Bug 157228

Summary: Kernel crashes on executing ip -6 route add ::/96 dev sit1 if device is not up
Product: Red Hat Enterprise Linux 4
Reporter: Peter Bieringer <pb>
Component: kernel
Assignee: David Miller <davem>
Status: CLOSED WONTFIX
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 4.0
CC: davej
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-20 16:09:08 UTC

Description Peter Bieringer 2005-05-09 16:19:30 UTC

Description of problem:
While trying to enable 6to4 on a RHEL4 box, the kernel crashes.

Version-Release number of selected component (if applicable):
kernel-2.6.9-5.EL

How reproducible:
Always

Steps to Reproduce:
0. # rpm -qf `which ip`
iproute-2.6.9-3
1. # uname -a
Linux ***** 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux
2. # ip tunnel add mode sit local 192.168.1.1 remote any name sit1
3. # ip -6 route add ::/96 dev sit1
Segmentation fault


Actual Results:  Crash:

NET: Registered protocol family 10
Disabled Privacy Extensions on device c0366c20(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
ip_tables: (C) 2000-2002 Netfilter core team
divert: not allocating divert_blk for non-ethernet device sit1
Unable to handle kernel NULL pointer dereference at virtual address 00000014
 printing eip:
d09cf769
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: md5 ipv6 autofs4 nfs lockd sunrpc dm_mod uhci_hcd hw_random 8139too mii floppy ext3 jbd
CPU:    0
EIP:    0060:[<d09cf769>]    Not tainted VLI
EFLAGS: 00010202   (2.6.9-5.EL)
EIP is at ip6_route_add+0x531/0x55c [ipv6]
eax: 00000000   ebx: cfefb460   ecx: cd0ce800   edx: 00000000
esi: ffffffed   edi: d09d0353   ebp: ccfb8c70   esp: ccfb8c40
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 2490, threadinfo=ccfb8000 task=ccf4c170)
Stack: ccfb8c70 ccfb8c70 00000000 cd0ce800 00000000 cfefb460 cfed2400 cfefb460
       cfed2400 d09d0353 00000008 d09d037d 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Call Trace:
 [<d09d0353>] inet6_rtm_newroute+0x0/0x35 [ipv6]
 [<d09d037d>] inet6_rtm_newroute+0x2a/0x35 [ipv6]
 [<d09d0353>] inet6_rtm_newroute+0x0/0x35 [ipv6]
 [<c02ae989>] rtnetlink_rcv+0x225/0x313
 [<c02baf2e>] netlink_data_ready+0x14/0x43
 [<c02ba6b1>] netlink_sendskb+0x52/0x6b
 [<c02bad4a>] netlink_sendmsg+0x252/0x261
 [<c029d4af>] sock_sendmsg+0xdb/0xf7
 [<c011d043>] autoremove_wake_function+0x0/0x2d
 [<c02a2e8e>] verify_iovec+0x76/0xc2
 [<c029ec47>] sys_sendmsg+0x1ee/0x23b
 [<c015236d>] handle_mm_fault+0xd5/0x1fd
 [<c015332b>] __vma_link+0x59/0x66
 [<c0153419>] vma_link+0xe1/0x1dd
 [<c0154fce>] do_brk+0x1da/0x213
 [<c029f030>] sys_socketcall+0x1c1/0x1dd
 [<c0301bfb>] syscall_call+0x7/0xb
Code: 14 8b 54 24 18 83 c4 1c 5b 5e 5f 5d e9 cf f1 ff ff be ea ff ff ff 83 7c 24 0c 00 74 0a 8b 4c 24 0c ff 89 84 01 00 00 8b 54 24 10 <83> 7a 14 01 7f 1b 8b 42 04 85 c0 75 0d 89 d0 e8 7a ba 8d ef 85



Expected Results:  No such crash, as on FC3:

# uname -a
Linux ******* 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux
# ip tunnel add mode sit local 10.3.62.50 remote any name sit1
# ip -6 route add ::/96 dev sit1
RTNETLINK answers: No such device



Additional info:

Note that normally a device needs to be up before such a route is added. I'll investigate now why this does not happen properly in initscripts. Anyway, the kernel shouldn't crash either.
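
An added triage example (not part of the original report or of any Red Hat code): it decodes the instruction marked `<83>` in the oops `Code:` line and checks that its memory operand, base register plus displacement, equals the reported fault address. The `triage` function, the handled opcode subset and the shortened `Code:` line are assumptions of this sketch.

```python
import re

# Excerpt of the oops quoted in this report (Code: line shortened to the
# bytes around the marked faulting instruction).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000014
EIP is at ip6_route_add+0x531/0x55c [ipv6]
eax: 00000000   ebx: cfefb460   ecx: cd0ce800   edx: 00000000
esi: ffffffed   edi: d09d0353   ebp: ccfb8c70   esp: ccfb8c40
Code: 8b 54 24 10 <83> 7a 14 01 7f 1b 8b 42 04
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM rm order
# One-byte x86 opcodes that are always followed by a ModRM byte (small subset).
MODRM_OPCODES = {0x39, 0x3B, 0x80, 0x81, 0x83, 0x85, 0x89, 0x8B}


def triage(oops: str) -> dict:
    """Tie the faulting instruction's memory operand to the fault address."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", oops).group(1), 16)
    sym, off = re.search(r"EIP is at (\w+)\+(0x[0-9a-f]+)/", oops).groups()
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2}): ([0-9a-f]{8})", oops)}
    code = re.search(r"^Code: (.*)$", oops, re.M).group(1).split()
    # The kernel brackets the byte at EIP, e.g. <83>.
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = [int(b.strip("<>"), 16) for b in code[start:]]
    opcode, modrm = insn[0], insn[1]
    mod, rm = modrm >> 6, modrm & 7
    # Register-direct, SIB and absolute disp32 forms are out of scope here.
    if opcode not in MODRM_OPCODES or mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("operand form not handled by this sketch")
    dlen = {0: 0, 1: 1, 2: 4}[mod]  # displacement size in bytes
    disp = int.from_bytes(bytes(insn[2:2 + dlen]), "little", signed=True) if dlen else 0
    base = REGS[rm]
    ea = (regs[base] + disp) & 0xFFFFFFFF  # effective address of the operand
    return {"function": sym, "offset": int(off, 16), "base_reg": base,
            "base_value": regs[base], "disp": disp, "fault_addr": fault,
            "operand_matches_fault": ea == fault,
            "null_base": regs[base] == 0 and ea == fault}


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

A `null_base` result of True means the fault address is just a field offset (here 0x14) from a NULL pointer held in the base register.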

Comment 1 Peter Bieringer 2005-09-22 16:04:00 UTC
Same happens on 2.6.9-11.EL

Comment 2 Peter Bieringer 2006-12-18 12:32:44 UTC
Same happens on 2.6.9-42.EL

Comment 3 Jiri Pallich 2012-06-20 16:09:08 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.