linux-kernel.vger.kernel.org archive mirror
From: Andrew Morton <akpm@digeo.com>
To: Dave Jones <davej@codemonkey.org.uk>
Cc: cat@zip.com.au, linux-kernel@vger.kernel.org, sct@redhat.com,
	akpm@zip.com.au, adilger@clusterfs.com, davem@redhat.com,
	jmorris@intercode.com.au
Subject: Re: 2.5.67: ext3 and tcp BUG()/oops/error/whatnot?
Date: Thu, 10 Apr 2003 14:14:43 -0700
Message-ID: <20030410141443.730ead79.akpm@digeo.com>
In-Reply-To: <20030410173017.GB20177@suse.de>

Dave Jones <davej@codemonkey.org.uk> wrote:
>
> On Fri, Apr 11, 2003 at 02:38:58AM +1000, CaT wrote:
> 
>  > Slab corruption: start=ce6130c4, expend=ce6131f3, problemat=ce613128
>  > Last user: [<c032ff78>](destroy_conntrack+0x9c/0xac)
>  > Data: ****************************************************************************************************28 31 61 CE 28 31 61 CE ***************************************************************************************************************************************************************************************************A5 
>  > Next: 71 F0 2C .78 FF 32 C0 71 F0 2C .********************
>  > slab error in check_poison_obj(): cache `ip_conntrack': object was modified after freeing
>  > Call Trace:
>  >  [<c0131d5d>] __slab_error+0x21/0x28
>  >  [<c013214c>] check_poison_obj+0x174/0x180
>  >  [<c01331b9>] kmem_cache_alloc+0x8d/0x128
>  >  [<c033075f>] init_conntrack+0xcf/0x310
>  >  [<c033075f>] init_conntrack+0xcf/0x310
> 
> Known bug, with known fix. This really should go to Linus.
> http://bugzilla.kernel.org/show_bug.cgi?id=497

I've had the below patch in -mm for some time, but am not sure what to do
with it.  My last attempt to contact netfilter people didn't work.

James?  Help?


From: Martin Josefsson <gandalf@wlug.westbo.se>

You are correct. It was a list_del() that caused it (at least I think
so, it's 2am right now).

1. conntrack helper adds an expectation and adds that to a list hanging
off of a connection.

2. the expected connection arrives. the expectation is still on the
list.

3. the original connection that caused the expectation terminates but
the expectation still thinks it's added to the list.

4. the expected connection terminates and list_del() is called to remove
it from the list which doesn't exist anymore. boom!

(forwarded by akpm@digeo.com)


 25-akpm/net/ipv4/netfilter/ip_conntrack_core.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff -puN net/ipv4/netfilter/ip_conntrack_core.c~conntrack-use-after-free-fix net/ipv4/netfilter/ip_conntrack_core.c
--- 25/net/ipv4/netfilter/ip_conntrack_core.c~conntrack-use-after-free-fix	Thu Apr  3 14:53:46 2003
+++ 25-akpm/net/ipv4/netfilter/ip_conntrack_core.c	Thu Apr  3 14:53:46 2003
@@ -273,6 +273,7 @@ static void remove_expectations(struct i
 		 * the un-established ones only */
 		if (exp->sibling) {
 			DEBUGP("remove_expectations: skipping established %p of %p\n", exp->sibling, ct);
+			exp->expectant = NULL;
 			continue;
 		}
 
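Review bot: the added `exp->expectant = NULL;` in the established-sibling branch of remove_expectations() gives the expectant field a second meaning (NULL now signals "the master is gone"), but nothing in the hunk records that, and the expectation's own expected_list links are left pointing into the connection being torn down. Either unlink the node here as well (list_del_init() so a later list_del() would be a safe no-op) or extend the comment above the DEBUGP to say that a NULL expectant means the expectation is detached from the master's list and its list links must not be followed. The matching test in destroy_conntrack() runs under WRITE_LOCK(&ip_conntrack_lock); the hunk does not show which lock remove_expectations() holds when it writes the field, so confirm it is the same one.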
@@ -326,9 +327,11 @@ destroy_conntrack(struct nf_conntrack *n
 	WRITE_LOCK(&ip_conntrack_lock);
 	/* Delete our master expectation */
 	if (ct->master) {
-		/* can't call __unexpect_related here,
-		 * since it would screw up expect_list */
-		list_del(&ct->master->expected_list);
+		if (ct->master->expectant) {
+			/* can't call __unexpect_related here,
+			 * since it would screw up expect_list */
+			list_del(&ct->master->expected_list);
+		}
 		kfree(ct->master);
 	}
 	WRITE_UNLOCK(&ip_conntrack_lock);
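Review bot: the new `if (ct->master->expectant)` guard in destroy_conntrack() silently skips the list_del() with no comment on when expectant can be NULL; the retained comment only explains why __unexpect_related cannot be used. Add a line such as `/* expectant is NULL when the master was already destroyed, see remove_expectations() */` so the reason survives the next refactor. When the guard is false the expectation's expected_list still points into the freed master; that is only safe because `kfree(ct->master)` follows immediately, which is worth stating next to the guard.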

_
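The use-after-free Martin describes, replayed as an added userspace model that is not code from the patch or from the kernel: the list_head helpers mirror the kernel's, `struct conn`, `struct expectation`, `free_master()`, `destroy_expected()` and `replay()` are hypothetical stand-ins, and the freed master is poisoned in place with the slab poisoner's 0x6b pattern instead of being free()d so the caller can check whether it was written to after "freeing", the same check that produced the report's slab error.

```c
#include <stddef.h>
#include <string.h>
/* Minimal userspace model of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}
static void list_del(struct list_head *e)
{
	e->prev->next = e->next; /* writes into both neighbours: if the */
	e->next->prev = e->prev; /* list head was freed, that is a UAF  */
}
/* Hypothetical stand-ins for the conntrack structures in the patch. */
struct conn { struct list_head expectations; };
struct expectation { struct list_head expected_list; struct conn *expectant; };
#define POISON_FREE 0x6b /* pattern the slab poisoner writes into freed objects */

/* Step 3: the master terminates.  With the fix, remove_expectations() clears
 * each skipped expectation's back pointer; the master is then "freed", here
 * poisoned in place rather than free()d so the caller can inspect it. */
static void free_master(struct conn *c, int fixed)
{
	struct list_head *p;
	if (fixed)
		for (p = c->expectations.next; p != &c->expectations; p = p->next)
			((struct expectation *)p)->expectant = NULL; /* expected_list is first member */
	memset(c, POISON_FREE, sizeof *c);
}
/* Step 4: the expected connection terminates (destroy_conntrack). */
static void destroy_expected(struct expectation *e, int fixed)
{
	if (!fixed || e->expectant) /* unfixed code calls list_del unconditionally */
		list_del(&e->expected_list);
}
/* Replays steps 1-4 from the report.  Returns 1 if the freed master was written
 * to afterwards, which is what check_poison_obj() reports as "modified after
 * freeing", and 0 if the poison pattern survived intact. */
static int replay(int fixed)
{
	struct conn master; struct expectation exp;
	const unsigned char *b = (const unsigned char *)&master;
	size_t i;
	list_init(&master.expectations);
	exp.expectant = &master;
	list_add(&exp.expected_list, &master.expectations); /* 1: helper adds expectation */
	free_master(&master, fixed);                         /* 2-3: expected conn arrives, master dies */
	destroy_expected(&exp, fixed);                       /* 4: expected conn terminates */
	for (i = 0; i < sizeof master; i++)
		if (b[i] != POISON_FREE) return 1;
	return 0;
}
```

`replay(0)` reproduces the write into freed memory, `replay(1)` shows the guarded list_del() leaving the poison untouched.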


Thread overview: 6+ messages
2003-04-10 16:38 2.5.67: ext3 and tcp BUG()/oops/error/whatnot? CaT
2003-04-10 17:30 ` Dave Jones
2003-04-10 21:14   ` Andrew Morton [this message]
2003-04-10 22:35     ` Martin Josefsson
2003-04-11  0:18       ` James Morris
2003-04-10 23:33     ` David S. Miller