Bug 157228 - Kernel crashes on executing ip -6 route add ::/96 dev sit1 if device is not up
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
i386 Linux
medium Severity high
Assigned To: David Miller
Brian Brock
Reported: 2005-05-09 12:19 EDT by Peter Bieringer
Modified: 2012-06-20 12:09 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:09:08 EDT
Description Peter Bieringer 2005-05-09 12:19:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Description of problem:
While trying to enable 6to4 on a RHEL4 box, the kernel crashes.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. # rpm -qf `which ip`
1. # uname -a
Linux ***** 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux
2. # ip tunnel add mode sit local remote any name sit1
3. # ip -6 route add ::/96 dev sit1
Segmentation fault

Actual Results:  Crash:

NET: Registered protocol family 10
Disabled Privacy Extensions on device c0366c20(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
ip_tables: (C) 2000-2002 Netfilter core team
divert: not allocating divert_blk for non-ethernet device sit1
Unable to handle kernel NULL pointer dereference at virtual address 00000014
 printing eip:
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: md5 ipv6 autofs4 nfs lockd sunrpc dm_mod uhci_hcd hw_random 8139too mii floppy ext3 jbd
CPU:    0
EIP:    0060:[<d09cf769>]    Not tainted VLI
EFLAGS: 00010202   (2.6.9-5.EL)
EIP is at ip6_route_add+0x531/0x55c [ipv6]
eax: 00000000   ebx: cfefb460   ecx: cd0ce800   edx: 00000000
esi: ffffffed   edi: d09d0353   ebp: ccfb8c70   esp: ccfb8c40
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 2490, threadinfo=ccfb8000 task=ccf4c170)
Stack: ccfb8c70 ccfb8c70 00000000 cd0ce800 00000000 cfefb460 cfed2400 cfefb460
       cfed2400 d09d0353 00000008 d09d037d 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Call Trace:
 [<d09d0353>] inet6_rtm_newroute+0x0/0x35 [ipv6]
 [<d09d037d>] inet6_rtm_newroute+0x2a/0x35 [ipv6]
 [<d09d0353>] inet6_rtm_newroute+0x0/0x35 [ipv6]
 [<c02ae989>] rtnetlink_rcv+0x225/0x313
 [<c02baf2e>] netlink_data_ready+0x14/0x43
 [<c02ba6b1>] netlink_sendskb+0x52/0x6b
 [<c02bad4a>] netlink_sendmsg+0x252/0x261
 [<c029d4af>] sock_sendmsg+0xdb/0xf7
 [<c011d043>] autoremove_wake_function+0x0/0x2d
 [<c02a2e8e>] verify_iovec+0x76/0xc2
 [<c029ec47>] sys_sendmsg+0x1ee/0x23b
 [<c015236d>] handle_mm_fault+0xd5/0x1fd
 [<c015332b>] __vma_link+0x59/0x66
 [<c0153419>] vma_link+0xe1/0x1dd
 [<c0154fce>] do_brk+0x1da/0x213
 [<c029f030>] sys_socketcall+0x1c1/0x1dd
 [<c0301bfb>] syscall_call+0x7/0xb
Code: 14 8b 54 24 18 83 c4 1c 5b 5e 5f 5d e9 cf f1 ff ff be ea ff ff ff 83 7c 24 0c 00 74 0a 8b 4c 24 0c ff 89 84 01 00 00 8b 54 24 10 <83> 7a 14 01 7f 1b 8b 42 04 85 c0 75 0d 89 d0 e8 7a ba 8d ef 85

Expected Results:  No such crash like on FC3:

# uname -a
Linux ******* 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux
# ip tunnel add mode sit local remote any name sit1
# ip -6 route add ::/96 dev sit1
RTNETLINK answers: No such device

Additional info:

Note that normally a device needs to be up before such a route is added. I'll now investigate why this does not happen properly in initscripts. Anyway, the kernel shouldn't crash either.
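
Added example, not part of the original report: a short Python triage of the i386 oops quoted above. It decodes the instruction marked `<83> 7a 14 01` on the `Code:` line and checks that the effective address computed from the dumped registers equals the reported fault address. Assumptions: the helper names are hypothetical, and only the opcode 0x83 `[reg + disp8]` instruction form is decoded.

```python
import re

# Excerpt of the oops quoted in the report (Code line shortened).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000014
EIP is at ip6_route_add+0x531/0x55c [ipv6]
eax: 00000000   ebx: cfefb460   ecx: cd0ce800   edx: 00000000
esi: ffffffed   edi: d09d0353   ebp: ccfb8c70   esp: ccfb8c40
Code: 8b 4c 24 0c ff 89 84 01 00 00 8b 54 24 10 <83> 7a 14 01 7f 1b 8b 42 04
"""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM r/m order
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # opcode 0x83 /digit

def parse_oops(text):
    """Extract fault address, faulting symbol, registers and faulting bytes."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", text).group(1), 16)
    symbol = re.search(r"EIP is at (\S+)", text).group(1)
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(e[a-z]{2}):\s*([0-9a-f]{8})", text)}
    toks = re.search(r"Code: (.*)", text).group(1).split()
    # The oops marks the byte at EIP with <..>; decoding starts there.
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    insn = bytes(int(t.strip("<>"), 16) for t in toks[start:])
    return fault, symbol, regs, insn

def decode_faulting_insn(insn, regs):
    """Decode opcode 0x83 with a [reg + disp8] operand (ModRM mod=01, no SIB)."""
    opcode, modrm = insn[0], insn[1]
    mod, digit, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if opcode != 0x83 or mod != 1 or rm == 4:
        raise ValueError("instruction form not handled here")
    disp = insn[2] - 256 if insn[2] & 0x80 else insn[2]  # sign-extend disp8
    base = REG32[rm]
    return GROUP1[digit], base, disp, (regs[base] + disp) & 0xFFFFFFFF

def triage(text):
    fault, symbol, regs, insn = parse_oops(text)
    mnemonic, base, disp, ea = decode_faulting_insn(insn, regs)
    return {"symbol": symbol, "insn": f"{mnemonic} [{base}+{disp:#x}], {insn[3]:#x}",
            "ea": ea, "matches_fault": ea == fault, "null_base": regs[base] == 0}

if __name__ == "__main__":
    print(triage(OOPS))
```

For this oops the decoded instruction is `cmp [edx+0x14], 0x1` with edx = 0, so the fault is a read at offset 0x14 from a NULL pointer inside `ip6_route_add`.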
Comment 1 Peter Bieringer 2005-09-22 12:04:00 EDT
Same happens on 2.6.9-11.EL
Comment 2 Peter Bieringer 2006-12-18 07:32:44 EST
Same happens on 2.6.9-42.EL
Comment 3 Jiri Pallich 2012-06-20 12:09:08 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
