From: Eric Dumazet <eric.dumazet@gmail.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Blaschka <frank.blaschka@de.ibm.com>,
netdev@vger.kernel.org, linux-s390@vger.kernel.org
Subject: Re: Oops in Unix sockets code
Date: Thu, 19 Nov 2009 15:20:29 +0100
Message-ID: <4B05542D.7060401@gmail.com>
In-Reply-To: <200911191440.18949.borntraeger@de.ibm.com>

Christian Borntraeger wrote:
> On Thursday, 19 November 2009 14:20:28, Blaschka wrote:
>> <1>Unable to handle kernel pointer dereference at virtual kernel address 000000007575e000
>> <4>Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> 0011 (page translation exception) and DEBUG_PAGEALLOC might indicate a use after free.
>
>> <4>Modules linked in: sunrpc qeth_l3 dm_multipath dm_mod qeth ccwgroup chsc_sch
>> <4>CPU: 0 Not tainted 2.6.31-39.x.20091102-s390xdefault #1
>> <4>Process hald (pid: 2117, task: 000000007d200c40, ksp: 000000007ab33880)
>> <4>Krnl PSW : 0704100180000000 00000000003a15f8 (_raw_read_trylock+0x0/0x28)
>> <4> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:1 PM:0 EA:3
>> <4>Krnl GPRS: 16c8a00000000000 000000007d200c40 000000007575ed18 0000000000000003
>> <4> 00000000005853d2 000000007d201470 0000000000000002 000000007ab33c30
>> <4> 0000000075746c78 000000007a74da48 000000000051a16a 000000007575ed18
>> <4> 000000007575ed30 00000000005da190 00000000005853dc 000000007ab338c8
>> <4>Krnl Code: 00000000003a15e8: c03000185811 larl %r3,6ac60a
>> <4> 00000000003a15ee: c0e5fffffdd9 brasl %r14,3a11a0
>> <4> 00000000003a15f4: a7f4ffce brc 15,3a1590
>> <4> >00000000003a15f8: 58302000 l %r3,0(%r2)
>> <4> 00000000003a15fc: b9170033 llgtr %r3,%r3
>> <4> 00000000003a1600: 1853 lr %r5,%r3
>> <4> 00000000003a1602: 1813 lr %r1,%r3
>> <4> 00000000003a1604: a75a0001 ahi %r5,1
>> <4>Call Trace:
>> <4>([<00000000005853d2>] _read_lock+0x5a/0x98)
>> <4> [<000000000051a16a>] unix_write_space+0x36/0xb0
> [...]
>
> So it looks like that struct sock *sk is already gone in unix_write_space.
> Since I have no clue about the socket code, I can only guess that there is a
> locking or refcount issue.

2.6.31 has a known bug

2.6.31.4 should correct it

commit 657453424a3c382035983f9a47306fafea730f6d
Author: Eric Dumazet <eric.dumazet@gmail.com>
Date:   Thu Sep 24 10:49:24 2009 +0000

    net: Fix sock_wfree() race

    [ Upstream commit d99927f4d93f36553699573b279e0ff98ad7dea6 ]

    Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80
    (net: No more expensive sock_hold()/sock_put() on each tx)
    opens a window in sock_wfree() where another cpu
    might free the socket we are working on.

    A fix is to call sk->sk_write_space(sk) while still
    holding a reference on sk.

    Reported-by: Jike Song <albcamus@gmail.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Please try 2.6.31.6 ;)
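
The ordering problem named in the commit message above, as an added single-threaded user-space model; it is not part of the original message and is not kernel code. The names (msock, wfree_racy, wfree_fixed, owner_release) and the counter layout (one owner reference plus the bytes of in-flight buffers) are assumptions of the model, and the other CPU's release is replayed at the point where the window would be.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model: plain ints stand in for the kernel's atomic counter. */
struct msock {
    int  wmem_alloc;  /* 1 owner reference + bytes of in-flight buffers */
    bool freed;       /* set instead of calling free(), so it can be inspected */
    bool uaf;         /* write-space callback ran on an already freed socket */
};

static void msock_free(struct msock *sk) { sk->freed = true; }

/* "Other CPU": the owner drops its reference; frees if nothing is in flight. */
static void owner_release(struct msock *sk)
{
    if (--sk->wmem_alloc == 0)
        msock_free(sk);
}

/* Stand-in for sk->sk_write_space(sk): touching a freed sk is the oops. */
static void write_space(struct msock *sk) { if (sk->freed) sk->uaf = true; }

/* Racy ordering: give back every byte first, then call back into sk. */
static void wfree_racy(struct msock *sk, int len)
{
    int res = (sk->wmem_alloc -= len);
    owner_release(sk);              /* window: nothing pins sk any more */
    write_space(sk);
    if (res == 0)
        msock_free(sk);
}

/* Fixed ordering: keep one unit as a reference across the callback. */
static void wfree_fixed(struct msock *sk, int len)
{
    sk->wmem_alloc -= len - 1;
    owner_release(sk);              /* same interleaving, sk is still pinned */
    write_space(sk);
    if (--sk->wmem_alloc == 0)      /* last reference is dropped only here */
        msock_free(sk);
}

/* One in-flight buffer of len bytes; the owner releases inside the window. */
static struct msock run(bool fixed, int len)
{
    struct msock sk = { .wmem_alloc = 1 + len };
    if (fixed) wfree_fixed(&sk, len); else wfree_racy(&sk, len);
    return sk;
}

int main(void)
{
    printf("racy:  uaf=%d\nfixed: uaf=%d\n", run(false, 256).uaf, run(true, 256).uaf);
    return 0;
}
```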