
Bug#766195: linux: Network-related panic in Linux 3.2.63



Source: linux
Version: 3.2.63-2
Severity: important
User: debian-admin@lists.debian.org
Usertags: needed-by-DSA-Team
X-Debbugs-Cc: debian-admin@lists.debian.org, mika@debian.org

Hi,

after the latest point release some debian.org hosts became unreliable.
That was tracked down to a panic in the networking code. Ben provided a
test patch:

From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 21 Oct 2014 00:49:22 +0100
Subject: ipv6: ipv6_select_ident: handle null rt
Forwarded: not-needed

In Linux 3.2, ipv6_select_ident() can apparently still be called with
rt == NULL and must avoid dereferencing it in this case.

We should probably fix the callers, so WARN_ON_ONCE to get a clue
about how this happens.

---
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -604,13 +604,18 @@ void ipv6_select_ident(struct frag_hdr *
 	static bool hashrnd_initialized = false;
 	u32 hash, id;
 
+	if (WARN_ON_ONCE(!rt)) {
+		hash = 0;
+		goto reserve;
+	}
+
 	if (unlikely(!hashrnd_initialized)) {
 		hashrnd_initialized = true;
 		get_random_bytes(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
 	}
 	hash = __ipv6_addr_jhash(&rt->rt6i_dst.addr, ip6_idents_hashrnd);
 	hash = __ipv6_addr_jhash(&rt->rt6i_src.addr, hash);
-
+reserve:
 	id = ip_idents_reserve(hash, 1);
 	fhdr->identification = htonl(id);
 }
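
Review bot: In the new !rt branch, "hash = 0; goto reserve;" passes the same constant to ip_idents_reserve() for every packet that arrives without a route, so the identification value for those packets depends on neither the addresses nor ip6_idents_hashrnd. If this fallback is meant to outlive the diagnostic build, consider moving the check below the hashrnd_initialized block and using ip6_idents_hashrnd as the fallback hash, or add a comment saying the constant is deliberate and temporary. Also, WARN_ON_ONCE reports only the first caller that passes a NULL rt; since the commit message says the aim is to find out how this happens, a second offending call path would go unreported with this form.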

which resulted in the following trace:

[  436.375412] ------------[ cut here ]------------
[  436.375439] WARNING: at /usr/src/linux-3.2.63/net/ipv6/ip6_output.c:607 ipv6_select_ident+0x28/0x8b()
[  436.375446] Hardware name: ProLiant DL585 G2   
[  436.375451] Modules linked in: ipmi_devintf ip6t_REJECT ip6t_LOG nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables ipt_REJECT ipt_ULOG xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ses xt_hashlimit enclosure xt_multiport iptable_filter ip_tables x_tables crc32c ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi bridge sd_mod dm_round_robin crc_t10dif bonding xfs ext4 crc16 jbd2 hmac drbd lru_cache 8021q garp stp dm_snapshot loop dm_multipath scsi_dh vhost_net tun macvtap macvlan kvm_amd kvm radeon ttm ipmi_si drm_kms_helper ipmi_msghandler k8temp powernow_k8 mperf hpilo drm power_supply i2c_algo_bit shpchp amd64_edac_mod edac_mce_amd edac_core psmouse hpwdt i2c_core snd_pcm snd_page_alloc snd_timer snd soundcore processor cdc_acm pcspkr evdev serio_raw container button thermal_sys ext3 mbcache jbd dm_mod usbhid hid sg sr_mod cdrom hpsa ata_generic lpfc pata_amd uhci_hcd libata scsi_transport_fc scsi_tgt ohci_hcd bnx2 ehci_hcd cciss scsi_mod usbcore usb_common [last unloaded: scsi_wait_scan]
[  436.375642] Pid: 12085, comm: unbound Not tainted 3.2.0-4-amd64 #1 Debian 3.2.63-2a~test
[  436.375647] Call Trace:
[  436.375666]  [<ffffffff81046d61>] ? warn_slowpath_common+0x78/0x8c
[  436.375676]  [<ffffffff812ff40f>] ? ipv6_select_ident+0x28/0x8b
[  436.375685]  [<ffffffff81311411>] ? udp6_ufo_fragment+0x124/0x1a2
[  436.375696]  [<ffffffff812fd569>] ? ipv6_gso_segment+0xb8/0x14e
[  436.375705]  [<ffffffff81036273>] ? __wake_up_common+0x40/0x77
[  436.375715]  [<ffffffff812905b4>] ? skb_gso_segment+0x208/0x28b
[  436.375725]  [<ffffffff81037f7b>] ? __wake_up+0x35/0x46
[  436.375734]  [<ffffffff81071295>] ? arch_local_irq_save+0x11/0x17
[  436.375746]  [<ffffffff813508f9>] ? _raw_spin_lock_irqsave+0x9/0x25
[  436.375756]  [<ffffffff8105266a>] ? lock_timer_base.isra.29+0x23/0x47
[  436.375764]  [<ffffffff81350937>] ? _raw_spin_unlock_irqrestore+0xe/0xf
[  436.375771]  [<ffffffff81052926>] ? __mod_timer+0x139/0x14b
[  436.375781]  [<ffffffff8104c2c9>] ? _local_bh_enable_ip.isra.11+0x1e/0x88
[  436.375794]  [<ffffffffa06b159a>] ? ip6t_do_table+0x5b2/0x5e4 [ip6_tables]
[  436.375805]  [<ffffffff81292337>] ? dev_hard_start_xmit+0x32d/0x518
[  436.375814]  [<ffffffff812b28bd>] ? nf_iterate+0x41/0x77
[  436.375823]  [<ffffffff812a8a63>] ? sch_direct_xmit+0x61/0x135
[  436.375833]  [<ffffffff812927e4>] ? dev_queue_xmit+0x2c2/0x46b
[  436.375856]  [<ffffffffa05db84b>] ? br_dev_queue_push_xmit+0x9b/0x9f [bridge]
[  436.375871]  [<ffffffffa05da31d>] ? br_dev_xmit+0x12e/0x142 [bridge]
[  436.375880]  [<ffffffff812923dc>] ? dev_hard_start_xmit+0x3d2/0x518
[  436.375888]  [<ffffffff812ffc73>] ? ip6_fragment+0x801/0x801
[  436.375897]  [<ffffffff812928e3>] ? dev_queue_xmit+0x3c1/0x46b
[  436.375906]  [<ffffffff812fe8b6>] ? ip6_finish_output2+0x216/0x26a
[  436.375916]  [<ffffffff81300d08>] ? ip6_push_pending_frames+0x307/0x391
[  436.375925]  [<ffffffff813117f1>] ? udp_v6_push_pending_frames+0x284/0x2fc
[  436.375934]  [<ffffffff81312855>] ? udpv6_sendmsg+0x6e0/0x8a0
[  436.375942]  [<ffffffff810411d9>] ? find_busiest_group+0x1f5/0x805
[  436.375956]  [<ffffffff81280461>] ? sock_sendmsg+0xc1/0xde
[  436.375965]  [<ffffffff812de4c2>] ? inet_recvmsg+0x5b/0x6f
[  436.375974]  [<ffffffff81280340>] ? sock_recvmsg+0xcd/0xec
[  436.375982]  [<ffffffff8128382c>] ? sock_kmalloc+0x41/0x63
[  436.375989]  [<ffffffff8128382c>] ? sock_kmalloc+0x41/0x63
[  436.375999]  [<ffffffff810ed0ca>] ? __kmalloc+0x100/0x112
[  436.376032]  [<ffffffff81036618>] ? should_resched+0x5/0x23
[  436.376040]  [<ffffffff81036618>] ? should_resched+0x5/0x23
[  436.376048]  [<ffffffff8134f56c>] ? _cond_resched+0x7/0x1c
[  436.376056]  [<ffffffff8127eeaf>] ? copy_from_user+0x18/0x30
[  436.376065]  [<ffffffff81280717>] ? ___sys_sendmsg+0x209/0x2a9
[  436.376075]  [<ffffffff812d6e79>] ? udp_poll+0xf/0x42
[  436.376082]  [<ffffffff81036618>] ? should_resched+0x5/0x23
[  436.376089]  [<ffffffff8134f56c>] ? _cond_resched+0x7/0x1c
[  436.376106]  [<ffffffff8128125c>] ? move_addr_to_user+0x70/0x8a
[  436.376123]  [<ffffffff81281e90>] ? sys_recvfrom+0xfd/0x12a
[  436.376139]  [<ffffffff81350937>] ? _raw_spin_unlock_irqrestore+0xe/0xf
[  436.376159]  [<ffffffff810fc3b6>] ? fget_light+0x2e/0x7b
[  436.376175]  [<ffffffff81282087>] ? __sys_sendmsg+0x39/0x58
[  436.376192]  [<ffffffff813559d2>] ? system_call_fastpath+0x16/0x1b
[  436.376203] ---[ end trace dfa37d448a0a925f ]---

It looks like that ipv6_select_ident call in udp6_ufo_fragment was
removed in 3.14 by
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=916e4cf46d0204806c062c8c6c4d1f633852c5b6

Cheers,
Julien
