From: David Miller <davem@davemloft.net>
To: torvalds@linux-foundation.org
Cc: aconole@redhat.com, fw@strlen.de, viro@zeniv.linux.org.uk,
	akpm@linux-foundation.org, axboe@fb.com, tytso@mit.edu,
	cl@linux.com, pablo@netfilter.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org
Subject: Re: slab corruption with current -git
Date: Mon, 10 Oct 2016 04:24:01 -0400 (EDT)
Message-ID: <20161010.042401.637964142015887598.davem@davemloft.net>
In-Reply-To: <20161009.235745.860945462339053703.davem@davemloft.net>

From: David Miller <davem@davemloft.net>
Date: Sun, 09 Oct 2016 23:57:45 -0400 (EDT)

> From: Linus Torvalds <torvalds@linux-foundation.org>
> Date: Sun, 9 Oct 2016 20:41:17 -0700
> 
>> Note that the "correct way" of doing list operations also almost
>> inevitably is the shortest way by far, since it gets rid of all the
>> special cases. So the patch looks nice. It gets rid of the magic
>> "nf_set_hooks_head()" thing too, because once you do list following
>> right, the head is no different from any other pointer in the list.
> 
> Perhaps we should have some "slist" primitives added to
> include/linux/list.h but since the comparison differs for each user I
> guess it's hard to abstract in a way that's generic and inlines
> properly.
> 
> I'll start taking a look at your patch and this stuff as well, thanks
> Linus.

So I've been reviewing this patch and it looks fine, but I also want
to figure out what is actually causing the OOPS and I can't spot it
yet.

One possible way to see that oops is to free the head entry of the
chain without unlinking it.  The next unregister will dereference a
POISON pointer.

Actually...

The POISON value comes not from a hook entry, but from the array of
pointers in the per-netns datastructure.

This means that the netns is possibly getting freed up before we
unregister the netfilter hooks.
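
The list handling discussed in the quoted text, as an added userspace example that is not part of the original message and is not the kernel patch under review: a priority-ordered hook chain walked through a pointer to the link itself, so the head needs no special case. The names `hook_entry`, `hook_register`, `hook_unregister` and `hook_is_linked` are hypothetical; `hook_is_linked` is the kind of check a free path can run to catch an entry that is about to be freed while still on the chain.

```c
#include <stddef.h>

/* Hypothetical userspace model of a hook chain; not kernel code. */
struct hook_entry {
    int priority;
    struct hook_entry *next;
};

/* Insert in ascending priority order. pp points at a link (the head
 * or some entry's next field), so the head is not a special case. */
void hook_register(struct hook_entry **head, struct hook_entry *reg)
{
    struct hook_entry **pp;

    for (pp = head; *pp; pp = &(*pp)->next)
        if (reg->priority < (*pp)->priority)
            break;
    reg->next = *pp;
    *pp = reg;
}

/* Unlink reg from the chain. Returns 1 if it was linked, 0 if not. */
int hook_unregister(struct hook_entry **head, struct hook_entry *reg)
{
    struct hook_entry **pp;

    for (pp = head; *pp; pp = &(*pp)->next) {
        if (*pp == reg) {
            *pp = reg->next;   /* same store for head and non-head */
            reg->next = NULL;
            return 1;
        }
    }
    return 0;
}

/* Returns 1 if reg is still reachable from head. Freeing an entry for
 * which this is true leaves a link pointing at freed memory. */
int hook_is_linked(struct hook_entry *head, const struct hook_entry *reg)
{
    for (; head; head = head->next)
        if (head == reg)
            return 1;
    return 0;
}

int main(void)
{
    struct hook_entry a = {10, NULL}, b = {-5, NULL};
    struct hook_entry *head = NULL;

    hook_register(&head, &a);
    hook_register(&head, &b);          /* b becomes the head entry */
    return (hook_unregister(&head, &b) && head == &a) ? 0 : 1;
}
```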

Thread overview: 25+ messages
2016-10-09 21:31 slab corruption with current -git (was Re: [git pull] vfs pile 1 (splice)) Linus Torvalds
2016-10-10  0:51 ` Florian Westphal
2016-10-10  1:35   ` Aaron Conole
2016-10-10  2:49     ` Linus Torvalds
2016-10-10  3:41       ` Linus Torvalds
2016-10-10  3:57         ` slab corruption with current -git David Miller
2016-10-10  8:24           ` David Miller [this message]
2016-10-10 16:15             ` Linus Torvalds
2016-10-11 13:17             ` Michal Kubecek
2016-10-11 13:55               ` Aaron Conole
2016-10-10 13:49         ` slab corruption with current -git (was Re: [git pull] vfs pile 1 (splice)) Aaron Conole
2016-10-10 16:28           ` Linus Torvalds
2016-10-10 19:05             ` Linus Torvalds
2016-10-10 19:18               ` Aaron Conole
2016-10-11  0:30               ` slab corruption with current -git David Miller
2016-10-11  0:54                 ` Linus Torvalds
2016-10-11  5:39         ` slab corruption with current -git (was Re: [git pull] vfs pile 1 (splice)) Linus Torvalds
2016-10-11  5:47           ` Linus Torvalds
2016-10-11  8:57             ` slab corruption with current -git David Miller
2016-10-13  6:02               ` Markus Trippelsdorf
2016-10-13  6:06                 ` Markus Trippelsdorf
     [not found]                   ` <CA+55aFwsUR4-YmOYgJOOO4a2e48M4_tk7YhAo4s5KZQQxUjpZw@mail.gmail.com>
2016-10-13  6:27                     ` Markus Trippelsdorf
2016-10-13 19:49                       ` Linus Torvalds
2016-10-13 20:43                         ` Florian Westphal
2016-10-13 21:32                         ` Al Viro
