Bug 126334 - kernel crashes during `tracepath6 ::1`
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Dave Jones
Brian Brock
Reported: 2004-06-18 23:56 EDT by Neal McBurnett
Modified: 2015-01-04 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-04-16 01:33:25 EDT

Attachments:
output of dmesg - from boot to crash (14.32 KB, text/plain)
2004-06-19 00:01 EDT, Neal McBurnett

Description Neal McBurnett 2004-06-18 23:56:21 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030625

Description of problem:
Just fooling around with ipv6.  ping6 worked fine.  Did a `traceroute6
::1` to see what it would do.  Crashed....  Repeatable: always crashes
eventually, usually right away.


Version-Release number of selected component (if applicable):
kernel-2.6.6-1.435

How reproducible:
Always

Steps to Reproduce:
1. bring up a normal eth0 network connection
2. run "tracepath6 ::1"
3. watch it output several lines then crash

Actual Results:  It starts giving kernel errors on the console
beginning with, e.g.,
 Unable to handle kernel NULL pointer dereference at virtual address 00000000

then usually crashes right away.  Sometimes continues responding
to console, with interspersed "BUG: dst underflow 0: 02234f4d" lines

saw crashes with eip in skb_drop_fraglist+0x13/0x38 or
udp_v6_push_pending_frames+0xbf, etc.

Sample dmesg output in the case where it didn't crash right away:
eth0: no IPv6 routers present
Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
12954179
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: parport_pc lp parport ipv6 autofs4 8139too mii floppy sg scsi_mod microcode nls_utf8 loop dm_mod uhci_hcd button battery asus_acpi ac ext3 jbd
CPU:    0
EIP:    0060:[<12954179>]    Not tainted
EFLAGS: 00010286   (2.6.6-1.435) 
EIP is at udp_v6_push_pending_frames+0xbf/0x167 [ipv6]
eax: cdd028c9   ebx: 00000000   ecx: cdd028c9   edx: 00000000
esi: 0f218954   edi: 11e3c440   ebp: 0f218900   esp: 0dbb8d40
ds: 007b   es: 007b   ss: 0068
Process tracepath6 (pid: 1692, threadinfo=0dbb8000 task=0dbfc710)
Stack: 129547ab 0f218a88 0f218ad0 00000000 0f218aec 0dbb8ebc 0f218afc 129547d3
       00002000 0dbb8f1c 00000000 0000400c 00000000 0f218a88 00000000 00000000
       0f218adc 0f218a30 0f218ad0 0dbb8ebc 0f218900 0f263e40 00000006 00000000
Call Trace:
 [<129547ab>] udpv6_sendmsg+0x58a/0x6c8 [ipv6]
 [<129547d3>] udpv6_sendmsg+0x5b2/0x6c8 [ipv6]
 [<02232312>] sock_recvmsg+0x9c/0xb7
 [<0226c11f>] inet_recvmsg+0x30/0x46
 [<0226c16d>] inet_sendmsg+0x38/0x42
 [<0223225c>] sock_sendmsg+0x88/0xa2
 [<02140096>] get_user_size+0x2e/0x55
 [<02233816>] sys_recvmsg+0x111/0x1e6
 [<022338dc>] sys_recvmsg+0x1d7/0x1e6
 [<022332df>] sys_sendto+0xc7/0xe2
 [<0214fdec>] poll_freewait+0x33/0x3a
 [<02150199>] do_select+0x265/0x279
 [<0213639b>] follow_page_pfn+0xec/0xfd
 [<0213639b>] follow_page_pfn+0xec/0xfd
 [<02233313>] sys_send+0x19/0x1d
 [<022339bd>] sys_socketcall+0xd2/0x179
 [<0211a856>] sys_gettimeofday+0x25/0x55

Code: 8b 03 0f 18 00 90 8d 45 54 39 c3 75 e3 51 6a 08 57 e8 e1 e7 

[...see attachment for more]


Expected Results:  well, I'm not sure, but certainly not a crash :-)


Additional info:

My network does not have an ipv6 router on it.

Full dmesg output (starting with the boot messages) available on request.
Comment 1 Neal McBurnett 2004-06-19 00:01:24 EDT
Created attachment 101256 [details]
output of dmesg - from boot to crash
Comment 2 Sahil Verma 2004-06-20 02:22:33 EDT
Does the patch in bug 126021 fix the problem?
Comment 3 Dave Jones 2005-04-16 01:33:25 EDT
Fedora Core 2 has now reached end of life, and no further updates will be
provided by Red Hat.  The Fedora legacy project will be producing further kernel
updates for security problems only.

If this bug has not been fixed in the latest Fedora Core 2 update kernel, please
try to reproduce it under Fedora Core 3, and reopen if necessary, changing the
product version accordingly.

Thank you.
