* [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
@ 2013-11-15 18:34 Ian Kumlien
  2013-11-15 22:29 ` Bjorn Helgaas
From: Ian Kumlien @ 2013-11-15 18:34 UTC (permalink / raw)
  To: linux-kernel

Hi, 

After a lot of wondering I finally tracked down the bug that has been hitting
me since 3.12-rc7. Since this is a firewall I haven't actually noticed
it all the time. But when I saw that it rebooted too often, I enabled
netconsole and this is the output:

BUG: unable to handle kernel NULL pointer dereference at 0000000c
IP: [<c18196db>] _decode_session6+0x8b/0x370
*pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: netconsole tun
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.12.0 #55
Hardware name: MICRO-STAR INTERNATIONAL CO., LTD MS-9632/MS-9632, BIOS 6.00 PG 05/16/2007
task: c1b64880 ti: f600a000 task.ti: c1b5a000
EIP: 0060:[<c18196db>] EFLAGS: 00210202 CPU: 0
EIP is at _decode_session6+0x8b/0x370
EAX: 00000000 EBX: f2c42c00 ECX: 00000001 EDX: e351a0a2
ESI: 00000000 EDI: f600be70 EBP: f600be34 ESP: f600bdfc
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: 0000000c CR3: 235e8000 CR4: 000007d0
Stack:
 f600be30 00282c00 00000001 c1bb24e0 f63f8000 c1baa780 f2c42c00 c17d653f
 f2c42c00 c1807178 00000001 00000000 e3791f00 e3791f00 00000000 00000000
 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Call Trace:
 [<c17d653f>] ? __xfrm_decode_session+0x1f/0x30
 [<c1807178>] ? icmpv6_route_lookup+0xa8/0x170
 [<c1807693>] ? icmp6_send+0x453/0x6e0
 [<c177dd7c>] ? ip_local_deliver_finish+0x7c/0x1f0
 [<c177dd00>] ? ip_rcv_finish+0x310/0x310
 [<c177db03>] ? ip_rcv_finish+0x113/0x310
 [<c1807240>] ? icmpv6_route_lookup+0x170/0x170
 [<c182dc64>] ? icmpv6_send+0x24/0x30
 [<c180df2f>] ? ip6_expire_frag_queue+0x16f/0x180
 [<c1823390>] ? nf_ct_net_init+0x60/0x60
 [<c1075efc>] ? call_timer_fn.isra.27+0x1c/0x80
 [<c155ff1b>] ? e1000e_poll+0x13b/0x2e0
 [<c1823390>] ? nf_ct_net_init+0x60/0x60
 [<c1076094>] ? run_timer_softirq+0x134/0x1d0
 [<c1071255>] ? __do_softirq+0xa5/0x160
 [<c10711b0>] ? remote_softirq_cpu_notify+0xa0/0xa0
 <IRQ>
 [<c1071416>] ? irq_exit+0x66/0x90
 [<c105dff5>] ? smp_apic_timer_interrupt+0x35/0x50
 [<c187196d>] ? apic_timer_interrupt+0x2d/0x34
 [<c103d8d2>] ? default_idle+0x2/0x10
 [<c103df26>] ? arch_cpu_idle+0x16/0x20
 [<c10a1ed9>] ? cpu_startup_entry+0x49/0x130
 [<c1bc4948>] ? start_kernel+0x29e/0x2a3
 [<c1bc44ef>] ? repair_env_string+0x4d/0x4d
Code: 00 00 f3 ab 74 08 66 c7 07 00 00 83 c7 02 83 e6 01 74 03 c6 07 00 8b 83 90 00 00 00 8b 4c 24 08 89 45 08 8b 43 48 83 e0 fe 85 c9 <8b> 40 0c 8b 80 88 00 00 00 89 45 00 0f 84 1b 01 00 00 8b 42 08
EIP: [<c18196db>] _decode_session6+0x8b/0x370 SS:ESP 0068:f600bdfc
CR2: 000000000000000c
---[ end trace 0cbf7fb6e6aa1f45 ]---
Kernel panic - not syncing: Fatal exception in interrupt
---

Any clue besides just disabling ipv6? ;)
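As an added example (not part of the thread, and not kernel code), here is the kind of first-pass triage a defender runs over an oops like the one above before reading source: it pulls out the fault address, decides whether it is a near-NULL read (address below the first page means "NULL plus a member offset"), names the faulting function, records taint, kernel version and loaded modules, and keeps the call trace together with the `?` marks that flag frames recovered by stack scanning. The input is a constructed excerpt whose values are copied from the report above; the regular expressions and the findings wording are this example's own.

```python
import re
from typing import Dict, List

# Constructed input: the lines of the netconsole oops quoted in the report above
# that this parser needs (values copied from the thread, register dump omitted).
SAMPLE_OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000c
IP: [<c18196db>] _decode_session6+0x8b/0x370
Oops: 0000 [#1] SMP
Modules linked in: netconsole tun
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.12.0 #55
CR0: 8005003b CR2: 0000000c CR3: 235e8000 CR4: 000007d0
Call Trace:
 [<c17d653f>] ? __xfrm_decode_session+0x1f/0x30
 [<c1807178>] ? icmpv6_route_lookup+0xa8/0x170
 [<c1807693>] ? icmp6_send+0x453/0x6e0
 [<c180df2f>] ? ip6_expire_frag_queue+0x16f/0x180
 [<c1076094>] ? run_timer_softirq+0x134/0x1d0
 [<c1071255>] ? __do_softirq+0xa5/0x160
 <IRQ>
 [<c1071416>] ? irq_exit+0x66/0x90
Kernel panic - not syncing: Fatal exception in interrupt
"""

# A fault address inside the first page is "NULL + member offset": a struct
# pointer was NULL and a member at that offset was read (0xc in this report).
NULL_PAGE = 0x1000

BUG_RE = re.compile(r"unable to handle kernel .* at (?P<addr>[0-9a-f]+)")
SYM_RE = re.compile(r"(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\]\s*(?P<unreliable>\?\s*)?(?P<rest>\S.*)$")
TAINT_RE = re.compile(r"(?P<taint>Not tainted|Tainted: [A-Z ]+?)\s+(?P<ver>\d[\w.+-]*)")


def parse_oops(text: str) -> Dict[str, object]:
    """Pull out the fields an on-call engineer triages first from an x86 oops."""
    report: Dict[str, object] = {
        "fault_addr": None, "null_deref": False, "faulting": None,
        "modules": [], "tainted": None, "version": None,
        "trace": [], "in_interrupt": False,
    }
    in_trace = False
    for line in text.splitlines():
        if in_trace:
            if line.strip() == "<IRQ>":          # marker between IRQ and task stacks
                report["in_interrupt"] = True
                continue
            m = FRAME_RE.match(line)
            if m:
                s = SYM_RE.search(m.group("rest"))
                if s:  # '?' frames are stack-scan guesses, not exact return addresses
                    report["trace"].append((s.group("sym"), bool(m.group("unreliable"))))
                continue
            in_trace = False                     # first non-frame line ends the trace
        m = BUG_RE.search(line)
        if m:
            addr = int(m.group("addr"), 16)
            report["fault_addr"] = addr
            report["null_deref"] = addr < NULL_PAGE
        elif line.startswith(("IP:", "EIP is at")):
            s = SYM_RE.search(line)
            if s:
                report["faulting"] = (s.group("sym"), int(s.group("off"), 16),
                                      int(s.group("size"), 16))
        elif line.startswith("Modules linked in:"):
            report["modules"] = line.split(":", 1)[1].split()
        elif line.startswith("CPU:"):
            t = TAINT_RE.search(line)
            if t:
                report["tainted"] = not t.group("taint").startswith("Not")
                report["version"] = t.group("ver")
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif "Fatal exception in interrupt" in line:
            report["in_interrupt"] = True
    return report


def triage(report: Dict[str, object]) -> List[str]:
    """Turn the parsed fields into the short findings that decide where to look next."""
    findings: List[str] = []
    sym = report["faulting"]
    if report["null_deref"] and sym:
        findings.append(
            "NULL pointer dereference: member at offset 0x%x read through a NULL "
            "struct pointer in %s+0x%x" % (report["fault_addr"], sym[0], sym[1]))
    if report["in_interrupt"]:
        findings.append("faulted in interrupt/softirq context: look for a timer or "
                        "softirq entry point in the trace, not a syscall")
    if report["tainted"] is False:
        findings.append("kernel not tainted: in-tree code, no out-of-tree module loaded")
    trace = report["trace"]
    if trace and all(unreliable for _, unreliable in trace):
        findings.append("every frame is marked '?': addresses came from stack scanning, "
                        "treat the ordering as a hint")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_oops(SAMPLE_OOPS)):
        print("-", finding)
```

On this report the parser lands on exactly the facts that matter for the rest of the thread: a read at offset 0xc through a NULL pointer inside `_decode_session6`, reached from a timer softirq (`ip6_expire_frag_queue` sending an ICMPv6 error) rather than from a socket call, on an untainted 3.12.0 with only `netconsole` and `tun` loaded.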



* Re: [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
  2013-11-15 18:34 [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c Ian Kumlien
@ 2013-11-15 22:29 ` Bjorn Helgaas
  2013-11-15 22:44   ` David Miller
From: Bjorn Helgaas @ 2013-11-15 22:29 UTC (permalink / raw)
  To: Ian Kumlien
  Cc: linux-kernel, Eric Dumazet, netdev, David S. Miller, Alexander Aring

[+cc David, Eric, Alex, netdev]

Alex reported a similar issue at
http://marc.info/?l=linux-netdev&m=138355719901790&w=4

On Fri, Nov 15, 2013 at 11:34 AM, Ian Kumlien <pomac@vapor.com> wrote:
> Hi,
>
> After a lot of wondering I finally tracked down the bug that has been hitting
> me since 3.12-rc7. Since this is a firewall I haven't actually noticed
> it all the time. But when I saw that it rebooted too often, I enabled
> netconsole and this is the output:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000c
> IP: [<c18196db>] _decode_session6+0x8b/0x370
> *pde = 00000000
> Oops: 0000 [#1] SMP
> Modules linked in: netconsole tun
> CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.12.0 #55
> Hardware name: MICRO-STAR INTERNATIONAL CO., LTD MS-9632/MS-9632, BIOS 6.00 PG 05/16/2007
> task: c1b64880 ti: f600a000 task.ti: c1b5a000
> EIP: 0060:[<c18196db>] EFLAGS: 00210202 CPU: 0
> EIP is at _decode_session6+0x8b/0x370
> EAX: 00000000 EBX: f2c42c00 ECX: 00000001 EDX: e351a0a2
> ESI: 00000000 EDI: f600be70 EBP: f600be34 ESP: f600bdfc
>  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
> CR0: 8005003b CR2: 0000000c CR3: 235e8000 CR4: 000007d0
> Stack:
>  f600be30 00282c00 00000001 c1bb24e0 f63f8000 c1baa780 f2c42c00 c17d653f
>  f2c42c00 c1807178 00000001 00000000 e3791f00 e3791f00 00000000 00000000
>  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> Call Trace:
>  [<c17d653f>] ? __xfrm_decode_session+0x1f/0x30
>  [<c1807178>] ? icmpv6_route_lookup+0xa8/0x170
>  [<c1807693>] ? icmp6_send+0x453/0x6e0
>  [<c177dd7c>] ? ip_local_deliver_finish+0x7c/0x1f0
>  [<c177dd00>] ? ip_rcv_finish+0x310/0x310
>  [<c177db03>] ? ip_rcv_finish+0x113/0x310
>  [<c1807240>] ? icmpv6_route_lookup+0x170/0x170
>  [<c182dc64>] ? icmpv6_send+0x24/0x30
>  [<c180df2f>] ? ip6_expire_frag_queue+0x16f/0x180
>  [<c1823390>] ? nf_ct_net_init+0x60/0x60
>  [<c1075efc>] ? call_timer_fn.isra.27+0x1c/0x80
>  [<c155ff1b>] ? e1000e_poll+0x13b/0x2e0
>  [<c1823390>] ? nf_ct_net_init+0x60/0x60
>  [<c1076094>] ? run_timer_softirq+0x134/0x1d0
>  [<c1071255>] ? __do_softirq+0xa5/0x160
>  [<c10711b0>] ? remote_softirq_cpu_notify+0xa0/0xa0
>  <IRQ>
>  [<c1071416>] ? irq_exit+0x66/0x90
>  [<c105dff5>] ? smp_apic_timer_interrupt+0x35/0x50
>  [<c187196d>] ? apic_timer_interrupt+0x2d/0x34
>  [<c103d8d2>] ? default_idle+0x2/0x10
>  [<c103df26>] ? arch_cpu_idle+0x16/0x20
>  [<c10a1ed9>] ? cpu_startup_entry+0x49/0x130
>  [<c1bc4948>] ? start_kernel+0x29e/0x2a3
>  [<c1bc44ef>] ? repair_env_string+0x4d/0x4d
> Code: 00 00 f3 ab 74 08 66 c7 07 00 00 83 c7 02 83 e6 01 74 03 c6 07 00 8b 83 90 00 00 00 8b 4c 24 08 89 45 08 8b 43 48 83 e0 fe 85 c9 <8b> 40 0c 8b 80 88 00 00 00 89 45 00 0f 84 1b 01 00 00 8b 42 08
> EIP: [<c18196db>] _decode_session6+0x8b/0x370 SS:ESP 0068:f600bdfc
> CR2: 000000000000000c
> ---[ end trace 0cbf7fb6e6aa1f45 ]---
> Kernel panic - not syncing: Fatal exception in interrupt
> ---
>
> Any clue besides just disabling ipv6? ;)
>


* Re: [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
  2013-11-15 22:29 ` Bjorn Helgaas
@ 2013-11-15 22:44   ` David Miller
  2013-11-15 23:39     ` Ian Kumlien
From: David Miller @ 2013-11-15 22:44 UTC (permalink / raw)
  To: bhelgaas; +Cc: pomac, linux-kernel, edumazet, netdev, alex.aring

From: Bjorn Helgaas <bhelgaas@google.com>
Date: Fri, 15 Nov 2013 15:29:53 -0700

> [+cc David, Eric, Alex, netdev]
> 
> Alex reported a similar issue at
> http://marc.info/?l=linux-netdev&m=138355719901790&w=4

Fixed by:

commit 84502b5ef9849a9694673b15c31bd3ac693010ae
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date:   Wed Oct 30 11:16:28 2013 +0100

    xfrm: Fix null pointer dereference when decoding sessions
    
    On some codepaths the skb does not have a dst entry
    when xfrm_decode_session() is called. So check for
    a valid skb_dst() before dereferencing the device
    interface index. We use 0 as the device index if
    there is no valid skb_dst(), or at reverse decoding
    we use skb_iif as device interface index.
    
    Bug was introduced with git commit bafd4bd4dc
    ("xfrm: Decode sessions with output interface.").
    
    Reported-by: Meelis Roos <mroos@linux.ee>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 4764ee4..e1a6393 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -104,10 +104,14 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 	const struct iphdr *iph = ip_hdr(skb);
 	u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
 	struct flowi4 *fl4 = &fl->u.ip4;
+	int oif = 0;
+
+	if (skb_dst(skb))
+		oif = skb_dst(skb)->dev->ifindex;
 
 	memset(fl4, 0, sizeof(struct flowi4));
 	fl4->flowi4_mark = skb->mark;
-	fl4->flowi4_oif = skb_dst(skb)->dev->ifindex;
+	fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
 
 	if (!ip_is_fragment(iph)) {
 		switch (iph->protocol) {
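Review bot: `skb_dst(skb)` is evaluated twice in the added lines (`if (skb_dst(skb))` and `oif = skb_dst(skb)->dev->ifindex;`); reading it once into a local `struct dst_entry *dst = skb_dst(skb);` would make the NULL guard and the dereference visibly refer to the same value and reads more naturally for the reviewer. Also worth stating explicitly in the commit message: the old line `fl4->flowi4_oif = skb_dst(skb)->dev->ifindex;` used the dst device for both directions, while the new `reverse ? skb->skb_iif : oif` switches the reverse case to the input interface even when a dst is present, so this hunk changes reverse-decoded lookups as well as fixing the NULL dereference.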
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index dd503a3..5f8e128 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -135,10 +135,14 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 	struct ipv6_opt_hdr *exthdr;
 	const unsigned char *nh = skb_network_header(skb);
 	u8 nexthdr = nh[IP6CB(skb)->nhoff];
+	int oif = 0;
+
+	if (skb_dst(skb))
+		oif = skb_dst(skb)->dev->ifindex;
 
 	memset(fl6, 0, sizeof(struct flowi6));
 	fl6->flowi6_mark = skb->mark;
-	fl6->flowi6_oif = skb_dst(skb)->dev->ifindex;
+	fl6->flowi6_oif = reverse ? skb->skb_iif : oif;
 
 	fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
 	fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
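Review bot: this is the hunk that matches the reported oops, which faulted in `_decode_session6` at address 0xc from an ICMPv6 error sent out of `ip6_expire_frag_queue` (a timer softirq with no route attached to the skb), so a NULL `skb_dst(skb)` on that path is consistent with the crash. The guard only covers a NULL dst, though: when a dst is present, `skb_dst(skb)->dev` is still dereferenced unconditionally in `oif = skb_dst(skb)->dev->ifindex;`, which is fine as long as every caller that attaches a dst also sets its device; a one-line comment above the `if (skb_dst(skb))` saying that is the invariant being relied on would help the next reader, and keeping the IPv4 and IPv6 hunks textually identical (same local variable, same comment) makes it easy to verify they stay in sync.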


* Re: [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
  2013-11-15 22:44   ` David Miller
@ 2013-11-15 23:39     ` Ian Kumlien
  2013-11-15 23:57       ` David Miller
From: Ian Kumlien @ 2013-11-15 23:39 UTC (permalink / raw)
  To: David Miller; +Cc: bhelgaas, pomac, linux-kernel, edumazet, netdev, alex.aring

On Fri, Nov 15, 2013 at 05:44:26PM -0500, David Miller wrote:
> From: Bjorn Helgaas <bhelgaas@google.com>
> Date: Fri, 15 Nov 2013 15:29:53 -0700
> 
> > [+cc David, Eric, Alex, netdev]
> > 
> > Alex reported a similar issue at
> > http://marc.info/?l=linux-netdev&m=138355719901790&w=4
> 
> Fixed by:
> 
> commit 84502b5ef9849a9694673b15c31bd3ac693010ae
> Author: Steffen Klassert <steffen.klassert@secunet.com>
> Date:   Wed Oct 30 11:16:28 2013 +0100

Cherry-picked, compiled and preparing for reboot - thanks!

Shouldn't this be queued up in stable sometime soonish?

(Sorry for the change of email address, I had forgotten to switch the
configurations in mutt)



* Re: [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
  2013-11-15 23:39     ` Ian Kumlien
@ 2013-11-15 23:57       ` David Miller
  2013-11-18  9:22         ` Steffen Klassert
From: David Miller @ 2013-11-15 23:57 UTC (permalink / raw)
  To: pomac
  Cc: bhelgaas, pomac, linux-kernel, edumazet, netdev, alex.aring,
	steffen.klassert

From: Ian Kumlien <pomac@demius.net>
Date: Sat, 16 Nov 2013 00:39:19 +0100

> On Fri, Nov 15, 2013 at 05:44:26PM -0500, David Miller wrote:
>> From: Bjorn Helgaas <bhelgaas@google.com>
>> Date: Fri, 15 Nov 2013 15:29:53 -0700
>> 
>> > [+cc David, Eric, Alex, netdev]
>> > 
>> > Alex reported a similar issue at
>> > http://marc.info/?l=linux-netdev&m=138355719901790&w=4
>> 
>> Fixed by:
>> 
>> commit 84502b5ef9849a9694673b15c31bd3ac693010ae
>> Author: Steffen Klassert <steffen.klassert@secunet.com>
>> Date:   Wed Oct 30 11:16:28 2013 +0100
> 
> Cherry-picked, compiled and preparing for reboot - thanks!
> 
> Shouldn't this be queued up in stable sometime soonish?
> 
> (Sorry for the change of email address, I had forgotten to switch the
> configurations in mutt)

Steffen is in charge of IPSEC -stable submissions, please ask him
:-)


* Re: [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
  2013-11-15 23:57       ` David Miller
@ 2013-11-18  9:22         ` Steffen Klassert
  2013-11-23 21:10           ` Kirill A. Shutemov
From: Steffen Klassert @ 2013-11-18  9:22 UTC (permalink / raw)
  To: David Miller
  Cc: pomac, bhelgaas, pomac, linux-kernel, edumazet, netdev, alex.aring

On Fri, Nov 15, 2013 at 06:57:55PM -0500, David Miller wrote:
> From: Ian Kumlien <pomac@demius.net>
> Date: Sat, 16 Nov 2013 00:39:19 +0100
> 
> > On Fri, Nov 15, 2013 at 05:44:26PM -0500, David Miller wrote:
> >> From: Bjorn Helgaas <bhelgaas@google.com>
> >> Date: Fri, 15 Nov 2013 15:29:53 -0700
> >> 
> >> > [+cc David, Eric, Alex, netdev]
> >> > 
> >> > Alex reported a similar issue at
> >> > http://marc.info/?l=linux-netdev&m=138355719901790&w=4
> >> 
> >> Fixed by:
> >> 
> >> commit 84502b5ef9849a9694673b15c31bd3ac693010ae
> >> Author: Steffen Klassert <steffen.klassert@secunet.com>
> >> Date:   Wed Oct 30 11:16:28 2013 +0100
> > 
> > Cherry-picked, compiled and preparing for reboot - thanks!
> > 
> > Shouldn't this be queued up in stable sometime soonish?
> > 
> > (Sorry for the change of email address, I had forgotten to switch the
> > configurations in mutt)
> 
> Steffen is in charge of IPSEC -stable submissions, please ask him
> :-)

It was intended for v3.12 but the release came before it was merged
into the mainline. So yes, it should go to the v3.12 stable tree.

I've always done stable submissions just by marking them as
candidates for stable; this did not happen here because I hoped
it would make it into v3.12. It should apply cleanly to v3.12
stable, you could just pick it into your stable queue, or
alternatively I can submit it to stable.


* Re: [OOPS][3.12] BUG: unable to handle kernel NULL pointer dereference at 0000000c
  2013-11-18  9:22         ` Steffen Klassert
@ 2013-11-23 21:10           ` Kirill A. Shutemov
From: Kirill A. Shutemov @ 2013-11-23 21:10 UTC (permalink / raw)
  To: Steffen Klassert
  Cc: David Miller, pomac, bhelgaas, pomac, linux-kernel, edumazet,
	netdev, alex.aring, stable

On Mon, Nov 18, 2013 at 10:22:55AM +0100, Steffen Klassert wrote:
> On Fri, Nov 15, 2013 at 06:57:55PM -0500, David Miller wrote:
> > From: Ian Kumlien <pomac@demius.net>
> > Date: Sat, 16 Nov 2013 00:39:19 +0100
> > 
> > > On Fri, Nov 15, 2013 at 05:44:26PM -0500, David Miller wrote:
> > >> From: Bjorn Helgaas <bhelgaas@google.com>
> > >> Date: Fri, 15 Nov 2013 15:29:53 -0700
> > >> 
> > >> > [+cc David, Eric, Alex, netdev]
> > >> > 
> > >> > Alex reported a similar issue at
> > >> > http://marc.info/?l=linux-netdev&m=138355719901790&w=4
> > >> 
> > >> Fixed by:
> > >> 
> > >> commit 84502b5ef9849a9694673b15c31bd3ac693010ae
> > >> Author: Steffen Klassert <steffen.klassert@secunet.com>
> > >> Date:   Wed Oct 30 11:16:28 2013 +0100
> > > 
> > > Cherry-picked, compiled and preparing for reboot - thanks!
> > > 
> > > Shouldn't this be queued up in stable sometime soonish?
> > > 
> > > (Sorry for the change of email address, I had forgotten to switch the
> > > configurations in mutt)
> > 
> > Steffen is in charge of IPSEC -stable submissions, please ask him
> > :-)
> 
> It was intended for v3.12 but the release came before it was merged
> into the mainline. So yes, it should go to the v3.12 stable tree.
> 
> I've always done stable submissions just by marking them as
> candidates for stable; this did not happen here because I hoped
> it would make it into v3.12. It should apply cleanly to v3.12
> stable, you could just pick it into your stable queue, or
> alternatively I can submit it to stable.

Any progress with getting the patch into stable?

It's not in v3.12.1 and I don't see it in the stable queue.

-- 
 Kirill A. Shutemov

