From: Alexander Potapenko
Date: Tue, 5 Nov 2019 11:19:08 +0100
Subject: Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS with init_on_free
To: Thibaut Sautereau
Cc: Eric Dumazet, Networking, Linux Memory Management List, LKML, "David S. Miller", Laura Abbott, Kees Cook, Andrew Morton, clipos@ssi.gouv.fr
In-Reply-To: <20191105080554.GA1006@gandi.net>

On Tue, Nov 5, 2019 at 9:06 AM Thibaut Sautereau wrote:
>
> On Mon, Nov 04, 2019 at 09:33:18AM -0800, Eric Dumazet wrote:
> >
> > On 11/4/19 9:03 AM, Thibaut Sautereau wrote:
> > >
> > > We first encountered this issue under huge network traffic (system image
> > > download), and I was able to reproduce by simply sending a big packet
> > > with `ping -s 65507 `, which crashes the kernel every single time.
> > >
> >
> > Since you have a repro, could you start a bisection?
>
> From my previous email:
>
> "Bisection points to the following commit: 1b7e816fc80e ("mm: slub:
> Fix slab walking for init_on_free"), and indeed the BUG is not
> triggered when init_on_free is disabled."
>
> Or are you meaning something else?

Could you please give more specific reproduction steps?
I've checked out v5.3.8 from
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git, ran
`make defconfig` and added CONFIG_SLUB_DEBUG_ON=y.
Then I've built the kernel, ran it on QEMU with slub_debug=F and
init_on_free=1, SSHed into the machine and executed `ping -s 65507 127.0.0.1`.
This however didn't trigger any crashes.
Am I missing something?
> --
> Thibaut Sautereau
> CLIP OS developer

-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Paul Manicle, Halimah DeLaine Prado
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
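The thread above only covers reproducing the report, so here is an added example (my own userspace model, not kernel code and not from any participant) of why a free-time consistency check like the one slub_debug=F enables reports a double free, and why init_on_free zeroing must happen before the freelist link is written into the freed object. The model_* names and the 64-byte object size are constructed assumptions.

```c
/* Added example, not code from this thread or the kernel: a userspace model of
 * a SLUB-style slab (freelist link inside each free object) with init_on_free
 * zeroing and a free-time consistency check. model_* names are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define OBJ_SIZE 64                      /* bytes per object */
#define NR_OBJS  8
static uint8_t model_slab[NR_OBJS * OBJ_SIZE];
static void *model_freelist;             /* head of the free list */
static bool model_init_on_free = true;   /* models init_on_free=1 */

/* The link to the next free object is kept in the object's first bytes. */
static void *model_next(const void *obj) { void *n; memcpy(&n, obj, sizeof n); return n; }

static void model_init(void)
{
    model_freelist = NULL;
    for (int i = NR_OBJS - 1; i >= 0; i--) {
        void *obj = model_slab + i * OBJ_SIZE;
        memcpy(obj, &model_freelist, sizeof model_freelist);
        model_freelist = obj;
    }
}

static void *model_alloc(void)
{
    void *obj = model_freelist;
    if (!obj) return NULL;
    model_freelist = model_next(obj);    /* pop */
    memset(obj, 0xAA, OBJ_SIZE);         /* stand-in for the caller's data */
    return obj;
}

/* Returns 0 on success, -1 when the check (what slub_debug=F turns on in the
 * real kernel) finds the object already on the freelist: a double free. */
static int model_free(void *obj)
{
    for (void *p = model_freelist; p; p = model_next(p))
        if (p == obj) { fprintf(stderr, "BUG: Object already free %p\n", obj); return -1; }
    /* Zero first, then link: zeroing after the link is written would wipe
     * the freelist pointer that lives inside the object. */
    if (model_init_on_free) memset(obj, 0, OBJ_SIZE);
    memcpy(obj, &model_freelist, sizeof model_freelist);
    model_freelist = obj;
    return 0;
}
```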