lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200809051903.41103.rdenis@simphalempin.com>
Date:	Fri, 5 Sep 2008 19:03:38 +0300
From:	Rémi Denis-Courmont <rdenis@...phalempin.com>
To:	Evgeniy Polyakov <johnpol@....mipt.ru>
Cc:	Andrew Morton <akpm@...ux-foundation.org>, netdev@...r.kernel.org,
	bugme-daemon@...zilla.kernel.org
Subject: Re: [Bugme-new] [Bug 11469] New: TUN with 1024 neighbours: ip6_dst_lookup_tail NULL crash

Le vendredi 5 septembre 2008 14:41:50 Evgeniy Polyakov, vous avez écrit :
> Hi.
>
> On Sun, Aug 31, 2008 at 11:13:04AM -0700, Andrew Morton 
(akpm@...ux-foundation.org) wrote:
> > > When an IFF_TUN (/dev/net/tun) device has more than 1023 IPv6
> > > neighbors, a process context crash occurs. Backtrace follows:
>
> Does this problem still exist?

Yes. With 2.6.27-rc5-b380b0d4f7dffcc235c0facefa537d4655619101, I get this:

tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@...lcomm.com>
tun0: Disabled Privacy Extensions
BUG: unable to handle kernel NULL pointer dereference at 0000001d
IP: [<f8b205a0>] :ipv6:ip6_dst_lookup_tail+0x9e/0x166
*pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: tun fuse nf_conntrack_ftp nf_conntrack_ipv6 
nf_conntrack_ipv4 nf_conntrack ipv6 snd_intel8x0 snd_ac97_codec ac97_bus 
snd_pcm_oss snd_mixer_oss snd_pcm snd_se
q_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer 
snd_seq_device snd soundcore intel_agp agpgart snd_page_alloc psmouse 
iTCO_wdt evdev button parport_pc proce
ssor parport pcspkr dm_mirror dm_log dm_snapshot sg sr_mod cdrom e100 ehci_hcd 
uhci_hcd usbcore unix

Pid: 2313, comm: tunload Not tainted (2.6.27-rc5-00132-gb380b0d #13)
EIP: 0060:[<f8b205a0>] EFLAGS: 00010246 CPU: 0
EIP is at ip6_dst_lookup_tail+0x9e/0x166 [ipv6]
EAX: 00000000 EBX: f7d7fd38 ECX: f678e800 EDX: f7cb9600
ESI: f67aa400 EDI: 00000000 EBP: f7d7fcb4 ESP: f7d7fc5c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process tunload (pid: 2313, ti=f7d7e000 task=f66a3b60 task.ti=f7d7e000)
Stack: 00000000 f7d7fd54 f7d7fda8 f67aa400 f7d7fc7c f8b1f8e8 00000000 f6528e40
       f7d7fcbc f8b211b2 f7d7fdb8 f67aa400 f7cb8900 f67aa624 00000000 00000246
       f7d7fca4 c03124da f7d7fcbc 00000000 f7d7fed0 00000000 f7d7fcbc f8b207bd
Call Trace:
 [<f8b1f8e8>] ? ip6_cork_release+0x2e/0x52 [ipv6]
 [<f8b211b2>] ? ip6_push_pending_frames+0x1c9/0x3d9 [ipv6]
 [<c03124da>] ? _spin_unlock_bh+0xd/0xf
 [<f8b207bd>] ? ip6_dst_lookup+0xe/0x10 [ipv6]
 [<f8b353fa>] ? rawv6_sendmsg+0x25d/0xc08 [ipv6]
 [<c01401e6>] ? clockevents_program_event+0x92/0x119
 [<c02eed00>] ? inet_sendmsg+0x2e/0x50
 [<c02a7bad>] ? sock_sendmsg+0xcc/0xf0
 [<c011d3a9>] ? find_busiest_group+0x160/0x7a0
 [<c01372a5>] ? autoremove_wake_function+0x0/0x3a
 [<c02ad2ba>] ? __kfree_skb+0x31/0x76
 [<c02ad2ba>] ? __kfree_skb+0x31/0x76
 [<c0137449>] ? remove_wait_queue+0x30/0x34
 [<c021ba5f>] ? copy_from_user+0x2a/0x114
 [<c02a7e85>] ? sys_sendto+0xa5/0xc5
 [<c01401e6>] ? clockevents_program_event+0x92/0x119
 [<c01372a5>] ? autoremove_wake_function+0x0/0x3a
 [<c02a8d31>] ? sys_socketcall+0x176/0x295
 [<c0103061>] ? sysenter_do_call+0x12/0x25
 =======================
Code: 22 83 ff 9b 74 37 8b 55 b0 8b 02 e8 24 63 79 c7 8b 4d b0 c7 01 00 00 00 
00 89 f8 83 c4 4c 5b 5e 5f 5d c3 8b 45 b0 8b 10 8b 42 2c <f6> 40 1d de 74 23 
31 ff 89 f8 83 c4 4c 5b 5e 5f 5d c3 64 a1 04
EIP: [<f8b205a0>] ip6_dst_lookup_tail+0x9e/0x166 [ipv6] SS:ESP 0068:f7d7fc5c
---[ end trace fd93373c6fb8880e ]---

> > > Pid: 9950, comm: tunload Tainted: G      D   (2.6.26.3 #8)
>
> By whom it was tainted?

Its own self. I just failed to copy the very first crash trace.

Regards,

-- 
Rémi Denis-Courmont
http://www.remlab.net/
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ