The NULL pointer dereference has happened twice in one day in the same place, possibly three times. The third possible time resulted in a system crash, but the backtrace was unreadable so I am not sure it is the same problem. I do not know how to reproduce. Kernel is kernel-2.6.40.6-0.fc15.x86_64 and the system is now upgraded to kernel-2.6.40.7-0.fc15.x86_64 from updates-testing but has not been rebooted yet.

kernel: [357306.194805] BUG: unable to handle kernel NULL pointer dereference at 000000000000002c
kernel: [357306.206371] IP: [<ffffffff81403788>] ipv4_dst_check+0xaf/0x158
kernel: [357306.214445] PGD 0
kernel: [357306.218327] Oops: 0002 [#2] SMP
kernel: [357306.222413] CPU 9
kernel: [357306.224472] Modules linked in: 8021q garp stp llc serio_raw ipmi_si ipmi_msghandler iTCO_wdt hpilo hpwdt iTCO_vendor_support acpi_power_meter igb i7core_eda c edac_core dca ipv6 raid1 radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan]
kernel: [357306.260270]
kernel: [357306.262305] Pid: 12418, comm: httpd Tainted: G D 2.6.40.6-0.fc15.x86_64 #1 HP ProLiant BL280c G6
kernel: [357306.276283] RIP: 0010:[<ffffffff81403788>] [<ffffffff81403788>] ipv4_dst_check+0xaf/0x158
kernel: [357306.288281] RSP: 0018:ffff88011c095d18 EFLAGS: 00010286
kernel: [357306.294455] RAX: ffff88030b8c12c0 RBX: ffff880139a4a800 RCX: ffff88018e434c00
kernel: [357306.306281] RDX: 000000011549fb79 RSI: ffff88018b940840 RDI: 0000000000000000
kernel: [357306.316312] RBP: ffff88011c095d38 R08: ffff8801b416d280 R09: ffff88018e434d00
kernel: [357306.326350] R10: 00000000000006d9 R11: 0000000000000000 R12: 00000000c1bac3d9
kernel: [357306.336383] R13: ffff88018b940840 R14: 0000000000000000 R15: ffff8801b416d558
kernel: [357306.346418] FS: 00007f9191ae0820(0000) GS:ffff880197c80000(0000) knlGS:0000000000000000
kernel: [357306.358386] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [357306.366415] CR2: 000000000000002c CR3: 000000018b3b6000 CR4: 00000000000006e0
kernel: [357306.378303] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: [357306.388286] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
kernel: [357306.398310] Process httpd (pid: 12418, threadinfo ffff88011c094000, task ffff88010b8d0000)
kernel: [357306.410310] Stack:
kernel: [357306.414199] ffff88018e434c00 ffff880139a4a800 ffff8801b416d280 0000000000000014
kernel: [357306.424285] ffff88011c095d58 ffffffff813cc62e ffff8801b416d280 ffff8800df0660f0
kernel: [357306.434359] ffff88011c095da8 ffffffff81408c8f ffff88011c095d98 0000000000000000
kernel: [357306.446223] Call Trace:
kernel: [357306.448388] [<ffffffff813cc62e>] __sk_dst_check+0x2c/0x58
kernel: [357306.456387] [<ffffffff81408c8f>] ip_queue_xmit+0x43/0x32a
kernel: [357306.464384] [<ffffffff8141b53b>] tcp_transmit_skb+0x71f/0x750
kernel: [357306.474217] [<ffffffff8141c03d>] tcp_write_xmit+0x6bd/0x7af
kernel: [357306.482252] [<ffffffff811188ec>] ? __kmalloc_node_track_caller+0x103/0x13b
kernel: [357306.492251] [<ffffffff8141c916>] ? tcp_send_fin+0x6b/0x129
kernel: [357306.500261] [<ffffffff8141c186>] __tcp_push_pending_frames+0x23/0x51
kernel: [357306.510191] [<ffffffff8141c9cb>] tcp_send_fin+0x120/0x129
kernel: [357306.518187] [<ffffffff814108b5>] tcp_shutdown+0x49/0x4e
kernel: [357306.526134] [<ffffffff8142d021>] inet_shutdown+0xa1/0xf2
kernel: [357306.532349] [<ffffffff813ca9f7>] sys_shutdown+0x45/0x62
kernel: [357306.540312] [<ffffffff8148ed02>] system_call_fastpath+0x16/0x1b
kernel: [357306.550188] Code: a3 cc 00 00 00 44 39 e0 0f 84 ab 00 00 00 48 85 db 74 14 48 8b 43 40 48 85 c0 74 0b 48 8b 15 00 e5 74 00 48 89 50 18 48 8b 7b 40 <f0> ff 4 f 2c 0f 94 c0 84 c0 74 05 e8 d3 ff fd ff 48 c7 43 40 00
kernel: [357306.576312] RIP [<ffffffff81403788>] ipv4_dst_check+0xaf/0x158
kernel: [357306.586163] RSP <ffff88011c095d18>
kernel: [357306.590263] CR2: 000000000000002c
kernel: [357306.612098] ---[ end trace b6b14aa23007eba1 ]---

Looks like this was fixed in 3.1 (F15 2.6.41)

commit f2c31e32b378a6653f8de606149d963baf11d7d3
Author: Eric Dumazet <eric.dumazet>
Date: Fri Jul 29 19:00:53 2011 +0000

    net: fix NULL dereferences in check_peer_redir()