When I am running the bridge over vlan testing, I got a kernel panic at dev_queue_xmit+0x35/0x4d0.

Version-Release number of selected component (if applicable):
kernel-2.6.32-216

How reproducible:
100%

Actual results:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000006
IP: [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
PGD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/pktgen/initstate
CPU 0
Modules linked in: bonding bridge 8021q garp stp llc pktgen autofs4 sunrpc pcc_cpufreq ipv6 power_meter be2net ixgbe dca mdio netxen_nic microcode serio_raw iTCO_wdt iTCO_vendor_support hpilo hpwdt sg i7core_edac edac_core shpchp ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif lpfc scsi_transport_fc scsi_tgt pata_acpi ata_generic ata_piix hpsa radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: bonding]

Pid: 3374, comm: kpktgend_0 Not tainted 2.6.32-214.el6.x86_64 #1 Hewlett-Packard ProLiant DL580 G7
RIP: 0010:[<ffffffff814309a5>] [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
RSP: 0018:ffff88023ac2bbc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8802360cecf8 RCX: 0000000000000003
RDX: 0000000000000000 RSI: ffff880437b2e6e0 RDI: ffff8802360cecf8
RBP: ffff88023ac2bc00 R08: ffffffffa0483520 R09: ffff88023ac2bcb8
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8802397b5020 R14: ffff880437b2e020 R15: ffff8804385fe540
FS: 0000000000000000(0000) GS:ffff88002f600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000006 CR3: 0000000001a85000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kpktgend_0 (pid: 3374, threadinfo ffff88023ac2a000, task ffff8802386e8a80)
Stack:
 ffff88023ac2bbd0 ffffffff00000000 ffff88023ac2bc00 ffff8804385fe540
<0> 0000000000000000 ffff8802397f2dc0 ffff880437b2e020 ffff8804385fe540
<0> ffff88023ac2bc20 ffffffffa047ba34 ffff8802360cecf8 0000000000000000
Call Trace:
 [<ffffffffa047ba34>] vlan_dev_hwaccel_hard_start_xmit+0x84/0xb0 [8021q]
 [<ffffffff8142c67f>] dev_hard_start_xmit+0x20f/0x3f0
 [<ffffffff81430ec6>] dev_queue_xmit+0x556/0x6b0
 [<ffffffffa0483598>] br_dev_queue_push_xmit+0x78/0xe0 [bridge]
 [<ffffffffa0483658>] br_forward_finish+0x58/0x60 [bridge]
 [<ffffffffa0483838>] __br_deliver+0xa8/0x110 [bridge]
 [<ffffffffa0483829>] ? __br_deliver+0x99/0x110 [bridge]
 [<ffffffffa04838d5>] br_deliver+0x35/0x40 [bridge]
 [<ffffffffa04825b8>] br_dev_xmit+0xa8/0x120 [bridge]
 [<ffffffffa04aa8f5>] pktgen_thread_worker+0x835/0x1bf0 [pktgen]
 [<ffffffffa0482510>] ? br_dev_xmit+0x0/0x120 [bridge]
 [<ffffffff81090c00>] ? autoremove_wake_function+0x0/0x40
 [<ffffffff81090c00>] ? autoremove_wake_function+0x0/0x40
 [<ffffffffa04aa0c0>] ? pktgen_thread_worker+0x0/0x1bf0 [pktgen]
 [<ffffffff81090896>] kthread+0x96/0xa0
 [<ffffffff8100c14a>] child_rip+0xa/0x20
 [<ffffffff81090800>] ? kthread+0x0/0xa0
 [<ffffffff8100c140>] ? child_rip+0x0/0x20
Code: 5d d8 4c 89 65 e0 4c 89 6d e8 4c 89 75 f0 4c 89 7d f8 0f 1f 44 00 00 8b 87 cc 00 00 00 4c 8b 6f 20 48 03 87 d0 00 00 00 48 89 fb <66> 83 78 06 00 0f 84 58 01 00 00 0f b7 50 0a 41 8b 4d 70 c1 e2
RIP [<ffffffff814309a5>] dev_queue_xmit+0x35/0x6b0
 RSP <ffff88023ac2bbc0>
CR2: 0000000000000006

Expected results:
no panic

Additional info:
Upstream commit:
http://git.kernel.org/linus/550fd08c2cebad61c548def135f67aba284c6162
http://git.kernel.org/linus/d8873315065f1f527c7c380402cf59b1e1d0ae36

The panic is on the sending side with pktgen. /proc/net/pktgen/pgctrl is 600 and also CAP_NET_ADMIN only. This is a pktgen-specific issue. Closing as NOTABUG.

CVE-2011-4112 REJECT request http://www.openwall.com/lists/oss-security/2011/11/24/3

Statement: The Red Hat Security Response Team does not consider this bug to be a security-relevant one due to the privileges required to exploit this issue.
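
The closing comment and the statement above both rest on two preconditions: the pktgen control file is mode 600, and using pktgen requires CAP_NET_ADMIN. The following is an added example, not part of the original report or of any Red Hat tooling, showing one way to audit both on a host. The function names and the sample CapEff values are constructed for illustration.

```python
import os
import stat

CAP_NET_ADMIN = 12  # bit number of CAP_NET_ADMIN in linux/capability.h
PGCTRL = "/proc/net/pktgen/pgctrl"  # control file named in the closing comment


def has_cap_net_admin(status_text):
    """True if the CapEff mask in a /proc/<pid>/status dump includes CAP_NET_ADMIN."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool(int(line.split()[1], 16) & (1 << CAP_NET_ADMIN))
    raise ValueError("no CapEff line in status text")


def control_file_findings(path, owner_uid=0):
    """List deviations from 'owned by owner_uid, mode 600' for a control file."""
    st = os.stat(path)
    findings = []
    if st.st_uid != owner_uid:
        findings.append("owner is uid %d, expected %d" % (st.st_uid, owner_uid))
    extra = stat.S_IMODE(st.st_mode) & ~0o600  # any bit outside rw for the owner
    if extra:
        findings.append("mode bits beyond 600 are set: %04o" % extra)
    return findings


# Constructed sample input: CapEff lines as they appear in /proc/<pid>/status.
SAMPLE_ROOT = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
SAMPLE_USER = "Name:\tbash\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    print("sample root has CAP_NET_ADMIN:", has_cap_net_admin(SAMPLE_ROOT))
    print("sample user has CAP_NET_ADMIN:", has_cap_net_admin(SAMPLE_USER))
    if os.path.exists(PGCTRL):  # only present while the pktgen module is loaded
        print(PGCTRL, control_file_findings(PGCTRL) or "ok: root-owned, mode 600")
        with open("/proc/self/status") as f:
            print("this process has CAP_NET_ADMIN:", has_cap_net_admin(f.read()))
    else:
        print("pktgen is not loaded; no control file to check")
```

Run against a container or service account, a True result from has_cap_net_admin means that context meets the privilege precondition the statement relies on.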