Bug 244026 - [RHEL4]: Kernel crash when adding an IPv4 route with NLM_F_ECHO
Summary: [RHEL4]: Kernel crash when adding an IPv4 route with NLM_F_ECHO
Status: CLOSED DUPLICATE of bug 216752
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel   
Version: 4.0
Hardware: All Linux
Target Milestone: ---
Assignee: Chris Lalancette
QA Contact: Martin Jenner
Depends On:
Reported: 2007-06-13 13:24 UTC by Chris Lalancette
Modified: 2010-07-19 13:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-07-13 14:51:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Example program that can reproduce the kernel crash (2.70 KB, text/x-csrc)
2007-06-13 13:25 UTC, Chris Lalancette
[NETLINK]: Orphan SKBs in netlink_trim(). (1.24 KB, patch)
2007-06-13 13:35 UTC, Chris Lalancette
[NETLINK]: Unshare SKB, as necessary, in netlink_trim() (1.60 KB, patch)
2007-06-13 13:36 UTC, Chris Lalancette

Description Chris Lalancette 2007-06-13 13:24:39 UTC
Description of problem:

It seems that the kernel crashes every time an IPv4 route is added through a
netlink socket if NLM_F_ECHO is specified. The 'routeexample.c' program demonstrates
this problem when executed with root privileges on the 2.6.9-55.ELsmp kernel.

Here is one demonstration:

------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:592!
invalid operand: 0000 [#1]
Modules linked in: md5 ipv6 parport_pc lp parport autofs4 i2c_dev i2c_core nfs
lockd nfs_acl sunrpc uhci_hcd hw_random snd_intel8x0 snd_ac97_codec snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_mpu401_uart snd_rawmidi
snd_seq_device snd soundcore 3c59x e100 mii floppy ata_piix libata scsi_mod
dm_snapshot dm_zero dm_mirror ext3 jbd dm_mod
CPU:    0
EIP:    0060:[<c027cfd2>]    Not tainted VLI
EFLAGS: 00010202   (2.6.9-55.ELsmp)
EIP is at pskb_expand_head+0x2c/0x114
eax: 00000001   ebx: cdd6e7a0   ecx: fffffeac   edx: 000000d0
esi: cffb4dc0   edi: cfd10400   ebp: 0000002c   esp: cce47c20
ds: 007b   es: 007b   ss: 0068
Process routeexample (pid: 4005, threadinfo=cce47000 task=cba9ae70)
Stack: cfd10400 00000000 00000154 cffb4dc0 cfd10400 cdd6e7a0 c0293507 000000d0
      00000000 cffb4dc0 00000fa5 00000040 00000000 00000000 00000000 000000d0
      cdd6e7a0 00000000 00000fa5 c02c2db0 00000018 cdd6e7a0 ce285360 cfd10400
Call Trace:
[<c0293507>] netlink_broadcast+0x7d/0x2ce
[<c02c2db0>] rtmsg_fib+0x7e/0x108
[<c02c2e0d>] rtmsg_fib+0xdb/0x108
[<c02c2877>] fn_hash_insert+0x375/0x39d
[<c02c00c6>] inet_rtm_newroute+0x5a/0x66
[<c02c006c>] inet_rtm_newroute+0x0/0x66
[<c0289093>] rtnetlink_rcv+0x226/0x327
[<c0293c32>] netlink_data_ready+0x14/0x44
[<c029333f>] netlink_sendskb+0x52/0x6c
[<c0293a4d>] netlink_sendmsg+0x271/0x280
[<c02791dd>] sock_sendmsg+0xdb/0xf7
[<c0141759>] filemap_nopage+0x194/0x302
[<c012052d>] autoremove_wake_function+0x0/0x2d
[<c015be7c>] fget+0x3b/0x42
[<c027a4a3>] sys_sendto+0xc7/0xe2
[<c011b01b>] do_page_fault+0x1ae/0x5c6
[<c0278f2a>] sock_map_file+0x98/0x107
[<c0292c3a>] netlink_create+0x90/0xf0
[<c027a4d7>] sys_send+0x19/0x1d
[<c027aca1>] sys_socketcall+0x151/0x1fb
[<c02d5ee3>] syscall_call+0x7/0xb
Code: 57 56 53 89 c3 57 57 89 54 24 04 8b 80 ac 00 00 00 8b 54 24 1c 2b 83 a0 00
00 00 03 44 24 04 8d 2c 08 8b 83 9c 00 00 00 48 74 08 <0f> 0b 50 02 ca 98 30 c0
83 c5 7f 83 e5 80 8d 85 a0 00 00 00 e8
<0>Fatal exception: panic in 5 seconds
Kernel panic - not syncing: Fatal exception

This problem does not happen on RHEL-5.
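The attachment routeexample.c is not reproduced on this page. The following is an added example, not the reporter's program or Red Hat code, that builds the kind of request the description identifies as the trigger: an RTM_NEWROUTE over NETLINK_ROUTE with NLM_F_ECHO set. With NLM_F_ECHO the kernel delivers the resulting RTM_NEWROUTE notification back to the requesting socket as well as to the route multicast group, and the trace above shows the fault in netlink_broadcast called from rtmsg_fib on exactly that notification path. The destination 10.99.0.0/24, the output interface index 1 (normally lo), the `echo` parameter and the helper names are assumptions. Adding a route needs CAP_NET_ADMIN; the message builder itself runs unprivileged.

```c
/* Added example, not the routeexample.c attachment from this bug: build an
 * RTM_NEWROUTE request with NLM_F_ECHO and send it over rtnetlink.  The route
 * 10.99.0.0/24 via ifindex 1 and the function names are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define REQ_BUFSZ 256

struct rt_request {
    struct nlmsghdr nlh;
    struct rtmsg    rtm;
    char            attrbuf[REQ_BUFSZ];   /* room for the rtattrs */
};

/* Append one rtattr at the aligned end of the message.  Returns 0, or -1 if
 * the attribute would overrun the buffer. */
static int add_attr(struct rt_request *req, int type, const void *data, int len)
{
    struct rtattr *rta;
    int newlen = NLMSG_ALIGN(req->nlh.nlmsg_len) + RTA_LENGTH(len);
    if (newlen > (int)sizeof(*req))
        return -1;
    rta = (struct rtattr *)((char *)req + NLMSG_ALIGN(req->nlh.nlmsg_len));
    rta->rta_type = type;
    rta->rta_len  = RTA_LENGTH(len);
    memcpy(RTA_DATA(rta), data, len);
    req->nlh.nlmsg_len = newlen;
    return 0;
}

/* Build an RTM_NEWROUTE for dst/prefix_len via ifindex.  `echo` selects
 * NLM_F_ECHO, the flag the bug report names as the trigger.  Returns the
 * total message length, or -1 on a bad address or overflow. */
int build_newroute(struct rt_request *req, const char *dst, int prefix_len,
                   int ifindex, unsigned int seq, int echo)
{
    struct in_addr addr;
    memset(req, 0, sizeof(*req));
    if (inet_pton(AF_INET, dst, &addr) != 1)
        return -1;
    req->nlh.nlmsg_len   = NLMSG_LENGTH(sizeof(struct rtmsg));
    req->nlh.nlmsg_type  = RTM_NEWROUTE;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
    if (echo)
        req->nlh.nlmsg_flags |= NLM_F_ECHO;
    req->nlh.nlmsg_seq    = seq;
    req->rtm.rtm_family   = AF_INET;
    req->rtm.rtm_dst_len  = prefix_len;
    req->rtm.rtm_table    = RT_TABLE_MAIN;
    req->rtm.rtm_protocol = RTPROT_STATIC;
    req->rtm.rtm_scope    = RT_SCOPE_LINK;
    req->rtm.rtm_type     = RTN_UNICAST;
    if (add_attr(req, RTA_DST, &addr, sizeof(addr)) < 0)
        return -1;
    if (add_attr(req, RTA_OIF, &ifindex, sizeof(ifindex)) < 0)
        return -1;
    return req->nlh.nlmsg_len;
}

/* Send the request and read until the NLMSG_ERROR ack.  With NLM_F_ECHO the
 * kernel also queues the RTM_NEWROUTE notification to this socket, which is
 * reported before the ack.  Returns 0 or a negative errno. */
int send_and_wait(const struct rt_request *req)
{
    char buf[4096];
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        send(fd, req, req->nlh.nlmsg_len, 0) < 0) {
        int err = -errno;
        close(fd);
        return err;
    }
    for (;;) {
        int len = (int)recv(fd, buf, sizeof(buf), 0);
        struct nlmsghdr *h;
        if (len < 0) { int err = -errno; close(fd); return err; }
        for (h = (struct nlmsghdr *)buf; NLMSG_OK(h, len); h = NLMSG_NEXT(h, len)) {
            if (h->nlmsg_type == NLMSG_ERROR) {
                struct nlmsgerr *e = NLMSG_DATA(h);
                int err = e->error;          /* 0 on success */
                close(fd);
                return err;
            }
            if (h->nlmsg_type == RTM_NEWROUTE)
                printf("kernel echoed RTM_NEWROUTE, seq %u\n", h->nlmsg_seq);
        }
    }
}

int main(void)
{
    struct rt_request req;
    int ret;
    if (build_newroute(&req, "10.99.0.0", 24, 1, 1, 1) < 0)
        return 1;
    ret = send_and_wait(&req);
    printf("RTM_NEWROUTE with NLM_F_ECHO: %s\n", ret == 0 ? "ok" : strerror(-ret));
    return ret == 0 ? 0 : 1;
}
```

Passing `echo = 0` sends the same route request without NLM_F_ECHO, which is the control case to compare against on an affected kernel; the ack arrives either way, only the echoed notification is tied to the flag.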

Comment 1 Chris Lalancette 2007-06-13 13:25:49 UTC
Created attachment 156871 [details]
Example program that can reproduce the kernel crash

This example program can reproduce the RHEL-4 kernel crash.  Just build it and
run it (possibly a few times), and the problem will reproduce.

Chris Lalancette

Comment 2 Chris Lalancette 2007-06-13 13:27:28 UTC
Two upstream changesets look like they address the problem:


I'll be attaching backported versions of these soon.

Chris Lalancette

Comment 3 Chris Lalancette 2007-06-13 13:35:28 UTC
Created attachment 156874 [details]
[NETLINK]: Orphan SKBs in netlink_trim().

Patch 1/2 that seems to fix this problem.

Comment 4 Chris Lalancette 2007-06-13 13:36:04 UTC
Created attachment 156875 [details]
[NETLINK]: Unshare SKB, as necessary, in netlink_trim()

Patch 2/2 that seems to solve this problem.

Comment 5 Chris Lalancette 2007-07-13 14:51:23 UTC

*** This bug has been marked as a duplicate of 216752 ***

Comment 6 Chris Lalancette 2010-07-19 13:20:44 UTC
Clearing out bogus flags for reporting purposes.

Chris Lalancette
