Crash on "ip link add foo type ipip"

Bug #1811803 reported by Witold Krecicki on 2019-01-15
This bug affects 2 people
Affects: linux (Ubuntu), status tracked in Disco
  Xenial: importance Undecided, Unassigned
  Bionic: importance Undecided, Unassigned
  Cosmic: importance Undecided, Unassigned
  Disco: importance High, assigned to Juerg Haefliger

Bug Description

On 4.18.0-13-generic #14-Ubuntu SMP Wed Dec 5 09:04:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

When I executed "sudo ip link add foo type ipip" the kernel crashed, leaving the system working but mostly unusable (networking was flaky). dmesg showed:

[156541.500970] ipip: IPv4 and MPLS over IPv4 tunneling driver
[156541.502201] BUG: unable to handle kernel NULL pointer dereference at 0000000000000108
[156541.502207] PGD 0 P4D 0
[156541.502210] Oops: 0000 [#1] SMP PTI
[156541.502213] CPU: 9 PID: 29001 Comm: ip Tainted: G OE 4.18.0-13-generic #14-Ubuntu
[156541.502215] Hardware name: Dell Inc. XPS 15 9570/0HWTMH, BIOS 1.6.0 11/02/2018
[156541.502223] RIP: 0010:ipip_netlink_fan.isra.11+0x5/0x250 [ipip]
[156541.502224] Code: d9 fe ff ff 48 8d 93 78 09 00 00 eb 93 48 89 de 4c 89 e7 e8 cd 78 fe ff eb c3 e8 c6 79 5d e8 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 87 08 01 00 00 48 85 c0 0f 84 1a 02 00 00 8b 12 85 d2 0f 85
[156541.502245] RSP: 0018:ffffbac005a2b588 EFLAGS: 00010246
[156541.502246] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[156541.502248] RDX: ffffbac005a2b5d0 RSI: ffff9c1122439900 RDI: 0000000000000000
[156541.502249] RBP: ffffbac005a2b600 R08: 0000000000000000 R09: ffffbac005a2b594
[156541.502250] R10: ffffffffc0cb9120 R11: 0000000000000000 R12: ffff9c1122439000
[156541.502251] R13: ffff9c1122439900 R14: ffffbac005a2b930 R15: ffffffffaa805780
[156541.502253] FS: 00007fe219348680(0000) GS:ffff9c136be40000(0000) knlGS:0000000000000000
[156541.502254] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[156541.502255] CR2: 0000000000000108 CR3: 000000010f724001 CR4: 00000000003606e0
[156541.502257] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[156541.502258] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[156541.502259] Call Trace:
[156541.502265] ? ipip_newlink+0x8c/0xc6 [ipip]
[156541.502273] rtnl_newlink+0x67b/0x8c0
[156541.502279] ? nla_parse+0x35/0xe0
[156541.502280] ? rtnl_newlink+0x12e/0x8c0
[156541.502288] ? get_page_from_freelist+0xf7e/0x1320
[156541.502298] ? mem_cgroup_commit_charge+0x82/0x530
[156541.502302] ? lru_cache_add_active_or_unevictable+0x39/0xb0
[156541.502309] ? handle_pte_fault+0x52c/0xbe0
[156541.502313] rtnetlink_rcv_msg+0x213/0x300
[156541.502318] ? copy_user_generic_unrolled+0x89/0xc0
[156541.502320] ? rtnl_calcit.isra.33+0x100/0x100
[156541.502327] netlink_rcv_skb+0x52/0x130
[156541.502329] rtnetlink_rcv+0x15/0x20
[156541.502331] netlink_unicast+0x1a4/0x260
[156541.502333] netlink_sendmsg+0x20b/0x3d0
[156541.502340] sock_sendmsg+0x3e/0x50
[156541.502342] ___sys_sendmsg+0x295/0x2f0
[156541.502344] ? handle_pte_fault+0x539/0xbe0
[156541.502347] ? __handle_mm_fault+0x42c/0x5b0
[156541.502350] __sys_sendmsg+0x5c/0xa0
[156541.502353] __x64_sys_sendmsg+0x1f/0x30
[156541.502358] do_syscall_64+0x5a/0x110
[156541.502361] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[156541.502364] RIP: 0033:0x7fe219682234
[156541.502365] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 48 8d 05 c9 d4 0c 00 8b 00 85 c0 75 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 41 89 d4 55 48 89 f5 53
[156541.502390] RSP: 002b:00007ffe5887fbe8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[156541.502392] RAX: ffffffffffffffda RBX: 000000005c3dbcf0 RCX: 00007fe219682234
[156541.502393] RDX: 0000000000000000 RSI: 00007ffe5887fc50 RDI: 0000000000000003
[156541.502394] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[156541.502396] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[156541.502397] R13: 00005597e7c6c020 R14: 00007ffe5887fd4c R15: 0000000000000000
[156541.502399] Modules linked in: ipip tunnel4 ip_tunnel veth sctp libcrc32c ses enclosure scsi_transport_sas uas usb_storage ath10k_pci thunderbolt rfcomm pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) ccm arc4 cmac bnep binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic dell_wmi wmi_bmof mxm_wmi intel_wmi_thunderbolt snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm intel_rapl x86_pkg_temp_thermal dell_laptop intel_powerclamp ath10k_core dell_smbios coretemp dell_wmi_descriptor kvm_intel snd_seq_midi dcdbas snd_seq_midi_event ath snd_rawmidi mac80211 kvm snd_seq irqbypass uvcvideo intel_cstate videobuf2_vmalloc intel_rapl_perf snd_seq_device videobuf2_memops snd_timer videobuf2_v4l2 btusb serio_raw videobuf2_common btrtl btbcm snd rtsx_pci_ms
[156541.502470] videodev btintel soundcore cfg80211 memstick cdc_acm media input_leds bluetooth ecdh_generic mei_me joydev mei hid_multitouch idma64 virt_dma processor_thermal_device intel_soc_dts_iosf intel_pch_thermal ucsi_acpi typec_ucsi typec int3403_thermal int340x_thermal_zone int3400_thermal mac_hid acpi_thermal_rel dell_smo8800 intel_hid wmi sparse_keymap acpi_pad sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 algif_skcipher af_alg dm_crypt wacom usbhid hid_generic i915 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc i2c_algo_bit drm_kms_helper aesni_intel syscopyarea sysfillrect aes_x86_64 sysimgblt rtsx_pci_sdmmc crypto_simd fb_sys_fops nvme cryptd glue_helper psmouse drm ahci nvme_core rtsx_pci i2c_i801 intel_lpss_pci libahci i2c_hid intel_lpss hid pinctrl_cannonlake
[156541.502523] video pinctrl_intel [last unloaded: ath10k_pci]
[156541.502528] CR2: 0000000000000108
[156541.502531] ---[ end trace 48bd88c62d9ac460 ]---
[156541.502535] RIP: 0010:ipip_netlink_fan.isra.11+0x5/0x250 [ipip]
[156541.502536] Code: d9 fe ff ff 48 8d 93 78 09 00 00 eb 93 48 89 de 4c 89 e7 e8 cd 78 fe ff eb c3 e8 c6 79 5d e8 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 87 08 01 00 00 48 85 c0 0f 84 1a 02 00 00 8b 12 85 d2 0f 85
[156541.502558] RSP: 0018:ffffbac005a2b588 EFLAGS: 00010246
[156541.502559] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[156541.502560] RDX: ffffbac005a2b5d0 RSI: ffff9c1122439900 RDI: 0000000000000000
[156541.502561] RBP: ffffbac005a2b600 R08: 0000000000000000 R09: ffffbac005a2b594
[156541.502563] R10: ffffffffc0cb9120 R11: 0000000000000000 R12: ffff9c1122439000
[156541.502564] R13: ffff9c1122439900 R14: ffffbac005a2b930 R15: ffffffffaa805780
[156541.502565] FS: 00007fe219348680(0000) GS:ffff9c136be40000(0000) knlGS:0000000000000000
[156541.502567] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[156541.502568] CR2: 0000000000000108 CR3: 000000010f724001 CR4: 00000000003606e0
[156541.502569] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[156541.502571] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
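
An added triage example, not part of the original report or of any Ubuntu tooling: this Python function parses an excerpt of the oops above and decodes the faulting instruction (the bytes from the `<48>` marker in the Code: line) to show which register held the bad pointer. The name `triage` and the single instruction form it decodes are assumptions of this example.

```python
import re

# Excerpt of the oops in the report above (timestamps dropped).
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000108
RIP: 0010:ipip_netlink_fan.isra.11+0x5/0x250 [ipip]
Code: d9 fe ff ff 48 8d 93 78 09 00 00 eb 93 48 89 de 4c 89 e7 e8 cd 78 fe ff eb c3 e8 c6 79 5d e8 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 87 08 01 00 00 48 85 c0 0f 84 1a 02 00 00 8b 12 85 d2 0f 85
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffbac005a2b5d0 RSI: ffff9c1122439900 RDI: 0000000000000000
"""

# x86-64 ModRM register numbering (valid here because REX.B is clear).
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

def triage(text):
    """Summarise an x86-64 oops: where it faulted and which pointer was bad."""
    out = {}
    m = re.search(r"NULL pointer dereference at ([0-9a-f]+)", text)
    out["fault_addr"] = int(m.group(1), 16)
    m = re.search(r"RIP: 0010:(\S+)\+(0x[0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?", text)
    out["function"], out["module"] = m.group(1), m.group(3)
    out["offset"] = int(m.group(2), 16)
    regs = {k: int(v, 16)
            for k, v in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text)}
    # Bytes from the <..> marker onward are the faulting instruction.
    code = re.search(r"Code:.*?<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", text)
    insn = bytes.fromhex(code.group(1) + code.group(2).replace(" ", ""))
    # Decode only the form seen here: REX.W 8B /r, mod=10 (base + disp32), no SIB.
    if insn[0] == 0x48 and insn[1] == 0x8B and insn[2] >> 6 == 2 and insn[2] & 7 != 4:
        base = REGS64[insn[2] & 7]
        disp = int.from_bytes(insn[3:7], "little", signed=True)
        out["base_reg"], out["disp"] = base, disp
        # A NULL base plus a small struct offset reproduces the fault address.
        out["null_base"] = regs[base] == 0 and regs[base] + disp == out["fault_addr"]
    return out

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

RDI is the first-argument register in the x86-64 System V calling convention, and the fault is at offset 0x5 of the function, so the result points at a NULL first argument passed to the faulting function.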

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1811803

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: cosmic
Witold Krecicki (wpk) wrote :

Due to the fact that networking stops working when the crash occurs, I can't collect anything using apport-collect; I believe the dmesg above should be enough.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Juerg Haefliger (juergh) on 2019-01-18
Changed in linux (Ubuntu):
importance: Undecided → High
assignee: nobody → Juerg Haefliger (juergh)
Seth Forshee (sforshee) on 2019-01-18
Changed in linux (Ubuntu Disco):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux (Ubuntu Bionic):
status: New → Fix Committed
Changed in linux (Ubuntu Cosmic):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: ve...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-cosmic
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Juerg Haefliger (juergh) wrote :

Successfully tested Xenial, Bionic and Cosmic kernels.

tags: added: verification-done-bionic verification-done-cosmic verification-done-xenial
removed: verification-needed-bionic verification-needed-cosmic verification-needed-xenial