kernel crashes when shutting down ppp interface
Issue
- System crashed when shutting down ppp interface.
BUG: unable to handle kernel NULL pointer dereference at 00000048
IP: [<fa031498>] find_match+0x38/0x160 [ipv6]
*pdpt = 000000002a9e9001 *pde = 000000031f022067
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/net/ppp33/flags
Modules linked in: bluetooth rfkill ppp_async crc_ccitt ppp_generic slhc sctp libcrc32c iptable_filter ip_tables mptctl mptbase nfsd lockd nfs_acl auth_rpcgss exportfs autofs4 sunrpc pcc_cpufreq ipv6 dm_mirror dm_region_hash dm_log uinput power_meter sg microcode serio_raw iTCO_wdt iTCO_vendor_support hpilo hpwdt bnx2 i7core_edac edac_core ext3 jbd mbcache sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix hpsa radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mod [last unloaded: scsi_wait_scan]
Pid: 17922, comm: ping6 Not tainted 2.6.32-220.4.2.el6.i686 #1 HP ProLiant DL380 G7
EIP: 0060:[<fa031498>] EFLAGS: 00010202 CPU: 3
EIP is at find_match+0x38/0x160 [ipv6]
EAX: 00000000 EBX: e0860580 ECX: 00000003 EDX: 00002297
ESI: 00000000 EDI: 00000000 EBP: dbcbbccc ESP: dbcbbc78
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process ping6 (pid: 17922, ti=dbcba000 task=f0941030 task.ti=dbcba000)
Stack:
dbcbbe14 00000000 00000000 e0860580 00000000 00000003 dbcbbccc fa0329e4
<0> dbcbbccc 00000000 00002297 e0860580 e5943dc0 c0c386a0 00000002 00000002
<0> dbcbbe14 dbcbbe24 f1b0cd90 00000003 f1b0cd8c ffffffff 00000001 c0c386a0
Call Trace:
[<fa0329e4>] ? ip6_pol_route+0xe4/0x2d0 [ipv6]
[<fa032be6>] ? ip6_pol_route_output+0x16/0x20 [ipv6]
[<fa0526a7>] ? fib6_rule_action+0xb7/0x1e0 [ipv6]
[<c043f742>] ? __wake_up+0x42/0x60
[<fa032bd0>] ? ip6_pol_route_output+0x0/0x20 [ipv6]
[<c079b954>] ? fib_rules_lookup+0x84/0xc0
[<fa052801>] ? fib6_rule_lookup+0x31/0x90 [ipv6]
[<fa032bd0>] ? ip6_pol_route_output+0x0/0x20 [ipv6]
[<fa030fc3>] ? ip6_route_output+0xa3/0xc0 [ipv6]
[<fa032bd0>] ? ip6_pol_route_output+0x0/0x20 [ipv6]
[<fa0261f1>] ? ip6_dst_lookup_tail+0x201/0x220 [ipv6]
[<c0475f60>] ? autoremove_wake_function+0x0/0x40
[<c0440af7>] ? update_curr+0x207/0x310
[<fa04c290>] ? ip6_datagram_connect+0x380/0x650 [ipv6]
[<fa03a308>] ? ipv6_rcv_saddr_equal+0x88/0x1c0 [ipv6]
[<fa03a280>] ? ipv6_rcv_saddr_equal+0x0/0x1c0 [ipv6]
[<c0830a78>] ? _spin_lock_bh+0x8/0x30
[<c077bdb2>] ? release_sock+0x12/0xb0
[<c07dfe66>] ? inet_dgram_connect+0x26/0x80
[<c077a02d>] ? sys_connect+0xdd/0x100
[<c077d7fb>] ? sock_setsockopt+0xfb/0x6c0
[<c077a3c3>] ? sys_setsockopt+0xb3/0xd0
[<c077ae2b>] ? sys_socketcall+0x28b/0x2e0
[<c04afb4c>] ? audit_syscall_entry+0x21c/0x240
[<c04af860>] ? __audit_syscall_exit+0x220/0x250
[<c0409a9f>] ? sysenter_do_call+0x12/0x28
Code: 8b 7c 24 24 89 74 24 10 89 6c 24 18 8b b0 a8 00 00 00 f7 c6 00 00 40 00 74 0a a1 00 da a2 c0 39 43 18 78 37 85 d2 8b 43 0c 74 48 <3b> 50 48 74 43 f6 80 c0 00 00 00 08 74 16 8b 83 90 00 00 00 85
EIP: [<fa031498>] find_match+0x38/0x160 [ipv6] SS:ESP 0068:dbcbbc78
CR2: 0000000000000048
kernel BUG at net/ipv6/ip6_fib.c:1139!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/net/ppp37/flags
Modules linked in: ppp_async crc_ccitt ppp_generic slhc sctp libcrc32c iptable_filter ip_tables bluetooth rfkill mptctl mptbase nfsd lockd nfs_acl auth_rpcgss exportfs autofs4 sunrpc pcc_cpufreq ipv6 dm_mirror dm_region_hash dm_log uinput power_meter sg microcode serio_raw iTCO_wdt iTCO_vendor_support hpilo hpwdt bnx2 i7core_edac edac_core ext3 jbd mbcache sr_mod cdrom sd_mod crc_t10dif pata_acpi ata_generic ata_piix hpsa radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core dm_mod [last unloaded: scsi_wait_scan]
Pid: 31956, comm: pppdsip Not tainted 2.6.32-220.4.2.el6.i686 #1 HP ProLiant DL380 G7
EIP: 0060:[<fa0353a9>] EFLAGS: 00210202 CPU: 1
EIP is at fib6_del+0x4c9/0x4d0 [ipv6]
EAX: 00000002 EBX: e31aa180 ECX: ecc3b8e0 EDX: 00000000
ESI: 00000000 EDI: ed495d74 EBP: e31aa230 ESP: ed495d14
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process pppdsip (pid: 31956, ti=ed494000 task=e3021570 task.ti=ed494000)
Stack:
c0c386a0 e31aa180 ed495d74 ed495d20 ed495d20 f1bc1720 f1bc1720 00000000
<0> c0c30103 fa0353b0 00000000 c0c386a0 fa033be0 e31aa180 e31aa180 f188cd8c
<0> fffffffe ed495d74 fa0309e5 c1686540 00000000 00000040 ef4c92c0 fa030b76
Call Trace:
[<fa0353b0>] ? fib6_clean_node+0x0/0xb0 [ipv6]
[<fa033be0>] ? fib6_prune_clone+0x0/0x20 [ipv6]
[<fa0309e5>] ? __ip6_del_rt+0x45/0x70 [ipv6]
[<fa030b76>] ? ip6_del_rt+0x26/0x30 [ipv6]
[<fa02b2b6>] ? __ipv6_ifa_notify+0x146/0x1d0 [ipv6]
[<fa02c624>] ? addrconf_ifdown+0x1a4/0x330 [ipv6]
[<c07a99bb>] ? netlink_broadcast+0x17b/0x3d0
[<fa02e959>] ? addrconf_notify+0xd9/0x8e0 [ipv6]
[<c0830a38>] ? _write_lock_bh+0x8/0x20
[<fa034488>] ? fib6_walk+0x78/0x80 [ipv6]
[<fa034772>] ? fib6_clean_all+0x72/0x90 [ipv6]
[<c0464d67>] ? lock_timer_base+0x27/0x50
[<fa034880>] ? fib6_gc_timer_cb+0x0/0x10 [ipv6]
[<c0465c1e>] ? mod_timer+0xfe/0x1e0
[<fa033c00>] ? fib6_age+0x0/0x80 [ipv6]
[<fa03481d>] ? fib6_run_gc+0x8d/0xf0 [ipv6]
[<c08339b4>] ? notifier_call_chain+0x44/0x60
[<c047b987>] ? raw_notifier_call_chain+0x17/0x20
[<c0789a6e>] ? dev_close+0x6e/0xb0
[<c0789aee>] ? rollback_registered+0x3e/0x110
[<c056068c>] ? fsnotify_clear_marks_by_inode+0x1c/0xb0
[<c0789bd6>] ? unregister_netdevice+0x16/0x60
[<c082f931>] ? mutex_lock+0x11/0x40
[<c0789c2f>] ? unregister_netdev+0xf/0x20
[<f9835023>] ? ppp_shutdown_interface+0xf3/0x110 [ppp_generic]
[<f983507c>] ? ppp_release+0x3c/0x60 [ppp_generic]
[<c052bd5c>] ? __fput+0xdc/0x1f0
[<c0527fb7>] ? filp_close+0x47/0x80
[<c0452645>] ? mmput+0x85/0xd0
[<c0456e9a>] ? put_files_struct+0x5a/0xb0
[<c0458d0c>] ? do_exit+0x14c/0x740
[<c04afb4c>] ? audit_syscall_entry+0x21c/0x240
[<c045933c>] ? do_group_exit+0x3c/0xa0
[<c04593b1>] ? sys_exit_group+0x11/0x20
[<c0409a9f>] ? sysenter_do_call+0x12/0x28
Code: c0 56 05 fa ba e3 03 00 00 e8 b4 f7 41 c6 0f b7 46 12 e9 dd fd ff ff ba 89 04 00 00 b8 c0 56 05 fa e8 9c f7 41 c6 e9 95 fb ff ff <0f> 0b eb fe 8d 76 00 57 56 89 c6 53 83 ec 1c 8b 5e 10 8b 40 20
EIP: [<fa0353a9>] fib6_del+0x4c9/0x4d0 [ipv6] SS:ESP 0068:ed495d14
unregister_netdevice: waiting for ppp37 to become free. Usage count = 1
unregister_netdevice: waiting for ppp37 to become free. Usage count = 1
unregister_netdevice: waiting for ppp37 to become free. Usage count = 1
unregister_netdevice: waiting for ppp37 to become free. Usage count = 1
unregister_netdevice: waiting for ppp37 to become free. Usage count = 1
INFO: task pppdsip:23197 blocked for more than 300 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
pppdsip D ecbefe90 0 23197 1 0x00000080
f00f6ab0 00200046 00000002 ecbefe90 c1e13aa4 00000000 f3423c94 00000000
f34d2472 eeebf040 00000294 02ec7394 00000294 c0b0f0c0 c0b0f0c0 f00f6d58
c0b0f0c0 c0b0aaa4 c0b0f0c0 f00f6d58 0026ae59 f00f6ab0 e4c2d9a1 f00f6ab0
Call Trace:
[<c043f742>] ? __wake_up+0x42/0x60
[<f85f05d6>] ? journal_stop+0x136/0x2d0 [jbd]
[<f8655c69>] ? ext3_free_inode+0x259/0x340 [ext3]
[<c082fa38>] ? __mutex_lock_slowpath+0xd8/0x140
[<c082f93d>] ? mutex_lock+0x1d/0x40
[<f9f49f7f>] ? ppp_shutdown_interface+0x4f/0x110 [ppp_generic]
[<f9f4a07c>] ? ppp_release+0x3c/0x60 [ppp_generic]
[<c052bd5c>] ? __fput+0xdc/0x1f0
[<c0527fb7>] ? filp_close+0x47/0x80
[<c0452645>] ? mmput+0x85/0xd0
[<c0456e9a>] ? put_files_struct+0x5a/0xb0
[<c0458d0c>] ? do_exit+0x14c/0x740
[<c04afb4c>] ? audit_syscall_entry+0x21c/0x240
[<c045933c>] ? do_group_exit+0x3c/0xa0
[<c04593b1>] ? sys_exit_group+0x11/0x20
[<c0409a9f>] ? sysenter_do_call+0x12/0x28
Kernel panic - not syncing: hung_task: blocked tasks
Pid: 137, comm: khungtaskd Not tainted 2.6.32-220.4.2.el6.i686 #1
Call Trace:
[<c082e0a8>] ? panic+0x42/0xf9
[<c04b33da>] ? watchdog+0x1da/0x1e0
[<c04b3200>] ? watchdog+0x0/0x1e0
[<c0475d24>] ? kthread+0x74/0x80
[<c0475cb0>] ? kthread+0x0/0x80
[<c0409fff>] ? kernel_thread_helper+0x7/0x10
Environment
- Red Hat Enterprise Linux 6.2
- kernel: 2.6.32-220.4.2.el6.i686