Re: [BUG] 3.2-rc2: BUG kmalloc-8: Redzone overwritten

From: Steven Whitehouse
Date: Mon Nov 21 2011 - 05:57:18 EST


Hi,

On Mon, 2011-11-21 at 11:21 +0100, Eric Dumazet wrote:
> On Monday 21 November 2011 at 11:15 +0100, Eric Dumazet wrote:
>
> >
> > Hmm, trinity tries to crash decnet ;)
> >
> > Maybe we should remove this decnet stuff for good instead of tracking
> > all bugs just for the record. Is there anybody still using decnet ?
> >
The best place to ask that question is on the decnet mailing list:
linux-decnet-user@xxxxxxxxxxxxxxxxxxxxxx. I've BCC'd this message since
that list requires you to be subscribed in order to post there.

I have to say that I've been wondering lately whether it has got to the
point where it is no longer useful. Has anybody actually tested it
lately against "real" DEC implementations?

Steve.

>
> > For example dn_start_slow_timer() starts a timer without holding a
> > reference on struct sock, this is highly suspect.
> >
> > [PATCH] decnet: proper socket refcounting
> >
> > Better use sk_reset_timer() / sk_stop_timer() helpers to make sure we
> > don't access already freed/reused memory later.
> >
> > Reported-by: Sasha Levin <levinsasha928@xxxxxxxxx>
> > Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
>
> Hmm, I forgot to remove the sock_hold(sk) call from dn_slow_timer(),
> here is V2 :
>
> [PATCH] decnet: proper socket refcounting
>
> Better use sk_reset_timer() / sk_stop_timer() helpers to make sure we
> don't access already freed/reused memory later.
>
> Reported-by: Sasha Levin <levinsasha928@xxxxxxxxx>
> Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
> ---
> V2: remove sock_hold(sk) call from dn_slow_timer()
>
> net/decnet/dn_timer.c | 17 +++++------------
> 1 file changed, 5 insertions(+), 12 deletions(-)
>
> diff --git a/net/decnet/dn_timer.c b/net/decnet/dn_timer.c
> index 67f691b..d9c150c 100644
> --- a/net/decnet/dn_timer.c
> +++ b/net/decnet/dn_timer.c
> @@ -36,16 +36,13 @@ static void dn_slow_timer(unsigned long arg);
>
> void dn_start_slow_timer(struct sock *sk)
> {
> - sk->sk_timer.expires = jiffies + SLOW_INTERVAL;
> - sk->sk_timer.function = dn_slow_timer;
> - sk->sk_timer.data = (unsigned long)sk;
> -
> - add_timer(&sk->sk_timer);
> + setup_timer(&sk->sk_timer, dn_slow_timer, (unsigned long)sk);
> + sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);
> }
>
> void dn_stop_slow_timer(struct sock *sk)
> {
> - del_timer(&sk->sk_timer);
> + sk_stop_timer(sk, &sk->sk_timer);
> }
>
> static void dn_slow_timer(unsigned long arg)
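Review bot: setup_timer() in dn_start_slow_timer() re-initialises sk_timer on every call, which is only safe if the timer is not pending at that point (init_timer() on a queued timer corrupts its list linkage). The old add_timer() code had the same constraint, so this is not a regression, but it would be cleaner to do the setup_timer() once in the socket initialisation path and leave only `sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);` here. The dn_stop_slow_timer() change is right: sk_stop_timer() only drops the socket reference when del_timer() actually removed a pending timer, so it stays balanced with the hold sk_reset_timer() takes when arming.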
> @@ -53,12 +50,10 @@ static void dn_slow_timer(unsigned long arg)
> struct sock *sk = (struct sock *)arg;
> struct dn_scp *scp = DN_SK(sk);
>
> - sock_hold(sk);
> bh_lock_sock(sk);
>
> if (sock_owned_by_user(sk)) {
> - sk->sk_timer.expires = jiffies + HZ / 10;
> - add_timer(&sk->sk_timer);
> + sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 10);
> goto out;
> }
>
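Review bot: dropping sock_hold(sk) at the top of dn_slow_timer() is correct only because sk_reset_timer() took a reference when the timer was armed; the handler now runs under that reference and the `sock_put(sk);` at out: releases it. In the sock_owned_by_user() branch the timer is no longer pending when the callback runs, so mod_timer() returns 0 and sk_reset_timer() takes a fresh sock_hold() for the re-armed timer before the existing reference is put, which keeps the count balanced. Please add a comment above bh_lock_sock(sk) saying the reference is owned by the pending timer; otherwise the apparently unpaired sock_put() at the end of the function looks like a bug to the next reader.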
> @@ -100,9 +95,7 @@ static void dn_slow_timer(unsigned long arg)
> scp->keepalive_fxn(sk);
> }
>
> - sk->sk_timer.expires = jiffies + SLOW_INTERVAL;
> -
> - add_timer(&sk->sk_timer);
> + sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);
> out:
> bh_unlock_sock(sk);
> sock_put(sk);
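Review bot: same pattern as the sock_owned_by_user() branch: `sk_reset_timer(sk, &sk->sk_timer, jiffies + SLOW_INTERVAL);` re-arms and takes the next hold before `sock_put(sk);` at out: drops the current one, so the socket cannot be freed between the two. The commit message only says to "use sk_reset_timer() / sk_stop_timer() helpers"; it should state explicitly that the socket reference is now held by the pending timer rather than taken inside the handler, since that invariant is what stops the access to already freed/reused memory the report describes.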
>
>


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/