From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.17-14.ext3 i686)

Description of problem:
tc can either get the kernel to dereference a NULL pointer, or gets a memory fault. This is a bug in both the kernel (in net/sched/cls_rsvp.c) and tc. The kernel then becomes unstable, e.g. "netstat -ni" hangs.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Run these commands:

    # modprobe ip_gre
    # ip tunnel add tt mode gre local 1.1.1.1 remote 2.2.2.2
    # tc qdisc add dev tt root handle 1:0 prio
    # tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp
    # tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp session 1.1.1.1
    # #-- Bad things now happen. Perhaps a memory fault. Kernel network locks are in a knot.

Actual Results:
Perhaps tc generates a memory fault. Perhaps the kernel will tell you about de-referencing a NULL pointer. Definitely later network commands such as "tc qdisc add ..." or "netstat -ni" hang.

Expected Results:
I was expecting to be left with a working system :)

Additional info:
The effects are severe, but it is very unlikely to happen unless you are manually entering a tc command and hit enter at the wrong time.
I am marking the previous bug you reported as a duplicate, if you don't mind, as they are both very similar, and keeping track of only one is much easier ;).

Read ya, Phil
*** Bug 54723 has been marked as a duplicate of this bug. ***
OK, reproduced even with latest kernel from Red Hat Linux 9. Reassigning to kernel as well, as it's obviously a kernel bug in the end.

These are the commands entered:

    modprobe ip_gre
    ip tunnel add tt mode gre local 1.1.1.1 remote 2.2.2.2
    tc qdisc add dev tt root handle 1:0 prio
    tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp
    tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp session 1.1.1.1

That's the kernel Oops:

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
     printing eip:
    e09e1b0f
    *pde = 00000000
    Oops: 0000
    cls_rsvp sch_prio ip_gre via82cxxx_audio uart401 ac97_codec sound soundcore w83781d i2c-proc i2c-isa i2c-core joydev nfs lockd sunrpc cipcb 8139too mii ide-sc
    CPU:    0
    EIP:    0060:[<e09e1b0f>]    Not tainted
    EFLAGS: 00010292

    EIP is at rsvp_change [cls_rsvp] 0x3ff (2.4.20-13.9)
    eax: de0972c4   ebx: de0972c0   ecx: 00000004   edx: 00000000
    esi: 00000000   edi: de0979f8   ebp: d4f7f800   esp: c49bbc14
    ds: 0068   es: 0068   ss: 0068
    Process tc (pid: 10098, stackpage=c49bb000)
    Stack: de0972c4 de0979f8 00000004 00000008 00000000 ca766d80 00000286 40000c10
           00000000 ffffff97 de0979f8 00000010 00000000 de0979f4 00000000 00000000
           00000000 c49bbe54 c0109490 c49bbc68 c49bbd18 00000000 00000000 de0979d0
    Call Trace:
    [<c0109490>] error_code [kernel] 0x34 (0xc49bbc5c))
    [<c01ff4bf>] tc_ctl_tfilter [kernel] 0x2ef (0xc49bbc74))
    [<e09e2700>] cls_rsvp_ops [cls_rsvp] 0x0 (0xc49bbc90))
    [<e09dfe80>] prio_class_ops [sch_prio] 0x0 (0xc49bbca4))
    [<e09dfec8>] prio_qdisc_ops [sch_prio] 0x8 (0xc49bbcc0))
    [<c01f8048>] rtnetlink_rcv_msg [kernel] 0x1a8 (0xc49bbcec))
    [<c01f7c93>] rtnetlink_rcv [kernel] 0xa3 (0xc49bbd58))
    [<c0201680>] netlink_data_ready [kernel] 0x60 (0xc49bbd7c))
    [<c0200ef3>] netlink_unicast [kernel] 0x253 (0xc49bbd8c))
    [<c020141b>] netlink_sendmsg [kernel] 0x1eb (0xc49bbdd0))
    [<c01ea1a8>] sock_sendmsg [kernel] 0x78 (0xc49bbe04))
    [<c01eb747>] sys_sendmsg [kernel] 0x1b7 (0xc49bbe48))
    [<c012eaf5>] do_anonymous_page [kernel] 0xf5 (0xc49bbebc))
    [<c012ef51>] handle_mm_fault [kernel] 0x81 (0xc49bbed8))
    [<c0116ebe>] do_page_fault [kernel] 0x15e (0xc49bbf08))
    [<c01e9f98>] sock_map_fd [kernel] 0x58 (0xc49bbf54))
    [<c01eab7d>] sys_socket [kernel] 0x3d (0xc49bbf64))
    [<c01ebc38>] sys_socketcall [kernel] 0x238 (0xc49bbf80))
    [<c0116d60>] do_page_fault [kernel] 0x0 (0xc49bbfb0))
    [<c0109490>] error_code [kernel] 0x34 (0xc49bbfb8))
    [<c010939f>] system_call [kernel] 0x33 (0xc49bbfc0))
Created attachment 92567: rsvp TC oops fix

Fix for TC oops with rsvp, from Jamal Hadi Salim.
To the original bug submitter, you almost certainly meant to specify a flow ID, i.e. you meant to do something like:

    tc filter add dev tt parent 1:0 protocol ip prio 1 rsvp session 1.1.1.1 flowid 1:4

The OOPS still happens even with this correction, so the patch is needed regardless.
Thanks for the bug report. However, Red Hat no longer maintains this version of the product. Please upgrade to the latest version and open a new bug if the problem persists. The Fedora Legacy project (http://fedoralegacy.org/) maintains some older releases, and if you believe this bug is interesting to them, please report the problem in the bug tracker at: http://bugzilla.fedora.us/