Only occurs on SMP when tcpdumping forwarded packets. Completely
repeatable on stock 2.3.35.
Looks like skb->head is bogus on freed skb. This makes me wonder about
the af_packet skb `borrowing' code...
Unable to handle kernel NULL pointer dereference at virtual address 00000008
c0133c3e
*pde = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<c0133c3e>]
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010086
eax: c1263160 ebx: c1263140 ecx: 00000000 edx: c1243728
esi: c79fd85c edi: 00000000 ebp: c79fd7c0 esp: c7911e18
ds: 0018 es: 0018 ss: 0018
Process tcpdump (pid: 118, stackpage=c7911000)
Stack: c79fc8a0 0000004a c1263160 00000246 c016fa43 c79fd7c0 c79fc840 c016fc41
c79fc840 c79fc840 c79fc882 c7911efe 0000004a 0000004a c0170b89 c79fc840
c80148fa c127fcc0 c79fc840 c7e86d90 0000061c c7911ebc c7911f6c c127fcc0
Call Trace: [<c016fa43>] [<c016fc41>] [<c0170b89>] [<c80148fa>] [<c016b3c9>] [<c
Code: 8b 47 08 3d 2b 2f c3 a5 0f 85 e4 02 00 00 f6 43 05 01 0f 85
>>EIP; c0133c3e <kfree+c6/460> <=====
Trace; c016fa43 <kfree_skbmem+27/44>
Trace; c016fc41 <__kfree_skb+1e1/1ec>
Trace; c0170b89 <skb_free_datagram+15/1c>
Trace; c80148fa <[parport]parport_ieee1284_epp_read_data+4a/f4>
Trace; c016b3c9 <sock_recvmsg+3d/b0>
Code; c0133c3e <kfree+c6/460>
00000000 <_EIP>:
Code; c0133c3e <kfree+c6/460> <=====
0: 8b 47 08 mov 0x8(%edi),%eax <=====
Code; c0133c41 <kfree+c9/460>
3: 3d 2b 2f c3 a5 cmp $0xa5c32f2b,%eax
Code; c0133c46 <kfree+ce/460>
8: 0f 85 e4 02 00 00 jne 2f2 <_EIP+0x2f2> c0133f30
<kfree+3b8/460>
Code; c0133c4c <kfree+d4/460>
e: f6 43 05 01 testb $0x1,0x5(%ebx)
Code; c0133c50 <kfree+d8/460>
12: 0f 85 00 00 00 00 jne 18 <_EIP+0x18> c0133c56 <kfree+de/460>
--
Hacking time.
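The first check a practitioner makes on a dump like this is that the faulting instruction, the register state and the "Unable to handle ... at virtual address" header agree with each other. The following Python script is an added example, not part of the original report or of ksymoops: it takes the header, register and `Code:` lines quoted above as its (constructed) input, decodes the leading `8b /r` (`mov r32, r/m32`) instruction, computes its effective address from the registers, and confirms that `0x8(%edi)` with `%edi` = 0 yields the reported address 00000008. The function and variable names (`parse_oops`, `decode_mov_load`, `faulting_access`) are the example's own; only the non-SIB addressing forms of this one opcode are handled.

```python
import re

# Constructed input: the header, register and Code lines copied from the oops above.
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000008
eax: c1263160 ebx: c1263140 ecx: 00000000 edx: c1243728
esi: c79fd85c edi: 00000000 ebp: c79fd7c0 esp: c7911e18
Code: 8b 47 08 3d 2b 2f c3 a5 0f 85 e4 02 00 00 f6 43 05 01 0f 85
"""

# i386 register names in ModRM reg/rm encoding order (0..7).
REG_NAMES_32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def parse_oops(text):
    """Return (fault_addr, regs, code_bytes) from an i386 oops dump."""
    m = re.search(r"virtual address ([0-9a-f]{8})", text)
    fault = int(m.group(1), 16) if m else None
    # Only the eight 32-bit GPRs match "e??: xxxxxxxx"; segment lines (ds: 0018) do not.
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2}): ([0-9a-f]{8})", text)}
    cm = re.search(r"Code: ((?:[0-9a-f]{2} ?)+)", text)
    code = bytes.fromhex(cm.group(1).replace(" ", "")) if cm else b""
    return fault, regs, code


def decode_mov_load(code, regs):
    """Decode a leading `8b /r` (mov r32, r/m32) and return (dest, base, disp, ea).

    Handles mod=00/01/10 without a SIB byte, which covers the form in this oops.
    Anything else raises ValueError rather than guessing.
    """
    if not code or code[0] != 0x8B:
        raise ValueError("first instruction is not mov r32, r/m32")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4:
        raise ValueError("register-direct or SIB form not handled")
    if mod == 0:
        if rm == 5:  # [disp32] with no base register
            disp = int.from_bytes(code[2:6], "little")
            return REG_NAMES_32[reg], None, disp, disp
        disp = 0
    elif mod == 1:   # [base + disp8]
        disp = int.from_bytes(code[2:3], "little", signed=True)
    else:            # [base + disp32]
        disp = int.from_bytes(code[2:6], "little", signed=True)
    base = REG_NAMES_32[rm]
    ea = (regs[base] + disp) & 0xFFFFFFFF
    return REG_NAMES_32[reg], base, disp, ea


def faulting_access(text):
    """Cross-check the faulting load against the reported fault address."""
    fault, regs, code = parse_oops(text)
    dest, base, disp, ea = decode_mov_load(code, regs)
    return {"dest": dest, "base": base, "disp": disp, "ea": ea,
            "fault_addr": fault, "consistent": ea == fault}


if __name__ == "__main__":
    r = faulting_access(OOPS)
    print(f"mov 0x{r['disp']:x}(%{r['base']}),%{r['dest']} "
          f"-> effective address 0x{r['ea']:08x}, "
          f"header says 0x{r['fault_addr']:08x}, consistent={r['consistent']}")
```

Run it on the dump and it reports the load as `mov 0x8(%edi),%eax` with `%edi` zero, effective address 0x00000008, which is exactly the header's virtual address: the oops is self-consistent, and the register being dereferenced at `kfree+c6` is a NULL `%edi`. That narrows the question to how a zero pointer reached `kfree` via `kfree_skbmem`, which is what the report's suspicion about `skb->head` on the freed skb is about.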