Bug 700374 - sctp bind cause kernel panic when loading transform
Summary: sctp bind cause kernel panic when loading transform
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.1
Hardware: i386
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Herbert Xu
QA Contact: Network QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-04-28 09:06 UTC by Hushan Jia
Modified: 2011-10-06 19:43 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-06 19:43:10 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Hushan Jia 2011-04-28 09:06:22 UTC 
Description of problem:
when doing a sctp test, the kernel panics when starting the server to listen.

Version-Release number of selected component (if applicable):
2.6.32-131.0.1.el6

How reproducible:
once, not reproduced later

Steps to Reproduce:
1. start sctp_test listen mode
2.
3.
  
Actual results:
panic

Expected results:
run well

Additional info:
SCTP: Hash tables configured (established 65536 bind 65536) 
alg: Unexpected test result for hmac(md5-generic): 0 
SCTP: failed to load transform for hmac(md5): -4 
BUG: unable to handle kernel paging request at 00200200 
IP: [<c05fe1c6>] list_del+0x6/0x90 
*pdpt = 0000000034b76001 *pde = 0000000000000000  
Oops: 0000 [#1] SMP  
last sysfs file: /sys/devices/system/cpu/cpu3/topology/core_siblings 
Modules linked in: sctp libcrc32c sunrpc p4_clockmod ipv6 dm_mirror dm_region_hash dm_log microcode sg tg3 i2c_piix4 i2c_core cfi_probe gen_probe cfi_util scb2_flash hpilo hpwdt ext4 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi pata_serverworks hpsa cciss dm_mod [last unloaded: scsi_wait_scan] 
 
Pid: 2179, comm: sctp_test Not tainted (2.6.32-131.0.1.el6.i686 #1) ProLiant DL360 G3 
EIP: 0060:[<c05fe1c6>] EFLAGS: 00010286 CPU: 2 
EIP is at list_del+0x6/0x90 
EAX: c15a2280 EBX: c15a2280 ECX: 00000000 EDX: 00200200 
ESI: fffffffe EDI: 0000008e EBP: f902765f ESP: f2483ef0 
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 
Process sctp_test (pid: 2179, ti=f2482000 task=f4bf8030 task.ti=f2482000) 
Stack: 
 fffffffe c15a2280 fffffffe 0000008e c0823ae8 c15a2280 c05bfcc4 fffffffe 
<0> c05c0345 f2f4ab00 00000008 c05c03ae 00000000 f4bf8030 f2f4ab00 00000001 
<0> f2c79880 f902765f f901bc74 00000000 00000000 8887fe3d 00000001 00000001 
Call Trace: 
 [<c0823ae8>] ? down_write+0x8/0x20 
 [<c05bfcc4>] ? crypto_larval_kill+0x14/0x50 
 [<c05c0345>] ? crypto_alg_mod_lookup+0x55/0x70 
 [<c05c03ae>] ? crypto_alloc_base+0x2e/0x90 
 [<f901bc74>] ? sctp_inet_listen+0x104/0x190 [sctp] 
 [<c076ffb2>] ? sys_listen+0x62/0x80 
 [<c0771799>] ? sys_socketcall+0x279/0x2c0 
 [<c0824894>] ? syscall_call+0x7/0xb 
Code: b5 97 c0 e8 bc 3c 22 00 83 6c 24 0c 01 8b 54 24 0c 89 54 24 10 e9 69 fe ff ff 8b 5c 24 18 e9 8b fe ff ff 90 90 83 ec 18 8b 50 04 <8b> 12 39 d0 75 22 8b 10 8b 4a 04 39 c8 75 47 8b 48 04 89 4a 04  
EIP: [<c05fe1c6>] list_del+0x6/0x90 SS:ESP 0068:f2483ef0 
CR2: 0000000000200200 
---[ end trace f1d17837eb257ae7 ]--- 
Kernel panic - not syncing: Fatal exception 
Pid: 2179, comm: sctp_test Tainted: G      D    ----------------   2.6.32-131.0.1.el6.i686 #1 
Call Trace: 
 [<c0821da8>] ? panic+0x42/0xf9 
 [<c0825bac>] ? oops_end+0xbc/0xd0 
 [<c0432462>] ? no_context+0xc2/0x190 
 [<c04326db>] ? bad_area+0x3b/0x50 
 [<c0432b7e>] ? __do_page_fault+0x34e/0x420 
 [<c0462ca7>] ? lock_timer_base+0x27/0x50 
 [<c04636d2>] ? try_to_del_timer_sync+0x62/0xb0 
 [<c0463731>] ? del_timer_sync+0x11/0x20 
 [<c0822f53>] ? schedule_timeout+0x133/0x250 
 [<c082754a>] ? do_page_fault+0x2a/0x90 
 [<c0827520>] ? do_page_fault+0x0/0x90 
 [<c0824f97>] ? error_code+0x73/0x78 
 [<c05fe1c6>] ? list_del+0x6/0x90 
 [<c0823ae8>] ? down_write+0x8/0x20 
 [<c05bfcc4>] ? crypto_larval_kill+0x14/0x50 
 [<c05c0345>] ? crypto_alg_mod_lookup+0x55/0x70 
 [<c05c03ae>] ? crypto_alloc_base+0x2e/0x90 
 [<f901bc74>] ? sctp_inet_listen+0x104/0x190 [sctp] 
 [<c076ffb2>] ? sys_listen+0x62/0x80 
 [<c0771799>] ? sys_socketcall+0x279/0x2c0 
 [<c0824894>] ? syscall_call+0x7/0xb
Comment 2 RHEL Program Management 2011-04-29 06:02:12 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 3 Thomas Graf 2011-07-21 09:33:02 UTC 
alg: Unexpected test result for hmac(md5-generic): 0 
SCTP: failed to load transform for hmac(md5): -4 
BUG: unable to handle kernel paging request at 00200200 
EIP is at list_del+0x6/0x90 

Looks like a double list_del() in crypto API. Herbert?
Comment 4 Herbert Xu 2011-07-26 08:13:07 UTC 
Unfortunately I wasn't able to reproduce that here.  I did take a look at the source code and can't see anything obvious that could cause this.

Essentially what happened is that the larval state created for testing hmac(md5-generic) was somehow deleted before the test's completion.

So unless we can find a way to reproduce this there isn't much that I can do.
Comment 6 Dayong Tian 2011-07-26 10:07:32 UTC 
I can't reproduce the panic, either.
Note You need to log in before you can comment on or make changes to this bug.