From patchwork Sat Nov 8 03:36:18 2008
X-Patchwork-Submitter: Alexey Dobriyan
X-Patchwork-Id: 7845
X-Patchwork-Delegate: davem@davemloft.net
Date: Sat, 8 Nov 2008 06:36:18 +0300
From: Alexey Dobriyan
To: Eric Sesterhenn, davem@davemloft.net
Cc: netdev@vger.kernel.org, alan@lxorguk.ukuu.org.uk
Subject: [PATCH] net: fix /proc/net/snmp as memory corruptor
Message-ID: <20081108033618.GA27960@x200.localdomain>
References: <20081108002208.GB17721@alice> <20081108010237.GA7062@x200.localdomain> <20081108025256.GA16001@x200.localdomain>
In-Reply-To: <20081108025256.GA16001@x200.localdomain>
X-Mailing-List: netdev@vger.kernel.org

On Sat, Nov 08, 2008 at 05:52:56AM +0300, Alexey Dobriyan wrote:
> On Sat, Nov 08, 2008 at 04:02:37AM +0300, Alexey Dobriyan wrote:
> > On Sat, Nov 08, 2008 at 01:22:08AM +0100, Eric Sesterhenn wrote:
> > > running a bunch of network related stresstests (isic, isicng, ...)
> > > and trying to read all files in /proc afterwards gave me two
> > > oopses. I was able to reproduce them on another box with
> > > a different config. I was able to reproduce this on 2.6.24 too,
> > > so this is no regression. The icmpsic is version 0.06.
> > > The minimal testcase to trigger this:
> > >
> > > ------------8<----------------
> > > #!/bin/bash
> > >
> > > icmpsic -s 127.0.0.1 -d 127.0.0.1 -p 100000
> > >
> > > find /proc/net/ | xargs cat > /dev/null
> > >
> > > cat /proc/net/ip_mr_cache
> > > cat /proc/net/ip_mr_vif
> > > ------------8<----------------
> > >
> > >
> > > root@computer-desktop:~/testing# cat /proc/338/net/ip_mr_cache
> > >
> > > [ 1572.702100] BUG: unable to handle kernel NULL pointer dereference at 000001c1
> > > [ 1572.702588] IP: [] ipmr_mfc_seq_show+0x26/0xf0
> >
> > Reproduced.
>
> icmpsic -s 127.0.0.1 -d 127.0.0.1 -p 100000
> cat /proc/net/snmp # sic
> cat /proc/net/ip_mr_cache
>
> mfc_cache_array is full of small integers
>
> [0] = 0x1a8
> [1] = 0x1a9
>
> and so on.

OK, this minimally fixes mfc_cache_array corruption.

Someone was scared of 16 integers on stack.
:^)

[PATCH] net: fix /proc/net/snmp as memory corruptor

Local "interesting MIBs" table is so small, and counter can get so big given junk ICMP packets.

Signed-off-by: Alexey Dobriyan
---

 net/ipv4/proc.c | 1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c @@ -263,6 +263,7 @@ static void icmpmsg_put(struct seq_file *seq) snmp_fold_field((void **) net->mib.icmpmsg_statistics, out[j])); seq_putc(seq, '\n'); + count = 0; } if (count) { seq_printf(seq, "\nIcmpMsg:");
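
Review bot: the `count = 0;` added after `seq_putc(seq, '\n');` keeps writes inside `out[]` only as long as the flush condition earlier in the enclosing block, which this hunk does not show, fires before `count` reaches the end of the table. Tie that condition to the size of `out` (an ARRAY_SIZE-style check rather than a separately maintained constant) so the reset and the bound cannot drift apart. The changelog should also name the array being overrun and say that the counter was not reset after a full line was printed; the thread reports the oops on 2.6.24 as well, so the fix is worth flagging for stable.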