
[slab,poison,overwritten] Re: [GIT] Networking

Message ID 1300738540.2837.5.camel@edumazet-laptop
State Accepted, archived
Delegated to: David Miller

Commit Message

Eric Dumazet March 21, 2011, 8:15 p.m. UTC
On Monday 21 March 2011 at 19:07 +0100, Eric Dumazet wrote:
> On Monday 21 March 2011 at 18:39 +0100, Ingo Molnar wrote:
> > here's the same but with kallsyms enabled.
> > 
> > Thanks,
> > 
> > 	Ingo
> > 
> > [    9.585627] initcall 0xffffffff81d5b806 returned 0 after 0 usecs
> > [    9.588960] calling  0xffffffff81d5b9da @ 1
> > [    9.592303] IPVS: Creating netns size=1272 id=0
> > [    9.595646] IPVS: __ip_vs_control_init(): alloc_percpu.
> > [    9.602298] IPVS: cannot register namespace.
> > [    9.605627] IPVS: can't setup control
> 
> It seems IPVS is busted in case of memory allocation error in 
> __ip_vs_control_init()
> 
> IPVS deinits its "struct netns_ipvs" space, but something (in IPVS) uses
> it after free.
> 
> __ip_vs_init() seems to be called before ip_vs_init() completes
> correctly. We then keep in net->ipvs a pointer to some freed memory.
> 
> Commit 14e405461e664b7 did some changes in this area
> 
> Simon, any idea ?
> 
> 

For the time being, we can avoid the false memory allocation error (and
leak)

Thanks

[PATCH] ipvs: fix a typo in __ip_vs_control_init()

Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Simon Horman <horms@verge.net.au>
Cc: Julian Anastasov <ja@ssi.bg>
---
 net/netfilter/ipvs/ip_vs_ctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
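
The failure discussed in this message, as an added userspace C model that is not part of the original post or of the kernel source: it runs the pre-patch and patched form of the allocation test and reports whether a failed init leaves an unreleased allocation and a stale `net->ipvs`, following the thread's description. All names (`slot`, `net_model`, `run_case`, `budget`) and the static pool standing in for the allocator are assumptions.

```c
#include <stdio.h>
/* Userspace model; every name is a hypothetical stand-in, not kernel code. */
enum { SLOTS = 4, MODEL_ENOMEM = 12 };
struct slot { int in_use; struct slot *cpustats; };
struct net_model { struct slot *ipvs; };
struct outcome { int err, leaked, stale; };
static struct slot pool[SLOTS];   /* static pool: released slots stay inspectable */
static int budget;                /* allocations allowed before failure */
static struct slot *model_alloc(void) {
    for (int i = 0; i < SLOTS && budget > 0; i++)
        if (!pool[i].in_use) { budget--; pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

/* inverted=1 is the pre-patch test, inverted=0 the patched one. */
static int control_init(struct slot *ipvs, int inverted) {
    ipvs->cpustats = model_alloc();
    if (inverted ? ipvs->cpustats != NULL : ipvs->cpustats == NULL)
        return -MODEL_ENOMEM;     /* returns without releasing cpustats */
    return 0;
}

/* On error the state is released but net->ipvs keeps its address. */
static int ns_init(struct net_model *net, int inverted) {
    net->ipvs = model_alloc();
    if (!net->ipvs)
        return -MODEL_ENOMEM;
    int err = control_init(net->ipvs, inverted);
    if (err)
        net->ipvs->in_use = 0;    /* models the free */
    return err;
}

/* Run one scenario on a fresh pool; report what a failed init leaves behind. */
static struct outcome run_case(int inverted, int allowed) {
    struct net_model net = { NULL };
    struct outcome o = { 0, 0, 0 };
    for (int i = 0; i < SLOTS; i++) pool[i].in_use = 0;
    budget = allowed;
    o.err = ns_init(&net, inverted);
    for (int i = 0; o.err && i < SLOTS; i++) o.leaked += pool[i].in_use;
    o.stale = o.err && net.ipvs && !net.ipvs->in_use;
    return o;
}

int main(void) {
    struct outcome o = run_case(1, SLOTS);   /* pre-patch, memory available */
    return printf("err=%d leaked=%d stale=%d\n", o.err, o.leaked, o.stale) < 0;
}
```

`run_case(0, 1)` exercises the patched test with a genuine allocation failure: nothing is leaked, but the stale pointer remains in the model.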

Comments

Simon Horman March 21, 2011, 10:13 p.m. UTC | #1
On Mon, Mar 21, 2011 at 09:15:40PM +0100, Eric Dumazet wrote:
> On Monday 21 March 2011 at 19:07 +0100, Eric Dumazet wrote:
> > On Monday 21 March 2011 at 18:39 +0100, Ingo Molnar wrote:
> > > here's the same but with kallsyms enabled.
> > > 
> > > Thanks,
> > > 
> > > 	Ingo
> > > 
> > > [    9.585627] initcall 0xffffffff81d5b806 returned 0 after 0 usecs
> > > [    9.588960] calling  0xffffffff81d5b9da @ 1
> > > [    9.592303] IPVS: Creating netns size=1272 id=0
> > > [    9.595646] IPVS: __ip_vs_control_init(): alloc_percpu.
> > > [    9.602298] IPVS: cannot register namespace.
> > > [    9.605627] IPVS: can't setup control
> > 
> > It seems IPVS is busted in case of memory allocation error in 
> > __ip_vs_control_init()
> > 
> > IPVS deinits its "struct netns_ipvs" space, but something (in IPVS) uses
> > it after free.
> > 
> > __ip_vs_init() seems to be called before ip_vs_init() completes
> > correctly. We then keep in net->ipvs a pointer to some freed memory.
> > 
> > Commit 14e405461e664b7 did some changes in this area
> > 
> > Simon, any idea ?
> > 
> > 
> 
> For the time being, we can avoid the false memory allocation error (and
> leak)

Sorry, that typo is my work.

> Thanks
> 
> [PATCH] ipvs: fix a typo in __ip_vs_control_init()
> 
> Reported-by: Ingo Molnar <mingo@elte.hu>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Simon Horman <horms@verge.net.au>
> Cc: Julian Anastasov <ja@ssi.bg>

Acked-by: Simon Horman <horms@verge.net.au>

> ---
>  net/netfilter/ipvs/ip_vs_ctl.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index b799cea..33733c8 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -3605,7 +3605,7 @@ int __net_init __ip_vs_control_init(struct net *net)
>  
>  	/* procfs stats */
>  	ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
> -	if (ipvs->tot_stats.cpustats) {
> +	if (!ipvs->tot_stats.cpustats) {
>  		pr_err("%s(): alloc_percpu.\n", __func__);
>  		return -ENOMEM;
>  	}
> 
> 
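Review bot: the `return -ENOMEM;` branch under the corrected `if (!ipvs->tot_stats.cpustats)` test is still taken on a genuine alloc_percpu() failure, and the thread reports that a failure in __ip_vs_control_init() leaves net->ipvs pointing at freed memory; this change only stops the branch from being taken on success. The caller's unwind path needs its own follow-up, ideally tested with a forced allocation failure. Separately, the pr_err() text `alloc_percpu.` does not say that the allocation failed; wording such as "alloc_percpu failed" would be clearer in the boot log.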
Simon Horman March 21, 2011, 11:29 p.m. UTC | #2
On Tue, Mar 22, 2011 at 07:13:58AM +0900, Simon Horman wrote:
> On Mon, Mar 21, 2011 at 09:15:40PM +0100, Eric Dumazet wrote:
> > On Monday 21 March 2011 at 19:07 +0100, Eric Dumazet wrote:
> > > On Monday 21 March 2011 at 18:39 +0100, Ingo Molnar wrote:
> > > > here's the same but with kallsyms enabled.
> > > > 
> > > > Thanks,
> > > > 
> > > > 	Ingo
> > > > 
> > > > [    9.585627] initcall 0xffffffff81d5b806 returned 0 after 0 usecs
> > > > [    9.588960] calling  0xffffffff81d5b9da @ 1
> > > > [    9.592303] IPVS: Creating netns size=1272 id=0
> > > > [    9.595646] IPVS: __ip_vs_control_init(): alloc_percpu.
> > > > [    9.602298] IPVS: cannot register namespace.
> > > > [    9.605627] IPVS: can't setup control
> > > 
> > > It seems IPVS is busted in case of memory allocation error in 
> > > __ip_vs_control_init()
> > > 
> > > IPVS deinits its "struct netns_ipvs" space, but something (in IPVS) uses
> > > it after free.
> > > 
> > > __ip_vs_init() seems to be called before ip_vs_init() completes
> > > correctly. We then keep in net->ipvs a pointer to some freed memory.
> > > 
> > > Commit 14e405461e664b7 did some changes in this area
> > > 
> > > Simon, any idea ?
> > > 
> > > 
> > 
> > For the time being, we can avoid the false memory allocation error (and
> > leak)
> 
> Sorry, that typo is my work.

With your patch applied I now see the following

ffff880003bbf1a0 corresponds to &ipvs->app_key in __ip_vs_app_init().
I'll continue looking into this.

[   12.610000] IPVS: Creating netns size=2456 id=0
[   12.630000] IPVS: Registered protocols (TCP, UDP, SCTP, AH, ESP)
[   12.640000] BUG: key ffff880003bbf1a0 not in .data!
[   12.640000] ------------[ cut here ]------------
[   12.640000] WARNING: at kernel/lockdep.c:2701 lockdep_init_map+0x37b/0x570()
[   12.640000] Hardware name: Bochs
[   12.640000] Pid: 1, comm: swapper Tainted: G        W 2.6.38-kexec-06330-g69b7efe-dirty #122
[   12.650000] Call Trace:
[   12.650000]  [<ffffffff8102e685>] warn_slowpath_common+0x75/0xb0
[   12.650000]  [<ffffffff8102e6d5>] warn_slowpath_null+0x15/0x20
[   12.650000]  [<ffffffff8105967b>] lockdep_init_map+0x37b/0x570
[   12.650000]  [<ffffffff8105829d>] ? trace_hardirqs_on+0xd/0x10
[   12.650000]  [<ffffffff81055ad8>] debug_mutex_init+0x38/0x50
[   12.650000]  [<ffffffff8104bc4c>] __mutex_init+0x5c/0x70
[   12.650000]  [<ffffffff81685ee7>] __ip_vs_app_init+0x64/0x86
[   12.660000]  [<ffffffff81685a3b>] ? ip_vs_init+0x0/0xff
[   12.660000]  [<ffffffff811b1c33>] T.620+0x43/0x170
[   12.660000]  [<ffffffff811b1e9a>] ? register_pernet_subsys+0x1a/0x40
[   12.660000]  [<ffffffff81685a3b>] ? ip_vs_init+0x0/0xff
[   12.660000]  [<ffffffff81685a3b>] ? ip_vs_init+0x0/0xff
[   12.660000]  [<ffffffff811b1db7>] register_pernet_operations+0x57/0xb0
[   12.660000]  [<ffffffff81685a3b>] ? ip_vs_init+0x0/0xff
[   12.670000]  [<ffffffff811b1ea9>] register_pernet_subsys+0x29/0x40
[   12.670000]  [<ffffffff81685f19>] ip_vs_app_init+0x10/0x12
[   12.670000]  [<ffffffff81685a87>] ip_vs_init+0x4c/0xff
[   12.670000]  [<ffffffff8166562c>] do_one_initcall+0x7a/0x12e
[   12.670000]  [<ffffffff8166583e>] kernel_init+0x13e/0x1c2
[   12.670000]  [<ffffffff8128c134>] kernel_thread_helper+0x4/0x10
[   12.670000]  [<ffffffff8128ad40>] ? restore_args+0x0/0x30
[   12.680000]  [<ffffffff81665700>] ? kernel_init+0x0/0x1c2
[   12.680000]  [<ffffffff8128c130>] ? kernel_thread_helper+0x0/0x10
[   12.680000] ---[ end trace 4eaa2a86a8e2da23 ]---

David Miller March 22, 2011, 3:39 a.m. UTC | #3
From: Simon Horman <horms@verge.net.au>
Date: Tue, 22 Mar 2011 07:13:58 +0900

> On Mon, Mar 21, 2011 at 09:15:40PM +0100, Eric Dumazet wrote:
>> [PATCH] ipvs: fix a typo in __ip_vs_control_init()
>> 
>> Reported-by: Ingo Molnar <mingo@elte.hu>
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>> Cc: Simon Horman <horms@verge.net.au>
>> Cc: Julian Anastasov <ja@ssi.bg>
> 
> Acked-by: Simon Horman <horms@verge.net.au>

Applied.
Ingo Molnar March 22, 2011, 9:56 a.m. UTC | #4
* Eric Dumazet <eric.dumazet@gmail.com> wrote:

> [PATCH] ipvs: fix a typo in __ip_vs_control_init()

This fix and Simon's:

  IPVS: Use global mutex in ip_vs_app.c

Did the trick here, the IPVS related SLAB corruptions are now gone.

Thanks guys!

	Ingo
Eric Dumazet March 22, 2011, 10 a.m. UTC | #5
On Tuesday 22 March 2011 at 10:56 +0100, Ingo Molnar wrote:
> * Eric Dumazet <eric.dumazet@gmail.com> wrote:
> 
> > [PATCH] ipvs: fix a typo in __ip_vs_control_init()
> 
> This fix and Simon's:
> 
>   IPVS: Use global mutex in ip_vs_app.c
> 
> Did the trick here, the IPVS related SLAB corruptions are now gone.
> 
> Thanks guys!

Thanks for testing Ingo ;)



Simon Horman March 22, 2011, 9:52 p.m. UTC | #6
On Tue, Mar 22, 2011 at 11:00:39AM +0100, Eric Dumazet wrote:
> On Tuesday 22 March 2011 at 10:56 +0100, Ingo Molnar wrote:
> > * Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > 
> > > [PATCH] ipvs: fix a typo in __ip_vs_control_init()
> > 
> > This fix and Simon's:
> > 
> >   IPVS: Use global mutex in ip_vs_app.c
> > 
> > Did the trick here, the IPVS related SLAB corruptions are now gone.
> > 
> > Thanks guys!
> 
> Thanks for testing Ingo ;)

Yes, thanks Ingo.

Patch

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index b799cea..33733c8 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3605,7 +3605,7 @@  int __net_init __ip_vs_control_init(struct net *net)
 
 	/* procfs stats */
 	ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
-	if (ipvs->tot_stats.cpustats) {
+	if (!ipvs->tot_stats.cpustats) {
 		pr_err("%s(): alloc_percpu.\n", __func__);
 		return -ENOMEM;
 	}
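
Review bot: the changelog has no body, and for a one-character change at the `if (!ipvs->tot_stats.cpustats)` test the effect should be written down. With the old test the function logged `alloc_percpu.` and returned -ENOMEM exactly when alloc_percpu() had succeeded, without releasing the percpu area, which is the false allocation error and leak mentioned in the posting; when the allocation really failed, the old test let the function continue with a NULL cpustats. Please state both effects in the commit message.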