Bug 157228 - Kernel crashes on executing ip -6 route add ::/96 dev sit1 if device is not up
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: David Miller
QA Contact: Brian Brock
Reported: 2005-05-09 16:19 UTC by Peter Bieringer
Modified: 2012-06-20 16:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-06-20 16:09:08 UTC
Target Upstream Version:


Description Peter Bieringer 2005-05-09 16:19:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

Description of problem:
While trying to enable 6to4 on a RHEL4 box, the kernel crashes.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. # rpm -qf `which ip`
1. # uname -a
Linux ***** 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux
2. # ip tunnel add mode sit local remote any name sit1
3. # ip -6 route add ::/96 dev sit1
Segmentation fault

Actual Results:  Crash:

NET: Registered protocol family 10
Disabled Privacy Extensions on device c0366c20(lo)
IPv6 over IPv4 tunneling driver
divert: not allocating divert_blk for non-ethernet device sit0
ip_tables: (C) 2000-2002 Netfilter core team
divert: not allocating divert_blk for non-ethernet device sit1
Unable to handle kernel NULL pointer dereference at virtual address 00000014
 printing eip:
*pde = 00000000
Oops: 0000 [#1]
Modules linked in: md5 ipv6 autofs4 nfs lockd sunrpc dm_mod uhci_hcd hw_random 8139too mii floppy ext3 jbd
CPU:    0
EIP:    0060:[<d09cf769>]    Not tainted VLI
EFLAGS: 00010202   (2.6.9-5.EL)
EIP is at ip6_route_add+0x531/0x55c [ipv6]
eax: 00000000   ebx: cfefb460   ecx: cd0ce800   edx: 00000000
esi: ffffffed   edi: d09d0353   ebp: ccfb8c70   esp: ccfb8c40
ds: 007b   es: 007b   ss: 0068
Process ip (pid: 2490, threadinfo=ccfb8000 task=ccf4c170)
Stack: ccfb8c70 ccfb8c70 00000000 cd0ce800 00000000 cfefb460 cfed2400 cfefb460
       cfed2400 d09d0353 00000008 d09d037d 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Call Trace:
 [<d09d0353>] inet6_rtm_newroute+0x0/0x35 [ipv6]
 [<d09d037d>] inet6_rtm_newroute+0x2a/0x35 [ipv6]
 [<d09d0353>] inet6_rtm_newroute+0x0/0x35 [ipv6]
 [<c02ae989>] rtnetlink_rcv+0x225/0x313
 [<c02baf2e>] netlink_data_ready+0x14/0x43
 [<c02ba6b1>] netlink_sendskb+0x52/0x6b
 [<c02bad4a>] netlink_sendmsg+0x252/0x261
 [<c029d4af>] sock_sendmsg+0xdb/0xf7
 [<c011d043>] autoremove_wake_function+0x0/0x2d
 [<c02a2e8e>] verify_iovec+0x76/0xc2
 [<c029ec47>] sys_sendmsg+0x1ee/0x23b
 [<c015236d>] handle_mm_fault+0xd5/0x1fd
 [<c015332b>] __vma_link+0x59/0x66
 [<c0153419>] vma_link+0xe1/0x1dd
 [<c0154fce>] do_brk+0x1da/0x213
 [<c029f030>] sys_socketcall+0x1c1/0x1dd
 [<c0301bfb>] syscall_call+0x7/0xb
Code: 14 8b 54 24 18 83 c4 1c 5b 5e 5f 5d e9 cf f1 ff ff be ea ff ff ff 83 7c 24 0c 00 74 0a 8b 4c 24 0c ff 89 84 01 00 00 8b 54 24 10 <83> 7a 14 01 7f 1b 8b 42 04 85 c0 75 0d 89 d0 e8 7a ba 8d ef 85

Expected Results:  No such crash, as on FC3:

# uname -a
Linux ******* 2.6.11-1.14_FC3 #1 Thu Apr 7 19:23:49 EDT 2005 i686 i686 i386 GNU/Linux
# ip tunnel add mode sit local remote any name sit1
# ip -6 route add ::/96 dev sit1
RTNETLINK answers: No such device

Additional info:

Note that normally a device needs to be up before such a route is added. I'll investigate now why this does not happen properly in initscripts. Anyway, the kernel shouldn't crash either.
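
A triage sketch for the oops quoted above, added here as an example and not part of the original report or of any Red Hat tooling: it extracts the fault address, faulting symbol, zeroed registers and syscall entry point from the log text. The function name `triage_oops` and its result keys are assumptions made for illustration; the sample input is an excerpt of the log lines in this report.

```python
import re

# Excerpt of the oops from the report above (lines taken from this page).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000014
Oops: 0000 [#1]
EIP is at ip6_route_add+0x531/0x55c [ipv6]
eax: 00000000   ebx: cfefb460   ecx: cd0ce800   edx: 00000000
esi: ffffffed   edi: d09d0353   ebp: ccfb8c70   esp: ccfb8c40
Process ip (pid: 2490, threadinfo=ccfb8000 task=ccf4c170)
Call Trace:
 [<d09d037d>] inet6_rtm_newroute+0x2a/0x35 [ipv6]
 [<c02ae989>] rtnetlink_rcv+0x225/0x313
 [<c02bad4a>] netlink_sendmsg+0x252/0x261
 [<c029ec47>] sys_sendmsg+0x1ee/0x23b
 [<c0301bfb>] syscall_call+0x7/0xb
"""

PAGE_SIZE = 0x1000  # i386 page size; faults below it are NULL-based accesses


def triage_oops(text):
    """Summarise a 2.6-era i386 oops: where it faulted, who triggered it, how."""
    out = {}
    m = re.search(r"at virtual address ([0-9a-f]{8})", text)
    out["fault_addr"] = int(m.group(1), 16) if m else None
    m = re.search(r"EIP is at (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?", text)
    if m:
        out["function"], out["module"] = m.group(1), m.group(4)
        out["offset"], out["func_size"] = int(m.group(2), 16), int(m.group(3), 16)
    m = re.search(r"Process (\S+) \(pid: (\d+)", text)
    if m:
        out["process"], out["pid"] = m.group(1), int(m.group(2))
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2}): ([0-9a-f]{8})", text)}
    out["zero_regs"] = sorted(r for r, v in regs.items() if v == 0)
    trace = re.findall(r"^\s*\[<[0-9a-f]{8}>\] (\w+)\+0x", text, re.M)
    out["trace"] = trace
    # A fault inside the first page means a NULL base pointer plus a small field offset.
    a = out["fault_addr"]
    out["null_field_offset"] = a if a is not None and a < PAGE_SIZE else None
    # A sys_* frame in the trace means the path was entered from a system call.
    out["syscall_entry"] = next((f for f in trace if f.startswith("sys_")), None)
    return out


if __name__ == "__main__":
    for key, value in triage_oops(OOPS).items():
        print(f"{key}: {value}")
```

On this report it yields a NULL-based access at offset 0x14 inside `ip6_route_add` in the `ipv6` module, entered through `sys_sendmsg` by the `ip` process.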

Comment 1 Peter Bieringer 2005-09-22 16:04:00 UTC
Same happens on 2.6.9-11.EL

Comment 2 Peter Bieringer 2006-12-18 12:32:44 UTC
Same happens on 2.6.9-42.EL

Comment 3 Jiri Pallich 2012-06-20 16:09:08 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please See

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
