From mboxrd@z Thu Jan 1 00:00:00 1970 From: Patrick McHardy Subject: Re: [PATCH] netfilter: per netns nf_conntrack_cachep Date: Tue, 02 Feb 2010 17:48:22 +0100 Message-ID: <4B685756.8010107@trash.net> References: <1264813832.2793.446.camel@tonnant> <1264816634.2793.505.camel@tonnant> <1264816777.2793.510.camel@tonnant> <1264834704.2919.3.camel@edumazet-laptop> <1265016745.7499.144.camel@tonnant> <1265019160.2848.14.camel@edumazet-laptop> <1265023437.2848.30.camel@edumazet-laptop> <1265035970.2848.50.camel@edumazet-laptop> <1265036548.2848.55.camel@edumazet-laptop> <1265108690.2861.118.camel@tonnant> <1265110504.2861.135.camel@tonnant> <1265129192.2861.141.camel@tonnant> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 7bit Cc: Eric Dumazet , Alexey Dobriyan , linux-kernel , netdev , netfilter-devel , "Paul E. McKenney" To: Jon Masters Return-path: In-Reply-To: <1265129192.2861.141.camel@tonnant> Sender: netdev-owner@vger.kernel.org List-Id: netfilter-devel.vger.kernel.org Jon Masters wrote: > On Tue, 2010-02-02 at 06:35 -0500, Jon Masters wrote: > >> I think there's something more fundamental going on here. > > What happens is the conntrack code attempts to free > nf_conntrack_untracked back into the SL[U]B cache from which it > allocates other ct's. That shouldn't happen, the untracked conntrack is initialized to a refcount of 1, which is never released. > There's just one problem...that's a static struct > not from the cache. So, this is why we end up with the SLAB being > corrupted and the address immediately following the > nf_conntrack_untracked being corrupted. > > I shoved some debug comments into the destroy code to see if we were > trying to free nf_conntrack_untracked, and bingo. I have shoved a panic > in there now, will send you a backtrace. Thanks.