diff mbox

BUG: unable to handle kernel NULL pointer dereference at 000002c0 / IP: [<c04c70f2>] in6_dev_finish_destroy+0x35/0x8c

Message ID 1302873876.3613.11.camel@edumazet-laptop
State Not Applicable, archived
Delegated to: David Miller
Headers show

Commit Message

Eric Dumazet April 15, 2011, 1:24 p.m. UTC 
Le vendredi 15 avril 2011 à 15:09 +0200, Eric Dumazet a écrit :
> Le vendredi 15 avril 2011 à 12:30 +0100, Simon Arlott a écrit :
> > On Thu, April 14, 2011 23:53, Simon Arlott wrote:
> > > [19258502.086131] BUG: unable to handle kernel paging request at 676e7543
> > > [19258502.087007] IP: [<c04d89a7>] icmpv6_send+0x5c3/0x6e2
> > 
> 
> CC netfilter-devel
> 
> > This happened again in a different part of icmpv6_send:
> > 
> > [31890.810491] BUG: unable to handle kernel NULL pointer dereference at 000002c0
> > [31890.814522] IP: [<c04c70f2>] in6_dev_finish_destroy+0x35/0x8c
> > [31890.814522] *pdpt = 00000000160fb001 *pde = 0000000000000000
> > [31890.814522] Oops: 0002 [#1] PREEMPT SMP
> > [31890.814522] last sysfs file: /sys/devices/platform/it87.552/cpu0_vid
> > [31890.814522] Modules linked in: xt_tcpmss xt_length xt_TCPMSS ppp_synctty sch_sfq xt_u32 xt_CLASSIFY
> > sch_htb ppp_async bnep nfsd lockd sunrpc rfcomm l2cap crc16 exportfs nf_conntrack_ipv6 xt_state ip6t_LOG ipm
> > [31890.889345]
> > [31890.889345] Pid: 3, comm: ksoftirqd/0 Tainted: G        W   2.6.35.4-git+ #git+ GA-MA69VM-S2/GA-MA69VM-S2
> > [31890.889345] EIP: 0060:[<c04c70f2>] EFLAGS: 00010246 CPU: 0
> > [31890.917900] EIP is at in6_dev_finish_destroy+0x35/0x8c
> > [31890.917900] EAX: 00000009 EBX: d6997fa3 ECX: c0513fcd EDX: 00000000
> > [31890.917900] ESI: 00000000 EDI: f7483bd4 EBP: f7483b40 ESP: f7483b38
> > [31890.917900]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> > [31890.917900] Process ksoftirqd/0 (pid: 3, ti=f7482000 task=f74800a0 task.ti=f7482000)
> > [31890.917900] Stack:
> > [31890.917900]  d6997fa3 00000159 f7483c4c c04d8a8b efb86cc0 c067f614 f7483b58 c067f614
> > [31890.917900] <0> f7483b68 c0513fe0 0021c090 0021c086 f7483b88 c022e74d 00000046 0101ff2f
> > [31890.917900] <0> ef87e04c 00000151 f6e1fac0 f6e1fdb4 ef87e05c 00000000 00000040 f6e1faf0
> > [31890.917900] Call Trace:
> > [31890.917900]  [<c04d8a8b>] ? icmpv6_send+0x6a7/0x6e2
> > [31890.917900]  [<c0513fe0>] ? _raw_spin_unlock_irqrestore+0x42/0x58
> > [31890.917900]  [<c022e74d>] ? release_console_sem+0x197/0x1c4
> > [31890.917900]  [<fa7ab0b5>] ? reject_tg6+0x70/0x43f [ip6t_REJECT]
> > [31890.917900]  [<fa7d09b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31890.917900]  [<c024e201>] ? trace_hardirqs_on+0xb/0xd
> > [31890.917900]  [<c0232a72>] ? local_bh_enable_ip+0x97/0xad
> > [31890.917900]  [<c0513f59>] ? _raw_spin_unlock_bh+0x2f/0x32
> > [31890.917900]  [<fa7d09b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31890.917900]  [<fa6981a0>] ? ipv6_find_hdr+0xf8/0x164 [ip6_tables]
> > [31890.917900]  [<fa6987c1>] ? ip6t_do_table+0x4c8/0x53e [ip6_tables]
> > [31890.917900]  [<fa73e0f0>] ? ip6table_mangle_hook+0xf0/0x100 [ip6table_mangle]
> > [31890.917900]  [<fa6a3018>] ? ip6table_filter_hook+0x18/0x20 [ip6table_filter]
> > [31890.917900]  [<c046ee87>] ? nf_iterate+0x2f/0x62
> > [31890.917900]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
> > [31890.917900]  [<c046f088>] ? nf_hook_slow+0x63/0xeb
> > [31890.917900]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
> > [31890.917900]  [<c04c44d6>] ? ip6_input+0x33/0x47
> > [31890.917900]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
> > [31890.917900]  [<c04c4775>] ? ip6_rcv_finish+0x8b/0x8e
> > [31890.917900]  [<fc22aa3a>] ? nf_ct_frag6_output+0x7c/0x95 [nf_conntrack_ipv6]
> > [31890.917900]  [<fc22a45c>] ? ipv6_defrag+0x87/0x9f [nf_conntrack_ipv6]
> > [31890.917900]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900]  [<c046ee87>] ? nf_iterate+0x2f/0x62
> > [31890.917900]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900]  [<c046f088>] ? nf_hook_slow+0x63/0xeb
> > [31890.917900]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900]  [<c04c4aff>] ? ipv6_rcv+0x387/0x47c
> > [31890.917900]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31890.917900]  [<c0455065>] ? __netif_receive_skb+0x367/0x3b6
> > [31890.917900]  [<c0455142>] ? process_backlog+0x8e/0x146
> > [31890.917900]  [<c0455c3b>] ? net_rx_action+0x62/0x119
> > [31890.917900]  [<c0232750>] ? __do_softirq+0x8b/0x10a
> > [31890.917900]  [<c02327fa>] ? do_softirq+0x2b/0x43
> > [31890.917900]  [<c0232885>] ? run_ksoftirqd+0x73/0x155
> > [31890.917900]  [<c0232812>] ? run_ksoftirqd+0x0/0x155
> > [31890.917900]  [<c023fdbd>] ? kthread+0x61/0x66
> > [31890.917900]  [<c023fd5c>] ? kthread+0x0/0x66
> > [31890.917900]  [<c0202c7a>] ? kernel_thread_helper+0x6/0x1a
> > [31890.917900] Code: 40 04 39 43 04 74 0f ba 45 01 00 00 b8 7a a1 63 c0 e8 32 70 d6 ff 83 7b 0c 00 74 0f ba
> > 46 01 00 00 b8 7a a1 63 c0 e8 1d 70 d6 ff <f0> ff 8e c0 02 00 00 83 bb e4 00 00 00 00 75 0f 53 68 b5 a
> > [31890.917900] EIP: [<c04c70f2>] in6_dev_finish_destroy+0x35/0x8c SS:ESP 0068:f7483b38
> > [31890.917900] CR2: 00000000000002c0
> > [31891.236446] ---[ end trace 830bf5b3286acea0 ]---
> > [31891.241375] Kernel panic - not syncing: Fatal exception in interrupt
> > [31891.248085] Pid: 3, comm: ksoftirqd/0 Tainted: G      D W   2.6.35.4-git+ #git+
> > [31891.255918] Call Trace:
> > [31891.258474]  [<c0511194>] ? printk+0xf/0x13
> > [31891.262911]  [<c0511116>] panic+0x55/0xc4
> > [31891.267130]  [<c02050ed>] oops_end+0x6e/0x7c
> > [31891.271619]  [<c021a514>] no_context+0x13f/0x149
> > [31891.276496]  [<c021a657>] __bad_area_nosemaphore+0x139/0x141
> > [31891.282461]  [<c0207360>] ? native_sched_clock+0x42/0x8d
> > [31891.288090]  [<c024468d>] ? sched_clock_local+0x17/0x104
> > [31891.293699]  [<c021a66c>] bad_area_nosemaphore+0xd/0x10
> > [31891.299206]  [<c021a910>] do_page_fault+0x14e/0x302
> > [31891.304356]  [<c0205311>] ? show_trace+0x10/0x14
> > [31891.309219]  [<c05110b7>] ? dump_stack+0x57/0x61
> > [31891.314102]  [<c021a7c2>] ? do_page_fault+0x0/0x302
> > [31891.319236]  [<c051499b>] error_code+0x6b/0x70
> > [31891.323934]  [<c0513fcd>] ? _raw_spin_unlock_irqrestore+0x2f/0x58
> > [31891.330370]  [<c021a7c2>] ? do_page_fault+0x0/0x302
> > [31891.335536]  [<c04c70f2>] ? in6_dev_finish_destroy+0x35/0x8c
> > [31891.341512]  [<c04d8a8b>] icmpv6_send+0x6a7/0x6e2
> > [31891.346471]  [<c0513fe0>] ? _raw_spin_unlock_irqrestore+0x42/0x58
> > [31891.352853]  [<c022e74d>] ? release_console_sem+0x197/0x1c4
> > [31891.358740]  [<fa7ab0b5>] reject_tg6+0x70/0x43f [ip6t_REJECT]
> > [31891.364821]  [<fa7d09b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31891.371340]  [<c024e201>] ? trace_hardirqs_on+0xb/0xd
> > [31891.376604]  [<c0232a72>] ? local_bh_enable_ip+0x97/0xad
> > [31891.382205]  [<c0513f59>] ? _raw_spin_unlock_bh+0x2f/0x32
> > [31891.387945]  [<fa7d09b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
> > [31891.394444]  [<fa6981a0>] ? ipv6_find_hdr+0xf8/0x164 [ip6_tables]
> > [31891.400896]  [<fa6987c1>] ip6t_do_table+0x4c8/0x53e [ip6_tables]
> > [31891.407260]  [<fa73e0f0>] ? ip6table_mangle_hook+0xf0/0x100 [ip6table_mangle]
> > [31891.414819]  [<fa6a3018>] ip6table_filter_hook+0x18/0x20 [ip6table_filter]
> > [31891.422118]  [<c046ee87>] nf_iterate+0x2f/0x62
> > [31891.426800]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
> > [31891.432267]  [<c046f088>] nf_hook_slow+0x63/0xeb
> > [31891.437147]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
> > [31891.442583]  [<c04c44d6>] ip6_input+0x33/0x47
> > [31891.447195]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
> > [31891.452608]  [<c04c4775>] ip6_rcv_finish+0x8b/0x8e
> > [31891.457655]  [<fc22aa3a>] nf_ct_frag6_output+0x7c/0x95 [nf_conntrack_ipv6]
> > [31891.464929]  [<fc22a45c>] ipv6_defrag+0x87/0x9f [nf_conntrack_ipv6]
> > [31891.471561]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31891.476693]  [<c046ee87>] nf_iterate+0x2f/0x62
> > [31891.481377]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31891.486501]  [<c046f088>] nf_hook_slow+0x63/0xeb
> > [31891.491383]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31891.496501]  [<c04c4aff>] ipv6_rcv+0x387/0x47c
> > [31891.501227]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
> > [31891.506394]  [<c0455065>] __netif_receive_skb+0x367/0x3b6
> > [31891.512081]  [<c0455142>] process_backlog+0x8e/0x146
> > [31891.517328]  [<c0455c3b>] net_rx_action+0x62/0x119
> > [31891.522402]  [<c0232750>] __do_softirq+0x8b/0x10a
> > [31891.527386]  [<c02327fa>] do_softirq+0x2b/0x43
> > [31891.532078]  [<c0232885>] run_ksoftirqd+0x73/0x155
> > [31891.537136]  [<c0232812>] ? run_ksoftirqd+0x0/0x155
> > [31891.542294]  [<c023fdbd>] kthread+0x61/0x66
> > [31891.546708]  [<c023fd5c>] ? kthread+0x0/0x66
> > [31891.551211]  [<c0202c7a>] kernel_thread_helper+0x6/0x1a
> > [31891.556747] Rebooting in 10 seconds..
> > 
> 
> 
> Hmm... net/ipv6/netfilter/nf_conntrack_reasm.c happily keep references
> to devices, on queued skb (so can escape RCU read side section)
> 
> Maybe try following patch ?
> 
> 
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index 0857272..57f158e 100644
> --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -582,6 +582,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
>  	spin_unlock_bh(&fq->q.lock);
>  
>  	fq_put(fq);
> +	ret_skb->dev = dev;
>  	return ret_skb;
>  
>  ret_orig:


Hmm.. a more complete patch :



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Simon Arlott April 15, 2011, 4:18 p.m. UTC | #1 
On 15/04/11 14:24, Eric Dumazet wrote:
> Hmm.. a more complete patch :
> 
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index 0857272..6f0bed0 100644

I applied the patch by recompiling and then reloading the nf_conntrack_ipv6
module (temporarily flushing and then restoring all ip6tables rules).
Then this happened 10 minutes later:

[33876.950100] BUG: unable to handle kernel NULL pointer dereference at 00000014
[33876.951060] IP: [<f9b012bb>] nf_ct_frag6_gather+0x864/0x881 [nf_conntrack_ipv6]
[33876.951060] *pdpt = 0000000033491001 *pde = 0000000000000000 
[33876.951060] Oops: 0002 [#1] PREEMPT SMP 
[33876.951060] last sysfs file: /sys/devices/platform/it87.552/cpu0_vid
[33876.951060] Modules linked in: nf_conntrack_ipv6 xt_tcpmss xt_length xt_TCPMSS ppp_synctty sch_sfq xt_u32 xt_CLASSIFY sch_htb ppp_async nfsd lockd sunrpc bnep exportfs rfcomm l2cap crc16 xt_state ip6t_LOG ip]
[33876.951060] 
[33876.951060] Pid: 7, comm: ksoftirqd/1 Not tainted 2.6.35.4-git+ #git+ GA-MA69VM-S2/GA-MA69VM-S2
[33876.951060] EIP: 0060:[<f9b012bb>] EFLAGS: 00010246 CPU: 1
[33876.951060] EIP is at nf_ct_frag6_gather+0x864/0x881 [nf_conntrack_ipv6]
[33877.071165] EAX: f68e1800 EBX: 00000000 ECX: f560f3c0 EDX: f74921a0
[33877.071165] ESI: 00000000 EDI: f636f200 EBP: f7495e34 ESP: f7495ddc
[33877.071165]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[33877.071165] Process ksoftirqd/1 (pid: 7, ti=f7494000 task=f74921a0 task.ti=f7494000)
[33877.071165] Stack:
[33877.071165]  00000001 f5d6c8c0 f636f218 726b4c79 f68e1800 062c1158 f226d06c f560f3c0
[33877.071165] <0> f560f3d4 000005a8 00000000 f74921a0 00000001 00000000 00000000 726b4c79
[33877.071165] <0> 00000001 f226d04c f226d05c f5d6c8c0 00000000 f68e1800 f7495e48 f9b0043e
[33877.071165] Call Trace:
[33877.071165]  [<f9b0043e>] ? ipv6_defrag+0x69/0x9f [nf_conntrack_ipv6]
[33877.071165]  [<c046ee87>] ? nf_iterate+0x2f/0x62
[33877.071165]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[33877.071165]  [<c046f088>] ? nf_hook_slow+0x63/0xeb
[33877.071165]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[33877.071165]  [<c04c4aff>] ? ipv6_rcv+0x387/0x47c
[33877.071165]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[33877.071165]  [<c0455065>] ? __netif_receive_skb+0x367/0x3b6
[33877.071165]  [<c0455142>] ? process_backlog+0x8e/0x146
[33877.071165]  [<c0455c3b>] ? net_rx_action+0x62/0x119
[33877.071165]  [<c0232750>] ? __do_softirq+0x8b/0x10a
[33877.071165]  [<c02327fa>] ? do_softirq+0x2b/0x43
[33877.071165]  [<c0232885>] ? run_ksoftirqd+0x73/0x155
[33877.071165]  [<c0232812>] ? run_ksoftirqd+0x0/0x155
[33877.071165]  [<c023fdbd>] ? kthread+0x61/0x66
[33877.071165]  [<c023fd5c>] ? kthread+0x0/0x66
[33877.071165]  [<c0202c7a>] ? kernel_thread_helper+0x6/0x1a
[33877.071165] Code: 02 31 db 8b 45 c8 e8 8f 2c a1 c6 8b 4d c4 f0 ff 49 30 0f 94 c0 84 c0 74 0f 8b 45 c4 31 c9 ba 78 1a b0 f9 e8 38 fe 99 c6 8b 45 b8 <89> 43 14 89 5d ac eb 07 89 f8 e8 11 e3 94 c6 8b 45 ac 8d 6 
[33877.071165] EIP: [<f9b012bb>] nf_ct_frag6_gather+0x864/0x881 [nf_conntrack_ipv6] SS:ESP 0068:f7495ddc
[33877.071165] CR2: 0000000000000014
[33877.253064] ---[ end trace 91cffe982fd021cc ]---
[33877.257847] Kernel panic - not syncing: Fatal exception in interrupt
[33877.264339] Pid: 7, comm: ksoftirqd/1 Tainted: G      D     2.6.35.4-git+ #git+
[33877.271842] Call Trace:
[33877.274420]  [<c0511194>] ? printk+0xf/0x13
[33877.278743]  [<c0511116>] panic+0x55/0xc4
[33877.282860]  [<c02050ed>] oops_end+0x6e/0x7c
[33877.287239]  [<c021a514>] no_context+0x13f/0x149
[33877.291988]  [<c021a657>] __bad_area_nosemaphore+0x139/0x141
[33877.297802]  [<c0224fb6>] ? task_rq_lock+0x36/0x60
[33877.302760]  [<c021a66c>] bad_area_nosemaphore+0xd/0x10
[33877.308107]  [<c021a910>] do_page_fault+0x14e/0x302
[33877.313119]  [<c0513a46>] ? _raw_spin_lock_irqsave+0x35/0x3e
[33877.318985]  [<c0513fe0>] ? _raw_spin_unlock_irqrestore+0x42/0x58
[33877.325261]  [<c021a7c2>] ? do_page_fault+0x0/0x302
[33877.330306]  [<c051499b>] error_code+0x6b/0x70
[33877.334854]  [<c021a7c2>] ? do_page_fault+0x0/0x302
[33877.339926]  [<f9b012bb>] ? nf_ct_frag6_gather+0x864/0x881 [nf_conntrack_ipv6]
[33877.347451]  [<f9b0043e>] ipv6_defrag+0x69/0x9f [nf_conntrack_ipv6]
[33877.353958]  [<c046ee87>] nf_iterate+0x2f/0x62
[33877.358560]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[33877.363588]  [<c046f088>] nf_hook_slow+0x63/0xeb
[33877.368322]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[33877.373388]  [<c04c4aff>] ipv6_rcv+0x387/0x47c
[33877.377965]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[33877.383022]  [<c0455065>] __netif_receive_skb+0x367/0x3b6
[33877.388558]  [<c0455142>] process_backlog+0x8e/0x146
[33877.393715]  [<c0455c3b>] net_rx_action+0x62/0x119
[33877.398664]  [<c0232750>] __do_softirq+0x8b/0x10a
[33877.403554]  [<c02327fa>] do_softirq+0x2b/0x43
[33877.408154]  [<c0232885>] run_ksoftirqd+0x73/0x155
[33877.413051]  [<c0232812>] ? run_ksoftirqd+0x0/0x155
[33877.418053]  [<c023fdbd>] kthread+0x61/0x66
[33877.422360]  [<c023fd5c>] ? kthread+0x0/0x66
[33877.426735]  [<c0202c7a>] kernel_thread_helper+0x6/0x1a
Simon Arlott April 15, 2011, 4:28 p.m. UTC | #2 
and again with the patch reverted...

[  470.965098] BUG: unable to handle kernel paging request at a1fd3e8b
[  470.966008] IP: [<c04d89a7>] icmpv6_send+0x5c3/0x6e2
[  470.966008] *pdpt = 00000000318f2001 *pde = 0000000000000000 
[  470.966008] Oops: 0002 [#1] PREEMPT SMP 
[  470.966008] last sysfs file: /sys/devices/platform/it87.552/cpu0_vid
[  470.966008] Modules linked in: nf_conntrack_ipv6 xt_tcpmss xt_length xt_TCPMSS ppp_synctty sch_sfq xt_u32 xt_CLASSIFY sch_htb ppp_async rfcomm bnep l2cap crc16 nfsd lockd sunrpc exportfs xt_state ip6t_LOG ip]
[  470.966008] 
[  470.966008] Pid: 3, comm: ksoftirqd/0 Not tainted 2.6.35.4-git+ #git+ GA-MA69VM-S2/GA-MA69VM-S2
[  470.966008] EIP: 0060:[<c04d89a7>] EFLAGS: 00010286 CPU: 0
[  470.966008] EIP is at icmpv6_send+0x5c3/0x6e2
[  470.966008] EAX: 00000000 EBX: a1fd3daf ECX: 00000000 EDX: 00000001
[  470.966008] ESI: f6f1adb4 EDI: 00000000 EBP: f7483c4c ESP: f7483b48
[  470.966008]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[  470.966008] Process ksoftirqd/0 (pid: 3, ti=f7482000 task=f74800a0 task.ti=f7482000)
[  470.966008] Stack:
[  470.966008]  f493fec0 f7483b5c c0513fe0 00033acf 00033ab5 f7483b7c c022e74d 00000046
[  470.966008] <0> fffffd8a 00033acf 00000001 0101001a f1a2984c 00000500 f6f1aac0 f6f1adb4
[  470.966008] <0> f1a2985c 00000000 00000040 f6f1aaf0 00000000 00000000 00000000 b0060120
[  470.966008] Call Trace:
[  470.966008]  [<c0513fe0>] ? _raw_spin_unlock_irqrestore+0x42/0x58
[  470.966008]  [<c022e74d>] ? release_console_sem+0x197/0x1c4
[  470.966008]  [<fa73c0b5>] ? reject_tg6+0x70/0x43f [ip6t_REJECT]
[  470.966008]  [<fa7619b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
[  470.966008]  [<c024e201>] ? trace_hardirqs_on+0xb/0xd
[  470.966008]  [<c0232a72>] ? local_bh_enable_ip+0x97/0xad
[  470.966008]  [<c0513f59>] ? _raw_spin_unlock_bh+0x2f/0x32
[  470.966008]  [<fa7619b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
[  470.966008]  [<fa6290f0>] ? ipv6_find_hdr+0x48/0x164 [ip6_tables]
[  470.966008]  [<fa6297c1>] ? ip6t_do_table+0x4c8/0x53e [ip6_tables]
[  470.966008]  [<fa6cf0f0>] ? ip6table_mangle_hook+0xf0/0x100 [ip6table_mangle]
[  470.966008]  [<fa634018>] ? ip6table_filter_hook+0x18/0x20 [ip6table_filter]
[  470.966008]  [<c046ee87>] ? nf_iterate+0x2f/0x62
[  470.966008]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
[  470.966008]  [<c046f088>] ? nf_hook_slow+0x63/0xeb
[  470.966008]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
[  470.966008]  [<c04c44d6>] ? ip6_input+0x33/0x47
[  470.966008]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
[  470.966008]  [<c04c4775>] ? ip6_rcv_finish+0x8b/0x8e
[  470.966008]  [<fc81ea3a>] ? nf_ct_frag6_output+0x7c/0x95 [nf_conntrack_ipv6]
[  470.966008]  [<fc81e45c>] ? ipv6_defrag+0x87/0x9f [nf_conntrack_ipv6]
[  470.966008]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  470.966008]  [<c046ee87>] ? nf_iterate+0x2f/0x62
[  470.966008]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  470.966008]  [<c046f088>] ? nf_hook_slow+0x63/0xeb
[  470.966008]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  470.966008]  [<c04c4aff>] ? ipv6_rcv+0x387/0x47c
[  470.966008]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  470.966008]  [<c0455065>] ? __netif_receive_skb+0x367/0x3b6
[  470.966008]  [<c0455142>] ? process_backlog+0x8e/0x146
[  470.966008]  [<c0455c3b>] ? net_rx_action+0x62/0x119
[  470.966008]  [<c0232750>] ? __do_softirq+0x8b/0x10a
[  470.966008]  [<c02327fa>] ? do_softirq+0x2b/0x43
[  470.966008]  [<c0232885>] ? run_ksoftirqd+0x73/0x155
[  470.966008]  [<c0232812>] ? run_ksoftirqd+0x0/0x155
[  470.966008]  [<c023fdbd>] ? kthread+0x61/0x66
[  470.966008]  [<c023fd5c>] ? kthread+0x0/0x66
[  470.966008]  [<c0202c7a>] ? kernel_thread_helper+0x6/0x1a
[  470.966008] Code: e8 1b da d4 ff 68 48 89 4d c0 31 c9 31 d2 b8 58 11 68 c0 6a 00 6a 01 6a 02 e8 37 76 d7 ff 8b 9b 60 01 00 00 83 c4 10 85 db 74 07 <f0> ff 83 dc 00 00 00 b9 ae 89 4d c0 ba 01 00 00 00 b8 58 1 
[  470.966008] EIP: [<c04d89a7>] icmpv6_send+0x5c3/0x6e2 SS:ESP 0068:f7483b48
[  470.966008] CR2: 00000000a1fd3e8b
[  471.387732] ---[ end trace a325ca681eff783c ]---
[  471.388770] __iptables__: l2tp_2 IN=aaisp3 OUT= MAC= SRC=2001:0678:0001:0000:0000:0000:0000:0001 DST=2001:08b0:ffea:0000:0053:4150:5841:0001 LEN=430 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=UDP SPT=53 DPT=22008 LEN= 
[  471.388833] __iptables__: l2tp_2 IN=aaisp3 OUT= MAC= SRC=80.68.89.159 DST=81.2.80.67 LEN=143 TOS=0x00 PREC=0x00 TTL=59 ID=12462 PROTO=UDP SPT=53 DPT=36911 LEN=123 
[  471.388874] __iptables__: l2tp_2 IN=aaisp3 OUT= MAC= SRC=208.94.149.2 DST=81.2.80.67 LEN=116 TOS=0x00 PREC=0x00 TTL=58 ID=22935 PROTO=UDP SPT=53 DPT=10068 LEN=96 
[  471.443611] Kernel panic - not syncing: Fatal exception in interrupt
[  471.444704] __iptables__: l2tp_2 IN=aaisp3 OUT= MAC= SRC=208.94.148.2 DST=81.2.80.67 LEN=120 TOS=0x00 PREC=0x00 TTL=58 ID=41552 PROTO=UDP SPT=53 DPT=27444 LEN=100 
[  471.444739] __iptables__: l2tp_2 IN=aaisp3 OUT= MAC= SRC=2a01:06d0:0001:0000:0000:0000:0000:0002 DST=2001:08b0:ffea:0000:0053:4150:5841:0001 LEN=109 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=UDP SPT=53 DPT=31279 LEN= 
[  471.484694] Pid: 3, comm: ksoftirqd/0 Tainted: G      D     2.6.35.4-git+ #git+
[  471.492318] Call Trace:
[  471.494885]  [<c0511194>] ? printk+0xf/0x13
[  471.499161]  [<c0511116>] panic+0x55/0xc4
[  471.503331]  [<c02050ed>] oops_end+0x6e/0x7c
[  471.507768]  [<c021a514>] no_context+0x13f/0x149
[  471.512534]  [<c021a657>] __bad_area_nosemaphore+0x139/0x141
[  471.518341]  [<c04cef8d>] ? fib6_lookup+0x48/0x5c
[  471.523203]  [<c04cdd75>] ? ip6_pol_route+0x208/0x223
[  471.528422]  [<c024e201>] ? trace_hardirqs_on+0xb/0xd
[  471.533608]  [<c0232a72>] ? local_bh_enable_ip+0x97/0xad
[  471.539055]  [<c0513d08>] ? _raw_read_unlock_bh+0x2f/0x32
[  471.544620]  [<c04cdd75>] ? ip6_pol_route+0x208/0x223
[  471.549821]  [<c021a66c>] bad_area_nosemaphore+0xd/0x10
[  471.555192]  [<c021a910>] do_page_fault+0x14e/0x302
[  471.560145]  [<c04b3486>] ? __xfrm_lookup+0x32d/0x38b
[  471.565396]  [<c04e8bbe>] ? fib6_rule_lookup+0x35/0x77
[  471.570720]  [<c021a7c2>] ? do_page_fault+0x0/0x302
[  471.575807]  [<c051499b>] error_code+0x6b/0x70
[  471.580443]  [<c021a7c2>] ? do_page_fault+0x0/0x302
[  471.585476]  [<c04d89a7>] ? icmpv6_send+0x5c3/0x6e2
[  471.590527]  [<c0513fe0>] ? _raw_spin_unlock_irqrestore+0x42/0x58
[  471.596755]  [<c022e74d>] ? release_console_sem+0x197/0x1c4
[  471.602547]  [<fa73c0b5>] reject_tg6+0x70/0x43f [ip6t_REJECT]
[  471.608472]  [<fa7619b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
[  471.614834]  [<c024e201>] ? trace_hardirqs_on+0xb/0xd
[  471.620120]  [<c0232a72>] ? local_bh_enable_ip+0x97/0xad
[  471.625575]  [<c0513f59>] ? _raw_spin_unlock_bh+0x2f/0x32
[  471.631145]  [<fa7619b1>] ? ip6t_log_packet+0x15d/0x167 [ip6t_LOG]
[  471.637519]  [<fa6290f0>] ? ipv6_find_hdr+0x48/0x164 [ip6_tables]
[  471.643794]  [<fa6297c1>] ip6t_do_table+0x4c8/0x53e [ip6_tables]
[  471.650014]  [<fa6cf0f0>] ? ip6table_mangle_hook+0xf0/0x100 [ip6table_mangle]
[  471.657364]  [<fa634018>] ip6table_filter_hook+0x18/0x20 [ip6table_filter]
[  471.664419]  [<c046ee87>] nf_iterate+0x2f/0x62
[  471.668935]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
[  471.674231]  [<c046f088>] nf_hook_slow+0x63/0xeb
[  471.678999]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
[  471.684321]  [<c04c44d6>] ip6_input+0x33/0x47
[  471.688851]  [<c04c40c8>] ? ip6_input_finish+0x0/0x3db
[  471.694097]  [<c04c4775>] ip6_rcv_finish+0x8b/0x8e
[  471.699002]  [<fc81ea3a>] nf_ct_frag6_output+0x7c/0x95 [nf_conntrack_ipv6]
[  471.706039]  [<fc81e45c>] ipv6_defrag+0x87/0x9f [nf_conntrack_ipv6]
[  471.712470]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  471.717471]  [<c046ee87>] nf_iterate+0x2f/0x62
[  471.722013]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  471.727013]  [<c046f088>] nf_hook_slow+0x63/0xeb
[  471.731703]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  471.736764]  [<c04c4aff>] ipv6_rcv+0x387/0x47c
[  471.741384]  [<c04c46ea>] ? ip6_rcv_finish+0x0/0x8e
[  471.746438]  [<c0455065>] __netif_receive_skb+0x367/0x3b6
[  471.752011]  [<c0455142>] process_backlog+0x8e/0x146
[  471.757063]  [<c0455c3b>] net_rx_action+0x62/0x119
[  471.761994]  [<c0232750>] __do_softirq+0x8b/0x10a
[  471.766822]  [<c02327fa>] do_softirq+0x2b/0x43
[  471.771354]  [<c0232885>] run_ksoftirqd+0x73/0x155
[  471.776252]  [<c0232812>] ? run_ksoftirqd+0x0/0x155
[  471.781253]  [<c023fdbd>] kthread+0x61/0x66
[  471.785544]  [<c023fd5c>] ? kthread+0x0/0x66
[  471.789957]  [<c0202c7a>] kernel_thread_helper+0x6/0x1a
[  471.795306] Rebooting in 10 seconds..
diff mbox

Patch

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 0857272..6f0bed0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -582,6 +582,7 @@  struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
 	spin_unlock_bh(&fq->q.lock);
 
 	fq_put(fq);
+	ret_skb->dev = dev;
 	return ret_skb;
 
 ret_orig:
@@ -602,7 +603,7 @@  void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
 
 		s2 = s->next;
 		s->next = NULL;
-
+		s->dev = in;
 		NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, in, out, okfn,
 			       NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
 		s = s2;