From: Thomas Graf <tgraf@suug.ch>
To: Roberto Nibali <ratz@tac.ch>
Cc: Netfilter Developers <netfilter-devel@lists.netfilter.org>,
	Pablo Neira <pablo@eurodev.net>
Subject: Re: [PATCH] update raw patch in POM
Date: Tue, 21 Jun 2005 02:34:41 +0200
Message-ID: <20050621003441.GI8335@postel.suug.ch>
In-Reply-To: <42B67BEC.1090105@tac.ch>

* Roberto Nibali <42B67BEC.1090105@tac.ch> 2005-06-20 10:18
> > I'm not yet done with testing, however something is not quite right now:
> > 
> > CPU: 2
> > EIP: 0010:[<00000000>] Not tainted
> > Using defaults from ksymoops -t elf32-i386 -a i386
> > EFLAGS: 00010202
> > eax: 00000000 ebx: c287df30 ecx: f8aa1ef4 edx: c287c001
> > esi: 00000000 edi: f7b92a34 ebp: f7b92980 esp: c287deac
> > ds: 0018 es: 0018 ss: 0018
> > Process swapper (pid:0, stackpage=c287d000)
> > Stack: c02a8f74 f8aa1e80 c287df30 f7b92a34 c01de099 f4a4d920 c287df30 00000040
> >        f7b92980 f7b92800 00000000 00000001 00000001 f7b92800 f7b92a18 c01ddee9
> >        f7b92980 f7b928c4 f7b92800 00000002 c0417b20 2471321d 00000000 c02ad245
> > Call trace:  [<c02a8f74>] [<f8aa1e80>] [<c01de099>] [<c01ddee9>] [<c02ad245>]
> > [<c011f7ad>] [<c0108e00>] [<c0105330>] [<c0105330>] [<c0105330>] [<c0105330>]
> > [<c010535c>] [<c01053c2>] [<c011a859>]
> > Code: Bad EIP value.
> 
> Added the following code to skbuff.h, because of the strange (overwritten) stack:
> 
> nf_conntrack_put(struct nf_ct_info *nfct)
> {
> +        if ((((long) nfct) & 0xf8000000) && atomic_read(&nfct->master->use) <= 1
> )
> +                BUG();
>         if (nfct && atomic_dec_and_test(&nfct->master->use))
>                 nfct->master->destroy(nfct->master);
> }
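Review bot: the added `if ((((long) nfct) & 0xf8000000) && atomic_read(&nfct->master->use) <= 1) BUG();` fires on correct teardown as well as on the case it is meant to catch: for any ordinary conntrack the final put sees use == 1, and the existing `if (nfct && atomic_dec_and_test(&nfct->master->use))` on the next line then runs destroy() as intended, so the check cannot separate a stale or static entry from one that is legitimately dying. The `& 0xf8000000` mask is also the only thing guarding the `nfct->master` dereference, and it is nonzero for any value with one of bits 27..31 set rather than being a validity test; at minimum gate on `nfct` the way the existing line does, and narrow the condition to something that identifies the suspect entry (for example comparing nfct->master against the one entry suspected of being put twice), so the BUG() points at the double put rather than at every last reference drop.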
> 
> 
> BUG at /home/.../include/linux/skbuff.h: 1175!

:1175 is the BUG above, right? If so it means that we're about to call
destroy() on a conntrack entry which is not allocated. I assume it is
ip_conntrack_untracked.

My theory is:

ip_conntrack_untracked is put into the conntrack with a refcnt of 2
(+1 during init and +1 while assigning it to nfct). Once the packet
leaves the ip stack we release the first use, when the modules
get unloaded we release the entry again and call destroy() on it
resulting in an overall corruption.

The whole notrack thing seems to be a big hack. ;->
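The reference-count sequence in the theory above, replayed as an added C illustration. This is not kernel code and not code from anyone in this thread: `ct_entry`, `ct_get`, `ct_put`, `ct_destroy` and `replay_unload` are made-up user-space stand-ins for the conntrack use count and nf_conntrack_put(), and `ct_put_guarded` is one hypothetical guard (a static entry is never handed to destroy()), included only to contrast the outcomes, not the fix the thread settled on.

```c
/* Added model of the refcount lifecycle described in the message above.
 * Hypothetical user-space C: the struct and function names are made up for
 * this illustration and are not the kernel's. */
#include <stdbool.h>
#include <stdio.h>

struct ct_entry {
    int use;            /* stands in for the conntrack's atomic_t use count */
    bool is_static;     /* true for an object like ip_conntrack_untracked, never kmalloc'ed */
    int destroy_calls;  /* how many times destroy() ran on this entry */
};

/* Stand-in for the conntrack destroy callback. In the kernel this frees the
 * entry; on a static object that free is the corruption the message points at. */
static void ct_destroy(struct ct_entry *ct)
{
    ct->destroy_calls++;
}

static void ct_get(struct ct_entry *ct)
{
    ct->use++;
}

/* Mirrors the shape of nf_conntrack_put(): drop one reference, destroy at zero. */
static void ct_put(struct ct_entry *ct)
{
    if (ct && --ct->use == 0)
        ct_destroy(ct);
}

/* Hypothetical variant (an assumption for illustration, not the thread's fix):
 * a static entry is never handed to destroy(), however its count moves. */
static void ct_put_guarded(struct ct_entry *ct)
{
    if (ct && --ct->use == 0 && !ct->is_static)
        ct_destroy(ct);
}

/* Replays the sequence from the theory: +1 at init, +1 when a NOTRACK'd packet's
 * skb->nfct is pointed at the entry, -1 when the packet leaves the IP stack,
 * -1 at module unload. Returns how often destroy() ran (1 = corruption case). */
int replay_unload(bool guarded)
{
    struct ct_entry untracked = { .use = 0, .is_static = true, .destroy_calls = 0 };
    void (*put)(struct ct_entry *) = guarded ? ct_put_guarded : ct_put;

    ct_get(&untracked);     /* +1: module init, refcnt 1 */
    ct_get(&untracked);     /* +1: assigned to a packet's nfct, refcnt 2 */
    put(&untracked);        /* -1: packet leaves the stack, refcnt 1 */
    put(&untracked);        /* -1: module unload, refcnt 0 -> destroy() */

    return untracked.destroy_calls;
}

/* Use count left after the packet is gone but before unload: the theory says 1. */
int use_after_packet(void)
{
    struct ct_entry untracked = { .use = 0, .is_static = true, .destroy_calls = 0 };

    ct_get(&untracked);     /* module init */
    ct_get(&untracked);     /* assigned to a packet's nfct */
    ct_put(&untracked);     /* packet leaves the stack */
    return untracked.use;
}

int main(void)
{
    printf("destroy() calls on the static entry, unguarded put: %d\n", replay_unload(false));
    printf("destroy() calls on the static entry, guarded put:   %d\n", replay_unload(true));
    printf("use count after the packet left, before unload:     %d\n", use_after_packet());
    return 0;
}
```

The point the replay makes is that nothing in the put path itself is wrong: the counts balance exactly as the message says (2, then 1, then 0), and destroy() runs precisely because they balance. Whether that is corruption depends only on what destroy() does to a static object, which is why the debug BUG() quoted earlier, keyed on use <= 1, cannot distinguish this case from an ordinary entry dying normally.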

Thread overview: 48+ messages
2005-06-07 11:06 [PATCH] update raw patch in POM Roberto Nibali
2005-06-07 14:37 ` Roberto Nibali
2005-06-07 22:55   ` Pablo Neira
2005-06-08  8:23     ` Roberto Nibali
2005-06-08 12:37       ` Pablo Neira
2005-06-14 15:27         ` Roberto Nibali
2005-06-20  8:18           ` Roberto Nibali
2005-06-20  9:07             ` Roberto Nibali
2005-06-20 10:41             ` SOLVED (was: Re: [PATCH] update raw patch in POM) Roberto Nibali
2005-06-20 11:01               ` Jozsef Kadlecsik
2005-06-20 11:03                 ` SOLVED Roberto Nibali
2005-06-20 11:04                   ` SOLVED Jozsef Kadlecsik
2005-06-20 10:49             ` [PATCH] update raw patch in POM Jan Engelhardt
2005-06-20 11:03               ` Roberto Nibali
2005-06-21  0:34             ` Thomas Graf [this message]
2005-06-21  0:39               ` Thomas Graf
2005-06-21  6:46                 ` Roberto Nibali
2005-06-21  8:59                   ` Pablo Neira
2005-06-21  9:08                     ` Jozsef Kadlecsik
2005-06-21 11:18                   ` Thomas Graf
2005-06-21  0:51               ` Pablo Neira
2005-06-21 11:13                 ` Thomas Graf
2005-06-21 14:00                   ` Patrick McHardy
2005-06-21 14:17                     ` [PATCH] update raw patch in POM [2.4.x] Roberto Nibali
2005-06-21 14:47                       ` Patrick McHardy
2005-06-21 15:15                         ` Roberto Nibali
2005-06-21 15:32                           ` Patrick McHardy
2005-06-22  9:26                             ` Roberto Nibali
2005-06-22  7:04                           ` Jozsef Kadlecsik
2005-06-22  9:10                             ` Roberto Nibali
2005-06-22  9:19                               ` Jozsef Kadlecsik
2005-06-22  9:27                                 ` Roberto Nibali
2005-06-21 21:50                     ` [PATCH] update raw patch in POM Thomas Graf
2005-06-22  0:32                       ` Patrick McHardy
2005-06-22  0:52                         ` Thomas Graf
2005-06-22  3:24                           ` Pablo Neira
2005-06-22  3:55                             ` Patrick McHardy
2005-06-22  5:48                               ` Roberto Nibali
2005-06-22 11:39                               ` Roberto Nibali
2005-06-22 18:38                                 ` Patrick McHardy
2005-06-27  6:36                                   ` Roberto Nibali
2005-06-27 10:57                                     ` Patrick McHardy
2005-06-27 12:07                                       ` Roberto Nibali
2005-06-27 12:55                                         ` Patrick McHardy
2005-06-27 13:53                                           ` Roberto Nibali
2005-06-27 15:49                                             ` Patrick McHardy
2005-06-28  6:02                                               ` Roberto Nibali
2005-06-27  8:50                                   ` Roberto Nibali
