Bug 196264

Summary: Kernel crash during ifdown/ifup test
Product: Red Hat Enterprise Linux 3 Reporter: Garik E <kiragon>
Component: kernelAssignee: Red Hat Kernel Manager <kernel-mgr>
Status: CLOSED CANTFIX QA Contact: Brian Brock <bbrock>
Severity: high Docs Contact:
Priority: medium    
Version: 3.0CC: petrides
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-13 12:52:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Reproduction and patch none

Description Garik E 2006-06-22 09:59:40 UTC 
Description of problem:
Linux kernel crashes/freezes during continues ifdown/ifup test on interface
added to a multicast group 

Version-Release number of selected component (if applicable):
from 2.4.21-37.EL up to 2.4.21-44.EL both UP and SMP

How reproducible:
always 
after 1-10 sec from the beginning of the test

Steps to Reproduce:
1. unpack attached crashfiles.tar.bz2 
2. run `sh ifflip'
  
Actual results:
------------[ cut here ]------------
kernel BUG at timer.c:453!
invalid operand: 0000
nfs lockd sunrpc audit usbserial parport_pc lp parport autofs4 tg3 floppy sg
microcode keybdev mousedev input hid ehci-hcd usb-uhci usbcore ext3 jbd mptscsih
mptbase diskdumplib sd_mod scsi_mod  
CPU:    1
EIP:    0060:[<c0134925>]    Not tainted
EFLAGS: 00010007

EIP is at cascade [kernel] 0x85 (2.4.21-37.EL.smp.kdb/i686)
eax: 00000000   ebx: c37312d0   ecx: 00007e00   edx: c37312d0
esi: c03a4cfc   edi: c03a4300   ebp: 0000003e   esp: f7dabf04
ds: 0068   es: 0068   ss: 0068
Process mccrashdev (pid: 1940, stackpage=f7dab000)
Stack: c03a4300 f6c8ffc4 00000000 00000001 c03a4300 f7dabf2c c0135bb5 c03a4300 
       c03a4b0c 0000003e f7dabf2c f7dabf2c c0135017 c03a4300 00000001 00000080 
       0000000a c0135862 c03a4300 f7daa000 00000000 00000000 c0130455 c04a2700 
Call Trace:   [<c0135bb5>] __run_timers [kernel] 0x125 (0xf7dabf1c)
[<c0135017>] update_process_time_intertick [kernel] 0x117 (0xf7dabf34)
[<c0135862>] timer_bh [kernel] 0x62 (0xf7dabf48)
[<c0130455>] bh_action [kernel] 0x55 (0xf7dabf5c)
[<c01302f7>] tasklet_hi_action [kernel] 0x67 (0xf7dabf64)
[<c0130085>] do_softirq [kernel] 0x105 (0xf7dabf78)
[<c010e078>] do_IRQ [kernel] 0x148 (0xf7dabf98)
[<c010df30>] do_IRQ [kernel] 0x0 (0xf7dabfbc)

Code: 0f 0b c5 01 47 44 2d c0 eb aa 90 83 ec 04 81 3d 08 32 3a c0


Entering kdb (current=0xf7daa000, pid 1940) on processor 1 Oops: invalid operand
due to oops @ 0xc0134925
eax = 0x00000000 ebx = 0xc37312d0 ecx = 0x00007e00 edx = 0xc37312d0 
esi = 0xc03a4cfc edi = 0xc03a4300 esp = 0xf7dabf04 eip = 0xc0134925 
ebp = 0x0000003e xss = 0xc02b0068 xcs = 0x00000060 eflags = 0x00010007 
xds = 0xc4e80068 xes = 0x00000068 origeax = 0xffffffff &regs = 0xf7dabed0

Expected results:


Additional info:
1 The crash was reproduced on the following machines:
    HP ML350
    DELL 750

2 On most reproductions the ebx register points to the mr_ifc_timer with the
following contents:
[1]kdb> mds %ebx
0xc37312d0 00000000   ....
0xc37312d4 00000000   ....
0xc37312d8 00007f52   ...R
0xc37312dc c3731280   Ö³s..
0xc37312e0 c02815b0 igmp_ifc_timer_expire
                       kernel .text 0xc0100000 0xc02815b0 0xc02815f0  
0xc37312e4 00000000   ....
0xc37312e8 00000000   ....
0xc37312ec 00000000 

from the data member on the timer I traced dump of netdevice:
0xc35d7000 30687465 00000000 00000000 00000000   0hte............
0xc35d7010 00000000 00000000 00000000 00000000   ................
0xc35d7020 00000000 00000011 00000000 00000015   ................
0xc35d7030 00000000 00000000 00000000 00000003   ................
0xc35d7040 00000003 f89ce220 00000000 00000000   ....ר.× ........
0xc35d7050 f89d6920 000046e1 00003f9e *00001002*   ר.i ..F×..?.....
0xc35d7060 00000000 000005dc 000e0001 c35d71c0   .......ï¢....Ö³]qÖ°
0xc35d7070 00000000 ffffffff 0000ffff 00000000   ....ï¢ï¢ï¢ï¢..ï¢ï¢....
0xc35d7080 00000000 00000000 00000000 00000000   ................
0xc35d7090 00000000 20211300 0000d528 00000000   .... !....×±(....

note, that IFF_UP flag is down:  dev->flags = 0x00001002
Comment 1 Garik E 2006-06-22 09:59:40 UTC 
Created attachment 131337 [details]
Reproduction and patch
Comment 2 Ernie Petrides 2006-06-22 17:27:50 UTC 
RHEL3 is now closed.
Comment 3 Garik E 2006-06-22 19:05:34 UTC 
Will there be no more Linux kernel updates for the RHEL-3 ?
Comment 4 Ernie Petrides 2006-06-22 20:54:21 UTC 
It probably would be better for you to discuss this with Customer Support.
Comment 5 Garik E 2006-06-23 02:58:00 UTC 
Can you verify that the binary Iâve attached crashes Linux kernel ?
Comment 6 Prarit Bhargava 2007-09-13 12:52:02 UTC 
Closing re: Comment #2.

P.