lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 7 Oct 2007 14:06:53 +0200
From:	Andreas Mohr <andi@...as.de>
To:	isdn4linux@...tserv.isdn4linux.de
Cc:	netdev@...r.kernel.org, akpm@...ux-foundation.org
Subject: 2.6.23-rc8-mm2 BUG: register_netdevice() issue as (ab)used by ISDN

[not necessarily a very recent regression, used 2.6.19 kernels before...]

Hi all,

wondered why my main internet server (headless!) didn't come up properly
on a new 2.6.23-rc8-mm2
(connections almost completely refused: firewalling not executed due to
earlier OOPS?).
Upon LILO emergency fallback into an older version (2.6.16...) saw this
in /var/log/messages:

Oct  7 13:07:34 gate kernel: e100: Intel(R) PRO/100 Network Driver, 3.5.23-k4-NAPI
Oct  7 13:07:34 gate kernel: e100: Copyright(c) 1999-2006 Intel Corporation
Oct  7 13:07:34 gate kernel: Atmel at76x USB Wireless LAN Driver 0.16 loading
Oct  7 13:07:34 gate kernel: eth2: MAC address 00:05:5d:95:ab:f0
Oct  7 13:07:34 gate kernel: eth2: firmware version 1.101.5-84
Oct  7 13:07:34 gate kernel: eth2: regulatory domain 0x30: ETSI (most of Europe)
Oct  7 13:07:34 gate kernel: usbcore: registered new interface driver at76_usb
Oct  7 13:07:34 gate kernel: Netfilter messages via NETLINK v0.30.
Oct  7 13:07:34 gate kernel: nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
Oct  7 13:07:34 gate kernel: nf_conntrack_ipv4: Unknown parameter `hashsize'
Oct  7 13:07:34 gate kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Oct  7 13:07:34 gate kernel: process `syslogd' is using obsolete setsockopt SO_BSD
COMPAT
Oct  7 13:07:40 gate kernel: ------------[ cut here ]------------
Oct  7 13:07:40 gate kernel: kernel BUG at net/core/dev.c:3485!
Oct  7 13:07:40 gate kernel: invalid opcode: 0000 [#1]
Oct  7 13:07:40 gate kernel: last sysfs file: /devices/platform/sis5595.656/temp1_
max
Oct  7 13:07:40 gate kernel: Modules linked in: xt_state xt_limit xt_tcpudp xt_mul
tiport iptable_mangle iptable_nat nf_conntrack_ipv4 iptable_filter ip_tables nf_na
t_tftp nf_conntrack_tftp nf_nat_h323 nf_conntrack_h323 nf_nat_irc nf_nat_ftp nf_co
nntrack_irc nf_conntrack_ftp ipt_MASQUERADE nf_nat nf_conntrack nfnetlink ipt_REJE
CT ipt_LOG x_tables at76_usb firmware_class e100 ohci_hcd usbcore i2c_sis630 i2c_s
is5595 i2c_core sis5595 hisax isdn eepro100
Oct  7 13:07:40 gate kernel:
Oct  7 13:07:40 gate kernel: Pid: 2235, comm: isdnctrl Not tainted (2.6.23-rc8-mm2
-gate #1)
Oct  7 13:07:40 gate kernel: EIP: 0060:[<c029ad8a>] EFLAGS: 00010246 CPU: 0
Oct  7 13:07:40 gate kernel: EIP is at register_netdevice+0x6d/0x2c1
Oct  7 13:07:40 gate kernel: EAX: 00000000 EBX: c786501c ECX: 00000000 EDX: 00000d
99
Oct  7 13:07:40 gate kernel: ESI: c786501c EDI: 00000000 EBP: c1657d08 ESP: c1657c
ec
Oct  7 13:07:40 gate kernel:  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Oct  7 13:07:40 gate kernel: Process isdnctrl (pid: 2235, ti=c1656000 task=c14c306
0 task.ti=c1656000)
Oct  7 13:07:40 gate kernel: Stack: c786501c 00000000 c1657d00 c0309ec6 c1657d68 c
786501c 00000000 c1657d18
Oct  7 13:07:40 gate kernel:        c029b010 c1657d68 c7865000 c1657d38 c885a0fa c
884e39c c8864598 c786501c
Oct  7 13:07:40 gate kernel:        c1657d68 00000000 bfbf779d c1657f60 c886484d c
212ef80 c1561980 c1805ab0
Oct  7 13:07:40 gate kernel: Call Trace:
Oct  7 13:07:40 gate kernel:  [<c029b010>] register_netdev+0x32/0x3f
Oct  7 13:07:40 gate kernel:  [<c885a0fa>] isdn_net_new+0x111/0x2ca [isdn]
Oct  7 13:07:40 gate kernel:  [<c886484d>] isdn_ioctl+0x2b5/0xb46 [isdn]
Oct  7 13:07:40 gate kernel:  [<c015f53c>] do_ioctl+0x40/0x50
Oct  7 13:07:40 gate kernel:  [<c015f738>] vfs_ioctl+0x1ec/0x203
Oct  7 13:07:40 gate kernel:  [<c015f780>] sys_ioctl+0x31/0x49
Oct  7 13:07:40 gate kernel:  [<c0103e12>] syscall_call+0x7/0xb
Oct  7 13:07:40 gate kernel:  [<b7f54de4>] 0xb7f54de4
Oct  7 13:07:40 gate kernel:  =======================
Oct  7 13:07:40 gate kernel: Code: e8 3f a5 e6 ff ba 99 0d 00 00 b8 b4 3c 38 c0 e8
 96 82 e7 ff 83 bb 20 02 00 00 00 74 04 0f 0b eb fe 8b 83 80 02 00 00 85 c0 75 04
<0f> 0b eb fe 89 45 f0 b9 4c 2e 48 c0 ba 8e 3e 38 c0 8d 83 78 01
Oct  7 13:07:40 gate kernel: EIP: [<c029ad8a>] register_netdevice+0x6d/0x2c1 SS:ES
P 0068:c1657cec
Oct  7 13:18:17 gate syslogd 1.4.1#20: restart.
Oct  7 13:18:17 gate kernel: klogd 1.4.1#20, log source = /proc/kmsg started.
Oct  7 13:18:17 gate kernel: Linux version 2.6.16-cks11-gate (root@...e) (gcc vers
ion 4.0.4 20060507 (prerelease) (Debian 4.0.3-3)) #1 Sat May 27 14:45:18 CEST 2006

[logging was then back into 2.6.16 above]


2.6.23-rc8-mm2/net/core/dev.c/register_netdevice():

int register_netdevice(struct net_device *dev)
{
        struct hlist_head *head;
        struct hlist_node *p;
        int ret;
        struct net *net;

        BUG_ON(dev_boot_phase);
        ASSERT_RTNL();

        might_sleep();

        /* When net_device's are persistent, this will be fatal. */
        BUG_ON(dev->reg_state != NETREG_UNINITIALIZED);
        BUG_ON(!dev->nd_net);
        net = dev->nd_net;

        spin_lock_init(&dev->queue_lock);
        spin_lock_init(&dev->_xmit_lock);
        netdev_set_lockdep_class(&dev->_xmit_lock, dev->type);
        dev->xmit_lock_owner = -1;
        spin_lock_init(&dev->ingress_lock);

        dev->iflink = -1;

        /* Init, if this function is available */
        if (dev->init) {
                ret = dev->init(dev);
                if (ret) {
                        if (ret > 0)
                                ret = -EIO;
                        goto out;
                }
        }


objdump -D linux-2.6.23-rc8-mm2/vmlinux|less :

c029ad1d <register_netdevice>:
c029ad1d:       55                      push   %ebp
c029ad1e:       89 e5                   mov    %esp,%ebp
c029ad20:       57                      push   %edi
c029ad21:       56                      push   %esi
c029ad22:       53                      push   %ebx
c029ad23:       89 c3                   mov    %eax,%ebx
c029ad25:       83 ec 10                sub    $0x10,%esp
c029ad28:       83 3d 4c fa 41 c0 00    cmpl   $0x0,0xc041fa4c
c029ad2f:       74 04                   je     c029ad35 <register_netdevice+0x18>
c029ad31:       0f 0b                   ud2a
c029ad33:       eb fe                   jmp    c029ad33 <register_netdevice+0x16>
c029ad35:       e8 7e 7f 00 00          call   c02a2cb8 <rtnl_trylock>
c029ad3a:       85 c0                   test   %eax,%eax
c029ad3c:       74 26                   je     c029ad64 <register_netdevice+0x47>
c029ad3e:       e8 79 78 00 00          call   c02a25bc <rtnl_unlock>
c029ad43:       c7 44 24 08 97 0d 00    movl   $0xd97,0x8(%esp)
c029ad4a:       00
c029ad4b:       c7 44 24 04 b4 3c 38    movl   $0xc0383cb4,0x4(%esp)
c029ad52:       c0
c029ad53:       c7 04 24 c3 3c 38 c0    movl   $0xc0383cc3,(%esp)
c029ad5a:       e8 13 e3 e7 ff          call   c0119072 <printk>
c029ad5f:       e8 3f a5 e6 ff          call   c01052a3 <dump_stack>
c029ad64:       ba 99 0d 00 00          mov    $0xd99,%edx
c029ad69:       b8 b4 3c 38 c0          mov    $0xc0383cb4,%eax
c029ad6e:       e8 96 82 e7 ff          call   c0113009 <__might_sleep>
c029ad73:       83 bb 20 02 00 00 00    cmpl   $0x0,0x220(%ebx)
c029ad7a:       74 04                   je     c029ad80 <register_netdevice+0x63>
c029ad7c:       0f 0b                   ud2a
c029ad7e:       eb fe                   jmp    c029ad7e <register_netdevice+0x61>
c029ad80:       8b 83 80 02 00 00       mov    0x280(%ebx),%eax
c029ad86:       85 c0                   test   %eax,%eax
c029ad88:       75 04                   jne    c029ad8e <register_netdevice+0x71>
c029ad8a:       0f 0b                   ud2a
c029ad8c:       eb fe                   jmp    c029ad8c <register_netdevice+0x6f>
c029ad8e:       89 45 f0                mov    %eax,0xfffffff0(%ebp)
c029ad91:       b9 4c 2e 48 c0          mov    $0xc0482e4c,%ecx
c029ad96:       ba 8e 3e 38 c0          mov    $0xc0383e8e,%edx
c029ad9b:       8d 83 78 01 00 00       lea    0x178(%ebx),%eax
c029ada1:       e8 8e d9 f7 ff          call   c0218734 <__spin_lock_init>
c029ada6:       8d 83 b4 01 00 00       lea    0x1b4(%ebx),%eax
c029adac:       b9 4c 2e 48 c0          mov    $0xc0482e4c,%ecx
c029adb1:       ba 9f 3e 38 c0          mov    $0xc0383e9f,%edx
c029adb6:       e8 79 d9 f7 ff          call   c0218734 <__spin_lock_init>
c029adbb:       ba b0 3e 38 c0          mov    $0xc0383eb0,%edx
c029adc0:       b9 4c 2e 48 c0          mov    $0xc0482e4c,%ecx
c029adc5:       c7 83 c4 01 00 00 ff    movl   $0xffffffff,0x1c4(%ebx)
c029adcc:       ff ff ff
c029adcf:       8d 83 a0 01 00 00       lea    0x1a0(%ebx),%eax
c029add5:       e8 5a d9 f7 ff          call   c0218734 <__spin_lock_init>
c029adda:       8b 53 40                mov    0x40(%ebx),%edx
c029addd:       c7 43 50 ff ff ff ff    movl   $0xffffffff,0x50(%ebx)
c029ade4:       85 d2                   test   %edx,%edx
c029ade6:       74 1b                   je     c029ae03 <register_netdevice+0xe6>

Since EIP is c029ad8a, following the code flow it clearly looks to me
as if it's the
        BUG_ON(!dev->nd_net);
check which caused the BUG message.

This is a K6-3/450@150 running Debian stable.

lsmod (NOTE: this is on 2.6.16!!):

Module                  Size  Used by
sch_ingress             4356  1
cls_u32                 7044  5
sch_tbf                 6272  1
sch_sfq                 5632  4
sch_htb                15616  1
ppp_async              11648  1
crc_ccitt               2176  1 ppp_async
ipt_ULOG                7712  1
xt_state                2176  4
xt_limit                2688  11
xt_tcpudp               3328  48
ipt_multiport           2560  10
iptable_mangle          2816  0
iptable_nat             7684  1
iptable_filter          3072  1
ip_tables              11736  3 iptable_mangle,iptable_nat,iptable_filter
ip_nat_tftp             1920  0
ip_conntrack_tftp       4244  1 ip_nat_tftp
ip_nat_irc              2688  0
ip_nat_ftp              3200  0
ip_conntrack_irc        6680  1 ip_nat_irc
ip_conntrack_ftp        7324  1 ip_nat_ftp
ipt_MASQUERADE          3712  1
ip_nat                 15764  5 iptable_nat,ip_nat_tftp,ip_nat_irc,ip_nat_ftp,ipt_MASQUERADE
ip_conntrack           44196  10 xt_state,iptable_nat,ip_nat_tftp,ip_conntrack_tftp,ip_nat_irc,ip_nat_ftp,ip_conntrack_irc,ip_conntrack_ftp,ipt_MASQUERADE,ip_nat
ipt_REJECT              5248  0
ipt_LOG                 6144  11
x_tables               12292  10 ipt_ULOG,xt_state,xt_limit,xt_tcpudp,ipt_multiport,iptable_nat,ip_tables,ipt_MASQUERADE,ipt_REJECT,ipt_LOG
e100                   33284  0
at76c503_rfmd           5260  0
firmware_class         10112  1 at76c503_rfmd
at76c503               79840  1 at76c503_rfmd
at76_usbdfu             4996  1 at76c503
ohci_hcd               29700  0
usbcore               126240  5 at76c503_rfmd,at76c503,at76_usbdfu,ohci_hcd
i2c_sis630              8844  0
i2c_sis5595             7940  0
sis5595                14216  0
i2c_isa                 5888  1 sis5595
i2c_core               22144  4 i2c_sis630,i2c_sis5595,sis5595,i2c_isa
hisax                 175100  2
isdn                  108864  5 hisax
eepro100               29456  0

root@...e:/usr/src/linux-2.6.23-rc8-mm2/net# dpkg -l|grep isdn
ii  isdnlog                          3.9.20060704-3                   ISDN connection logger
ii  isdnlog-data                     3.9.20060704-3                   data for isdnlog users
ii  isdnutils                        3.9.20060704-3                   Most important ISDN-related packages and uti
ii  isdnutils-base                   3.9.20060704-3                   ISDN utilities, the basic (minimal) set
ii  isdnutils-xtools                 3.9.20060704-3                   ISDN utilities that use X
ii  isdnvboxclient                   3.9.20060704-3                   ISDN answering machine, client
ii  isdnvboxserver                   3.9.20060704-3                   ISDN answering machine, server

CONFIG_ISDN=m
CONFIG_ISDN_I4L=m
CONFIG_ISDN_PPP=y
CONFIG_ISDN_PPP_VJ=y
CONFIG_ISDN_MPP=y
# CONFIG_IPPP_FILTER is not set
CONFIG_ISDN_PPP_BSDCOMP=m
CONFIG_ISDN_AUDIO=y
# CONFIG_ISDN_TTY_FAX is not set

#
# ISDN feature submodules
#
CONFIG_ISDN_DRV_LOOP=m
# CONFIG_ISDN_DIVERSION is not set

#
# ISDN4Linux hardware drivers
#

#
# Passive cards
#
CONFIG_ISDN_DRV_HISAX=m

#
# D-channel protocol features
#
CONFIG_HISAX_EURO=y
CONFIG_DE_AOC=y
# CONFIG_HISAX_NO_SENDCOMPLETE is not set
# CONFIG_HISAX_NO_LLC is not set
# CONFIG_HISAX_NO_KEYPAD is not set
# CONFIG_HISAX_1TR6 is not set
# CONFIG_HISAX_NI1 is not set
CONFIG_HISAX_MAX_CARDS=8

#
# HiSax supported cards
#
# CONFIG_HISAX_16_0 is not set
CONFIG_HISAX_16_3=y
CONFIG_HISAX_TELESPCI=y
# CONFIG_HISAX_S0BOX is not set
# CONFIG_HISAX_AVM_A1 is not set
CONFIG_HISAX_FRITZPCI=y
# CONFIG_HISAX_AVM_A1_PCMCIA is not set
# CONFIG_HISAX_ELSA is not set
# CONFIG_HISAX_IX1MICROR2 is not set
# CONFIG_HISAX_DIEHLDIVA is not set
# CONFIG_HISAX_ASUSCOM is not set
# CONFIG_HISAX_TELEINT is not set
# CONFIG_HISAX_HFCS is not set
# CONFIG_HISAX_SEDLBAUER is not set
CONFIG_HISAX_SPORTSTER=y
# CONFIG_HISAX_MIC is not set
# CONFIG_HISAX_NETJET is not set
# CONFIG_HISAX_NETJET_U is not set
# CONFIG_HISAX_NICCY is not set
# CONFIG_HISAX_ISURF is not set
# CONFIG_HISAX_HSTSAPHIR is not set
# CONFIG_HISAX_BKM_A4T is not set
# CONFIG_HISAX_SCT_QUADRO is not set
# CONFIG_HISAX_GAZEL is not set
CONFIG_HISAX_HFC_PCI=y
CONFIG_HISAX_W6692=y
# CONFIG_HISAX_HFC_SX is not set
# CONFIG_HISAX_DEBUG is not set

#
# HiSax PCMCIA card service modules
#

#
# HiSax sub driver modules
#
# CONFIG_HISAX_ST5481 is not set
# CONFIG_HISAX_HFCUSB is not set
# CONFIG_HISAX_HFC4S8S is not set
CONFIG_HISAX_FRITZ_PCIPNP=m

#
# Active cards
#
# CONFIG_ISDN_DRV_ICN is not set
# CONFIG_ISDN_DRV_PCBIT is not set
# CONFIG_ISDN_DRV_SC is not set
# CONFIG_ISDN_DRV_ACT2000 is not set
# CONFIG_HYSDN is not set
# CONFIG_ISDN_DRV_GIGASET is not set
# CONFIG_ISDN_CAPI is not set
# CONFIG_PHONE is not set


lspci (NOTE: on 2.6.16!!):
00:09.0 Network controller: Cologne Chip Designs GmbH ISDN network controller [HFC-PCI] (rev 02)

I used to have an ISA-based card (Teles?) in there, replaced by the PCI one
about 2 years ago.

grep isdnctrl /etc/isdn/*:

/etc/isdn/device.ippp0:# Read the isdnctrl manpage for more info.
/etc/isdn/device.ippp0: isdnctrl addif ${device}
/etc/isdn/device.ippp0: isdnctrl eaz ${device} $LOCALMSN
/etc/isdn/device.ippp0: # "name". More than one number can be set by calling isdnc
trl addphone
/etc/isdn/device.ippp0:                 isdnctrl addphone ${device} out $LEADINGZE
RO$MSN
/etc/isdn/device.ippp0: # disabled. More than one number can be set by calling isd
nctrl addphone
/etc/isdn/device.ippp0: #               isdnctrl addphone ${device} in $MSN
/etc/isdn/device.ippp0: # been added to the access list with isdnctrl addphone nam
e in.
/etc/isdn/device.ippp0: isdnctrl secure ${device} on
/etc/isdn/device.ippp0: isdnctrl huptimeout ${device} 180       # XXX_
/etc/isdn/device.ippp0: #isdnctrl dialmax ${device} 3
/etc/isdn/device.ippp0: #isdnctrl ihup ${device} on
/etc/isdn/device.ippp0: isdnctrl encap ${device} $ENCAP
/etc/isdn/device.ippp0: isdnctrl l2_prot ${device} hdlc
/etc/isdn/device.ippp0: isdnctrl l3_prot ${device} trans
/etc/isdn/device.ippp0: isdnctrl verbose 2
/etc/isdn/device.ippp0: #isdnctrl chargehup ${device} on
/etc/isdn/device.ippp0: #isdnctrl chargeint ${device} NUM
/etc/isdn/device.ippp0: #isdnctrl callback ${device} MODE
/etc/isdn/device.ippp0: #isdnctrl cbdelay ${device} SECONDS
/etc/isdn/device.ippp0: #isdnctrl cbhup ${device} MODE
/etc/isdn/device.ippp0: # See also : isdnctrl(8), isdnctrl help text
/etc/isdn/device.ippp0:         isdnctrl pppbind ${device} $bindnum
/etc/isdn/device.ippp0: isdnctrl dialmode $device $DIALMODE >/dev/null 2>&1
/etc/isdn/device.ippp0: isdnctrl dialmode $device off >/dev/null 2>&1
/etc/isdn/device.ippp0: isdnctrl delif $device  2> /dev/null
/etc/isdn/init.d.functions:    # can't count on "isdnctrl status all" working yet,
 unfortunately...
/etc/isdn/init.d.functions:     DEVS=`/usr/sbin/isdnctrl list all | grep 'Current
setup' | cut -f2 -d"'" | sort`
/etc/isdn/init.d.functions:         if [ ! -e /dev/isdnctrl ]; then
/etc/isdn/init.d.functions:             cd /dev && ln -s isdnctrl0 isdnctrl
/etc/isdn/init.d.functions:    cardnum=0   # counts in channels, just like /dev/is
dnctrlX
/etc/isdn/init.d.functions:    for optionfile in /etc/isdn/isdnlog.isdnctrl[02468]
; do
/etc/isdn/init.d.functions:        devicenum=${device#isdnctrl}
/etc/isdn/init.d.functions:        # test for isdnctrl dualmode. With dualmode, on
e isdnlog listens to
/etc/isdn/init.d.functions:    for optionfile in /etc/isdn/isdnlog.isdnctrl?; do
/etc/isdn/init.d.functions:    for optionfile in /etc/isdn/isdnlog.isdnctrl?; do
/etc/isdn/init.d.functions:                    /usr/sbin/isdnctrl delif $device >/
dev/null 2>&1 || true
/etc/isdn/init.d.functions:            /usr/sbin/isdnctrl delif $device >/dev/null
 2>&1 || true
/etc/isdn/netdown.old:eval `grep '^     isdnctrl addphone' /etc/isdn/device.ippp0
| sed 's,addphone,delphone,'`
/etc/isdn/netdown.old:/sbin/isdnctrl hangup ippp0
/etc/isdn/netup.old:eval `grep '^       isdnctrl addphone' /etc/isdn/device.ippp0`
/etc/isdn/stop:        /usr/sbin/isdnctrl system off
/etc/isdn/xisdnload-netdown:# script again). So, putting "isdnctrl dialmode all of
f" here is not that
/etc/isdn/xisdnload-netdown:# useful, as you have to do "isdnctrl dialmode all aut
o" manually...
/etc/isdn/xisdnload-netdown:/usr/sbin/isdnctrl hangup ippp0 > /dev/null
/etc/isdn/xmonisdn-netdown:/usr/sbin/isdnctrl dialmode all off
/etc/isdn/xmonisdn-netup:/usr/sbin/isdnctrl dialmode all auto


I intend to still try to get it up and running with 2.6.23-rc8-mm2 today
(with some workarounds hopefully, maybe even disabling ISDN completely)...

The last running kernel (I didn't have newer ones in between), up for some 110
days was 2.6.19-cks2 (IOW, I cannot quite say that
"this is an important regression, it has been broken very recently").

Thanks,

Andreas Mohr
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists