netdev.vger.kernel.org archive mirror
From: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
To: netdev@vger.kernel.org
Subject: [RFC PATCH 0/5] netlink: mmap kernel panic and some issues
Date: Wed, 22 Jul 2015 22:17:30 +0900
Message-ID: <20150722131730.GA18037@gmail.com>

 Hello,

I got the kernel panic below when I dumped using an mmaped netlink
socket while monitoring it with an nlmon tap device. I realized it is
because an mmaped netlink skb does not have skb_shared_info, but I
don't know how to fix it in a sane way. This patch series seems to
work fine for me, but I'm not sure whether it's right or not.

Patch 1/5 added helper functions for mmaped netlink skbs and applied
these at 2/5. I'm not sure whether I should embed helper functions
like this or add skb functions and wrap them like alloc_skb_head() in
netlink_alloc_skb(). Patch 3/5 fixes nm_state for an skb which is
allocated but not sent.

I noticed I cannot send a netlink message using an mmaped netlink
socket since:

    commit: a8866ff6a5bce7d0ec465a63bc482a85c09b0d39
    netlink: make the check for "send from tx_ring" deterministic

I found that msg->msg_iter.type was set to 1 (WRITE). It seems that we
need to accept it but reject KERNEL_DS. Patch 4/5 may fix it.

Talking about Patch 5/5, I receive many notifications whose frame
status is NL_MMAP_STATUS_RESERVED from mmaped nflog poll() when I
specified the QTHRESH or TIMEOUT nflog config option. This behavior
seems to be different from a normal socket. And I don't need to be
notified that there is a frame I'm processing - SKIP in the ring
too.

It would be appreciated if someone could consolidate the patches or
tell me how to fix it.

Thanks,

[  196.691844] Netfilter messages via NETLINK v0.30.
[  196.742847] nf_conntrack version 0.5.0 (2943 buckets, 11772 max)
[  196.787119] ctnetlink v0.93: registering with nfnetlink.
[  211.177865] device eth1 entered promiscuous mode
[  211.314466] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[  211.319998] br0: port 1(eth1) entered forwarding state
[  211.320419] br0: port 1(eth1) entered forwarding state
[  211.466591] Ebtables v2.0 registered
[  226.336171] br0: port 1(eth1) entered forwarding state
[  300.957103] BUG: unable to handle kernel NULL pointer dereference at 0000000000000002
[  300.958740] IP: [<ffffffff81482b48>] kfree_skb_list+0x18/0x30
[  300.959814] PGD 177ae067 PUD 177c6067 PMD 0 
[  300.960958] Oops: 0000 [#1] SMP 
[  300.960958] Modules linked in: nlmon nf_conntrack_ipv4 nf_defrag_ipv4 ebt_redirect ebtable_broute ebtables x_tables bridge stp llc dummy nf_conntrack_netlink nf_conntrack nfnetlink netconsole binfmt_misc ttm drm_kms_helper drm ppdev snd_pcm snd_timer parport_pc snd parport soundcore acpi_cpufreq psmouse pcspkr i2c_piix4 evdev i2c_core processor button thermal_sys serio_raw configfs loop autofs4 ext4 crc16 mbcache jbd2 sg sr_mod cdrom ata_generic virtio_blk virtio_net ata_piix virtio_pci virtio_ring virtio libata scsi_mod floppy [last unloaded: netconsole]
[  300.960958] CPU: 0 PID: 890 Comm: ulogd Not tainted 4.1.1 #3
[  300.960958] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[  300.960958] task: ffff8800129963d0 ti: ffff880017254000 task.ti: ffff880017254000
[  300.960958] RIP: 0010:[<ffffffff81482b48>]  [<ffffffff81482b48>] kfree_skb_list+0x18/0x30
[  300.960958] RSP: 0018:ffff8800172577e8  EFLAGS: 00010202
[  300.960958] RAX: 0000000000000000 RBX: ffff88001513c000 RCX: 000000005fb50000
[  300.960958] RDX: 00000000ffffffff RSI: ffff88000012e000 RDI: 0000000000000002
[  300.960958] RBP: ffff8800172577f8 R08: 0000000000000020 R09: 0000000000000578
[  300.960958] R10: ffffffff818c4cc0 R11: 0000000000000000 R12: ffff88001747d800
[  300.960958] R13: 0000000000000000 R14: 0000000000001000 R15: ffff8800157ed400
[  300.960958] FS:  00007f92e6dc1700(0000) GS:ffff880017c00000(0000) knlGS:0000000000000000
[  300.960958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  300.960958] CR2: 0000000000000002 CR3: 0000000015100000 CR4: 00000000000006f0
[  300.960958] Stack:
[  300.960958]  ffff880017666600 ffff88001513c000 ffff880017257828 ffffffff81482be5
[  300.960958]  ffff880017257828 ffff88001747d800 0000000000000000 ffff88000012e000
[  300.960958]  ffff880017257848 ffffffff81482cc6 ffff88001747d800 ffff88001747d800
[  300.960958] Call Trace:
[  300.960958]  [<ffffffff81482be5>] ? skb_release_data+0x85/0xd0
[  300.960958]  [<ffffffff81482cc6>] ? __kfree_skb+0x16/0x90
[  300.960958]  [<ffffffffa033b16c>] ? nlmon_xmit+0x2c/0x30 [nlmon]
[  300.960958]  [<ffffffff81494043>] ? dev_hard_start_xmit+0x233/0x3e0
[  300.960958]  [<ffffffff8149442e>] ? netif_skb_features+0xfe/0x200
[  300.960958]  [<ffffffff81494770>] ? validate_xmit_skb+0x40/0x330
[  300.960958]  [<ffffffff81494f59>] ? __dev_queue_xmit+0x489/0x590
[  300.960958]  [<ffffffff814c2e26>] ? netlink_deliver_tap+0xe6/0x170
[  300.960958]  [<ffffffff814c2eeb>] ? __netlink_sendskb+0x3b/0x240
[  300.960958]  [<ffffffff814c57c6>] ? netlink_dump+0x1c6/0x2d0
[  300.960958]  [<ffffffff814c769a>] ? __netlink_dump_start+0x19a/0x1d0
[  300.960958]  [<ffffffffa02f4d20>] ? ctnetlink_get_conntrack+0xc0/0x25c [nf_conntrack_netlink]
[  300.960958]  [<ffffffffa02f2b20>] ? ctnetlink_dump_dying+0x20/0x20 [nf_conntrack_netlink]
[  300.960958]  [<ffffffffa02f0a40>] ? ctnetlink_nfqueue_attach_expect+0x170/0x170 [nf_conntrack_netlink]
[  300.960958]  [<ffffffff8131a15e>] ? __nla_reserve+0x4e/0x70
[  300.960958]  [<ffffffff8131a15e>] ? __nla_reserve+0x4e/0x70
[  300.960958]  [<ffffffffa02f4c60>] ? ctnetlink_nfqueue_parse+0x2e0/0x2e0 [nf_conntrack_netlink]
[  300.960958]  [<ffffffffa0056b7b>] ? nfnetlink_rcv_msg+0x28b/0x2a0 [nfnetlink]
[  300.960958]  [<ffffffff81494770>] ? validate_xmit_skb+0x40/0x330
[  300.960958]  [<ffffffffa00568f0>] ? nfnetlink_rcv+0xe0/0xe0 [nfnetlink]
[  300.960958]  [<ffffffff814c65d9>] ? netlink_rcv_skb+0xa9/0xd0
[  300.960958]  [<ffffffff814c6266>] ? netlink_unicast+0x126/0x1c0
[  300.960958]  [<ffffffff814c6ea6>] ? netlink_sendmsg+0x556/0x660
[  300.960958]  [<ffffffff8147770d>] ? sock_sendmsg+0x4d/0x60
[  300.960958]  [<ffffffff814791b4>] ? SYSC_sendto+0x104/0x180
[  300.960958]  [<ffffffff811d7eb9>] ? vfs_read+0xa9/0xe0
[  300.960958]  [<ffffffff811d87fc>] ? SyS_read+0x9c/0xd0
[  300.960958]  [<ffffffff81596bae>] ? system_call_fastpath+0x12/0x71
[  300.960958] Code: 48 83 c4 08 5b c9 c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 53 48 83 ec 08 0f 1f 44 00 00 48 85 ff 74 15 0f 1f 44 00 00 <48> 8b 1f e8 f0 fc ff ff 48 85 db 48 89 df 75 f0 48 83 c4 08 5b 
[  300.960958] RIP  [<ffffffff81482b48>] kfree_skb_list+0x18/0x30
[  300.960958]  RSP <ffff8800172577e8>
[  300.960958] CR2: 0000000000000002
[  300.960958] ---[ end trace fa655a8b26512358 ]---
[  300.960958] Kernel panic - not syncing: Fatal exception in interrupt
[  300.960958] Kernel Offset: disabled
[  300.960958] ---[ end Kernel panic - not syncing: Fatal exception in interrupt

----- End forwarded message -----
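
An added example for triaging the oops quoted in this message; it is not part of the original post or of any kernel tooling. It parses the x86_64 oops format shown above and reports the faulting symbol, which general-purpose registers hold the CR2 fault address, and which loadable modules appear on the call trace. The name `triage` and its result keys are assumptions of this example, and the embedded lines are an excerpt of the log above.

```python
import re

# Lines excerpted from the oops in the message above (not the full log).
OOPS = """\
[  300.957103] BUG: unable to handle kernel NULL pointer dereference at 0000000000000002
[  300.960958] RIP: 0010:[<ffffffff81482b48>]  [<ffffffff81482b48>] kfree_skb_list+0x18/0x30
[  300.960958] RAX: 0000000000000000 RBX: ffff88001513c000 RCX: 000000005fb50000
[  300.960958] RDX: 00000000ffffffff RSI: ffff88000012e000 RDI: 0000000000000002
[  300.960958] CR2: 0000000000000002 CR3: 0000000015100000 CR4: 00000000000006f0
[  300.960958]  [<ffffffff81482be5>] ? skb_release_data+0x85/0xd0
[  300.960958]  [<ffffffff81482cc6>] ? __kfree_skb+0x16/0x90
[  300.960958]  [<ffffffffa033b16c>] ? nlmon_xmit+0x2c/0x30 [nlmon]
[  300.960958]  [<ffffffff814c2e26>] ? netlink_deliver_tap+0xe6/0x170
"""

FAULT = re.compile(r"BUG: unable to handle kernel .*? at ([0-9a-f]{16})")
RIP = re.compile(r"RIP: \w+:\[<[0-9a-f]+>\]\s+\[<[0-9a-f]+>\] (\S+)\+(0x[0-9a-f]+)/")
REG = re.compile(r"\b(R[A-Z0-9]{1,2}|CR[0-9]): ([0-9a-f]{16})")
FRAME = re.compile(r"\[<[0-9a-f]{16}>\] \? (\S+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def triage(text):
    """Summarise an x86_64 oops in the format printed by the 4.1 kernel above."""
    fault = symbol = offset = None
    regs, trace, modules = {}, [], []
    for line in text.splitlines():
        if m := FAULT.search(line):
            fault = int(m.group(1), 16)
        if m := RIP.search(line):
            symbol, offset = m.group(1), int(m.group(2), 16)
        for name, value in REG.findall(line):
            regs[name] = int(value, 16)
        if m := FRAME.search(line):
            trace.append(m.group(1))
            if m.group(2) and m.group(2) not in modules:
                modules.append(m.group(2))   # frame lives in a loadable module
    return {
        "symbol": symbol, "offset": offset, "fault_addr": fault,
        # Heuristic: an address inside the first page is a NULL-ish pointer.
        "near_null": fault is not None and fault < 0x1000,
        # General-purpose registers whose value equals the fault address.
        "regs_with_fault_addr": [r for r, v in regs.items()
                                 if v == fault and not r.startswith("CR")],
        "trace": trace, "modules": modules,
    }

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```
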
