[OOPS] kernel panic due to bug in tcp_ipv6.c

[YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@xxxxxxxxxxxxxxxxx>]

Hi,

We've found a rather silly bug in net/ipv6/tcp_ipv6.c in linux-2.4.x 
that causes kernel panic (reporeted by Hiroyuki YAMAMORI 
<h-yamamo@xxxxxxxxxxxxxxxx>) like this (this ksymopps log was 
created by <mk@xxxxxxxxxxxxxx>):

***** cut here *****
ksymoops 2.3.4 on i686 2.4.0-bSTABLE200102.  Options used
     -v /usr/src/linux24-bSTABLE200102/vmlinux (specified)
     -K (specified)
     -L (specified)
     -O (specified)
     -m /usr/src/linux24-bSTABLE200102/System.map (specified)

Deactivating swap... done.
invalid operand: 0000
CPU:    0
EIP:    0010:[<c0110054>]
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00000282
eax: 0000001b   ebx: c1eb2000   ecx: c2aba000   edx: 00000001
esi: c2577554   edi: 7fffffff   ebp: c1eb3e7c   esp: c1eb3e58
ds: 0018   es: 0018   ss: 0018
Process ftpd (pid: 271, stackpage=c1eb3000)
Stack: c01c9f35 c01ca096 000002b0 7fffffff c2577554 7fffffff 00000000 c2577520 
       c2bfb280 c1eb3ea0 c010fc5f c2577520 c2577554 c2577600 c2577650 c1eb3f14 
       00000286 c2577520 c2313ae4 c019fc18 c2577520 ffffff8d 7fffffff 00000000 
Call Trace: [<c010fc5f>] [<c019fc18>] [<c019fdb7>] [<c017881e>] [<c011dbf2>] 
[<c011dbfb>] [<c011ce22>] 
       [<c010d125>] [<c0179144>] [<c0108e0f>] 
Code: 0f 0b 8d 65 e8 5b 5e 5f 89 ec 5d c3 55 89 e5 83 ec 18 57 56 

>>EIP; c0110054 <schedule+368/374>   <=====
Trace; c010fc5f <schedule_timeout+17/94>
Trace; c019fc18 <inet_wait_for_connect+b0/124>
Trace; c019fdb7 <inet_stream_connect+12b/1f0>
Trace; c017881e <sys_connect+5e/7c>
Trace; c011dbf2 <insert_vm_struct+1a/29>
Trace; c011dbfb <insert_vm_struct+23/29>
Trace; c011ce22 <do_mmap_pgoff+322/3e0>
Trace; c010d125 <old_mmap+c9/f8>
Trace; c0179144 <sys_socketcall+98/210>
Trace; c0108e0f <system_call+33/38>
Code;  c0110054 <schedule+368/374>
00000000 <_EIP>:
Code;  c0110054 <schedule+368/374>   <=====
   0:   0f 0b                     ud2a      <=====
Code;  c0110056 <schedule+36a/374>
   2:   8d 65 e8                  lea    0xffffffe8(%ebp),%esp
Code;  c0110059 <schedule+36d/374>
   5:   5b                        pop    %ebx
Code;  c011005a <schedule+36e/374>
   6:   5e                        pop    %esi
Code;  c011005b <schedule+36f/374>
   7:   5f                        pop    %edi
Code;  c011005c <schedule+370/374>
   8:   89 ec                     mov    %ebp,%esp
Code;  c011005e <schedule+372/374>
   a:   5d                        pop    %ebp
Code;  c011005f <schedule+373/374>
   b:   c3                        ret    
Code;  c0110060 <__wake_up+0/130>
   c:   55                        push   %ebp
Code;  c0110061 <__wake_up+1/130>
   d:   89 e5                     mov    %esp,%ebp
Code;  c0110063 <__wake_up+3/130>
   f:   83 ec 18                  sub    $0x18,%esp
Code;  c0110066 <__wake_up+6/130>
  12:   57                        push   %edi
Code;  c0110067 <__wake_up+7/130>
  13:   56                        push   %esi

Kernel panic: Aiee, killing interrupt handler!
***** cut here *****

Our fix was:

Index: net/ipv6/tcp_ipv6.c
===================================================================
RCS file: /cvsroot/usagi/usagi/kernel/linux24/net/ipv6/tcp_ipv6.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- net/ipv6/tcp_ipv6.c 2001/01/05 06:00:59     1.22
+++ net/ipv6/tcp_ipv6.c 2001/02/18 01:44:46     1.23
@@ -1,4 +1,4 @@
-/* $USAGI: tcp_ipv6.c,v 1.22 2001/01/05 06:00:59 yoshfuji Exp $ */
+/* $USAGI: tcp_ipv6.c,v 1.23 2001/02/18 01:44:46 yoshfuji Exp $ */
 
 /*
  *     TCP over IPv6
@@ -458,7 +458,7 @@
        struct sock *sk2, **skp;
        struct tcp_tw_bucket *tw;
 
-       write_lock(&head->lock);
+       write_lock_bh(&head->lock);
 
        for(skp = &(head + tcp_ehash_size)->chain; (sk2=*skp)!=NULL; skp = 
&sk2->next) {
                tw = (struct tcp_tw_bucket*)sk2;

-- 
Hideaki YOSHIFUJI @ USAGI Project  <yoshfuji@xxxxxxxxxxxxxx>
PGP5i FP: F731 6599 5EB2 BBA7 1515  1323 1806 A96F 5700 6B25