Created attachment 332882
backtrace

Description of problem:
The kernel panics in __inet_hash_connect. It is reproducible by building the minirpc RPM package. It panics when running one of the tests. This happens on both x86_64 and i386.

Version-Release number of selected component (if applicable):
kernel-2.6.29-0.137.rc5.git4.fc11.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Get minirpc 0.3.2
2. Run make check

Screen capture attached.
This is a local DoS, adding Security keyword.
The triggering test case is test/test_simultaneous_clients. Full backtrace from an i386 system:

======
BUG: unable to handle kernel NULL pointer dereference at 00000024
IP: [<c06d3366>] __inet6_check_established+0x24f/0x2b1
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/misc/fuse/dev
Modules linked in: fuse bridge stp llc bnep sco l2cap bluetooth sunrpc ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 dm_multipath uinput ppdev pcspkr i2c_piix4 i2c_core pcnet32 mii parport_pc parport ata_generic pata_acpi ext4 jbd2 crc16 [last unloaded: microcode]

Pid: 8212, comm: lt-test_simulta Not tainted (2.6.29-0.137.rc5.git4.fc11.i586 #1) VirtualBox
EIP: 0060:[<c06d3366>] EFLAGS: 00210282 CPU: 0
EIP is at __inet6_check_established+0x24f/0x2b1
EAX: dfb74000 EBX: cae41b28 ECX: 00000001 EDX: d2f26dec
ESI: cae41500 EDI: 00000000 EBP: d2f26db4 ESP: d2f26d80
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process lt-test_simulta (pid: 8212, ti=d2f26000 task=cad8a9e0 task.ti=d2f26000)
Stack:
 c0696885 c093cdfc 00000000 000089dc 89dceec8 c107a798 89dc6f8d fa467c59
 df174c84 df19e2c8 cae41500 cadbbbc0 c107bc00 d2f26e04 c06968cc d2f26dec
 000089dc 000089dc e9dac8e1 01820f4f 89dc0000 c093cdfc 000089dc c107a798
Call Trace:
 [<c0696885>] ? __inet_hash_connect+0xaa/0x259
 [<c06968cc>] ? __inet_hash_connect+0xf1/0x259
 [<c06d3008>] ? inet6_hash_connect+0x3b/0x42
 [<c06d3117>] ? __inet6_check_established+0x0/0x2b1
 [<c06d300f>] ? __inet6_hash+0x0/0x108
 [<e167ae54>] ? tcp_v6_connect+0x40f/0x49b [ipv6]
 [<c0518b24>] ? selinux_socket_connect+0xfa/0x109
 [<c06b32b4>] ? inet_stream_connect+0x8a/0x1f9
 [<c06618fc>] ? sys_connect+0x65/0x7f
 [<c044e4f8>] ? lock_release_holdtime+0x2b/0x123
 [<c04513e7>] ? lock_release_non_nested+0xad/0x1a4
 [<c049104f>] ? might_fault+0x48/0x85
 [<c049104f>] ? might_fault+0x48/0x85
 [<c0661f80>] ? sys_socketcall+0x96/0x18a
 [<c0403f92>] ? syscall_call+0x7/0xb
Code: 50 04 8b 45 e8 89 46 1c 8b 45 ec e8 3a d1 01 00 8b 56 20 b9 01 00 00 00 8b 46 24 e8 3f f0 f8 ff 83 7d 08 00 74 1f 8b 55 08 89 3a <8b> 47 24 64 8b 15 04 d0 9d c0 8b 80 a8 00 00 00 f7 d0 8b 04 90
EIP: [<c06d3366>] __inet6_check_established+0x24f/0x2b1 SS:ESP 0068:d2f26d80
---[ end trace a9cd1e2945a3fc54 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Does not happen on a 2.6.27 kernel.
2.6.28.1 is okay too
Reported to netdev list: http://marc.info/?t=123551783700006&r=1&w=2
Fixed upstream, commit 3f53a38131a4e7a053c0aa060aba0411242fb6b9. This will be in the next rawhide kernel.