From: Anton Blanchard <anton@samba.org>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Sasha Levin <levinsasha928@gmail.com>,
David Miller <davem@davemloft.net>,
Matt Mackall <mpm@selenic.com>,
Christoph Lameter <cl@linux-foundation.org>,
Pekka Enberg <penberg@kernel.org>, linux-mm <linux-mm@kvack.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
netdev <netdev@vger.kernel.org>
Subject: [PATCH] net: Fix corruption in /proc/*/net/dev_mcast
Date: Mon, 28 Nov 2011 18:14:46 +1100
Message-ID: <20111128181446.2ab784d0@kryten>
In-Reply-To: <1321870529.2552.19.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC>
Hi,
> I got the following output when running some tests (I'm not really sure
> what exactly happened when this bug was triggered):
>
> [13850.947279] =============================================================================
> [13850.948024] BUG kmalloc-8: Redzone overwritten
> [13850.948024] -----------------------------------------------------------------------------
> [13850.948024]
> [13850.948024] INFO: 0xffff8800104f6d28-0xffff8800104f6d2b. First byte 0x0 instead of 0xcc
> [13850.948024] INFO: Allocated in __seq_open_private+0x20/0x5e age=4436 cpu=0 pid=17295
> [13850.948024] __slab_alloc.clone.46+0x3e7/0x456
> [13850.948024] __kmalloc+0x8c/0x110
> [13850.948024] __seq_open_private+0x20/0x5e
> [13850.948024] seq_open_net+0x3b/0x5d
> [13850.948024] dev_mc_seq_open+0x15/0x17
> [13850.948024] proc_reg_open+0xad/0x127
I just hit this during my testing. Isn't there another bug lurking?
Anton
--
With slub debugging on I see red zone issues in /proc/*/net/dev_mcast:
=============================================================================
BUG kmalloc-8: Redzone overwritten
-----------------------------------------------------------------------------
INFO: 0xc0000000de9dec48-0xc0000000de9dec4b. First byte 0x0 instead of 0xcc
INFO: Allocated in .__seq_open_private+0x30/0xa0 age=0 cpu=5 pid=3896
.__kmalloc+0x1e0/0x2d0
.__seq_open_private+0x30/0xa0
.seq_open_net+0x60/0xe0
.dev_mc_seq_open+0x4c/0x70
.proc_reg_open+0xd8/0x260
.__dentry_open.clone.11+0x2b8/0x400
.do_last+0xf4/0x950
.path_openat+0xf8/0x480
.do_filp_open+0x48/0xc0
.do_sys_open+0x140/0x250
syscall_exit+0x0/0x40
dev_mc_seq_ops uses dev_seq_start/next/stop but only allocates
sizeof(struct seq_net_private) of private data, whereas it expects
sizeof(struct dev_iter_state):
struct dev_iter_state {
	struct seq_net_private p;
	unsigned int pos; /* bucket << BUCKET_SPACE + offset */
};
Create dev_seq_open_ops and use it so we don't have to expose
struct dev_iter_state.
Signed-off-by: Anton Blanchard <anton@samba.org>
---
Index: linux-net/include/linux/netdevice.h
===================================================================
--- linux-net.orig/include/linux/netdevice.h 2011-11-28 17:55:51.469508056 +1100
+++ linux-net/include/linux/netdevice.h 2011-11-28 17:55:52.985535812 +1100
@@ -2536,6 +2536,8 @@ extern void net_disable_timestamp(void)
extern void *dev_seq_start(struct seq_file *seq, loff_t *pos);
extern void *dev_seq_next(struct seq_file *seq, void *v, loff_t *pos);
extern void dev_seq_stop(struct seq_file *seq, void *v);
+extern int dev_seq_open_ops(struct inode *inode, struct file *file,
+ const struct seq_operations *ops);
#endif
extern int netdev_class_create_file(struct class_attribute *class_attr);
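Review bot: the new dev_seq_open_ops() prototype is added above the #endif, next to dev_seq_start/next/stop, so it is only declared when that conditional is enabled; the new caller in net/core/dev_addr_lists.c has to be built under the same condition or it will not compile. The prototype would also benefit from a one-line comment saying it must be used for any seq_operations built on dev_seq_start/next/stop, because it is what sizes the private data as struct dev_iter_state.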
Index: linux-net/net/core/dev.c
===================================================================
--- linux-net.orig/net/core/dev.c 2011-11-28 17:55:51.481508276 +1100
+++ linux-net/net/core/dev.c 2011-11-28 17:55:52.989535885 +1100
@@ -4282,6 +4282,12 @@ static int dev_seq_open(struct inode *in
sizeof(struct dev_iter_state));
}
+int dev_seq_open_ops(struct inode *inode, struct file *file,
+ const struct seq_operations *ops)
+{
+ return seq_open_net(inode, file, ops, sizeof(struct dev_iter_state));
+}
+
static const struct file_operations dev_seq_fops = {
.owner = THIS_MODULE,
.open = dev_seq_open,
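Review bot: dev_seq_open(), whose tail is visible in the context just above the new function, still passes sizeof(struct dev_iter_state) itself, so the private-data size is now written in two places in dev.c. Consider having dev_seq_open() call dev_seq_open_ops() so the size lives in one spot, and add a short comment on dev_seq_open_ops() stating the contract: the ops passed in are the ones that treat the private data as struct dev_iter_state.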
Index: linux-net/net/core/dev_addr_lists.c
===================================================================
--- linux-net.orig/net/core/dev_addr_lists.c 2011-11-28 17:55:47.845441705 +1100
+++ linux-net/net/core/dev_addr_lists.c 2011-11-28 17:55:52.989535885 +1100
@@ -696,8 +696,7 @@ static const struct seq_operations dev_m
static int dev_mc_seq_open(struct inode *inode, struct file *file)
{
- return seq_open_net(inode, file, &dev_mc_seq_ops,
- sizeof(struct seq_net_private));
+ return dev_seq_open_ops(inode, file, &dev_mc_seq_ops);
}
static const struct file_operations dev_mc_seq_fops = {
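Review bot: dev_mc_seq_open() is the only caller converted here; any other seq_open_net() caller whose seq_operations reuse dev_seq_start/next/stop while passing sizeof(struct seq_net_private), as the removed lines did, has the same overrun and should be converted to dev_seq_open_ops() in this patch. Nothing ties the size argument to the callbacks in the ops table, so a check of the remaining callers is worth noting in the changelog.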
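The size mismatch described in the commit message, modelled in userspace as an added example (not code from the patch or the kernel). The struct bodies, REDZONE_LEN, model_seq_start() and redzone_damage() are constructed for illustration, and the store of 0 to pos is an assumption based on the report's "First byte 0x0".

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE_BYTE 0xcc /* poison value named in the report */
#define REDZONE_LEN  8    /* constructed red zone length for this model */

/* Userspace stand-ins for the kernel structs (assumed layout). */
struct seq_net_private { void *net; };
struct dev_iter_state {
	struct seq_net_private p;
	unsigned int pos;
};

/* Model of an iterator callback: it treats the private area as a
 * struct dev_iter_state and stores 0 to pos (assumed store). */
static void model_seq_start(void *priv)
{
	unsigned int pos = 0;

	memcpy((char *)priv + offsetof(struct dev_iter_state, pos), &pos, sizeof(pos));
}

/* Allocate priv_size bytes plus a poisoned red zone, run the iterator and
 * return how many red zone bytes lost their poison; *first gets the offset
 * of the first damaged byte from the object start, or -1 if none. */
static int redzone_damage(size_t priv_size, long *first)
{
	unsigned char *obj = malloc(priv_size + REDZONE_LEN);
	int bad = 0;

	*first = -1;
	if (!obj)
		return -1;
	memset(obj, 0, priv_size);
	memset(obj + priv_size, REDZONE_BYTE, REDZONE_LEN);
	model_seq_start(obj);
	for (size_t i = priv_size; i < priv_size + REDZONE_LEN; i++) {
		if (obj[i] == REDZONE_BYTE)
			continue;
		if (*first < 0)
			*first = (long)i;
		bad++;
	}
	free(obj);
	return bad;
}
```

On a 64-bit build, redzone_damage(sizeof(struct seq_net_private), &first) reports 4 damaged bytes starting at offset 8, the same 4-byte span right after a kmalloc-8 object that both reports show; with sizeof(struct dev_iter_state) the red zone stays intact.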