lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4B15F27C.9020707@gmail.com>
Date:	Wed, 02 Dec 2009 05:52:12 +0100
From:	Eric Dumazet <eric.dumazet@...il.com>
To:	Chris Rankin <rankincj@...oo.com>
CC:	linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [WARNING] Network-related warnings with 2.6.31.6

Chris Rankin a écrit :
> Hi,
> 
> I've just noticed these warnings in my dmesg log, and have no idea what might have triggered them. e1000 related, perhaps?
> 
> Cheers,
> Chris
> 
> ------------[ cut here ]------------
> WARNING: at /home/chris/LINUX/linux-2.6.31/net/core/stream.c:202 inet_csk_destroy_sock+0x77/0xd3()
> Hardware name: Precision WorkStation 650    
> Modules linked in: tun snd_seq_oss snd_seq_midi snd_seq_dummy fuse nfsd lockd auth_rpcgss exportfs sunrpc autofs4 af_packet ipt_LOG nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_LOG nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 p4_clockmod speedstep_lib binfmt_misc dm_mirror dm_region_hash dm_log dm_mod uinput snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_event snd_seq_midi_emul snd_emu10k1 snd_ac97_codec snd_usb_audio ac97_bus snd_seq snd_pcm snd_usb_lib snd_rawmidi snd_seq_device snd_timer firewire_ohci ppdev uvcvideo floppy firewire_core snd_page_alloc snd_util_mem snd_hwdep parport_pc pwc psmouse videodev parport v4l1_compat crc_itu_t pcspkr snd sg i2c_i801 serio_raw soundcore dcdbas ext3 jbd mbcache sr_mod cdrom sd_mod pata_acpi sata_sil uhci_hcd ata_piix libata scsi_mod ehci_hcd e1000 usbcore thermal button radeon intel_agp ttm drm agpgart i2c_algo_bit cfbcopyarea cfbimgblt
>  cfbfillrect [last unloaded: processor]
> Pid: 32056, comm: rpm Not tainted 2.6.31.6 #1
> Call Trace:
>  [<c1023ba8>] ? warn_slowpath_common+0x5d/0x70
>  [<c1023bc6>] ? warn_slowpath_null+0xb/0xd
>  [<c11871ca>] ? inet_csk_destroy_sock+0x77/0xd3
>  [<c119188f>] ? tcp_rcv_state_process+0x81f/0x9e8
>  [<c11966c3>] ? tcp_v4_do_rcv+0x128/0x16d
>  [<c1196b0d>] ? tcp_v4_rcv+0x405/0x640
>  [<c118003e>] ? ip_local_deliver_finish+0xf3/0x1ab
>  [<c117fcd9>] ? ip_rcv_finish+0x2a9/0x2cf
>  [<c117fa30>] ? ip_rcv_finish+0x0/0x2cf
>  [<c116b7c5>] ? netif_receive_skb+0x261/0x281
>  [<f8527bfc>] ? e1000_clean_rx_irq+0x31c/0x3c3 [e1000]
>  [<f852a6fa>] ? e1000_clean+0x2a7/0x3f5 [e1000]
>  [<c11c783c>] ? _spin_unlock_irqrestore+0xe/0x21
>  [<c10354c0>] ? hrtimer_run_pending+0xd/0xa5
>  [<c11c769b>] ? _spin_lock_irq+0xe/0x24
>  [<c116bce5>] ? net_rx_action+0x57/0xfd
>  [<c1027ea3>] ? __do_softirq+0x7a/0xe3
>  [<c1027e29>] ? __do_softirq+0x0/0xe3
>  <IRQ>  [<c1027c3c>] ? irq_exit+0x29/0x63
>  [<c1004320>] ? do_IRQ+0x7c/0x8d
>  [<c1002f29>] ? common_interrupt+0x29/0x30
> ---[ end trace e643d9455a26ccf3 ]---
> ------------[ cut here ]------------
> WARNING: at /home/chris/LINUX/linux-2.6.31/net/ipv4/af_inet.c:151 inet_sock_destruct+0xd8/0x138()
> Hardware name: Precision WorkStation 650    
> Modules linked in: tun snd_seq_oss snd_seq_midi snd_seq_dummy fuse nfsd lockd auth_rpcgss exportfs sunrpc autofs4 af_packet ipt_LOG nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_LOG nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 p4_clockmod speedstep_lib binfmt_misc dm_mirror dm_region_hash dm_log dm_mod uinput snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_event snd_seq_midi_emul snd_emu10k1 snd_ac97_codec snd_usb_audio ac97_bus snd_seq snd_pcm snd_usb_lib snd_rawmidi snd_seq_device snd_timer firewire_ohci ppdev uvcvideo floppy firewire_core snd_page_alloc snd_util_mem snd_hwdep parport_pc pwc psmouse videodev parport v4l1_compat crc_itu_t pcspkr snd sg i2c_i801 serio_raw soundcore dcdbas ext3 jbd mbcache sr_mod cdrom sd_mod pata_acpi sata_sil uhci_hcd ata_piix libata scsi_mod ehci_hcd e1000 usbcore thermal button radeon intel_agp ttm drm agpgart i2c_algo_bit cfbcopyarea cfbimgblt
>  cfbfillrect [last unloaded: processor]
> Pid: 32056, comm: rpm Tainted: G        W  2.6.31.6 #1
> Call Trace:
>  [<c1023ba8>] ? warn_slowpath_common+0x5d/0x70
>  [<c1023bc6>] ? warn_slowpath_null+0xb/0xd
>  [<c11a1414>] ? inet_sock_destruct+0xd8/0x138
>  [<c1163243>] ? __sk_free+0x10/0xa2
>  [<c1196b4a>] ? tcp_v4_rcv+0x442/0x640
>  [<c118003e>] ? ip_local_deliver_finish+0xf3/0x1ab
>  [<c117fcd9>] ? ip_rcv_finish+0x2a9/0x2cf
>  [<c117fa30>] ? ip_rcv_finish+0x0/0x2cf
>  [<c116b7c5>] ? netif_receive_skb+0x261/0x281
>  [<f8527bfc>] ? e1000_clean_rx_irq+0x31c/0x3c3 [e1000]
>  [<f852a6fa>] ? e1000_clean+0x2a7/0x3f5 [e1000]
>  [<c11c783c>] ? _spin_unlock_irqrestore+0xe/0x21
>  [<c10354c0>] ? hrtimer_run_pending+0xd/0xa5
>  [<c11c769b>] ? _spin_lock_irq+0xe/0x24
>  [<c116bce5>] ? net_rx_action+0x57/0xfd
>  [<c1027ea3>] ? __do_softirq+0x7a/0xe3
>  [<c1027e29>] ? __do_softirq+0x0/0xe3
>  <IRQ>  [<c1027c3c>] ? irq_exit+0x29/0x63
>  [<c1004320>] ? do_IRQ+0x7c/0x8d
>  [<c1002f29>] ? common_interrupt+0x29/0x30
> ---[ end trace e643d9455a26ccf4 ]---
> ------------[ cut here ]------------
> WARNING: at /home/chris/LINUX/linux-2.6.31/net/ipv4/af_inet.c:154 inet_sock_destruct+0x11e/0x138()
> Hardware name: Precision WorkStation 650    
> Modules linked in: tun snd_seq_oss snd_seq_midi snd_seq_dummy fuse nfsd lockd auth_rpcgss exportfs sunrpc autofs4 af_packet ipt_LOG nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_LOG nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables ipv6 p4_clockmod speedstep_lib binfmt_misc dm_mirror dm_region_hash dm_log dm_mod uinput snd_emu10k1_synth snd_emux_synth snd_seq_virmidi snd_seq_midi_event snd_seq_midi_emul snd_emu10k1 snd_ac97_codec snd_usb_audio ac97_bus snd_seq snd_pcm snd_usb_lib snd_rawmidi snd_seq_device snd_timer firewire_ohci ppdev uvcvideo floppy firewire_core snd_page_alloc snd_util_mem snd_hwdep parport_pc pwc psmouse videodev parport v4l1_compat crc_itu_t pcspkr snd sg i2c_i801 serio_raw soundcore dcdbas ext3 jbd mbcache sr_mod cdrom sd_mod pata_acpi sata_sil uhci_hcd ata_piix libata scsi_mod ehci_hcd e1000 usbcore thermal button radeon intel_agp ttm drm agpgart i2c_algo_bit cfbcopyarea cfbimgblt
>  cfbfillrect [last unloaded: processor]
> Pid: 32056, comm: rpm Tainted: G        W  2.6.31.6 #1
> Call Trace:
>  [<c1023ba8>] ? warn_slowpath_common+0x5d/0x70
>  [<c1023bc6>] ? warn_slowpath_null+0xb/0xd
>  [<c11a145a>] ? inet_sock_destruct+0x11e/0x138
>  [<c1163243>] ? __sk_free+0x10/0xa2
>  [<c1196b4a>] ? tcp_v4_rcv+0x442/0x640
>  [<c118003e>] ? ip_local_deliver_finish+0xf3/0x1ab
>  [<c117fcd9>] ? ip_rcv_finish+0x2a9/0x2cf
>  [<c117fa30>] ? ip_rcv_finish+0x0/0x2cf
>  [<c116b7c5>] ? netif_receive_skb+0x261/0x281
>  [<f8527bfc>] ? e1000_clean_rx_irq+0x31c/0x3c3 [e1000]
>  [<f852a6fa>] ? e1000_clean+0x2a7/0x3f5 [e1000]
>  [<c11c783c>] ? _spin_unlock_irqrestore+0xe/0x21
>  [<c10354c0>] ? hrtimer_run_pending+0xd/0xa5
>  [<c11c769b>] ? _spin_lock_irq+0xe/0x24
>  [<c116bce5>] ? net_rx_action+0x57/0xfd
>  [<c1027ea3>] ? __do_softirq+0x7a/0xe3
>  [<c1027e29>] ? __do_softirq+0x0/0xe3
>  <IRQ>  [<c1027c3c>] ? irq_exit+0x29/0x63
>  [<c1004320>] ? do_IRQ+0x7c/0x8d
>  [<c1002f29>] ? common_interrupt+0x29/0x30
> ---[ end trace e643d9455a26ccf5 ]---
> 
> 
> 


Hmm, one other sk_forward_alloc corruption I guess...

I fixed one corruption but this is only about UDP sockets used by SUNRPC,
while your traces seems to point a TCP problem.


This is a note to let you know that we have just queued up the patch titled

    Subject: net: fix sk_forward_alloc corruption

to the 2.6.31-stable tree.  Its filename is

    net-fix-sk_forward_alloc-corruption.patch

A git repo of this tree can be found at 
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary


>From 4432366eece70b6cf72a7e862945ea8c9e576e3d Mon Sep 17 00:00:00 2001
From: Eric Dumazet <eric.dumazet@...il.com>
Date: Sun, 15 Nov 2009 20:50:00 -0800
Subject: net: fix sk_forward_alloc corruption

From: Eric Dumazet <eric.dumazet@...il.com>

[ Upstream commit: 9d410c796067686b1e032d54ce475b7055537138 ]

On UDP sockets, we must call skb_free_datagram() with socket locked,
or risk sk_forward_alloc corruption. This requirement is not respected
in SUNRPC.

Add a convenient helper, skb_free_datagram_locked() and use it in SUNRPC

Reported-by: Francis Moreau <francis.moro@...il.com>
Signed-off-by: Eric Dumazet <eric.dumazet@...il.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
---
 include/linux/skbuff.h |    2 ++
 net/core/datagram.c    |   10 +++++++++-
 net/ipv4/udp.c         |    4 +---
 net/ipv6/udp.c         |    4 +---
 net/sunrpc/svcsock.c   |   10 +++++-----
 5 files changed, 18 insertions(+), 12 deletions(-)

--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1761,6 +1761,8 @@ extern int	       skb_copy_datagram_cons
 						     int to_offset,
 						     int size);
 extern void	       skb_free_datagram(struct sock *sk, struct sk_buff *skb);
+extern void	       skb_free_datagram_locked(struct sock *sk,
+						struct sk_buff *skb);
 extern int	       skb_kill_datagram(struct sock *sk, struct sk_buff *skb,
 					 unsigned int flags);
 extern __wsum	       skb_checksum(const struct sk_buff *skb, int offset,
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -223,6 +223,15 @@ void skb_free_datagram(struct sock *sk, 
 	consume_skb(skb);
 	sk_mem_reclaim_partial(sk);
 }
+EXPORT_SYMBOL(skb_free_datagram);
+
+void skb_free_datagram_locked(struct sock *sk, struct sk_buff *skb)
+{
+	lock_sock(sk);
+	skb_free_datagram(sk, skb);
+	release_sock(sk);
+}
+EXPORT_SYMBOL(skb_free_datagram_locked);
 
 /**
  *	skb_kill_datagram - Free a datagram skbuff forcibly
@@ -749,5 +758,4 @@ unsigned int datagram_poll(struct file *
 EXPORT_SYMBOL(datagram_poll);
 EXPORT_SYMBOL(skb_copy_and_csum_datagram_iovec);
 EXPORT_SYMBOL(skb_copy_datagram_iovec);
-EXPORT_SYMBOL(skb_free_datagram);
 EXPORT_SYMBOL(skb_recv_datagram);
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -987,9 +987,7 @@ try_again:
 		err = ulen;
 
 out_free:
-	lock_sock(sk);
-	skb_free_datagram(sk, skb);
-	release_sock(sk);
+	skb_free_datagram_locked(sk, skb);
 out:
 	return err;
 
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -288,9 +288,7 @@ try_again:
 		err = ulen;
 
 out_free:
-	lock_sock(sk);
-	skb_free_datagram(sk, skb);
-	release_sock(sk);
+	skb_free_datagram_locked(sk, skb);
 out:
 	return err;
 
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -110,7 +110,7 @@ static void svc_release_skb(struct svc_r
 		rqstp->rq_xprt_ctxt = NULL;
 
 		dprintk("svc: service %p, releasing skb %p\n", rqstp, skb);
-		skb_free_datagram(svsk->sk_sk, skb);
+		skb_free_datagram_locked(svsk->sk_sk, skb);
 	}
 }
 
@@ -537,7 +537,7 @@ static int svc_udp_recvfrom(struct svc_r
 			printk("rpcsvc: received unknown control message:"
 			       "%d/%d\n",
 			       cmh->cmsg_level, cmh->cmsg_type);
-		skb_free_datagram(svsk->sk_sk, skb);
+		skb_free_datagram_locked(svsk->sk_sk, skb);
 		return 0;
 	}
 	svc_udp_get_dest_address(rqstp, cmh);
@@ -548,18 +548,18 @@ static int svc_udp_recvfrom(struct svc_r
 		if (csum_partial_copy_to_xdr(&rqstp->rq_arg, skb)) {
 			local_bh_enable();
 			/* checksum error */
-			skb_free_datagram(svsk->sk_sk, skb);
+			skb_free_datagram_locked(svsk->sk_sk, skb);
 			return 0;
 		}
 		local_bh_enable();
-		skb_free_datagram(svsk->sk_sk, skb);
+		skb_free_datagram_locked(svsk->sk_sk, skb);
 	} else {
 		/* we can use it in-place */
 		rqstp->rq_arg.head[0].iov_base = skb->data +
 			sizeof(struct udphdr);
 		rqstp->rq_arg.head[0].iov_len = len;
 		if (skb_checksum_complete(skb)) {
-			skb_free_datagram(svsk->sk_sk, skb);
+			skb_free_datagram_locked(svsk->sk_sk, skb);
 			return 0;
 		}
 		rqstp->rq_xprt_ctxt = skb;



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ