
Bug#585770: a collection of NULL pointer dereference [ipv6 and vlans?]



On Sun, Jun 13, 2010 at 08:45:19PM +0200, Peter Palfrader wrote:
> | Set name-type for VLAN subsystem.[   30.676029] Virtual device eth0.221 asks to queue packet!
> |  Should be visib[   30.802271] BUG: unable to handle kernel le in /proc/net/paging requestvlan/config
> | Add at 00000000815eab98
> | ed VLAN with VID[   30.806244] IP: == 221 to IF -: [<ffffffff812b7581>] ip6_output2+0x2c/0x28b
> | eth0:-
> | [   30.806244] PGD 0 
> | [   30.806244] Thread overran stack, or stack corrupted

Okay, this is already bad.

> | [   30.806244] Oops: 0000 [#1] SMP 
> | [   30.806244] last sysfs file: /sys/devices/virtual/net/eth0.221/dev_id
> | [   30.806244] CPU 0 
> | [   30.806244] Modules linked in: 8021q garp stp uhci_hcd shpchp tpm_tis tpm tpm_bios snd_pcsp psmouse snd_pcm snd_timer serio_raw snd soundcore snd_page_alloc amd64_edac_mod edac_core edac_mce_amd k8temp evdev processor i2c_piix4 i2c_core button pci_hotplug usbhid hid ext3 jbd mbcache sg sr_mod cdrom sd_mod crc_t10dif pata_serverworks ehci_hcd ohci_hcd ata_generic aacraid libata tg3 usbcore nls_base libphy scsi_mod thermal fan thermal_sys [last unloaded: scsi_wait_scan]
> | [   30.806244] Pid: 0, comm: swapper Not tainted 2.6.32-bpo.5-amd64 #1 IBM eServer 326m -[796966U]-
> | [   32.307829] tg3: eth0: Link is up at 1000 Mbps, full duplex.
> | [   32.307833] tg3: eth0: Flow control is on for TX and on for RX.
> | [   32.309540] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
> | [   30.806244] RIP: 0010:[<ffffffff812b7581>]  [<ffffffff812b7581>] ip6_output2+0x2c/0x28b

Code:
| 0xffffffff812b7555 <+0>:     push   %r13
| 0xffffffff812b7557 <+2>:     push   %r12
| 0xffffffff812b7559 <+4>:     push   %rbp
| 0xffffffff812b755a <+5>:     mov    %rdi,%rbp
| 0xffffffff812b755d <+8>:     push   %rbx
| 0xffffffff812b755e <+9>:     sub    $0x8,%rsp
| 0xffffffff812b7562 <+13>:    mov    0x28(%rdi),%rax
| 0xffffffff812b7566 <+17>:    mov    0xc0(%rdi),%ecx
| 0xffffffff812b756c <+23>:    add    0xd0(%rdi),%rcx
| 0xffffffff812b7573 <+30>:    mov    0x18(%rax),%r13
| 0xffffffff812b7577 <+34>:    movw   $0xdd86,0x7e(%rdi)
| 0xffffffff812b757d <+40>:    mov    %r13,0x20(%rdi)
| 0xffffffff812b7581 <+44>:    cmpb   $0xff,0x18(%rcx)

%rdi is the skb argument; %rcx seems not to be initialized (but as this
function is static, the compiler can use that knowledge).

> | [   30.806244] RSP: 0018:ffff880005403bf0  EFLAGS: 00010202
> | [   30.806244] RAX: ffff88011ef5c500 RBX: ffff88021e25e400 RCX: 00000000815eab80
> | [   30.806244] RDX: 0000000000000000 RSI: ffff880005403d18 RDI: ffff88011e7c0900
> | [   30.806244] RBP: ffff88011e7c0900 R08: 0000000000000000 R09: ffffffff8144b200
> | [   30.806244] R10: 000000009ad7942b R11: ffff88011ef5c500 R12: ffff88011e7c0900
> | [   30.806244] R13: ffff88021edec800 R14: ffffffff816763a0 R15: ffff880005403d20
> | [   30.806244] FS:  00007f3dc5f476e0(0000) GS:ffff880005400000(0000) knlGS:0000000000000000
> | [   30.806244] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
> | [   30.806244] CR2: 00000000815eab98 CR3: 0000000001001000 CR4: 00000000000006f0
> | [   30.806244] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> | [   30.806244] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> | [   30.806244] Process swapper (pid: 0, threadinfo ffffffff81422000, task ffffffff814571f0)
> | [   30.806244] Stack:
> | [   30.806244]  ffff88021fac2f40 ffff88021e25e400 ffff88011e7c0900 ffff88011e7c0900
> | [   30.806244] <0> 0000000000000000 ffffffff812b853c 0000000000000000 ffff88021edec800
> | [   30.806244] <0> ffff880005403e20 0000000000000010 ffffffff8149d894 0000001081254a36
> | [   30.806244] Call Trace:
> | [   30.806244]  <IRQ> 
> | [   30.806244]  [<ffffffff812b853c>] ? ip6_output+0xd5c/0xd74
> | [   30.806244]  [<ffffffff812c6c55>] ? ndisc_send_skb+0x196/0x2d1
> | [   30.806244]  [<ffffffff812c8333>] ? ndisc_send_ns+0x81/0xa3
> | [   30.806244]  [<ffffffff8105aa26>] ? __mod_timer+0x141/0x153
> | [   30.806244]  [<ffffffff812bbc6a>] ? addrconf_dad_timer+0x0/0x110
> | [   30.806244]  [<ffffffff812bbd54>] ? addrconf_dad_timer+0xea/0x110
> | [   30.806244]  [<ffffffff8105a257>] ? run_timer_softirq+0x1c9/0x268
> | [   30.806244]  [<ffffffff810539d1>] ? __do_softirq+0xdd/0x1a0
> | [   30.806244]  [<ffffffff81024d62>] ? lapic_next_event+0x18/0x1d
> | [   30.806244]  [<ffffffff81011cac>] ? call_softirq+0x1c/0x30
> | [   30.806244]  [<ffffffff81013903>] ? do_softirq+0x3f/0x7c
> | [   30.806244]  [<ffffffff81053840>] ? irq_exit+0x36/0x76
> | [   30.806244]  [<ffffffff81025827>] ? smp_apic_timer_interrupt+0x87/0x95
> | [   30.806244]  [<ffffffff81011673>] ? apic_timer_interrupt+0x13/0x20
> | [   30.806244]  <EOI> 
> | [   30.806244]  [<ffffffff8102c574>] ? native_safe_halt+0x2/0x3
> | [   30.806244]  [<ffffffff81017cc5>] ? default_idle+0x34/0x51
> | [   30.806244]  [<ffffffff8100feb1>] ? cpu_idle+0xa2/0xda
> | [   30.806244]  [<ffffffff814e8140>] ? early_idt_handler+0x0/0x71
> | [   30.806244]  [<ffffffff814e8cd1>] ? start_kernel+0x3dc/0x3e8
> | [   30.806244]  [<ffffffff814e83b7>] ? x86_64_start_kernel+0xf9/0x106
> | [   30.806244] Code: 55 41 54 55 48 89 fd 53 48 83 ec 08 48 8b 47 28 8b 8f c0 00 00 00 48 03 8f d0 00 00 00 4c 8b 68 18 66 c7 47 7e 86 dd 4c 89 6f 20 <80> 79 18 ff 0f 85 01 02 00 00 48 8b 47 10 31 d2 48 85 c0 74 07 
> | [   30.806244] RIP  [<ffffffff812b7581>] ip6_output2+0x2c/0x28b
> | [   30.806244]  RSP <ffff880005403bf0>
> | [   30.806244] CR2: 00000000815eab98
> | [   37.912810] ---[ end trace 92c25082da12cbfb ]---

Bastian

-- 
	"Get back to your stations!"
	"We're beaming down to the planet, sir."
		-- Kirk and Mr. Leslie, "This Side of Paradise",
		   stardate 3417.3
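As an added example, not part of the bug report or of the kernel's own code: a small Python helper that does the register arithmetic behind Bastian's reading of the Oops. It pulls the register dump and the CR2 line from the text quoted above, decodes the AT&T memory operand of the instruction at RIP (`cmpb $0xff,0x18(%rcx)`), and checks that base register plus displacement equals the faulting address in CR2, which is what ties the fault to %rcx. The address classes assume the standard 48-bit x86_64 canonical layout (user half below 0x0000800000000000, kernel half from 0xffff800000000000); the helper names (`triage`, `parse_memory_operand` and the rest) are this example's own.

```python
import re

# Lines copied from the Oops quoted in the mail above: the register dump and
# the CR2 line.  The faulting instruction is the one at RIP in the disassembly.
SAMPLE_OOPS = """\
[   30.806244] RSP: 0018:ffff880005403bf0  EFLAGS: 00010202
[   30.806244] RAX: ffff88011ef5c500 RBX: ffff88021e25e400 RCX: 00000000815eab80
[   30.806244] RDX: 0000000000000000 RSI: ffff880005403d18 RDI: ffff88011e7c0900
[   30.806244] CR2: 00000000815eab98 CR3: 0000000001001000 CR4: 00000000000006f0
"""
FAULT_INSN = "cmpb   $0xff,0x18(%rcx)"

# "NAME: 16-hex-digits" pairs as printed by the x86_64 Oops handler
# (EFLAGS and the "0018:" segment prefix on RSP do not match and are skipped).
REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")

# AT&T memory operand: disp(base,index,scale); every part may be absent.
MEM_RE = re.compile(
    r"(?P<disp>-?(?:0x[0-9a-f]+|\d+))?"
    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)"
)

PAGE_SIZE = 0x1000
USER_TOP = 0x0000800000000000      # first non-canonical address (48-bit VA)
KERNEL_BASE = 0xffff800000000000   # first kernel-half address


def parse_registers(oops_text):
    """Return {'RAX': int, ...} from the register dump lines of an Oops."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops_text)}


def parse_memory_operand(insn):
    """Decode the memory operand of one AT&T-syntax instruction."""
    m = MEM_RE.search(insn)
    if m is None:
        raise ValueError("no memory operand in %r" % insn)
    disp = m["disp"] or "0"
    return {
        "base": m["base"].lstrip("%") if m["base"] else None,
        "index": m["index"].lstrip("%") if m["index"] else None,
        "scale": int(m["scale"]) if m["scale"] else 1,
        "disp": int(disp, 16) if "0x" in disp else int(disp),
    }


def effective_address(regs, operand):
    """base + index*scale + disp, using the 64-bit values from the dump."""
    addr = operand["disp"]
    if operand["base"]:
        addr += regs[operand["base"].upper()]
    if operand["index"]:
        addr += regs[operand["index"].upper()] * operand["scale"]
    return addr & 0xFFFFFFFFFFFFFFFF


def classify_address(addr):
    """Rough x86_64 bucket for a faulting address."""
    if addr < PAGE_SIZE:
        return "null-page"       # classic NULL, or a small offset from NULL
    if addr < USER_TOP:
        return "user-half"       # canonical user-space address
    if addr < KERNEL_BASE:
        return "non-canonical"
    return "kernel-half"


def triage(oops_text, insn):
    """Check that CR2 equals what the faulting instruction's operand computes to."""
    regs = parse_registers(oops_text)
    op = parse_memory_operand(insn)
    ea = effective_address(regs, op)
    cr2 = regs["CR2"]
    return {
        "base": op["base"], "disp": op["disp"],
        "effective": ea, "cr2": cr2,
        "matches_cr2": ea == cr2,
        "class": classify_address(cr2),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_OOPS, FAULT_INSN)
    print("fault = %%%s+%#x = %#x, CR2 = %#x, match=%s, class=%s" % (
        r["base"], r["disp"], r["effective"], r["cr2"],
        r["matches_cr2"], r["class"]))
```

For the Oops above the check comes out as RCX + 0x18 = 0x815eab98 = CR2, so the bad pointer is the one in %rcx, and its value is nowhere near the zero page, which is worth noting when a report is filed under "NULL pointer dereference".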
