From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
To: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Ingo Molnar <mingo@elte.hu>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
Vegard Nossum <vegard.nossum@gmail.com>,
"Rafael J. Wysocki" <rjw@sisk.pl>
Subject: Re: [bug, netconsole, SLUB] BUG skbuff_head_cache: Poison overwritten
Date: Fri, 18 Jul 2008 14:16:24 +0400
Message-ID: <20080718101624.GA7107@2ka.mipt.ru>
In-Reply-To: <84144f020807180202l6c703234ic3a2b57e73a1d89a@mail.gmail.com>
Hi Pekka.
On Fri, Jul 18, 2008 at 12:02:26PM +0300, Pekka Enberg (penberg@cs.helsinki.fi) wrote:
> > Out of curiosity, why does it scream at allocation time?
>
> Because it's checking for use-after-free errors. The object is
> poisoned with POISON_FREE when it's free'd and we verify the poison
> values at allocation time.
Does it also scream on a double free event? Just to narrow the guilty
circle... The 0x9c offset is somewhere at the very end of the skbuff
structure, likely skb->users.
Can you also check in something like this patch, to catch freeing of an
already freed skb, for testing?
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 3666216..dda96bf 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -419,6 +419,14 @@ void kfree_skb(struct sk_buff *skb)
{
if (unlikely(!skb))
return;
+
+ {
+ u8 *ptr = (u8 *)(&skb->users);
+
+ if (*ptr == POISON_FREE || *ptr == POISON_INUSE || *ptr == POISON_END)
+ BUG();
+ }
+
if (likely(atomic_read(&skb->users) == 1))
smp_rmb();
else if (likely(!atomic_dec_and_test(&skb->users)))
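Review bot: the added test on `*ptr` compares only the first byte of `skb->users` against the poison values, so a live skb whose reference count happens to hold 0x6b, 0x5a or 0xa5 in that byte (on little-endian, a count of 107, 90 or 165) would also reach BUG(). That is unlikely in a test run, but comparing all sizeof(skb->users) bytes against the poison pattern would make the check exact, and on big-endian the first byte is the high byte, so the one-byte form behaves differently there. The block is also only meaningful while slab poisoning is enabled, so for anything beyond a throwaway test it should sit under the corresponding debug config, and a short comment saying that it is a double-free trap would help whoever finds it later.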
--
Evgeniy Polyakov