triggerable Oops since 3.0.72, vlan_group_get_device

Hello,

since kernel 3.0.72 I can trigger the Oops below when I execute something
like:

 vconfig rem bond0.13

The problem did not exist in 3.0.71 and lower, and a quick check showed
it does not exist in 3.2.43 or 3.8.7. So it seems to be a 3.0.x-only problem.


Reverting this commit, which is in 3.0.72, removes the problem:

commit 9829fe9806e22d7a822f4c947cc432c8d1774b54
Author: Cong Wang <amwang@xxxxxxxxxx>
Date:   Fri Mar 22 19:14:07 2013 +0000

    8021q: fix a potential use-after-free

    [ Upstream commit 4a7df340ed1bac190c124c1601bfc10cde9fb4fb ]




[   89.464282] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[   89.467361] IP: [<ffffffffa01c4090>] vlan_group_get_device+0xf/0x29 [bonding]
[   89.468142] PGD 568c2067 PUD 66f8f067 PMD 0
[   89.468142] Oops: 0000 [#1] SMP
[   89.468142] CPU 0
[   89.468142] Modules linked in: ip6_tables autofs4 rpcsec_gss_krb5 nfsd nfs lockd fscache auth_rpcgss nfs_acl sunrpc kvm_intel kvm xfrm_user 8021q garp bridge stp llc bonding dummy ipt_REJECT xt_NOTRACK xt_TCPMSS ipv6 xt_conntrack xt_connmark xt_state xt_addrtype xt_policy iptable_raw iptable_mangle iptable_nat iptable_filter ip_tables nf_nat_tftp nf_conntrack_tftp nf_nat_pptp nf_nat_proto_gre nf_conntrack_pptp nf_conntrack_proto_gre nf_nat_irc nf_conntrack_irc nf_nat_sip nf_conntrack_sip nf_nat_ftp nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack_ftp nf_conntrack ipt_ULOG ipmi_devintf ipmi_msghandler 8139too lcd_module ppdev parport_pc parport st processor thermal_sys floppy hwmon tpm_tis tpm tpm_bios i2c_piix4 button i6300esb i2c_core virtio_net virtio_balloon evdev sg [last unloaded: microcode]
[   89.468142]
[   89.468142] Pid: 4222, comm: vconfig Not tainted 3.0.72 #1 Bochs Bochs
[   89.468142] RIP: 0010:[<ffffffffa01c4090>]  [<ffffffffa01c4090>] vlan_group_get_device+0xf/0x29 [bonding]
[   89.468142] RSP: 0018:ffff880066c6fd18  EFLAGS: 00010203
[   89.468142] RAX: 0000000000000002 RBX: ffff880079c1b000 RCX: 0000000000000539
[   89.468142] RDX: 00000000ffff3268 RSI: 0000000000000539 RDI: 0000000000000000
[   89.468142] RBP: ffff880066c6fd18 R08: 0000000000000000 R09: 0000000000000020
[   89.468142] R10: ffff88005698d150 R11: dead000000200200 R12: ffff880079c1b740
[   89.468142] R13: ffff88007a2a6000 R14: 0000000000000539 R15: ffff88007a778400
[   89.468142] FS:  00007eff999906f0(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
[   89.468142] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   89.468142] CR2: 0000000000000030 CR3: 00000000568df000 CR4: 00000000000006f0
[   89.468142] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   89.468142] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   89.468142] Process vconfig (pid: 4222, threadinfo ffff880066c6e000, task ffff88006f7241c0)
[   89.468142] Stack:
[   89.468142]  ffff880066c6fd78 ffffffffa01c69fa ffff880066c6fd38 0539ffff8104d74a
[   89.468142]  ffff880079c1b000 ffffffffa001bfc9 0000000079c1b000 ffff880079c1b000
[   89.468142]  ffff880079a3b1c0 0000000000000539 ffff88007992e000 0000000000010539
[   89.468142] Call Trace:
[   89.468142]  [<ffffffffa01c69fa>] bond_vlan_rx_kill_vid+0x69/0x184 [bonding]
[   89.468142]  [<ffffffffa001bfc9>] ? start_xmit+0x27f/0x27f [virtio_net]
[   89.468142]  [<ffffffffa01f0438>] unregister_vlan_dev+0x104/0x11d [8021q]
[   89.468142]  [<ffffffffa01f0b0d>] vlan_ioctl_handler+0x2da/0x349 [8021q]
[   89.468142]  [<ffffffff814eb2a2>] sock_ioctl+0x17c/0x1fa
[   89.468142]  [<ffffffff810faf54>] vfs_ioctl+0x18/0x2f
[   89.468142]  [<ffffffff810fb3f4>] do_vfs_ioctl+0x3e9/0x422
[   89.468142]  [<ffffffff814ed7ad>] ? sock_alloc_file+0xb0/0x10e
[   89.468142]  [<ffffffff810ec24f>] ? spin_lock+0x9/0xb
[   89.468142]  [<ffffffff810ec280>] ? fd_install+0x2f/0x65
[   89.468142]  [<ffffffff810fb484>] sys_ioctl+0x57/0x7a
[   89.468142]  [<ffffffff815b7c92>] system_call_fastpath+0x16/0x1b
[   89.468142] Code: c0 c3 31 c0 f6 07 01 55 48 89 e5 75 0d e8 d3 ff ff ff 85 c0 0f 94 c0 0f b6 c0 c9 c3 89 f0 55 89 f1 66 c1 e8 09 0f b7 c0 48 89 e5
[   89.468142]  8b 54 c7 20 31 c0 48 85 d2 74 0c 48 89 c8 25 ff 01 00 00 48
[   89.468142] RIP  [<ffffffffa01c4090>] vlan_group_get_device+0xf/0x29 [bonding]
[   89.468142]  RSP <ffff880066c6fd18>
[   89.468142] CR2: 0000000000000030
[   89.529090] ---[ end trace 1c72308f27f53865 ]---
