netdev.vger.kernel.org archive mirror
* networking crash in current mainline: sk_filter_delayed_uncharge()
@ 2007-10-19  6:09 Andrew Morton
  2007-10-19  6:11 ` David Miller
  2007-10-19  6:12 ` Andrew Morton
  0 siblings, 2 replies; 5+ messages in thread
From: Andrew Morton @ 2007-10-19  6:09 UTC (permalink / raw)
  To: netdev; +Cc: Paul Mackerras, Benjamin Herrenschmidt


powerpc mac G5
config: http://userweb.kernel.org/~akpm/config-g5.txt
screenshot: http://userweb.kernel.org/~akpm/dsc00005.jpg

It does this shortly after bringing up eth0 (tg3), in dhclient.



* Re: networking crash in current mainline: sk_filter_delayed_uncharge()
  2007-10-19  6:09 networking crash in current mainline: sk_filter_delayed_uncharge() Andrew Morton
@ 2007-10-19  6:11 ` David Miller
  2007-10-19  6:48   ` Andrew Morton
  2007-10-19  6:12 ` Andrew Morton
  1 sibling, 1 reply; 5+ messages in thread
From: David Miller @ 2007-10-19  6:11 UTC (permalink / raw)
  To: akpm; +Cc: netdev, paulus, benh

From: Andrew Morton <akpm@linux-foundation.org>
Date: Thu, 18 Oct 2007 23:09:48 -0700

> 
> powerpc mac G5
> config: http://userweb.kernel.org/~akpm/config-g5.txt
> screenshot: http://userweb.kernel.org/~akpm/dsc00005.jpg
> 
> It does this shortly after bringing up eth0 (tg3), in dhclient.

Try this:

From 9b013e05e0289c190a53d78ca029e2f21c0e4485 Mon Sep 17 00:00:00 2001
From: Olof Johansson <olof@lixom.net>
Date: Thu, 18 Oct 2007 21:48:39 -0700
Subject: [PATCH] [NET]: Fix bug in sk_filter race cures.

Looks like this might be causing problems, at least for me on ppc. This
happened during a normal boot, right around first interface config/dhcp
run.

cpu 0x0: Vector: 300 (Data Access) at [c00000000147b820]
    pc: c000000000435e5c: .sk_filter_delayed_uncharge+0x1c/0x60
    lr: c0000000004360d0: .sk_attach_filter+0x170/0x180
    sp: c00000000147baa0
   msr: 9000000000009032
   dar: 4
 dsisr: 40000000
  current = 0xc000000004780fa0
  paca    = 0xc000000000650480
    pid   = 1295, comm = dhclient3
0:mon> t
[c00000000147bb20] c0000000004360d0 .sk_attach_filter+0x170/0x180
[c00000000147bbd0] c000000000418988 .sock_setsockopt+0x788/0x7f0
[c00000000147bcb0] c000000000438a74 .compat_sys_setsockopt+0x4e4/0x5a0
[c00000000147bd90] c00000000043955c .compat_sys_socketcall+0x25c/0x2b0
[c00000000147be30] c000000000007508 syscall_exit+0x0/0x40
--- Exception: c01 (System Call) at 000000000ff618d8
SP (fffdf040) is in userspace
0:mon>

I.e. null pointer deref at sk_filter_delayed_uncharge+0x1c:

0:mon> di $.sk_filter_delayed_uncharge
c000000000435e40  7c0802a6      mflr    r0
c000000000435e44  fbc1fff0      std     r30,-16(r1)
c000000000435e48  7c8b2378      mr      r11,r4
c000000000435e4c  ebc2cdd0      ld      r30,-12848(r2)
c000000000435e50  f8010010      std     r0,16(r1)
c000000000435e54  f821ff81      stdu    r1,-128(r1)
c000000000435e58  380300a4      addi    r0,r3,164
c000000000435e5c  81240004      lwz     r9,4(r4)

That's the deref of fp:

static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
{
        unsigned int size = sk_filter_len(fp);
...

That is called from sk_attach_filter():

...
        rcu_read_lock_bh();
        old_fp = rcu_dereference(sk->sk_filter);
        rcu_assign_pointer(sk->sk_filter, fp);
        rcu_read_unlock_bh();

        sk_filter_delayed_uncharge(sk, old_fp);
        return 0;
...

So, looks like rcu_dereference() returned NULL. I don't know the
filter code at all, but it seems like it might be a valid case?
sk_detach_filter() seems to handle a NULL sk_filter, at least.

So, this needs review by someone who knows the filter, but it fixes the
problem for me:

Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/core/filter.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index 1f0068e..e0a0694 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -447,7 +447,8 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
 	rcu_assign_pointer(sk->sk_filter, fp);
 	rcu_read_unlock_bh();
 
-	sk_filter_delayed_uncharge(sk, old_fp);
+	if (old_fp)
+		sk_filter_delayed_uncharge(sk, old_fp);
 	return 0;
 }
 
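Review bot: the guard is the right fix for this call site, and the trace above shows why a NULL old_fp is a legitimate state rather than a symptom of another bug: dhclient is attaching its first filter through setsockopt(SO_ATTACH_FILTER), and a freshly created socket has no filter, so rcu_dereference(sk->sk_filter) returns NULL and there is nothing charged to release, which matches the NULL handling the commit message notes in sk_detach_filter(). A one-line comment on `if (old_fp)` saying that old_fp is NULL on the first attach would save the next reader the same investigation. The check could equally live inside sk_filter_delayed_uncharge(), since its unconditional sk_filter_len(fp) is the instruction that faults; either placement removes the NULL dereference shown in the xmon disassembly.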
-- 
1.5.3.4
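To make the first-attach case concrete, here is an added user-space model of the attach/detach accounting that the patch's guard protects; it is not the kernel's code. The struct names mirror the kernel's, but the fields, the sk_filter_len arithmetic and the return values are assumptions, and RCU publication and the deferred free are left out.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model: a socket owns at most one filter and accounts its size. */
struct sk_filter { unsigned int len; };      /* number of BPF instructions */
struct sock {
    struct sk_filter *sk_filter;             /* NULL until first SO_ATTACH_FILTER */
    long sk_omem_alloc;                      /* bytes charged for the installed filter */
};

/* Assumed size formula: header plus 8 bytes per instruction. */
static unsigned int sk_filter_len(const struct sk_filter *fp)
{
    return (unsigned int)sizeof(*fp) + fp->len * 8u;
}

/* Releases the charge of a filter that has been unlinked from the socket.
 * It dereferences fp unconditionally, exactly the behaviour that faulted in
 * the report, so every caller must guarantee fp != NULL. */
static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
{
    sk->sk_omem_alloc -= sk_filter_len(fp);
    free(fp);
}

/* Installs a new filter of ninsns instructions and, only if one was already
 * installed, releases the old one: the guard from the patch. */
static int sk_attach_filter(struct sock *sk, unsigned int ninsns)
{
    struct sk_filter *fp = malloc(sizeof(*fp)), *old_fp;
    if (!fp)
        return -1;
    fp->len = ninsns;
    sk->sk_omem_alloc += sk_filter_len(fp);  /* charge the new filter first */
    old_fp = sk->sk_filter;                  /* NULL on the very first attach */
    sk->sk_filter = fp;
    if (old_fp)
        sk_filter_delayed_uncharge(sk, old_fp);
    return 0;
}

/* Mirrors the NULL handling the commit message attributes to sk_detach_filter():
 * detaching when nothing is attached is an error, not a crash. */
static int sk_detach_filter(struct sock *sk)
{
    struct sk_filter *fp = sk->sk_filter;
    if (!fp)
        return -1;
    sk->sk_filter = NULL;
    sk_filter_delayed_uncharge(sk, fp);
    return 0;
}
```

The invariant worth checking is that sk_omem_alloc always equals the size of the filter currently installed, across the first attach, a replacement and a detach.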



* Re: networking crash in current mainline: sk_filter_delayed_uncharge()
  2007-10-19  6:09 networking crash in current mainline: sk_filter_delayed_uncharge() Andrew Morton
  2007-10-19  6:11 ` David Miller
@ 2007-10-19  6:12 ` Andrew Morton
  1 sibling, 0 replies; 5+ messages in thread
From: Andrew Morton @ 2007-10-19  6:12 UTC (permalink / raw)
  To: netdev, Paul Mackerras, Benjamin Herrenschmidt; +Cc: Pavel Emelyanov

On Thu, 18 Oct 2007 23:09:48 -0700 Andrew Morton <akpm@linux-foundation.org> wrote:

> 
> powerpc mac G5
> config: http://userweb.kernel.org/~akpm/config-g5.txt
> screenshot: http://userweb.kernel.org/~akpm/dsc00005.jpg
> 
> It does this shortly after bringing up eth0 (tg3), in dhclient.
> 

<looks in the git tree, adds cc ;)>


* Re: networking crash in current mainline: sk_filter_delayed_uncharge()
  2007-10-19  6:11 ` David Miller
@ 2007-10-19  6:48   ` Andrew Morton
  0 siblings, 0 replies; 5+ messages in thread
From: Andrew Morton @ 2007-10-19  6:48 UTC (permalink / raw)
  To: David Miller; +Cc: netdev, paulus, benh

On Thu, 18 Oct 2007 23:11:27 -0700 (PDT) David Miller <davem@davemloft.net> wrote:

> From: Andrew Morton <akpm@linux-foundation.org>
> Date: Thu, 18 Oct 2007 23:09:48 -0700
> 
> > 
> > powerpc mac G5
> > config: http://userweb.kernel.org/~akpm/config-g5.txt
> > screenshot: http://userweb.kernel.org/~akpm/dsc00005.jpg
> > 
> > It does this shortly after bringing up eth0 (tg3), in dhclient.
> 
> Try this:

Now it says "login:".  Let me know if you want a photo ;)


* Re: networking crash in current mainline: sk_filter_delayed_uncharge()
@ 2007-10-19 18:05 Pierre Ossman
  0 siblings, 0 replies; 5+ messages in thread
From: Pierre Ossman @ 2007-10-19 18:05 UTC (permalink / raw)
  To: netdev; +Cc: Andrew Morton

Andrew Morton wrote:

> powerpc mac G5
> config: http://userweb.kernel.org/~akpm/config-g5.txt
> screenshot: http://userweb.kernel.org/~akpm/dsc00005.jpg
> 
> It does this shortly after bringing up eth0 (tg3), in dhclient.

+1

A Pentium M laptop here. Problem both with an ipw2200 wifi card and an 8139
ethernet card.

[  174.237818] BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
[  174.237828] printing eip: c05b6ed1 *pde = 00000000 
[  174.237834] Oops: 0000 [#1] PREEMPT 
[  174.237837] Modules linked in: tun rfcomm l2cap sunrpc binfmt_misc radeon drm ipv6 snd_intel8x0m snd_intel8x0 snd_seq_dummy snd_ac97_codec ac97_bus snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd hci_usb pcmcia ipw2200 soundcore button bluetooth rtc_cmos parport_pc smsc_ircc2 firewire_ohci i2c_i801 yenta_socket rsrc_nonstatic ieee80211 rtc_core 8139cp parport snd_page_alloc irda firewire_core crc_itu_t 8139too ieee80211_crypt battery ac pcmcia_core pcspkr i2c_core wbsd mmc_core video output rtc_lib crc_ccitt mii sr_mod sg cdrom ata_piix libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ehci_hcd
[  174.237880] CPU:    0
[  174.237881] EIP:    0060:[<c05b6ed1>]    Not tainted VLI
[  174.237882] EFLAGS: 00210246   (2.6.23 #11)
[  174.237892] EIP is at sk_filter_delayed_uncharge+0x1/0x20
[  174.237895] eax: c3cefc00   ebx: 00000000   ecx: 00000000   edx: 00000000
[  174.237898] esi: c3cefc00   edi: 00000000   ebp: c3e05efc   esp: c3e05edc
[  174.237901] ds: 007b   es: 007b   fs: 0000  gs: 0033  ss: 0068
[  174.237904] Process dhclient (pid: 2997, ti=c3e05000 task=c3e753b0 task.ti=c3e05000)
[  174.237906] Stack: c3e05efc c05b7032 00000068 c3cf3080 00000058 c3e05f24 c3cefc00 c3a86300 
[  174.237913]        c3e05f48 c05a366e c3d039f8 c3e2c180 00000004 00000000 bfca000b 00000001 
[  174.237918]        bfca000b c3756080 bfca000b 080b3320 c3e05f5c c3e05f48 c059f2f0 c3e05f58 
[  174.237924] Call Trace:
[  174.237926]  [<c04051da>] show_trace_log_lvl+0x1a/0x30
[  174.237933]  [<c0405299>] show_stack_log_lvl+0xa9/0xd0
[  174.237937]  [<c04054c6>] show_registers+0x206/0x350
[  174.237940]  [<c0405711>] die+0x101/0x200
[  174.237944]  [<c060cd7e>] do_page_fault+0x3de/0x6c0
[  174.237950]  [<c060b402>] error_code+0x6a/0x70
[  174.237953]  [<c05a366e>] sock_setsockopt+0x58e/0x5b0
[  174.237958]  [<c059f4c5>] sys_setsockopt+0x95/0xb0
[  174.237964]  [<c05a0f8a>] sys_socketcall+0x21a/0x280
[  174.237968]  [<c040428a>] syscall_call+0x7/0xb
[  174.237972]  =======================
[  174.237973] Code: 77 c8 eb e6 8d b6 00 00 00 00 83 7c d9 04 0f 76 b9 eb d7 8d b4 26 00 00 00 00 8b 44 d9 04 85 c0 75 a8 eb c6 8d b6 00 00 00 00 55 <8b> 4a 04 89 e5 8d 0c cd 10 00 00 00 29 48 5c 8d 42 08 ba 40 6f 
[  174.237999] EIP: [<c05b6ed1>] sk_filter_delayed_uncharge+0x1/0x20 SS:ESP 0068:c3e05edc

Rgds

-- 
     -- Pierre Ossman

  Linux kernel, MMC maintainer        http://www.kernel.org
  PulseAudio, core developer          http://pulseaudio.org
  rdesktop, core developer          http://www.rdesktop.org
