 2013 04:01:07 +0000 (UTC)
References: <20130223072603.594c45e1@samsung-9>
X-Mailing-List: netdev@vger.kernel.org

On Sat, 23 Feb 2013 at 15:26 GMT, Stephen Hemminger wrote:
> # ip link del em1.57
> BUG: unable to handle kernel NULL pointer dereference at (null)
> IP: [] garp_uninit_applicant+0x2f/0xd0 [garp]
> PGD 47ce2f1067 PUD 47cbc15067 PMD 0
> Oops: 0000 [#1] SMP
> last sysfs file: /sys/devices/system/cpu/cpu23/cache/index2/shared_cpu_map
> CPU 15
> Modules linked in: bridge xt_comment ipt_LOG xt_limit fuse bonding 8021q garp
> stp llc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables
> ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack
> ip6table_filter ip6_tables ipv6 xfs exportfs power_meter dcdbas microcode
> sb_edac edac_core iTCO_wdt iTCO_vendor_support shpchp sg tg3 ext4 mbcache jbd2
> sr_mod cdrom sd_mod crc_t10dif ahci wmi megaraid_sas dm_mirror dm_region_hash
> dm_log dm_mod [last unloaded: speedstep_lib]
>
> Pid: 27564, comm: ip Not tainted 2.6.32-279.el6.x86_64 #1 Dell Inc. PowerEdge
> R720/0VWT90
> RIP: 0010:[] []
> garp_uninit_applicant+0x2f/0xd0 [garp]
> RSP: 0018:ffff8847ce2e38a8 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: ffff8823cdc8e020 RCX: ffff8847cc6c0080
> RDX: ffffffff81b12200 RSI: ffffffffa03cfa20 RDI: ffff8823cdc8e020
> RBP: ffff8847ce2e38c8 R08: ffffffff81b12200 R09: 00000000ffffffff
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff8823cdc8e020
> R13: ffffffffa03cfa20 R14: 0000000000000000 R15: ffff8823cdab26c0
> FS: 00007fe26eef1700(0000) GS:ffff8824aece0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000000000000 CR3: 00000047cce94000 CR4: 00000000000406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process ip (pid: 27564, threadinfo ffff8847ce2e2000, task ffff8847cc6c0080)
> Stack:
> ffff8823cdc8e020 0000000000000039 ffff8847cf7b4020 ffffffffa0141d80
> ffff8847ce2e38d8 ffffffffa03ce085 ffff8847ce2e3918 ffffffffa03cb420
> 00000000ffffffa6 ffffffff8200cec0 ffff8847cc914810 0000000000000001
> Call Trace:
> [] vlan_gvrp_uninit_applicant+0x15/0x20 [8021q]
> [] unregister_vlan_dev+0xf0/0x190 [8021q]
> [] rtnl_dellink+0xd0/0x110
> [] rtnetlink_rcv_msg+0x177/0x290
> [] ? rtnetlink_rcv_msg+0x0/0x290
> [] netlink_rcv_skb+0xa9/0xd0
> [] rtnetlink_rcv+0x25/0x40
> [] netlink_unicast+0x2e6/0x300
> [] netlink_sendmsg+0x200/0x2e0
> [] sock_sendmsg+0x123/0x150
> [] ? autoremove_wake_function+0x0/0x40
> [] ? move_addr_to_kernel+0x64/0x70
> [] __sys_sendmsg+0x406/0x420
> [] ? __do_page_fault+0x1ec/0x480
> [] ? vma_link+0x9b/0xf0
> [] ? do_brk+0x26c/0x350
> [] sys_sendmsg+0x49/0x90
> [] system_call_fastpath+0x16/0x1b
> Code: 48 83 ec 20 48 89 1c 24 4c 89 64 24 08 4c 89 6c 24 10 4c 89 74 24 18 0f
> 1f 44 00 00 8b 06 4c 8b b7 28 04 00 00 49 89 fc 49 89 f5 <49> 8b 1c c6 e8 38 46
> 08 e1 85 c0 74 6f 41 8b 45 00 49 c7 04 c6
> RIP [] garp_uninit_applicant+0x2f/0xd0 [garp]
> RSP
> CR2: 0000000000000000
>

I think we miss some locking...

-----

dev_mc_delete(dev,appl->proto.group_address, ETH_ALEN, 0);

---
diff --git a/net/802/garp.c b/net/802/garp.c index 1dcb066..5f72212 100644 --- a/net/802/garp.c +++ b/net/802/garp.c @@ -611,8 +611,10 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl /* Delete timer and generate a final TRANSMIT_PDU event to flush out * all pending messages before the applicant is gone. */ del_timer_sync(&app->join_timer); + spin_lock_bh(&app->lock); garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU); garp_pdu_queue(app); + spin_unlock_bh(&app->lock); garp_queue_xmit(app);
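
Review bot: The lock taken around garp_gid_event() and garp_pdu_queue() does not cover the access that faults in the quoted oops. The trace reports the fault at garp_uninit_applicant+0x2f/0xd0 with CR2 and R14 both zero, and the Code: bytes show no call before the faulting instruction (<49> 8b 1c c6, an indexed load using R14 as its base); the first call (e8 ...) follows it. The NULL load therefore happens before del_timer_sync() and before the region locked here. Either the message should explain how holding app->lock at this point prevents that early NULL load, or the fix needs to guard the pointer that is loaded at function entry. The submission also has no changelog or Signed-off-by line, and "I think we miss some locking..." does not say which concurrent path the lock is meant to exclude; the commit message should name it.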