From: Patrick McHardy <kaber@trash.net>
To: Peter Osterlund <petero2@telia.com>
Cc: Linus Torvalds <torvalds@osdl.org>,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
"David S. Miller" <davem@davemloft.net>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Linux 2.6.20-rc4
Date: Mon, 08 Jan 2007 23:33:18 +0100 [thread overview]
Message-ID: <45A2C6AE.5080400@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0701071442580.3661@woody.osdl.org>
[-- Attachment #1: Type: text/plain, Size: 2245 bytes --]
Linus Torvalds wrote:
> On Sun, 7 Jan 2007, Peter Osterlund wrote:
>
>>I get kernel panics when doing large ethernet transfers. A loop doing
>>continuous scp transfers of some large (>100MB) files makes the kernel
>>crash after a few minutes. scp runs on a different machine and copies
>>data from the machine that crashes. (The first crash did not happen
>>when scp was used, but scp is an easy way to reproduce the problem.)
>>
>>I've seen this crash also with 2.6.20-rc2-git-something. Previously I
>>ran these kernels quite a lot and used a ppp link without problems.
>>Today I started using eth0 and the crashes started to occur. I have
>>netfilter rules for ppp0, but no rules for eth0. Earlier kernels have
>>been working perfectly for large eth0 transfers on this machine.
>>
>>Hand copied data from the console:
>>
>> BUG: unable to handle kernel paging request at virtual address 9f5cea9f
>> printing eip:
>> c034c729
>> *pde = 00000000
>> Oops: 0000 [#1]
>> PREEMPT
>> Modules linked in: ... 8139too ...
>> CPU: 0
>> EIP: 0060:[<c034c729>] Not tainted VLI
>> EFLAGS: 00010206 (2.6.20-rc4 #13)
>> EIP is at ipv4_conntrack_help+0x6b/0x83
>> eax: c0475e44 ebx: 9f5cea37 ecx: d1dcebb0 edx: 00000014
>> esi: d1dcebb0 edi: c0475e44 ebp: c0475dd8 esp: c0475dc4
>
>
> That's
>
> and $0xf,%dl
> movzbl %dl,%edx
> lea (%ecx,%edx,4),%edx
> movzbl %bl,%eax
> mov %eax,(%esp)
> mov %esi,%ecx
> mov %edi,%eax
> mov 0xfffffff0(%ebp),%ebx
> ** call *0x68(%ebx) **
> add $0x8,%esp
> pop %ebx
> pop %esi
> pop %edi
> pop %ebp
> ret
>
> which is ipv4_conntrack_help():
>
> 	return help->helper->help(pskb,
> 				  (*pskb)->nh.raw - (*pskb)->data
> 				  + (*pskb)->nh.iph->ihl*4,
> 				  ct, ctinfo);
>
> and that call instruction is the one that oopses because "help->helper" is
> corrupt (it's 0x9f5cea37 - not a valid kernel pointer).
I guess it's because of an uninitialized helper field in struct
nf_conntrack_expect, which is then copied from the expectation to
the conntrack entry.
Peter, do you have locally generated netbios ns queries on the machine
running nf_conntrack? If so, please try this patch. Otherwise, are
there any other conntrack helpers that are actually used?
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1203 bytes --]
[NETFILTER]: nf_conntrack_netbios_ns: fix uninitialized member in expectation
->helper is uninitialized in the expectation registered by the netbios_ns
helper and is later copied to the expected connection, which causes invalid
memory dereferences when trying to call the helper.
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit fe6df90eb909a84593b6902e6e4f802687bc4564
tree 113ffbc5cd73dd3a5fe66bc24ba4747b2b5a4c6c
parent fa0035e191e85a2ab31861df9e0a0273e60dc745
author Patrick McHardy <kaber@trash.net> Mon, 08 Jan 2007 23:30:35 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 08 Jan 2007 23:30:35 +0100
net/netfilter/nf_conntrack_netbios_ns.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index a5b234e..2a48efd 100644
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -89,6 +89,7 @@ static int help(struct sk_buff **pskb, u
exp->expectfn = NULL;
exp->flags = NF_CT_EXPECT_PERMANENT;
+ exp->helper = NULL;
nf_conntrack_expect_related(exp);
nf_conntrack_expect_put(exp);
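Review bot: The added exp->helper = NULL closes the netbios_ns case, but the surrounding context shows the same pattern for expectfn and flags: every field has to be set by hand after the expectation is allocated, so the allocator evidently hands back an unzeroed object and any other helper that registers an expectation is one forgotten assignment away from the same oops. Consider zeroing the whole struct in the allocator (or a memset right after nf_conntrack_expect_alloc in the callers) so the class of bug goes away rather than this instance; the explicit NULL here would then become documentation rather than the only line between a stale slab pointer and an indirect call.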