Bug 1039743 - kernel: panic when unloading ip6_tunnel module
Summary: kernel: panic when unloading ip6_tunnel module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: 2.4
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: 2.4.3
Assignee: John Kacur
QA Contact: MRG Quality Engineering
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-12-09 21:46 UTC by Clark Williams
Modified: 2014-01-28 17:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Use of pointer in FB tunnel after it has been removed because the module was unloaded.
Consequence: Panic in the module load test, when unloading the ip6_tunnel module.
Fix: A handler is added for dellink that never removes the fb tunnel.
Result: Pointer is still available since the FB tunnel is not destroyed when the module is unloaded, and thus no panic occurs.
Clone Of:
Environment:
Last Closed: 2014-01-28 17:42:09 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2014:0100
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel-rt security and bug fix update
Last Updated: 2014-01-28 22:38:58 UTC

Description Clark Williams 2013-12-09 21:46:49 UTC
Description of problem:
When running tier1 tests in beaker, the realtime kernel will panic in the module load test, when unloading the ip6_tunnel module.

** Attempting to load ip6_tunnel... **  
** Attempting to unload ip6_tunnel... **  
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 
IP: [<ffffffffa0976b8b>] ip6_tnl_exit_net+0x9b/0xd0 [ip6_tunnel] 
PGD 1646e2067 PUD 1ecad4067 PMD 0  
Oops: 0000 [#1] PREEMPT SMP  
Modules linked in: ip6_tunnel(-) tunnel6 ts_kmp nf_conntrack_ipv4 nf_defrag_ipv4 nls_koi8_u nls_cp932 arc4 ecb md4 nls_utf8 cifs nfsv4 auth_rpcgss nfsv3 nfs_acl nfsv2 nfs lockd sunrpc nfnetlink_queue nfnetlink_log nfnetlink bluetooth rfkill cpufreq_ondemand ipv6 powernow_k8 freq_table pcspkr serio_raw joydev e1000 sg k8temp hwmon amd64_edac_mod edac_core i2c_amd756 amd_rng i2c_amd8111 i2c_core shpchp ext4 jbd2 mbcache sd_mod crc_t10dif sr_mod cdrom mptsas mptscsih mptbase scsi_transport_sas ata_generic pata_acpi pata_amd dm_mirror dm_region_hash dm_log dm_mod [last unloaded: xfrm6_mode_ro] 
CPU 1  
Pid: 5579, comm: modprobe Not tainted 3.8.13-rt25.29.el6rt.x86_64 #1 Sun Microsystems Sun Fire X4200 Server/Sun Fire X4200 Server 
RIP: 0010:[<ffffffffa0976b8b>]  [<ffffffffa0976b8b>] ip6_tnl_exit_net+0x9b/0xd0 [ip6_tunnel] 
RSP: 0018:ffff8801edd33e08  EFLAGS: 00010246 
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81aa1018 
RDX: ffff8801dd7c17e0 RSI: ffff8801edd33e08 RDI: ffffffff81aa2720 
RBP: ffff8801edd33e38 R08: 0000000000000000 R09: 0000000000000000 
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8801edd33e08 
R13: 0000000000000100 R14: ffff880114e9a000 R15: 000000000040f470 
FS:  00007f0d775bf700(0000) GS:ffff8801f7f00000(0000) knlGS:00000000f77a76c0 
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b 
CR2: 0000000000000008 CR3: 0000000114f9d000 CR4: 00000000000007e0 
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 
Process modprobe (pid: 5579, threadinfo ffff8801edd32000, task ffff8801dd7c17e0) 
Stack: 
 ffff8801edd33e08 ffff8801edd33e08 ffffffffa0978cc0 ffffffff81aa0fc0 
 ffff8801edd33e78 0000000000000000 ffff8801edd33e68 ffffffff81474119 
 ffff880100000000 ffff8801edd33e78 ffffffffa0978cc0 ffff8801edd33f18 
Call Trace: 
 [<ffffffff81474119>] ops_exit_list+0x39/0x60 
 [<ffffffff81474323>] unregister_pernet_operations+0x93/0xd0 
 [<ffffffff8147438e>] unregister_pernet_device+0x2e/0x60 
 [<ffffffffa09783f0>] ip6_tunnel_cleanup+0x70/0x72 [ip6_tunnel] 
 [<ffffffff810aa20e>] sys_delete_module+0x19e/0x270 
 [<ffffffff815530de>] ? do_page_fault+0xe/0x10 
 [<ffffffff81556fc2>] system_call_fastpath+0x16/0x1b 
Code: 48 8b 7b 08 4c 89 e6 e8 24 31 b0 e0 48 8b 1b 48 85 db 75 ec 49 83 c5 08 49 81 fd 00 01 00 00 75 cf 49 8b 86 08 01 00 00 4c 89 e6 <48> 8b 78 08 e8 fc 30 b0 e0 4c 89 e7 e8 84 30 b0 e0 e8 3f 42 b1  
RIP  [<ffffffffa0976b8b>] ip6_tnl_exit_net+0x9b/0xd0 [ip6_tunnel] 
 RSP <ffff8801edd33e08> 
CR2: 0000000000000008 

Version-Release number of selected component (if applicable):

Linux version 3.8.13-rt25.29.el6rt.x86_64 

How reproducible:
Consistent across all variants (production, debug, trace and vanilla)

Steps to Reproduce:
1. run beaker tier1 module load test

Additional info:

Possibly related to upstream bug in stable kernel introduced with commit 506cdb8909a1a739c7585c680c6bd4b3d1247564, 
ip6tnl: allow to use rtnl ops on fb tunnel
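
Added example (not part of the original report, nor Red Hat's or the kernel's code): a short Python triage of the oops above, using lines copied from it, that decodes the instruction marked <48> in the Code: line and checks that its base register plus displacement equals CR2. The function names and the minimal decoder (REX.W 8B /r loads without a SIB byte only) are assumptions made for this sketch.

```python
import re

# Lines copied from the oops in this report; only the registers needed are kept.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffffa0976b8b>] ip6_tnl_exit_net+0x9b/0xd0 [ip6_tunnel]
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81aa1018
R13: 0000000000000100 R14: ffff880114e9a000 R15: 000000000040f470
Code: 49 8b 86 08 01 00 00 4c 89 e6 <48> 8b 78 08 e8 fc 30 b0 e0
CR2: 0000000000000008
"""

# x86-64 register numbering, spelled the way the oops prints them.
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
          "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]

def parse_oops(text):
    """Return (registers, CR2, (symbol, offset, module), faulting bytes)."""
    regs = {n: int(v, 16) for n, v in
            re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b", text)}
    cr2 = int(re.search(r"^CR2: ([0-9a-f]+)", text, re.M).group(1), 16)
    sym, off, mod = re.search(
        r"IP: \[<[0-9a-f]+>\] (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+ \[(\w+)\]", text).groups()
    code = re.search(r"^Code: (.*)$", text, re.M).group(1)
    # The byte wrapped in <> is the first byte of the faulting instruction.
    fault = bytes(int(b.strip("<>"), 16) for b in code[code.index("<"):].split())
    return regs, cr2, (sym, int(off, 16), mod), fault

def decode_mov_load(ins):
    """Decode REX.W 8B /r, i.e. mov r64, [base+disp], without a SIB byte."""
    rex, opcode, modrm = ins[0], ins[1], ins[2]
    if (rex & 0xF8) != 0x48 or opcode != 0x8B:
        raise ValueError("not a 64-bit mov load")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod not in (1, 2) or rm == 4:
        raise ValueError("addressing form not handled by this sketch")
    size = 1 if mod == 1 else 4          # disp8 or disp32
    disp = int.from_bytes(ins[3:3 + size], "little", signed=True)
    dest = REGS64[reg | ((rex & 4) << 1)]  # REX.R extends the reg field
    base = REGS64[rm | ((rex & 1) << 3)]   # REX.B extends the r/m field
    return dest, base, disp, 3 + size

def triage(text):
    regs, cr2, (sym, off, mod), fault = parse_oops(text)
    dest, base, disp, _ = decode_mov_load(fault)
    effective = (regs[base] + disp) & (2**64 - 1)
    return {"function": sym, "offset": off, "module": mod, "base": base,
            "disp": disp, "base_is_null": regs[base] == 0,
            "matches_cr2": effective == cr2}
```

The instruction just before the fault (49 8b 86 08 01 00 00) decodes with the same helper to a load of RAX from R14+0x108, and the intervening 4c 89 e6 does not write RAX, so the NULL value was read from a field of a structure that R14 points to.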

Comment 1 John Kacur 2013-12-09 22:32:35 UTC
Fix is probably commit 1e9f3d6f1c403dd2b6270f654b4747147aa2306f upstream

Comment 6 errata-xmlrpc 2014-01-28 17:42:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-0100.html

