54914 – (NET TC PATCH)tc causes kernel to dereference NULL pointer

Bug 54914 - (NET TC PATCH)tc causes kernel to dereference NULL pointer

Summary: (NET TC PATCH)tc causes kernel to dereference NULL pointer

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	kernel
Sub Component:
Version:	9
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Arjan van de Ven
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	54723 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-10-23 05:48 UTC by Russell Stuart
Modified:	2008-08-01 16:22 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-09-30 15:39:12 UTC
Embargoed:

Attachments	(Terms of Use)
rsvp TC oops fix (857 bytes, patch) 2003-06-23 19:51 UTC, David Miller	no flags	Details \| Diff
View All

Description Russell Stuart 2001-10-23 05:48:29 UTC

From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.17-14.ext3 i686)

Description of problem:
tc can either get the kernel to dereference a NULL pointer, or gets a
memory fault.  This is a bug in both the kernel (in net/sched/cls_rsvp.c)
and tc.  The kernel then becomes unstable, eg "netstat -ni" hangs.	

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Run these commands:

# modprobe ip_gre
# ip tunnel add tt mode gre local 1.1.1.1 remote 2.2.2.2
# tc qdisc add tt root handle 1:0 prio
# tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp
# tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp session 1.1.1.1
# #-- Bad things now happen.  Perhaps a memory fault.  Kernel network locks
are in a knot.	

Actual Results:  Perhaps tc generates a memory fault.  Perhaps the kernel
will tell you about de-referencing a NULL pointer.  Definitely later
network commands such as "tc qdisc add ..." or "netstat -ni" hang.

Expected Results:  I was expecting to be left with a working system :)

Additional info:

The effects sever bad, but it is very unlikely to happen unless you are
manually entering a tc command and hit enter at the wrong time.

Comment 1 Phil Knirsch 2001-10-25 14:25:22 UTC

I am marking your previous bug you reported as a duplicate if you don't mind as
they are both very similar, and keeping track of only one is much easier ;).

Read ya, Phil

Comment 2 Phil Knirsch 2001-10-25 14:25:54 UTC

*** Bug 54723 has been marked as a duplicate of this bug. ***

Comment 3 Phil Knirsch 2003-06-20 11:45:07 UTC

OK, reproduced even with latest kernel from Red Hat Linux 9. Reassigning to
kernel as well as it's obviously a kernel bug in the end.

This is the commands entered:

modprobe ip_gre
ip tunnel add tt mode gre local 1.1.1.1 remote 2.2.2.2
tc qdisc add dev tt root handle 1:0 prio
tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp
tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp session 1.1.1.1


Thats the kernel Oops:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
 printing eip:
e09e1b0f
*pde = 00000000
Oops: 0000
cls_rsvp sch_prio ip_gre via82cxxx_audio uart401 ac97_codec sound soundcore
w83781d i2c-proc i2c-isa i2c-core joydev nfs lockd sunrpc cipcb 8139too mii ide-sc
CPU:    0
EIP:    0060:[<e09e1b0f>]    Not tainted
EFLAGS: 00010292

EIP is at rsvp_change [cls_rsvp] 0x3ff (2.4.20-13.9)
eax: de0972c4   ebx: de0972c0   ecx: 00000004   edx: 00000000
esi: 00000000   edi: de0979f8   ebp: d4f7f800   esp: c49bbc14
ds: 0068   es: 0068   ss: 0068
Process tc (pid: 10098, stackpage=c49bb000)
Stack: de0972c4 de0979f8 00000004 00000008 00000000 ca766d80 00000286 40000c10 
       00000000 ffffff97 de0979f8 00000010 00000000 de0979f4 00000000 00000000 
       00000000 c49bbe54 c0109490 c49bbc68 c49bbd18 00000000 00000000 de0979d0 
Call Trace:   [<c0109490>] error_code [kernel] 0x34 (0xc49bbc5c))
[<c01ff4bf>] tc_ctl_tfilter [kernel] 0x2ef (0xc49bbc74))
[<e09e2700>] cls_rsvp_ops [cls_rsvp] 0x0 (0xc49bbc90))
[<e09dfe80>] prio_class_ops [sch_prio] 0x0 (0xc49bbca4))
[<e09dfec8>] prio_qdisc_ops [sch_prio] 0x8 (0xc49bbcc0))
[<c01f8048>] rtnetlink_rcv_msg [kernel] 0x1a8 (0xc49bbcec))
[<c01f7c93>] rtnetlink_rcv [kernel] 0xa3 (0xc49bbd58))
[<c0201680>] netlink_data_ready [kernel] 0x60 (0xc49bbd7c))
[<c0200ef3>] netlink_unicast [kernel] 0x253 (0xc49bbd8c))
[<c020141b>] netlink_sendmsg [kernel] 0x1eb (0xc49bbdd0))
[<c01ea1a8>] sock_sendmsg [kernel] 0x78 (0xc49bbe04))
[<c01eb747>] sys_sendmsg [kernel] 0x1b7 (0xc49bbe48))
[<c012eaf5>] do_anonymous_page [kernel] 0xf5 (0xc49bbebc))
[<c012ef51>] handle_mm_fault [kernel] 0x81 (0xc49bbed8))
[<c0116ebe>] do_page_fault [kernel] 0x15e (0xc49bbf08))
[<c01e9f98>] sock_map_fd [kernel] 0x58 (0xc49bbf54))
[<c01eab7d>] sys_socket [kernel] 0x3d (0xc49bbf64))
[<c01ebc38>] sys_socketcall [kernel] 0x238 (0xc49bbf80))
[<c0116d60>] do_page_fault [kernel] 0x0 (0xc49bbfb0))
[<c0109490>] error_code [kernel] 0x34 (0xc49bbfb8))
[<c010939f>] system_call [kernel] 0x33 (0xc49bbfc0))

Comment 4 David Miller 2003-06-23 19:51:06 UTC

Created attachment 92567 [details]
rsvp TC oops fix

Fix for TC oops with rsvp, from Jamal Hadi Salim.

Comment 5 David Miller 2003-06-23 19:52:55 UTC

To the original bug submitter, you almost certainly meant
to specify a flow ID, ie. you meant to do something like:

tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp session 1.1.1.1
flowid 1:4

The OOPS still happens even with this correction, so the patch
is needed regardless.

Comment 6 Bugzilla owner 2004-09-30 15:39:12 UTC

Thanks for the bug report. However, Red Hat no longer maintains this version of
the product. Please upgrade to the latest version and open a new bug if the problem
persists.

The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, 
and if you believe this bug is interesting to them, please report the problem in
the bug tracker at: http://bugzilla.fedora.us/

Note You need to log in before you can comment on or make changes to this bug.