Bug#597904: phonet crahes when network namespace is destroyed

To: submit@bugs.debian.org
Subject: Bug#597904: phonet crahes when network namespace is destroyed
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 24 Sep 2010 05:18:49 +0100
Message-id: <[🔎] 1285301929.2697.171.camel@localhost>
Reply-to: Ben Hutchings <ben@decadent.org.uk>, 597904@bugs.debian.org

Package: linux-2.6
Version: 2.6.32-23

If the phonet module is loaded, destroying a network namespace crashes
the kernel.  This bug is known to be triggered by using Chromium (which
creates a network namespace) and some Nokia phones (which trigger
loading of phonet):

http://code.google.com/p/chromium/issues/detail?id=54617#c18

Oops messages below.

Ben.

[   73.925565] BUG: unable to handle kernel NULL pointer dereference at
(null)
[   73.927385] IP: [<d0823135>] phonet_device_destroy+0x81/0xf8 [phonet]
[   73.928020] *pde = 00000000 
[   73.928020] Oops: 0000 [#1] SMP 
[   73.928020] last sysfs file: /sys/devices/virtual/vc/vcsa7/uevent
[   73.928020] Modules linked in: phonet loop processor snd_pcm
snd_timer button serio_raw snd soundcore snd_page_alloc psmouse
parport_pc evdev parport i2c_piix4 pcspkr i2c_core ext3 jbd mbcache fan
sg sr_mod cdrom sd_mod crc_t10dif ata_generic ata_piix thermal libata
thermal_sys floppy e1000 scsi_mod [last unloaded: scsi_wait_scan]
[   73.928020] 
[   73.928020] Pid: 9, comm: netns Not tainted (2.6.32-5-686 #1) Bochs
[   73.928020] EIP: 0060:[<d0823135>] EFLAGS: 00010207 CPU: 0
[   73.928020] EIP is at phonet_device_destroy+0x81/0xf8 [phonet]
[   73.928020] EAX: ce6ec1c0 EBX: 00000000 ECX: ce32fc00 EDX: 00000000
[   73.928020] ESI: ce6ec1c8 EDI: 00000000 EBP: ce32fc00 ESP: cf453f00
[   73.928020]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   73.928020] Process netns (pid: 9, ti=cf452000 task=cf426200
task.ti=cf452000)
[   73.928020] Stack:
[   73.928020]  d0825694 ce32fc00 00000000 00000000 d08234ef fffffff2
00000000 ce32fc00
[   73.928020] <0> c11e5b27 c13ad2fc e6064da0 d0825694 fffffff1 c126ec00
ce32fc00 00000006
[   73.928020] <0> ce32fc00 cf838000 cf453fb0 cf838010 c1046fd2 ffffffff
00000000 c11d9920
[   73.928020] Call Trace:
[   73.928020]  [<d08234ef>] ? phonet_device_notify+0x94/0xae [phonet]
[   73.928020]  [<c11e5b27>] ? dropmon_net_event+0xf5/0x114
[   73.928020]  [<c126ec00>] ? notifier_call_chain+0x2a/0x47
[   73.928020]  [<c1046fd2>] ? raw_notifier_call_chain+0x9/0xc
[   73.928020]  [<c11d9920>] ? rollback_registered+0x9a/0xec
[   73.928020]  [<c11d99a1>] ? unregister_netdevice+0x2f/0x54
[   73.928020]  [<c11d99d5>] ? unregister_netdev+0xf/0x15
[   73.928020]  [<c11d5773>] ? cleanup_net+0x43/0x7d
[   73.928020]  [<c1040c33>] ? worker_thread+0x141/0x1bd
[   73.928020]  [<c11d5730>] ? cleanup_net+0x0/0x7d
[   73.928020]  [<c104396a>] ? autoremove_wake_function+0x0/0x2d
[   73.928020]  [<c1040af2>] ? worker_thread+0x0/0x1bd
[   73.928020]  [<c1043738>] ? kthread+0x61/0x66
[   73.928020]  [<c10436d7>] ? kthread+0x0/0x66
[   73.928020]  [<c1003d47>] ? kernel_thread_helper+0x7/0x10
[   73.928020] Code: b8 59 82 d0 8b 85 44 02 00 00 85 d2 8b 80 98 04 00
00 74 04 3b 10 76 04 0f 0b eb fe 8b 44 90 08 8b 18 eb 07 39 6b 08 74 10
89 d3 <8b> 13 0f 18 02 90 39 c3 75 ef 31 db eb 19 85 db 74 15 8b 43 04 
[   73.928020] EIP: [<d0823135>] phonet_device_destroy+0x81/0xf8
[phonet] SS:ESP 0068:cf453f00
[   73.928020] CR2: 0000000000000000
[   74.003675] ---[ end trace 0efbc7b3acd94bdf ]---
[   74.006363] Kernel panic - not syncing: Fatal exception in interrupt
[   74.009738] Pid: 9, comm: netns Tainted: G      D    2.6.32-5-686 #1
[   74.013033] Call Trace:
[   74.014327]  [<c126b429>] ? panic+0x38/0xe4
[   74.016595]  [<c126da31>] ? oops_end+0x91/0x9d
[   74.018894]  [<c101b5db>] ? no_context+0x105/0x10e
[   74.021384]  [<c101b6f9>] ? __bad_area_nosemaphore+0x115/0x11d
[   74.028368]  [<c12188b8>] ? snmp_mib_free+0x1a/0x29
[   74.032077]  [<c1238b09>] ? addrconf_ifdown+0x23f/0x260
[   74.034725]  [<c123a20c>] ? addrconf_notify+0x6a4/0x776
[   74.038354]  [<c126e8cf>] ? do_page_fault+0x0/0x307
[   74.040046]  [<c101b70b>] ? bad_area_nosemaphore+0xa/0xc
[   74.041325]  [<c126d123>] ? error_code+0x73/0x78
[   74.042515]  [<d0823135>] ? phonet_device_destroy+0x81/0xf8 [phonet]
[   74.044350]  [<d08234ef>] ? phonet_device_notify+0x94/0xae [phonet]
[   74.045958]  [<c11e5b27>] ? dropmon_net_event+0xf5/0x114
[   74.047361]  [<c126ec00>] ? notifier_call_chain+0x2a/0x47
[   74.048789]  [<c1046fd2>] ? raw_notifier_call_chain+0x9/0xc
[   74.050221]  [<c11d9920>] ? rollback_registered+0x9a/0xec
[   74.051651]  [<c11d99a1>] ? unregister_netdevice+0x2f/0x54
[   74.053111]  [<c11d99d5>] ? unregister_netdev+0xf/0x15
[   74.054635]  [<c11d5773>] ? cleanup_net+0x43/0x7d
[   74.055942]  [<c1040c33>] ? worker_thread+0x141/0x1bd
[   74.057183]  [<c11d5730>] ? cleanup_net+0x0/0x7d
[   74.058275]  [<c104396a>] ? autoremove_wake_function+0x0/0x2d
[   74.059737]  [<c1040af2>] ? worker_thread+0x0/0x1bd
[   74.060935]  [<c1043738>] ? kthread+0x61/0x66
[   74.062014]  [<c10436d7>] ? kthread+0x0/0x66
[   74.063097]  [<c1003d47>] ? kernel_thread_helper+0x7/0x10


-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Bug#597904: marked as done (phonet crahes when network namespace is destroyed)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#597828: linux-image-2.6.32-5-amd64: [xen] debug options + sysrq-t => sending NMI to all CPUs: BUG: unable to handle kernel paging request
Next by Date: Bug#597828: linux-image-2.6.32-5-amd64: [xen] debug options + sysrq-t => sending NMI to all CPUs: BUG: unable to handle kernel paging request
Previous by thread: Bug#597729: #7303: linux-image-2.6-amd64: page allocation, failure. order:0, mode:0x20
Next by thread: Bug#597904: marked as done (phonet crahes when network namespace is destroyed)
Index(es):
- Date
- Thread