
Bug#585770: a collection of NULL pointer dereference [ipv6 and vlans?]



On Sun, 2010-06-13 at 23:15 +0200, Bastian Blank wrote:
> On Sun, Jun 13, 2010 at 08:45:19PM +0200, Peter Palfrader wrote:
> > | Set name-type for VLAN subsystem.[   30.676029] Virtual device eth0.221 asks to queue packet!
> > |  Should be visib[   30.802271] BUG: unable to handle kernel le in /proc/net/paging requestvlan/config
> > | Add at 00000000815eab98
> > | ed VLAN with VID[   30.806244] IP: == 221 to IF -: [<ffffffff812b7581>] ip6_output2+0x2c/0x28b
> > | eth0:-
> > | [   30.806244] PGD 0 
> > | [   30.806244] Thread overran stack, or stack corrupted
> 
> Okay, this is already bad.
>
> > | [   30.806244] Oops: 0000 [#1] SMP 
> > | [   30.806244] last sysfs file: /sys/devices/virtual/net/eth0.221/dev_id
> > | [   30.806244] CPU 0 
> > | [   30.806244] Modules linked in: 8021q garp stp uhci_hcd shpchp tpm_tis tpm tpm_bios snd_pcsp psmouse snd_pcm snd_timer serio_raw snd soundcore snd_page_alloc amd64_edac_mod edac_core edac_mce_amd k8temp evdev processor i2c_piix4 i2c_core button pci_hotplug usbhid hid ext3 jbd mbcache sg sr_mod cdrom sd_mod crc_t10dif pata_serverworks ehci_hcd ohci_hcd ata_generic aacraid libata tg3 usbcore nls_base libphy scsi_mod thermal fan thermal_sys [last unloaded: scsi_wait_scan]
> > | [   30.806244] Pid: 0, comm: swapper Not tainted 2.6.32-bpo.5-amd64 #1 IBM eServer 326m -[796966U]-
> > | [   32.307829] tg3: eth0: Link is up at 1000 Mbps, full duplex.
> > | [   32.307833] tg3: eth0: Flow control is on for TX and on for RX.
> > | [   32.309540] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
> > | [   30.806244] RIP: 0010:[<ffffffff812b7581>]  [<ffffffff812b7581>] ip6_output2+0x2c/0x28b
> 
> Code:
> | 0xffffffff812b7555 <+0>:     push   %r13
> | 0xffffffff812b7557 <+2>:     push   %r12
> | 0xffffffff812b7559 <+4>:     push   %rbp
> | 0xffffffff812b755a <+5>:     mov    %rdi,%rbp
> | 0xffffffff812b755d <+8>:     push   %rbx
> | 0xffffffff812b755e <+9>:     sub    $0x8,%rsp
> | 0xffffffff812b7562 <+13>:    mov    0x28(%rdi),%rax
> | 0xffffffff812b7566 <+17>:    mov    0xc0(%rdi),%ecx
> | 0xffffffff812b756c <+23>:    add    0xd0(%rdi),%rcx
> | 
> | 0xffffffff812b7577 <+34>:    movw   $0xdd86,0x7e(%rdi)
> | 0xffffffff812b757d <+40>:    mov    %r13,0x20(%rdi)
> | 0xffffffff812b7581 <+44>:    cmpb   $0xff,0x18(%rcx)
> 
> %rdi is the skb argument, %rcx seems to be not initialized (but as this
> function is static, the compiler can use that knowledge).

It is initialised: a 32-bit load whose destination is %ecx zero-extends into the whole of %rcx, so the `mov 0xc0(%rdi),%ecx` at +17 fully defines %rcx before the `add` at +23. The 32-bit width is consistent with skb->network_header being stored as an offset that is added to the skb->head pointer, which is exactly what the ipv6_hdr() definition below spells out.

Matching this up with the source:

	struct dst_entry *dst = skb_dst(skb);
0xffffffff812b7562 <+13>:    mov    0x28(%rdi),%rax

	struct net_device *dev = dst->dev;
0xffffffff812b7573 <+30>:    mov    0x18(%rax),%r13

	skb->protocol = htons(ETH_P_IPV6);
0xffffffff812b7577 <+34>:    movw   $0xdd86,0x7e(%rdi)

	skb->dev = dev;
0xffffffff812b757d <+40>:    mov    %r13,0x20(%rdi)

	if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
[ipv6_hdr(skb) defined as (struct ipv6hdr *)(skb->head + skb->network_header)]
[ipv6_addr_is_multicast(addr) defined as (addr->s6_addr32[0] & htonl(0xFF000000)) == htonl(0xFF000000)]
0xffffffff812b7566 <+17>:    mov    0xc0(%rdi),%ecx
0xffffffff812b756c <+23>:    add    0xd0(%rdi),%rcx
0xffffffff812b7581 <+44>:    cmpb   $0xff,0x18(%rcx)

So skb->head (or possibly skb->network_header) was invalid here: %rcx holds skb->head + skb->network_header, and the faulting cmpb reads the first byte of daddr at 0x18 from it (the compiler folded the 32-bit mask test into a single-byte compare against 0xff). Taking the faulting address 00000000815eab98 from the oops and subtracting the 0x18 displacement gives 0x815eab80 for that sum, which looks like the low 32 bits of a kernel pointer rather than a valid skb data address; my guess is that skb->head was NULL and the 32-bit network_header slot held stale data. The "Thread overran stack, or stack corrupted" line in the same oops means the skb (or its dst) may simply be corrupted, though, so the exact field should not be over-interpreted.

Looking at the other oops:

	__be16 type = hh->hh_type;
    ffe7:	8b 56 40             	mov    0x40(%rsi),%edx

	struct ethhdr *eth;
	const struct net_device *dev = neigh->dev;
    ffed:	4c 8b 47 18          	mov    0x18(%rdi),%r8

	eth = (struct ethhdr *)
	    (((u8 *) hh->hh_data) + (HH_DATA_OFF(sizeof(*eth))));
    fff8:	48 8d 4e 5a          	lea    0x5a(%rsi),%rcx

	if (type == htons(ETH_P_802_3))
		return -1;
    ffea:	83 c8 ff             	or     $0xffffffffffffffff,%eax
    fff1:	66 81 fa 00 01       	cmp    $0x100,%dx
    fff6:	74 31                	je     0x10029

	eth->h_proto = type;
    fffc:	66 89 51 0c          	mov    %dx,0xc(%rcx)

	memcpy(eth->h_source, dev->dev_addr, ETH_ALEN);
   10000:	49 8b 90 20 02 00 00 	mov    0x220(%r8),%rdx
   10007:	8b 02                	mov    (%rdx),%eax
   10009:	89 46 60             	mov    %eax,0x60(%rsi)
   1000c:	66 8b 42 04          	mov    0x4(%rdx),%ax
   10010:	66 89 46 64          	mov    %ax,0x64(%rsi)

So neigh->dev was NULL here: %r8 is loaded from neigh->dev at ffed and first dereferenced by the `mov 0x220(%r8),%rdx` at 10000, which fetches dev->dev_addr. Note that the pointer fetched there is itself dereferenced one instruction later at 10007, so whether the oops RIP lands on 10000 or 10007 distinguishes a NULL neigh->dev from a NULL dev->dev_addr; the second oops is not quoted above, so this reading assumes the reported RIP was 10000.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.


