public inbox for linux-kernel@vger.kernel.org
* conntrack related slab corruption in 2.5.65
@ 2003-03-24 22:04 Dave Jones
  2003-03-24 22:32 ` Martin Josefsson
  0 siblings, 1 reply; 3+ messages in thread
From: Dave Jones @ 2003-03-24 22:04 UTC (permalink / raw)
  To: Linux Kernel

Slab corruption: start=cf480a84, expend=cf480bb7, problemat=cf480aec
Last user: [<c03ed43a>](destroy_conntrack+0xf8/0x159)
Data: ********************************************************************************************************EC 0A 48 CF EC 0A 48 CF ***************************************************************************************************************************************************************************************************A5 
Next: 71 F0 2C .3A D4 3E C0 71 F0 2C .********************
slab error in check_poison_obj(): cache `ip_conntrack': object was modified after freeing
Call Trace:
 [<c0144496>] check_poison_obj+0x155/0x195
 [<c0145e4b>] kmem_cache_alloc+0x139/0x177
 [<c03edfba>] init_conntrack+0x8d/0x44f
 [<c03edfba>] init_conntrack+0x8d/0x44f
 [<c03ee586>] ip_conntrack_in+0x20a/0x2bc
 [<c03db2eb>] udp_connect+0xa8/0x353
 [<c03aa074>] nf_iterate+0x5f/0x93
 [<c03b9634>] dst_output+0x0/0x2d
 [<c03aa3db>] nf_hook_slow+0xa9/0x205
 [<c03b9634>] dst_output+0x0/0x2d
 [<c03b7a84>] ip_queue_xmit+0x435/0x525
 [<c03b9634>] dst_output+0x0/0x2d
 [<c039d1df>] __kfree_skb+0x89/0xfe
 [<c014437c>] check_poison_obj+0x3b/0x195
 [<c03d0eeb>] tcp_v4_send_check+0x4d/0xd8
 [<c03ca6ae>] tcp_transmit_skb+0x3b0/0x5b3
 [<c03cd026>] tcp_connect+0x3af/0x47b
 [<c02aa34e>] secure_tcp_sequence_number+0x82/0xa0
 [<c03d0237>] tcp_v4_connect+0x393/0x5db
 [<c03e3f1d>] inet_stream_connect+0x264/0x3bc
 [<c0398ae2>] move_addr_to_kernel+0x6b/0x6f
 [<c039a2d8>] sys_connect+0x78/0x99
 [<c0398c00>] sock_destroy_inode+0x1d/0x21
 [<c0398c00>] sock_destroy_inode+0x1d/0x21
 [<c0178bbc>] destroy_inode+0x36/0x50
 [<c017a493>] iput+0x63/0x7c
 [<c01760b3>] dput+0x24/0x333
 [<c039adb1>] sys_socketcall+0xb2/0x262
 [<c015c938>] filp_close+0xe9/0x12d
 [<c015ca13>] sys_close+0x97/0xdf
 [<c010978f>] syscall_call+0x7/0xb




* Re: conntrack related slab corruption in 2.5.65
  2003-03-24 22:04 conntrack related slab corruption in 2.5.65 Dave Jones
@ 2003-03-24 22:32 ` Martin Josefsson
  2003-03-25  1:24   ` Dave Jones
  0 siblings, 1 reply; 3+ messages in thread
From: Martin Josefsson @ 2003-03-24 22:32 UTC (permalink / raw)
  To: Dave Jones; +Cc: Linux Kernel

On Mon, 2003-03-24 at 23:04, Dave Jones wrote:
> Slab corruption: start=cf480a84, expend=cf480bb7, problemat=cf480aec
> Last user: [<c03ed43a>](destroy_conntrack+0xf8/0x159)
> Data: ********************************************************************************************************EC 0A 48 CF EC 0A 48 CF ***************************************************************************************************************************************************************************************************A5 
> Next: 71 F0 2C .3A D4 3E C0 71 F0 2C .********************
> slab error in check_poison_obj(): cache `ip_conntrack': object was modified after freeing

Are you using a conntrack helper (i.e. ip_conntrack_ftp)?
If so then this is fixed in -mm. If not then this is another bug that I
need to track down.

I've been trying to get hold of Harald Welte for a few days now, all
netfilter patches should go through him -> davem -> linus/marcelo.


--- linux-2.5.64-bk10/net/ipv4/netfilter/ip_conntrack_core.c.orig	2003-03-21 01:42:57.000000000 +0100
+++ linux-2.5.64-bk10/net/ipv4/netfilter/ip_conntrack_core.c	2003-03-22 00:43:28.000000000 +0100
@@ -274,6 +274,7 @@
 		 * the un-established ones only */
 		if (exp->sibling) {
 			DEBUGP("remove_expectations: skipping established %p of %p\n", exp->sibling, ct);
+			exp->expectant = NULL;
 			continue;
 		}
 
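Review bot: the new "exp->expectant = NULL;" in the "if (exp->sibling)" branch needs a comment, because this store is the only marker the later teardown path has for an expectation that no longer sits on a live list, and the DEBUGP text still says "skipping" although the entry is now modified. A one-line comment above the assignment saying that the owner of the list is going away and the sibling must not unlink this entry later would cover it. The hunk also does not show which lock covers this write; the second hunk reads the field under WRITE_LOCK(&ip_conntrack_lock), so it is worth confirming this path holds the same lock.
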
@@ -327,9 +328,11 @@
 	WRITE_LOCK(&ip_conntrack_lock);
 	/* Delete our master expectation */
 	if (ct->master) {
-		/* can't call __unexpect_related here,
-		 * since it would screw up expect_list */
-		list_del(&ct->master->expected_list);
+		if (ct->master->expectant) {
+			/* can't call __unexpect_related here,
+			 * since it would screw up expect_list */
+			list_del(&ct->master->expected_list);
+		}
 		kfree(ct->master);
 	}
 	WRITE_UNLOCK(&ip_conntrack_lock);
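
Review bot: the "if (ct->master->expectant)" test around list_del(&ct->master->expected_list) carries no explanation of why a NULL expectant means the unlink must be skipped; the comment moved inside the block only explains why __unexpect_related is not called. If the intent is that a NULL expectant means the conntrack owning the list head is already gone, say so next to the test. Since expectant can now be NULL on an expectation that stays allocated until this kfree(ct->master), any other code that dereferences ->expectant should be checked for a missing NULL test.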


-- 
/Martin


* Re: conntrack related slab corruption in 2.5.65
  2003-03-24 22:32 ` Martin Josefsson
@ 2003-03-25  1:24   ` Dave Jones
  0 siblings, 0 replies; 3+ messages in thread
From: Dave Jones @ 2003-03-25  1:24 UTC (permalink / raw)
  To: Martin Josefsson; +Cc: Linux Kernel

On Mon, Mar 24, 2003 at 11:32:01PM +0100, Martin Josefsson wrote:

 > Are you using a conntrack helper (i.e. ip_conntrack_ftp)?
 > If so then this is fixed in -mm. If not then this is another bug that I
 > need to track down.

Yep, I was. Thanks for the patch, I'll give it a spin.

		Dave

