Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS with init_on_free

From: Thibaut Sautereau
Date: Tue Nov 05 2019 - 03:06:03 EST

Next message: Greg Kroah-Hartman: "Re: stable-rc-5.3.9-rc1: regressions detected - remove_proc_entry: removing non-empty directory 'net/dev_snmp6', leaking at least 'lo'"
Previous message: syzbot: "Re: KASAN: use-after-free Read in j1939_session_get_by_addr"
In reply to: Eric Dumazet: "Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS with init_on_free"
Next in thread: Alexander Potapenko: "Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS with init_on_free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 04, 2019 at 09:33:18AM -0800, Eric Dumazet wrote:
>
>
> On 11/4/19 9:03 AM, Thibaut Sautereau wrote:
> >
> > We first encountered this issue under huge network traffic (system image
> > download), and I was able to reproduce by simply sending a big packet
> > with `ping -s 65507 <ip>`, which crashes the kernel every single time.
> >
>
> Since you have a repro, could you start a bisection ?

>From my previous email:

"Bisection points to the following commit: 1b7e816fc80e ("mm: slub:
Fix slab walking for init_on_free"), and indeed the BUG is not
triggered when init_on_free is disabled."

Or are you meaning something else?

--
Thibaut Sautereau
CLIP OS developer

Next message: Greg Kroah-Hartman: "Re: stable-rc-5.3.9-rc1: regressions detected - remove_proc_entry: removing non-empty directory 'net/dev_snmp6', leaking at least 'lo'"
Previous message: syzbot: "Re: KASAN: use-after-free Read in j1939_session_get_by_addr"
In reply to: Eric Dumazet: "Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS with init_on_free"
Next in thread: Alexander Potapenko: "Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS with init_on_free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]