Bug 748746

Summary: Unable to handle NULL pointer dereference in ipv4_dst_check
Product: Fedora
Reporter: Benny Amorsen <benny+bugzilla>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2011-11-29 09:22:17 UTC

Description Benny Amorsen 2011-10-25 09:12:58 UTC
The NULL pointer dereference has happened twice in one day in the same place, possibly three times. The third possible time resulted in a system crash, but the backtrace was unreadable so I am not sure it is the same problem.

I do not know how to reproduce. Kernel is kernel-2.6.40.6-0.fc15.x86_64 and the system is now upgraded to kernel-2.6.40.7-0.fc15.x86_64 from updates-testing but has not been rebooted yet.

kernel: [357306.194805] BUG: unable to handle kernel NULL pointer dereference at 000000000000002c
kernel: [357306.206371] IP: [<ffffffff81403788>] ipv4_dst_check+0xaf/0x158
kernel: [357306.214445] PGD 0 
kernel: [357306.218327] Oops: 0002 [#2] SMP 
kernel: [357306.222413] CPU 9 
kernel: [357306.224472] Modules linked in: 8021q garp stp llc serio_raw ipmi_si ipmi_msghandler iTCO_wdt hpilo hpwdt iTCO_vendor_support acpi_power_meter igb i7core_edac edac_core dca ipv6 raid1 radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan]
kernel: [357306.260270] 
kernel: [357306.262305] Pid: 12418, comm: httpd Tainted: G      D     2.6.40.6-0.fc15.x86_64 #1 HP ProLiant BL280c G6
kernel: [357306.276283] RIP: 0010:[<ffffffff81403788>]  [<ffffffff81403788>] ipv4_dst_check+0xaf/0x158
kernel: [357306.288281] RSP: 0018:ffff88011c095d18  EFLAGS: 00010286
kernel: [357306.294455] RAX: ffff88030b8c12c0 RBX: ffff880139a4a800 RCX: ffff88018e434c00
kernel: [357306.306281] RDX: 000000011549fb79 RSI: ffff88018b940840 RDI: 0000000000000000
kernel: [357306.316312] RBP: ffff88011c095d38 R08: ffff8801b416d280 R09: ffff88018e434d00
kernel: [357306.326350] R10: 00000000000006d9 R11: 0000000000000000 R12: 00000000c1bac3d9
kernel: [357306.336383] R13: ffff88018b940840 R14: 0000000000000000 R15: ffff8801b416d558
kernel: [357306.346418] FS:  00007f9191ae0820(0000) GS:ffff880197c80000(0000) knlGS:0000000000000000
kernel: [357306.358386] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [357306.366415] CR2: 000000000000002c CR3: 000000018b3b6000 CR4: 00000000000006e0
kernel: [357306.378303] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: [357306.388286] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
kernel: [357306.398310] Process httpd (pid: 12418, threadinfo ffff88011c094000, task ffff88010b8d0000)
kernel: [357306.410310] Stack:
kernel: [357306.414199]  ffff88018e434c00 ffff880139a4a800 ffff8801b416d280 0000000000000014
kernel: [357306.424285]  ffff88011c095d58 ffffffff813cc62e ffff8801b416d280 ffff8800df0660f0
kernel: [357306.434359]  ffff88011c095da8 ffffffff81408c8f ffff88011c095d98 0000000000000000
kernel: [357306.446223] Call Trace: 
kernel: [357306.448388]  [<ffffffff813cc62e>] __sk_dst_check+0x2c/0x58
kernel: [357306.456387]  [<ffffffff81408c8f>] ip_queue_xmit+0x43/0x32a
kernel: [357306.464384]  [<ffffffff8141b53b>] tcp_transmit_skb+0x71f/0x750
kernel: [357306.474217]  [<ffffffff8141c03d>] tcp_write_xmit+0x6bd/0x7af
kernel: [357306.482252]  [<ffffffff811188ec>] ? __kmalloc_node_track_caller+0x103/0x13b
kernel: [357306.492251]  [<ffffffff8141c916>] ? tcp_send_fin+0x6b/0x129
kernel: [357306.500261]  [<ffffffff8141c186>] __tcp_push_pending_frames+0x23/0x51
kernel: [357306.510191]  [<ffffffff8141c9cb>] tcp_send_fin+0x120/0x129
kernel: [357306.518187]  [<ffffffff814108b5>] tcp_shutdown+0x49/0x4e
kernel: [357306.526134]  [<ffffffff8142d021>] inet_shutdown+0xa1/0xf2
kernel: [357306.532349]  [<ffffffff813ca9f7>] sys_shutdown+0x45/0x62
kernel: [357306.540312]  [<ffffffff8148ed02>] system_call_fastpath+0x16/0x1b
kernel: [357306.550188] Code: a3 cc 00 00 00 44 39 e0 0f 84 ab 00 00 00 48 85 db 74 14 48 8b 43 40 48 85 c0 74 0b 48 8b 15 00 e5 74 00 48 89 50 18 48 8b 7b 40 <f0> ff 4f 2c 0f 94 c0 84 c0 74 05 e8 d3 ff fd ff 48 c7 43 40 00 
kernel: [357306.576312] RIP  [<ffffffff81403788>] ipv4_dst_check+0xaf/0x158
kernel: [357306.586163]  RSP <ffff88011c095d18>
kernel: [357306.590263] CR2: 000000000000002c
kernel: [357306.612098] ---[ end trace b6b14aa23007eba1 ]---

Comment 1 Chuck Ebbert 2011-11-29 09:22:17 UTC
Looks like this was fixed in 3.1 (F15 2.6.41)

commit f2c31e32b378a6653f8de606149d963baf11d7d3
Author: Eric Dumazet <eric.dumazet>
Date:   Fri Jul 29 19:00:53 2011 +0000

    net: fix NULL dereferences in check_peer_redir()