Net iovec Oops

Daniel Schepler (
24 Jan 1997 01:04:58 -0600

Under 2.1.22, playing with SCM_CREDENTIALS, I once accidentally put
msg.msg_iov = NULL but msg.msg_iovlen = 1 in a call to sendmsg. This
created a reproducible oops:

Unable to handle kernel NULL pointer dereference at virtual address 00000004
current->tss.cr3 = 011c3000, \r3 = 011c3000
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c013ab94>]
EFLAGS: 00010202
eax: c1203418 ebx: 00000000 ecx: c1203410 edx: c1203408
esi: c0c02940 edi: 00000008 ebp: 00000008 esp: c0aeadc8
ds: 0018 es: 0018 ss: 0018
Process cred (pid: 2348, process nr: 67, stackpage=c0aea000)
Stack: c1203418 c0c02940 00000008 c0aeae08 c1ea4018 c013eda2 c1203408 00000000
00000008 00000000 c0c02940 c013ec28 c0aeae00 00000000 c1ea4018 c0aeae50
c0aeae78 c01379c8 c0c02940 c0aeae78 00000008 c0aeae3c c0aeae94 00000003
Call Trace: [<c013eda2>] [<c013ec28>] [<c01379c8>] [<c013ec28>] [<c01390a7>] [<c011b498>] [<c011b986>]
[<c011ba07>] [<c011b878>] [<c013967c>] [<c0117020>] [<c010a4ac>]
Code: 8b 43 04 85 c0 74 64 39 c5 7f 02 89 e8 89 c2 8b 33 89 74 24

The ksymoops analysis was

Using `/usr/src/linux/' to map addresses to symbols.

>>EIP: c013ab94 <memcpy_fromiovec+14/90>
Trace: c013eda2 <unix_stream_sendmsg+17a/220>
Trace: c013eda2 <unix_stream_sendmsg+17a/220>
Trace: c01379c8 <sock_sendmsg+a0/c4>
Trace: c013eda2 <unix_stream_sendmsg+17a/220>
Trace: c01390a7 <sys_sendmsg+22f/278>
Trace: c011b498 <do_wp_page>
Trace: c011b986 <do_no_page+10e/330>
Trace: c011ba07 <do_no_page+18f/330>
Trace: c011ba07 <do_no_page+18f/330>
Trace: c013967c <sys_socketcall+2e4/318>
Trace: c0117020 <notify_parent+3c/44>
Trace: c010a4ac <tracesys+18/26>

Code: c013ab94 <memcpy_fromiovec+14/90> movl 0x4(%ebx),%eax
Code: c013ab97 <memcpy_fromiovec+17/90> testl %eax,%eax
Code: c013ab99 <memcpy_fromiovec+19/90> je c013abff <memcpy_fromiovec+7f/90>
Code: c013ab9b <memcpy_fromiovec+1b/90> cmpl %eax,%ebp
Code: c013ab9d <memcpy_fromiovec+1d/90> jg c013aba1 <memcpy_fromiovec+21/90>
Code: c013ab9f <memcpy_fromiovec+1f/90> movl %ebp,%eax
Code: c013aba1 <memcpy_fromiovec+21/90> movl %eax,%edx
Code: c013aba3 <memcpy_fromiovec+23/90> movl (%ebx),%esi
Code: c013aba5 <memcpy_fromiovec+25/90> movl %esi,0x0(%esp,1)
Code: c013aba9 <memcpy_fromiovec+29/90> nop
Code: c013abaa <memcpy_fromiovec+2a/90> nop
Code: c013abab <memcpy_fromiovec+2b/90> nop

