Re: Alan's bug catalogue

Andreas Koppenhoefer (koppenas@koppenas.dialup.informatik.uni-stuttgart.de)
31 May 1996 09:54:41 +0200


>>>>> "AC" == Alan Cox <alan@lxorguk.ukuu.org.uk> writes:
In article <m0uOsZW-0005FrC@lightning.swansea.linux.org.uk> alan@lxorguk.ukuu.org.uk (Alan Cox) writes:

AC> What I have at the moment on the bug list for 2.0.9+collected patches
AC> (I'll post these soon).

Please add to category "Nasty" another tunnel driver problem:

All versions of tunnel.c/new_tunnel.c I've checked are crashable by the
command

ping -s 1453 <addr>
---> Segmentation fault and kernel Oops
Unable to handle kernel NULL pointer dereference at virtual address c0000000

with <addr> being some network address routed through the tunnel.
It should be easy to reproduce this bug: try pre2.0.8 with tunnel
support and these commands...
> ifconfig tunl0 1.2.3.4 pointopoint 5.6.7.8
> route add -host 5.6.7.8 dev tunl0
> ping -s 1453 5.6.7.8
PING 5.6.7.8 (5.6.7.8): 1453 data bytes
Segmentation fault

Unable to handle kernel NULL pointer dereference at virtual address c0000000
current->tss.cr3 = 00a18000, |r3 = 00a18000
*pde = 00102067
*pte = 00000027
Oops: 0000
CPU: 0
EIP: 0010:[<00000000>]
EFLAGS: 00010246
eax: 00000000 ebx: 00000001 ecx: 000005b0 edx: 00000000
esi: 00ff5c38 edi: 00000001 ebp: 001d8010 esp: 00dfbd34
ds: 0018 es: 0018 fs: 002b gs: 002b ss: 0018
Process ping (pid: 1200, process nr: 47, stackpage=00dfb000)
Stack: 0013bedf 00ff5c18 001d8010 08070605 00ff5c38 00ff5c45 001d8010 00000001
00ff5c38 00000000 00003b70 00147425 00ff5c38 001d8010 00000001 00abd214
00000000 000005b5 00000000 00093820 00080000 00000040 00093810 00001900
Call Trace: [dev_queue_xmit+95/480] [ip_build_xmit+3669/3840]
[scsi_done+0/1744] [scsi_done+0/1744] [raw_sendto+382/400]
[raw_getfrag+0/64] [raw_sendmsg+52/208]
[inet_sendmsg+161/192] [sys_sendto+318/352]
[filemap_nopage+330/688] [write_chan+271/496] [tty_write+215/256]
[sys_socketcall+563/848] [system_call+82/128]
Code: 01 00 00 00 6f ef 00 f0 c3 e2 00 f0 6f ef 00 f0 6f ef 00 f0
Socket destroy delayed (r=0 w=224)
last message repeated 4 times
-----------------------------------------------------------------------------
Call Trace message reformatted for readability.

I've already sent a bug report to the linux-kernel mailing list in March
'96 with detailed Oops reports from 1.3.79 and 1.3.57. The bug is still
(maybe again?) present in pre2.0.8!

Thanx,
Andreas


-- 
Andreas Koppenhoefer, student at the Universitaet Stuttgart, Federal Republic of Germany
<koppenas@informatik.uni-stuttgart.de>, <akoppenhoefer@schweinfurt.netsurf.de>
Franz-Schubert-Str. 2, 97616 Bad Neustadt, Germany, +49 9771 7943 (9-21h CET)
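A small triage helper for the Oops format quoted in the report, added here as an example (it is not part of the original post and not kernel code): it pulls the fault address, EIP, process and call-trace frames out of a constructed excerpt carrying the same values, treats an EIP of 0 as a call through a null function pointer, and names the innermost frame that is a real return site as the place to look. Treating +0 frames as function addresses lying on the stack rather than return sites is a heuristic.

```python
import re

# Constructed excerpt of the Oops quoted in the report (same values, fewer lines).
SAMPLE_OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address c0000000
EIP: 0010:[<00000000>]
Process ping (pid: 1200, process nr: 47, stackpage=00dfb000)
Call Trace: [dev_queue_xmit+95/480] [ip_build_xmit+3669/3840]
[scsi_done+0/1744] [raw_sendto+382/400] [raw_getfrag+0/64] [raw_sendmsg+52/208]
Code: 01 00 00 00 6f ef 00 f0 c3 e2 00 f0 6f ef 00 f0 6f ef 00 f0
"""

FAULT_RE = re.compile(r"at virtual address ([0-9a-f]{8})")
EIP_RE = re.compile(r"EIP:\s+[0-9a-f]{4}:\[<([0-9a-f]{8})>\]")
PROC_RE = re.compile(r"Process (\S+) \(pid: (\d+)")
FRAME_RE = re.compile(r"\[(\w+)\+(\d+)/(\d+)\]")   # [symbol+offset/size]

def parse_oops(text):
    """Extract fault address, EIP, process name and call-trace frames from an i386 2.0 Oops."""
    fault, eip, proc = FAULT_RE.search(text), EIP_RE.search(text), PROC_RE.search(text)
    frames, in_trace = [], False
    for line in text.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):       # the trace ends where the code bytes begin
            in_trace = False
        if in_trace:
            frames += [(s, int(o), int(n)) for s, o, n in FRAME_RE.findall(line)]
    return {"fault_addr": int(fault.group(1), 16) if fault else None,
            "eip": int(eip.group(1), 16) if eip else None,
            "process": proc.group(1) if proc else None,
            "frames": frames}

def triage(info):
    """Classify the fault and name the innermost frame that is a plausible return site."""
    # A +0 entry is a function's start address lying on the stack (raw_getfrag is passed to
    # ip_build_xmit as a callback), not a return address; the 2.0 trace printer just scans
    # the stack for anything that looks like a kernel text address.
    returns = [f[0] for f in info["frames"] if f[1] > 0]
    stack_values = [f[0] for f in info["frames"] if f[1] == 0]
    if info["eip"] == 0:
        # Execution reached address 0: the innermost real frame called a null function pointer.
        kind = "null function pointer call"
    elif info["fault_addr"] is not None and (info["fault_addr"] & 0x3FFFFFFF) < 4096:
        # 2.0 i386 kernel segments are based at 0xC0000000, so kernel address 0 prints as c0000000.
        kind = "null data pointer dereference"
    else:
        kind = "other fault"
    return {"kind": kind, "caller": returns[0] if returns else None, "stack_values": stack_values}
```

On the sample above the helper reports a null function pointer call with dev_queue_xmit as the caller, which matches the EIP of 00000000 and the first frame in the quoted trace.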