| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Sep 2008 19:03:38 +0300
From: Rémi Denis-Courmont <rdenis@...phalempin.com>
To: Evgeniy Polyakov <johnpol@....mipt.ru>
Cc: Andrew Morton <akpm@...ux-foundation.org>, netdev@...r.kernel.org,
bugme-daemon@...zilla.kernel.org
Subject: Re: [Bugme-new] [Bug 11469] New: TUN with 1024 neighbours: ip6_dst_lookup_tail NULL crash
Le vendredi 5 septembre 2008 14:41:50 Evgeniy Polyakov, vous avez écrit :
> Hi.
>
> On Sun, Aug 31, 2008 at 11:13:04AM -0700, Andrew Morton
(akpm@...ux-foundation.org) wrote:
> > > When an IFF_TUN (/dev/net/tun) device has more than 1023 IPv6
> > > neighbors, a process context crash occurs. Backtrace follows:
>
> Does this problem still exist?
Yes. With 2.6.27-rc5-b380b0d4f7dffcc235c0facefa537d4655619101, I get this:
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@...lcomm.com>
tun0: Disabled Privacy Extensions
BUG: unable to handle kernel NULL pointer dereference at 0000001d
IP: [<f8b205a0>] :ipv6:ip6_dst_lookup_tail+0x9e/0x166
*pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: tun fuse nf_conntrack_ftp nf_conntrack_ipv6
nf_conntrack_ipv4 nf_conntrack ipv6 snd_intel8x0 snd_ac97_codec ac97_bus
snd_pcm_oss snd_mixer_oss snd_pcm snd_se
q_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer
snd_seq_device snd soundcore intel_agp agpgart snd_page_alloc psmouse
iTCO_wdt evdev button parport_pc proce
ssor parport pcspkr dm_mirror dm_log dm_snapshot sg sr_mod cdrom e100 ehci_hcd
uhci_hcd usbcore unix
Pid: 2313, comm: tunload Not tainted (2.6.27-rc5-00132-gb380b0d #13)
EIP: 0060:[<f8b205a0>] EFLAGS: 00010246 CPU: 0
EIP is at ip6_dst_lookup_tail+0x9e/0x166 [ipv6]
EAX: 00000000 EBX: f7d7fd38 ECX: f678e800 EDX: f7cb9600
ESI: f67aa400 EDI: 00000000 EBP: f7d7fcb4 ESP: f7d7fc5c
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process tunload (pid: 2313, ti=f7d7e000 task=f66a3b60 task.ti=f7d7e000)
Stack: 00000000 f7d7fd54 f7d7fda8 f67aa400 f7d7fc7c f8b1f8e8 00000000 f6528e40
f7d7fcbc f8b211b2 f7d7fdb8 f67aa400 f7cb8900 f67aa624 00000000 00000246
f7d7fca4 c03124da f7d7fcbc 00000000 f7d7fed0 00000000 f7d7fcbc f8b207bd
Call Trace:
[<f8b1f8e8>] ? ip6_cork_release+0x2e/0x52 [ipv6]
[<f8b211b2>] ? ip6_push_pending_frames+0x1c9/0x3d9 [ipv6]
[<c03124da>] ? _spin_unlock_bh+0xd/0xf
[<f8b207bd>] ? ip6_dst_lookup+0xe/0x10 [ipv6]
[<f8b353fa>] ? rawv6_sendmsg+0x25d/0xc08 [ipv6]
[<c01401e6>] ? clockevents_program_event+0x92/0x119
[<c02eed00>] ? inet_sendmsg+0x2e/0x50
[<c02a7bad>] ? sock_sendmsg+0xcc/0xf0
[<c011d3a9>] ? find_busiest_group+0x160/0x7a0
[<c01372a5>] ? autoremove_wake_function+0x0/0x3a
[<c02ad2ba>] ? __kfree_skb+0x31/0x76
[<c02ad2ba>] ? __kfree_skb+0x31/0x76
[<c0137449>] ? remove_wait_queue+0x30/0x34
[<c021ba5f>] ? copy_from_user+0x2a/0x114
[<c02a7e85>] ? sys_sendto+0xa5/0xc5
[<c01401e6>] ? clockevents_program_event+0x92/0x119
[<c01372a5>] ? autoremove_wake_function+0x0/0x3a
[<c02a8d31>] ? sys_socketcall+0x176/0x295
[<c0103061>] ? sysenter_do_call+0x12/0x25
=======================
Code: 22 83 ff 9b 74 37 8b 55 b0 8b 02 e8 24 63 79 c7 8b 4d b0 c7 01 00 00 00
00 89 f8 83 c4 4c 5b 5e 5f 5d c3 8b 45 b0 8b 10 8b 42 2c <f6> 40 1d de 74 23
31 ff 89 f8 83 c4 4c 5b 5e 5f 5d c3 64 a1 04
EIP: [<f8b205a0>] ip6_dst_lookup_tail+0x9e/0x166 [ipv6] SS:ESP 0068:f7d7fc5c
---[ end trace fd93373c6fb8880e ]---
> > > Pid: 9950, comm: tunload Tainted: G D (2.6.26.3 #8)
>
> By whom it was tainted?
Its own self. I just failed to copy the very first crash trace.
Regards,
--
Rémi Denis-Courmont
http://www.remlab.net/
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists