From patchwork Fri Apr 15 13:24:36 2011
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 91374
X-Patchwork-Delegate: davem@davemloft.net
Subject: Re: BUG: unable to handle kernel NULL pointer dereference at 000002c0 / IP: [] in6_dev_finish_destroy+0x35/0x8c
From: Eric Dumazet
To: Simon Arlott
Cc: Linux Kernel Mailing List, netdev, Netfilter Development Mailinglist
In-Reply-To: <1302872983.3613.10.camel@edumazet-laptop>
Date: Fri, 15 Apr 2011 15:24:36 +0200
Message-ID: <1302873876.3613.11.camel@edumazet-laptop>

On Friday 15 April 2011 at 15:09 +0200, Eric Dumazet wrote:
> On Friday 15 April 2011 at 12:30 +0100, Simon Arlott wrote:
> > On Thu, April 14, 2011 23:53, Simon Arlott wrote:
> > > [19258502.086131] BUG: unable to handle kernel paging request at 676e7543
> > > [19258502.087007] IP: [] icmpv6_send+0x5c3/0x6e2
> >
> > CC netfilter-devel
> > > This happened again in a different part of icmpv6_send:
> >
> > [31890.810491] BUG: unable to handle kernel NULL pointer dereference at 000002c0
> > [31890.814522] IP: [] in6_dev_finish_destroy+0x35/0x8c
> > [31890.814522] *pdpt = 00000000160fb001 *pde = 0000000000000000
> > [31890.814522] Oops: 0002 [#1] PREEMPT SMP
> > [31890.814522] last sysfs file: /sys/devices/platform/it87.552/cpu0_vid
> > [31890.814522] Modules linked in: xt_tcpmss xt_length xt_TCPMSS ppp_synctty sch_sfq xt_u32 xt_CLASSIFY
> > sch_htb ppp_async bnep nfsd lockd sunrpc rfcomm l2cap crc16 exportfs nf_conntrack_ipv6 xt_state ip6t_LOG ipm
> > [31890.889345]
> > [31890.889345] Pid: 3, comm: ksoftirqd/0 Tainted: G W 2.6.35.4-git+ #git+ GA-MA69VM-S2/GA-MA69VM-S2
> > [31890.889345] EIP: 0060:[] EFLAGS: 00010246 CPU: 0
> > [31890.917900] EIP is at in6_dev_finish_destroy+0x35/0x8c
> > [31890.917900] EAX: 00000009 EBX: d6997fa3 ECX: c0513fcd EDX: 00000000
> > [31890.917900] ESI: 00000000 EDI: f7483bd4 EBP: f7483b40 ESP: f7483b38
> > [31890.917900] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> > [31890.917900] Process ksoftirqd/0 (pid: 3, ti=f7482000 task=f74800a0 task.ti=f7482000)
> > [31890.917900] Stack:
> > [31890.917900] d6997fa3 00000159 f7483c4c c04d8a8b efb86cc0 c067f614 f7483b58 c067f614
> > [31890.917900] <0> f7483b68 c0513fe0 0021c090 0021c086 f7483b88 c022e74d 00000046 0101ff2f
> > [31890.917900] <0> ef87e04c 00000151 f6e1fac0 f6e1fdb4 ef87e05c 00000000 00000040 f6e1faf0
> > [31890.917900] Call Trace:
> > [31890.917900] [] ? icmpv6_send+0x6a7/0x6e2
> > [31890.917900] [] ? _raw_spin_unlock_irqrestore+0x42/0x58
> > [31890.917900] [] ? release_console_sem+0x197/0x1c4
> > [31890.917900] [] ? reject_tg6+0x70/0x43f [ip6t_REJECT]
> > [31890.917900] [] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31890.917900] [] ? trace_hardirqs_on+0xb/0xd
> > [31890.917900] [] ? local_bh_enable_ip+0x97/0xad
> > [31890.917900] [] ? _raw_spin_unlock_bh+0x2f/0x32
> > [31890.917900] [] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31890.917900] [] ? ipv6_find_hdr+0xf8/0x164 [ip6_tables]
> > [31890.917900] [] ? ip6t_do_table+0x4c8/0x53e [ip6_tables]
> > [31890.917900] [] ? ip6table_mangle_hook+0xf0/0x100 [ip6table_mangle]
> > [31890.917900] [] ? ip6table_filter_hook+0x18/0x20 [ip6table_filter]
> > [31890.917900] [] ? nf_iterate+0x2f/0x62
> > [31890.917900] [] ? ip6_input_finish+0x0/0x3db
> > [31890.917900] [] ? nf_hook_slow+0x63/0xeb
> > [31890.917900] [] ? ip6_input_finish+0x0/0x3db
> > [31890.917900] [] ? ip6_input+0x33/0x47
> > [31890.917900] [] ? ip6_input_finish+0x0/0x3db
> > [31890.917900] [] ? ip6_rcv_finish+0x8b/0x8e
> > [31890.917900] [] ? nf_ct_frag6_output+0x7c/0x95 [nf_conntrack_ipv6]
> > [31890.917900] [] ? ipv6_defrag+0x87/0x9f [nf_conntrack_ipv6]
> > [31890.917900] [] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900] [] ? nf_iterate+0x2f/0x62
> > [31890.917900] [] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900] [] ? nf_hook_slow+0x63/0xeb
> > [31890.917900] [] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900] [] ? ipv6_rcv+0x387/0x47c
> > [31890.917900] [] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900] [] ? __netif_receive_skb+0x367/0x3b6
> > [31890.917900] [] ? process_backlog+0x8e/0x146
> > [31890.917900] [] ? net_rx_action+0x62/0x119
> > [31890.917900] [] ? __do_softirq+0x8b/0x10a
> > [31890.917900] [] ? do_softirq+0x2b/0x43
> > [31890.917900] [] ? run_ksoftirqd+0x73/0x155
> > [31890.917900] [] ? run_ksoftirqd+0x0/0x155
> > [31890.917900] [] ? kthread+0x61/0x66
> > [31890.917900] [] ? kthread+0x0/0x66
> > [31890.917900] [] ? kernel_thread_helper+0x6/0x1a
> > [31890.917900] Code: 40 04 39 43 04 74 0f ba 45 01 00 00 b8 7a a1 63 c0 e8 32 70 d6 ff 83 7b 0c 00 74 0f ba
> > 46 01 00 00 b8 7a a1 63 c0 e8 1d 70 d6 ff ff 8e c0 02 00 00 83 bb e4 00 00 00 00 75 0f 53 68 b5 a
> > [31890.917900] EIP: [] in6_dev_finish_destroy+0x35/0x8c SS:ESP 0068:f7483b38
> > [31890.917900] CR2: 00000000000002c0
> > [31891.236446] ---[ end trace 830bf5b3286acea0 ]---
> > [31891.241375] Kernel panic - not syncing: Fatal exception in interrupt
> > [31891.248085] Pid: 3, comm: ksoftirqd/0 Tainted: G D W 2.6.35.4-git+ #git+
> > [31891.255918] Call Trace:
> > [31891.258474] [] ? printk+0xf/0x13
> > [31891.262911] [] panic+0x55/0xc4
> > [31891.267130] [] oops_end+0x6e/0x7c
> > [31891.271619] [] no_context+0x13f/0x149
> > [31891.276496] [] __bad_area_nosemaphore+0x139/0x141
> > [31891.282461] [] ? native_sched_clock+0x42/0x8d
> > [31891.288090] [] ? sched_clock_local+0x17/0x104
> > [31891.293699] [] bad_area_nosemaphore+0xd/0x10
> > [31891.299206] [] do_page_fault+0x14e/0x302
> > [31891.304356] [] ? show_trace+0x10/0x14
> > [31891.309219] [] ? dump_stack+0x57/0x61
> > [31891.314102] [] ? do_page_fault+0x0/0x302
> > [31891.319236] [] error_code+0x6b/0x70
> > [31891.323934] [] ? _raw_spin_unlock_irqrestore+0x2f/0x58
> > [31891.330370] [] ? do_page_fault+0x0/0x302
> > [31891.335536] [] ? in6_dev_finish_destroy+0x35/0x8c
> > [31891.341512] [] icmpv6_send+0x6a7/0x6e2
> > [31891.346471] [] ? _raw_spin_unlock_irqrestore+0x42/0x58
> > [31891.352853] [] ? release_console_sem+0x197/0x1c4
> > [31891.358740] [] reject_tg6+0x70/0x43f [ip6t_REJECT]
> > [31891.364821] [] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31891.371340] [] ? trace_hardirqs_on+0xb/0xd
> > [31891.376604] [] ? local_bh_enable_ip+0x97/0xad
> > [31891.382205] [] ? _raw_spin_unlock_bh+0x2f/0x32
> > [31891.387945] [] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31891.394444] [] ? ipv6_find_hdr+0xf8/0x164 [ip6_tables]
> > [31891.400896] [] ip6t_do_table+0x4c8/0x53e [ip6_tables]
> > [31891.407260] [] ? ip6table_mangle_hook+0xf0/0x100 [ip6table_mangle]
> > [31891.414819] [] ip6table_filter_hook+0x18/0x20 [ip6table_filter]
> > [31891.422118] [] nf_iterate+0x2f/0x62
> > [31891.426800] [] ? ip6_input_finish+0x0/0x3db
> > [31891.432267] [] nf_hook_slow+0x63/0xeb
> > [31891.437147] [] ? ip6_input_finish+0x0/0x3db
> > [31891.442583] [] ip6_input+0x33/0x47
> > [31891.447195] [] ? ip6_input_finish+0x0/0x3db
> > [31891.452608] [] ip6_rcv_finish+0x8b/0x8e
> > [31891.457655] [] nf_ct_frag6_output+0x7c/0x95 [nf_conntrack_ipv6]
> > [31891.464929] [] ipv6_defrag+0x87/0x9f [nf_conntrack_ipv6]
> > [31891.471561] [] ? ip6_rcv_finish+0x0/0x8e
> > [31891.476693] [] nf_iterate+0x2f/0x62
> > [31891.481377] [] ? ip6_rcv_finish+0x0/0x8e
> > [31891.486501] [] nf_hook_slow+0x63/0xeb
> > [31891.491383] [] ? ip6_rcv_finish+0x0/0x8e
> > [31891.496501] [] ipv6_rcv+0x387/0x47c
> > [31891.501227] [] ? ip6_rcv_finish+0x0/0x8e
> > [31891.506394] [] __netif_receive_skb+0x367/0x3b6
> > [31891.512081] [] process_backlog+0x8e/0x146
> > [31891.517328] [] net_rx_action+0x62/0x119
> > [31891.522402] [] __do_softirq+0x8b/0x10a
> > [31891.527386] [] do_softirq+0x2b/0x43
> > [31891.532078] [] run_ksoftirqd+0x73/0x155
> > [31891.537136] [] ? run_ksoftirqd+0x0/0x155
> > [31891.542294] [] kthread+0x61/0x66
> > [31891.546708] [] ? kthread+0x0/0x66
> > [31891.551211] [] kernel_thread_helper+0x6/0x1a
> > [31891.556747] Rebooting in 10 seconds..
> >
> >
>
> Hmm... net/ipv6/netfilter/nf_conntrack_reasm.c happily keeps references
> to devices, on queued skb (so can escape RCU read side section)
>
> Maybe try following patch ?
>
>
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c > index 0857272..57f158e 100644 > --- a/net/ipv6/netfilter/nf_conntrack_reasm.c > +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c > @@ -582,6 +582,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user) > spin_unlock_bh(&fq->q.lock); > > fq_put(fq); > + ret_skb->dev = dev; > return ret_skb; > > ret_orig:

Hmm.. a more complete patch :

---
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index 0857272..6f0bed0 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c @@ -582,6 +582,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user) spin_unlock_bh(&fq->q.lock); fq_put(fq); + ret_skb->dev = dev; return ret_skb; ret_orig: @@ -602,7 +603,7 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, s2 = s->next; s->next = NULL; - + s->dev = in; NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, in, out, okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); s = s2;
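
Review bot: In the nf_ct_frag6_gather() hunk, the new `ret_skb->dev = dev;` depends on a `dev` that is neither declared nor assigned anywhere in the visible context, so the hunk alone does not show that it is the device of the skb currently being processed rather than one saved on a queued fragment. Since the message above identifies device pointers kept on queued skbs as the suspected cause, a one-line comment at the assignment saying where `dev` comes from and why it is still valid after `spin_unlock_bh(&fq->q.lock)` and `fq_put(fq)` would make that checkable. The posting also has no changelog text or Signed-off-by line yet, which it will need before it can be applied.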
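
Review bot: In the nf_ct_frag6_output() hunk, `s->dev = in;` is assigned unconditionally, but `hooknum` is a parameter of this function, so if the loop can be reached from a hook that has no input device, `in` is NULL and every fragment is handed to NF_HOOK_THRESH with a NULL `dev`. Consider guarding the assignment with `if (in)` or stating why `in` cannot be NULL on this path. As a style point, the change replaces the blank line that separated `s->next = NULL;` from the NF_HOOK_THRESH call; keeping a blank line after the new assignment would preserve the original grouping.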