Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)

• Next message: Gerard Beekmans: "Linux 2.4.0-test11/12 freezes when copying large amounts of data to loop file system"
• Previous message: Dr. Kelsey Hudson: "Re: DVD on Linux"
• In reply to: David S. Miller: "Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)"
• Next in thread: David S. Miller: "Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)"
• Reply: David S. Miller: "Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 14 Dec 2000, David S. Miller wrote:

> Date: Thu, 14 Dec 2000 10:38:01 -0800
> From: Ion Badulescu <ionut@moisil.cs.columbia.edu>
>
> I won't venture a fix, as I don't know the networking code well
> enough. So far, no networking maintainer has had anything to say
> about this bug on the list...
>
> Because this is the first most of us have heard of the issue, much
> less seen any ksymoops processed OOPS logs of the bug so we can even
> start thinking about what might be wrong.

Oh, there have been at least two ksymoops'ed traces posted on the list, I
thought you'd seen them already.. But never mind, the problem is that
skb->dev can be NULL and the code changed in test12 dereferences it to get
skb->dev->iif.

The oops looks something like this. It was caught on serial console, and
decoded on test11, so it doesn't have translation for module symbols. It
if helps, this box is running ip_conntrack and the oops occurred basically
as soon as an NFS request came in.

Unable to handle kernel NULL pointer dereference at virtual address 0000003c
c01917a6
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c01917a6>]
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010246
eax: 00000000 ebx: 00000000 ecx: c21d8f20 edx: 000003a0
esi: c3e73760 edi: 00000000 ebp: 00001ce8 esp: c16e9c80
ds: 0018 es: 0018 ss: 0018
Process nfsd (pid: 670, stackpage=c16e9000)
Stack: c21d8f20 00000000 c01912cf 01011eac 00002088 c21d8f20 005aac10 c0191b43
       c21d8f20 c3e73760 c1786680 c3e73760 c0194718 c16e9d9c 030011cf 1121e260
       00000000 c48c02d0 c3e73760 c16e9d8c c02358f8 c48bfb4e c3e73760 c16e9d8c
Call Trace: [<c01912cf>] [<c0191b43>] [<c0194718>] [<c48c02d0>] [<c48bfb4e>] [<c0194718>] [<c017b0f8>]
       [<c017f6f4>] [<c017f717>] [<c48c1082>] [<c0194718>] [<c0184388>] [<c0194718>] [<c0194718>] [<c0184597>]
       [<c0194718>] [<c48c2188>] [<c0193cea>] [<c0194718>] [<c0140e85>] [<c0193e0a>] [<c01a834c>] [<c01a878d>]
       [<c01a834c>] [<c01ad918>] [<c01ad956>] [<c0182aed>] [<c01ad918>] [<c487f346>] [<c487f7d5>] [<c4880516>]
       [<c48a7c00>] [<c487ef44>] [<c48a7ae0>] [<c48a75f8>] [<c4897331>] [<c48a75e0>] [<c0107457>]
Code: 8b 40 3c 89 41 3c 8b 46 5c c7 46 18 00 00 00 00 01 41 18 8b

>>EIP; c01917a6 <ip_frag_queue+242/298> <=====
Trace; c01912cf <ip_frag_destroy+2f/8c>
Trace; c0191b43 <ip_defrag+c3/140>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c48c02d0 <END_OF_CODE+4689b60/????>
Trace; c48bfb4e <END_OF_CODE+46893de/????>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c017b0f8 <dma_timer_expiry+0/70>
Trace; c017f6f4 <via82cxxx_dmaproc+0/2c>
Trace; c017f717 <via82cxxx_dmaproc+23/2c>
Trace; c48c1082 <END_OF_CODE+468a912/????>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c0184388 <nf_iterate+34/88>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c0184597 <nf_hook_slow+3f/b4>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c48c2188 <END_OF_CODE+468ba18/????>
Trace; c0193cea <ip_build_xmit_slow+3c6/498>
Trace; c0194718 <output_maybe_reroute+0/14>
Trace; c0140e85 <update_atime+4d/54>
Trace; c0193e0a <ip_build_xmit+4e/31c>
Trace; c01a834c <udp_getfrag+0/c4>
Trace; c01a878d <udp_sendmsg+339/3b4>
Trace; c01a834c <udp_getfrag+0/c4>
Trace; c01ad918 <inet_sendmsg+0/44>
Trace; c01ad956 <inet_sendmsg+3e/44>
Trace; c0182aed <sock_sendmsg+81/a4>
Trace; c01ad918 <inet_sendmsg+0/44>
Trace; c487f346 <END_OF_CODE+4648bd6/????>
Trace; c487f7d5 <END_OF_CODE+4649065/????>
Trace; c4880516 <END_OF_CODE+4649da6/????>
Trace; c48a7c00 <END_OF_CODE+4671490/????>
Trace; c487ef44 <END_OF_CODE+46487d4/????>
Trace; c48a7ae0 <END_OF_CODE+4671370/????>
Trace; c48a75f8 <END_OF_CODE+4670e88/????>
Trace; c4897331 <END_OF_CODE+4660bc1/????>
Trace; c48a75e0 <END_OF_CODE+4670e70/????>
Trace; c0107457 <kernel_thread+23/30>
Code; c01917a6 <ip_frag_queue+242/298>
00000000 <_EIP>:
Code; c01917a6 <ip_frag_queue+242/298> <=====
   0: 8b 40 3c mov 0x3c(%eax),%eax <=====
Code; c01917a9 <ip_frag_queue+245/298>
   3: 89 41 3c mov %eax,0x3c(%ecx)
Code; c01917ac <ip_frag_queue+248/298>
   6: 8b 46 5c mov 0x5c(%esi),%eax
Code; c01917af <ip_frag_queue+24b/298>
   9: c7 46 18 00 00 00 00 movl $0x0,0x18(%esi)
Code; c01917b6 <ip_frag_queue+252/298>
  10: 01 41 18 add %eax,0x18(%ecx)
Code; c01917b9 <ip_frag_queue+255/298>
  13: 8b 00 mov (%eax),%eax

Ion

-- 
  It is better to keep your mouth shut and be thought a fool,
            than to open it and remove all doubt.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Gerard Beekmans: "Linux 2.4.0-test11/12 freezes when copying large amounts of data to loop file system"
• Previous message: Dr. Kelsey Hudson: "Re: DVD on Linux"
• In reply to: David S. Miller: "Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)"
• Next in thread: David S. Miller: "Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)"
• Reply: David S. Miller: "Re: ip_defrag is broken (was: Re: test12 lockups -- need feedback)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Fri Dec 15 2000 - 21:00:30 EST