2.0.29 Oops - NULL deref in ip_defrag

Benjamin C R LaHaise (blah@dot.superaje.com)
Sat, 5 Apr 1997 00:00:47 +0000 ( )

This cropped up a number of days ago on one of our
machines... Looks like the following line in
net/ipv4/ip_fragment.c:570 executed with tfp=NULL

--> if (tfp->next != NULL)
tmp->next->prev = tmp->prev;

Looks like a fairly trivial bug, but I claim no
knowledge of the code in ip_fragment.c, so perhaps
someone else can look into it, and see if it's
indicative of something deeper. (I'm too busy...)

Oh, the relavent parts of config seem to be
IP_ALWAYS_DEFRAG is set, machine runs packets through
the eql driver to 3 ppp lines, which are set to use an
mtu of 576. The 3 ether cards on the machine use an mtu
of 1500, so the fragmenting code is exercised quite a bit.


Here's the actual oops & ksymoops output:

Unable to handle kernel NULL pointer dereference at virtual address c0000014
current->tss.cr3 = 00101000, r3 = 00101000
*pde = 00102067
*pte = 00000027
Oops: 0000
CPU: 0
EIP: 0010:[<00143d7a>]
EFLAGS: 00010202
eax: 00000000 ebx: 00254498 ecx: 00000000 edx: 00254298
esi: 00001a60 edi: 00000000 ebp: 00254598 esp: 001aaf50
ds: 0018 es: 0018 fs: 002b gs: 0018 ss: 0018
Process swapper (pid: 0, process nr: 0, stackpage=001a90ac)
Stack: 0000016c 004c1c1c 004c1d8c 001c0008 00254298 00000000 00001a60 00000014
000019e0 00000000 004c1d08 00254298 00143205 004c1c1c 004c1d8c 004fd0f4
00000000 001ae63c 004c1d8c 001c0008 0079f31c 0079f51c 00000002 00000000
Call Trace: [<00143205>] [<0013b5a0>] [<00116f9b>] [<0010a7bb>]
Code: 83 7f 14 00 74 09 8b 53 14 8b 43 18 89 42 18 8b 54 24 14 8b
Aiee, killing interrupt handler
kfree of non-kmalloced memory: 001ab0f4, next= fffffc18, order=1749128
kfree of non-kmalloced memory: 001ab0e4, next= fffffc18, order=1749128
kfree of non-kmalloced memory: 001ab5f8, next= fffffc18, order=1749128
idle task may not sleep

--- after running this through ksymoops....

Using `System.map' to map addresses to symbols.

>>EIP: 143d7a <ip_defrag+26a/370>
Trace: 143205 <ip_rcv+1a5/550>
Trace: 13b5a0 <net_bh+f0/120>
Trace: 116f9b <do_bottom_half+3b/70>
Trace: 10a7bb <handle_bottom_half+b/20>

Code: 143d7a <ip_defrag+26a/370> cmpl $0x0,0x14(%edi)
Code: 143d7e <ip_defrag+26e/370> je 143d89 <ip_defrag+279/370>
Code: 143d80 <ip_defrag+270/370> movl 0x14(%ebx),%edx
Code: 143d83 <ip_defrag+273/370> movl 0x18(%ebx),%eax
Code: 143d86 <ip_defrag+276/370> movl %eax,0x18(%edx)
Code: 143d89 <ip_defrag+279/370> movl 0x14(%esp,1),%edx
Code: 143d8d <ip_defrag+27d/370> movl (%eax),%eax
Code: 143d8f <ip_defrag+27f/370> nop
Code: 143d90 <ip_defrag+280/370> nop