From: Patrick McHardy <kaber@trash.net>
To: Holger Eitzenberger <holger@eitzenberger.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [OOPS PATCH 1/1] netfilter: fix OOPS in flush_expectations()
Date: Fri, 11 Oct 2013 15:35:41 +0100
Message-ID: <20131011143539.GA5276@macbook.localnet>
In-Reply-To: <20131011140440.339579297@eitzenberger.org>
On Fri, Oct 11, 2013 at 04:02:05PM +0200, Holger Eitzenberger wrote:
> This is the initial report I got:
>
> [ 2886.953175] BUG: unable to handle kernel paging request at 00100100
> [ 2886.956435] IP: [<f88a4ab8>] flush_expectations+0x68/0x85 [nf_conntrack_sip]
> [ 2886.956435] *pde = 00000000
> [ 2886.956435] Oops: 0000 [001] SMP
> ...
> [ 2886.956435] Pid: 5606, comm: red_server.plc Tainted: G O
> 3.3.8-79.g20f5c30-smp 001 Astaro AG ASG/i845GV-W83627HF
> [ 2886.956435] EIP: 0060:[<f88a4ab8>] EFLAGS: 00210246 CPU: 0
> [ 2886.956435] EIP is at flush_expectations+0x68/0x85 [nf_conntrack_sip]
> [ 2886.956435] EAX: 00000000 EBX: 00100100 ECX: 00000000 EDX: effdc0a0
> [ 2886.956435] ESI: 00100100 EDI: 00000001 EBP: 00000001 ESP: f5c0bd54
> [ 2886.956435] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> [ 2886.956435] Process red_server.plc (pid: 5606, ti=f5c0a000 task=f5da2a20 task.ti=efc62000)
> [ 2886.956435] Stack:
> [ 2886.956435] f490b948 00000001 00000197 f45f4f00 f88a5918 f5c0bde0 f5c0bddc 0000001c
> [ 2886.956435] 00000014 f88a72a8 0000015d f5c0bddc 00000001 f88a472e f5c0bddc f5c0bde0
> [ 2886.956435] 00000001 00000197 00000014 f490b948 f45f4f00 f88a72a8 00000197 00000001
>
> Which is due to nf_conntrack_expect.lnode hlist entry not being reset
> to NULL after being removed from the list in hlist_del(), but instead to
> LIST_POISON1. And because of this hlist_for_each_entry_safe() does
> not terminate correctly.
>
> Therefore change nf_ct_unlink_expect_report() to use __hlist_del()
> instead.

We should be holding the conntrack lock here and in flush_expectations().
Not sure what I'm missing here, but if locking were used correctly, this
shouldn't be happening.

>
> Signed-off-by: Holger Eitzenberger <holger@eitzenberger.org>
>
> Index: linux-stable-3.8.y/net/netfilter/nf_conntrack_expect.c
> ===================================================================
> --- linux-stable-3.8.y.orig/net/netfilter/nf_conntrack_expect.c
> +++ linux-stable-3.8.y/net/netfilter/nf_conntrack_expect.c
> @@ -51,7 +51,7 @@ void nf_ct_unlink_expect_report(struct n
> hlist_del_rcu(&exp->hnode);
> net->ct.expect_count--;
>
> - hlist_del(&exp->lnode);
> + __hlist_del(&exp->lnode);
> master_help->expecting[exp->class]--;
>
> nf_ct_expect_event_report(IPEXP_DESTROY, exp, pid, report);
>
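Review bot: At `__hlist_del(&exp->lnode);` the node is unlinked without being poisoned, so exp->lnode.next and pprev keep their old values; they are not reset to NULL, which is what the description suggests is wanted. A walker that still holds this entry would then follow stale pointers silently instead of faulting at the 00100100 seen in EBX/ESI, which hides the symptom but not whatever lets flush_expectations() reach an entry that has already been unlinked. Suggest keeping hlist_del() here, fixing the path (or the locking) that revisits a removed expectation, and adding a comment at the lnode removal naming the lock that protects this list.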
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
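The failure mode discussed in this thread, as an added example (not code from the patch or the kernel tree): a userspace model of hlist in which the loop body unlinks the node a safe-style iterator has already cached as its next. That scenario, the `walk()` helper and the three-node list are assumptions made for illustration; the thread does not establish how the cached entry came to be removed.

```c
#include <stdio.h>
/* Userspace model of the kernel hlist, constructed for this example. */
struct hlist_node { struct hlist_node *next, **pprev; };
#define LIST_POISON1 ((struct hlist_node *)0x00100100) /* address in the oops */
#define LIST_POISON2 ((struct hlist_node **)0x00200200)

/* Unlink only: n keeps its old next/pprev, still pointing at neighbours. */
static void __hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    *pprev = next;
    if (next)
        next->pprev = pprev;
}

/* Unlink and poison: a later walk through n lands on a known bad address. */
static void hlist_del(struct hlist_node *n)
{
    __hlist_del(n);
    n->next = LIST_POISON1;
    n->pprev = LIST_POISON2;
}

/* Safe-style walk of a -> b -> c; visiting a unlinks a and the cached next, b.
 * Returns -1 where the kernel would fault on LIST_POISON1, else nodes visited. */
int walk(int poison)
{
    void (*del)(struct hlist_node *) = poison ? hlist_del : __hlist_del;
    struct hlist_node c = { NULL, NULL }, b = { &c, NULL }, a = { &b, NULL };
    struct hlist_node *first = &a, *pos, *tmp;
    int visited = 0;
    a.pprev = &first; b.pprev = &a.next; c.pprev = &b.next;
    for (pos = first; pos; pos = tmp) {
        if (pos == LIST_POISON1)
            return -1;
        tmp = pos->next;        /* cached before the body runs */
        visited++;
        if (pos == &a) {
            del(&a);
            del(&b);
        }
    }
    return visited;
}

int main(void)
{
    printf("hlist_del: %d, __hlist_del: %d\n", walk(1), walk(0));
    return 0;
}
```

With poisoning the walk stops at LIST_POISON1, the model's equivalent of the oops; without it the walk visits the already unlinked b and reports three nodes although only c is still on the list.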