From patchwork Wed Dec 21 20:52:55 2011
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 132732
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1324500775.2621.9.camel@edumazet-laptop>
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in ipv6_select_ident
From: Eric Dumazet
To: Chris Boot
Cc: lkml, netdev
Date: Wed, 21 Dec 2011 21:52:55 +0100
In-Reply-To: <1324499332.2621.7.camel@edumazet-laptop>
References: <4EF200BB.7000209@bootc.net> <1324484956.2301.24.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC> <4EF2117F.6000803@bootc.net> <1324488984.2301.45.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC> <1324490401.2301.46.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC> <4EF23BF2.4000601@bootc.net> <1324499332.2621.7.camel@edumazet-laptop>
X-Mailing-List: netdev@vger.kernel.org

On Wednesday 21 December 2011 at 21:28 +0100, Eric Dumazet wrote:
> On Wednesday 21 December 2011 at 20:05 +0000, Chris Boot wrote:
> > On 21/12/2011 18:00, Eric Dumazet wrote:
> > > On Wednesday 21 December 2011 at 18:36 +0100, Eric Dumazet wrote:
> > >
> > >> Good point, that's a different problem then, since 3.1 is not supposed to
> > >> have this bug.
> > >>
> > >> It seems rt->rt6i_peer points to invalid memory in your crash.
> > >>
> > >> (RBX=00000000000001f4)
> > >>
> > >> 8b 83 a4 00 00 00 mov 0xa4(%rbx),%eax p->refcnt
> > >> 1f4+a4 -> CR2=0000000000000298
> > >>
> > > It would help if you can confirm latest linux tree can reproduce the
> > > bug.
> >
> > Hi Eric,
> >
> > I just built a v3.2-rc6-140-gb9e26df with the same config as the Debian
> > 3.1.0 kernel. I can reproduce the bug just as easily with this kernel as
> > with the Debian kernel. Unfortunately I wasn't able to get an entire
> > trace, for some reason it didn't appear to be printed to the serial port
> > and hung after the (long) list of loaded kernel modules. The crash
> > happens at the same offset:
> >
>
> Thanks !
>
> Oh well, br_netfilter fake_rtable strikes again.
>
> I'll cook a patch in a couple of minutes...
>

Could you try the following patch?

Thanks !
include/net/dst.h | 1 + net/bridge/br_netfilter.c | 2 +- net/ipv4/route.c | 4 ++-- net/ipv6/ip6_output.c | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) --- diff --git a/include/net/dst.h b/include/net/dst.h index 6faec1a..75766b4 100644 --- a/include/net/dst.h +++ b/include/net/dst.h @@ -53,6 +53,7 @@ struct dst_entry { #define DST_NOHASH 0x0008 #define DST_NOCACHE 0x0010 #define DST_NOCOUNT 0x0020 +#define DST_NOPEER 0x0040 short error; short obsolete; diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index d6ec372..5693e5f 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -141,7 +141,7 @@ void br_netfilter_rtable_init(struct net_bridge *br) rt->dst.dev = br->dev; rt->dst.path = &rt->dst; dst_init_metrics(&rt->dst, br_dst_default_metrics, true); - rt->dst.flags = DST_NOXFRM; + rt->dst.flags = DST_NOXFRM | DST_NOPEER; rt->dst.ops = &fake_dst_ops; } diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 46af623..7720403 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1271,7 +1271,7 @@ void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more) { struct rtable *rt = (struct rtable *) dst; - if (rt) { + if (rt && !(rt->dst.flags & DST_NOPEER)) { if (rt->peer == NULL) rt_bind_peer(rt, rt->rt_dst, 1); @@ -1282,7 +1282,7 @@ void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more) iph->id = htons(inet_getid(rt->peer, more)); return; } - } else + } else if (!rt) printk(KERN_DEBUG "rt_bind_peer(0) @%p\n", __builtin_return_address(0)); diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 84d0bd5..ec56271 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -603,7 +603,7 @@ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt) static atomic_t ipv6_fragmentation_id; int old, new; - if (rt) { + if (rt && !(rt->dst.flags & DST_NOPEER)) { struct inet_peer *peer; if (!rt->rt6i_peer)
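Review bot: the new DST_NOPEER flag in the include/net/dst.h hunk is added without any comment, and none of the neighbouring DST_NOHASH / DST_NOCACHE / DST_NOCOUNT defines explain themselves either, so nothing tells a future reader what the flag promises. The changelog or a short comment should state the contract: a dst marked DST_NOPEER is not a full struct rtable / rt6_info and must never be bound to an inet_peer, so every consumer of rt->peer or rt->rt6i_peer has to test the flag before touching those fields.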
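Review bot: setting `rt->dst.flags = DST_NOXFRM | DST_NOPEER;` in br_netfilter_rtable_init is the right place for the fix, but a one-line comment there would help explain why: the bridge's fake rtable is a struct rtable, so when the IPv6 path casts its dst to rt6_info the rt6i_peer field lies outside the object, which is exactly the invalid read Eric derived in the thread above (RBX=1f4 plus offset a4 giving CR2=298). Also worth stating in the changelog that the flag only protects callers that check it; per the diffstat this patch guards __ip_select_ident and ipv6_select_ident only, so any other reader of rt->peer / rt->rt6i_peer that can see a bridged skb would need the same test.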
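Review bot: in the net/ipv4/route.c hunk at line 1282, changing `} else` to `} else if (!rt)` correctly limits the KERN_DEBUG "rt_bind_peer(0)" message to the genuinely dst-less case, since a DST_NOPEER dst is expected rather than a bug. The resulting control flow is split across two hunks though: the reader of the second hunk alone cannot see that a DST_NOPEER rtable is meant to fall through to whatever follows, so a comment on the `else if (!rt)` saying that DST_NOPEER dsts intentionally skip both the peer binding and the debug message would make the intent reviewable. Minor and pre-existing: the printk prints a raw kernel return address via `%p` into the log; if that message is kept, a pr_debug would be the better fit.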
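Review bot: in the ipv6_select_ident hunk the ordering is what makes the fix safe and it deserves a comment: rt is declared struct rt6_info *, but for a bridged packet it actually points at the bridge's struct rtable, so only the embedded dst_entry at the start of the object is valid memory. The new condition `if (rt && !(rt->dst.flags & DST_NOPEER))` reads dst.flags, which lives inside that dst_entry, and bails out before the existing `if (!rt->rt6i_peer)` dereferences a field past the end of the rtable. Any future reordering that touches rt6i_peer before the flag check reintroduces the crash reported in this thread. The hunk is cut off after that line here, so the remainder of the function cannot be reviewed from this page.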