Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp587001ybx;
        Tue, 5 Nov 2019 02:21:12 -0800 (PST)
X-Google-Smtp-Source: APXvYqyinUjEjJObJhmFCP5zVXmLTzigJ9plHJUemqrzMT4nDAQGjwVgbKJ9b1rwUiuAX6FAY1X4
X-Received: by 2002:a50:aad2:: with SMTP id r18mr35354162edc.44.1572949272875;
        Tue, 05 Nov 2019 02:21:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1572949272; cv=none;
        d=google.com; s=arc-20160816;
        b=vb2c9syVHiEO/fI03+lBtqk8ScZtpqQ15vEL3SJ4HDuWrYaiD2voPMminlwxt9AT68
         l1nMuuSFvf4jXzEB2KgIc+ACtz5yeSPF0mNmzVtN+YhmyG0BVMDTxcqFHPCOo9ppmnm/
         gDc+PMmEqIZZ3RjPVJv1gnQlgl7MHndT3a7JM96aK4H3IiaH1fPmgf4L4UTgmwtqdTkv
         XkHIAI7trIsRSNr8rEASqWOUeodFoaL9OAxZp1RQCGZNfo+BscBKAwbYRQ1ylsX4ROV/
         0HISbzXgH+o6+pkYHkYblO0SsFWgWDsNu9KBipllXqYxbEJPQ/CCuFf3DwkIzQdQbQcS
         Uo7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=Vg9FJPss8oQNDihBdCZVUS9OPM3FEf7k8iX3IaB/rMk=;
        b=M6Xq+5NG4Cbl8Y2zdkyDiLxCSRua84jcexVG0x+1SW2rSCZK5Di1YeyDw7iMiOcVef
         hZV9xDi98LzTLrX4hZxuGfkc7PCbhr+QOB6xaVmgo4vUmi8VD1GRL7uVlezq2IATAvc5
         blAmHAghwWS1crNlmOGt3SLXGKZz6hBQCZWawJH6Oft+eodQZFyxua5Qo1otuWr6ceE0
         W++sQ5PKXj1hKX3V6C21m/FmFzCCbd0uv7cBJuO2gW529Z1n2WUwolz5XQ+LE/cTTdg5
         2HNPtuDakv52jCTmwvhuqi+Xsei0F922Y81amfK4L83QY7ndCDUeYwSrSK9YKc0Ky+4S
         Rp4w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=RcHtpXj3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id fy19si13193589ejb.239.2019.11.05.02.20.48;
        Tue, 05 Nov 2019 02:21:12 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=RcHtpXj3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388283AbfKEKTW (ORCPT <rfc822;zhangckid@gmail.com> + 99 others);
        Tue, 5 Nov 2019 05:19:22 -0500
Received: from mail-wr1-f68.google.com ([209.85.221.68]:33624 "EHLO
        mail-wr1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388412AbfKEKTW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Nov 2019 05:19:22 -0500
Received: by mail-wr1-f68.google.com with SMTP id s1so20695998wro.0
        for <linux-kernel@vger.kernel.org>; Tue, 05 Nov 2019 02:19:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=Vg9FJPss8oQNDihBdCZVUS9OPM3FEf7k8iX3IaB/rMk=;
        b=RcHtpXj3xta/TON458H7sjcflesgxh5ZIlGgF/w8cfKM3Tk++oQ+UbZoc9IbQXIzNP
         lZfX6mIUUKkgE4D47Exwy+dGakSiN0zHvJYFfxPtZ9uY0UBy7SkGiDKKyKO1VicjgGe2
         lHaKhpBd+dQXxgTS0O8qp8jxGhIuK897UuPkUay4dMSF3M1M5+2/j6DUaE5x4kwSlV2k
         FZPFnDT9ipt72eBrh88K+/boQvPA+ScTe+0DiBMVtpbdc48zbwDqyVtemGY50IG8Zq1f
         y1G/01WqP974kRwLTd2zh6RvthXOlf2ebuB+RJP6MnPNd7yWKGkgarAUEMiTvDTWzIKv
         1siw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=Vg9FJPss8oQNDihBdCZVUS9OPM3FEf7k8iX3IaB/rMk=;
        b=DQYqNmitdevQ8xWx3yek1+qqdMDMQaWpHkJ7d2J8QZvIY1M5TKHUCSHPH1TbUsU+ja
         MexrHqGvzBAnoSA7Vx+21fHTrxHtZMYHBdzkBfyYh4Bupp/aqclDnquO3hhNq+0eT8cX
         pC2UONoVeHNDnlbgdRiMpQXHc52JauMAdbxz8wj3dlrThx4RGOc+vrg2BAS1VG4zrZOK
         VcJ1TarPN3KaJ9igqX9CfhhuzNiH5rnY4boHi0upgBhO01uaK8s9e448Vp0J9Wnvsw8p
         dOFZ9StAZ+SrVIb32hbd5n7SzARqvLTvSS5/5mjZzzs7bfOcGoYdaZosDoFmfrbHcDlz
         Mb3Q==
X-Gm-Message-State: APjAAAX8ES1ejEqLvKAWVBu4r3gkk+dI9KogShxOXiL54ZELj84u2BrM
        B3DLVzZf9c7W1PYWuKehNpb0Og9xfk4P1XiGcPKz/Q==
X-Received: by 2002:a5d:4ecd:: with SMTP id s13mr28633229wrv.216.1572949159760;
 Tue, 05 Nov 2019 02:19:19 -0800 (PST)
MIME-Version: 1.0
References: <20191104170303.GA50361@gandi.net> <719eebd3-259d-8beb-025a-f2d17c632711@gmail.com>
 <20191105080554.GA1006@gandi.net>
In-Reply-To: <20191105080554.GA1006@gandi.net>
From:   Alexander Potapenko <glider@google.com>
Date:   Tue, 5 Nov 2019 11:19:08 +0100
Message-ID: <CAG_fn=V1rriybnSB3WSS-yqWEAuAdo89MG1SWPkvneizX61TVA@mail.gmail.com>
Subject: Re: Double free of struct sk_buff reported by SLAB_CONSISTENCY_CHECKS
 with init_on_free
To:     Thibaut Sautereau <thibaut.sautereau@clip-os.org>
Cc:     Eric Dumazet <eric.dumazet@gmail.com>,
        Networking <netdev@vger.kernel.org>,
        Linux Memory Management List <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Laura Abbott <labbott@redhat.com>,
        Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>, clipos@ssi.gouv.fr
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 5, 2019 at 9:06 AM Thibaut Sautereau
<thibaut.sautereau@clip-os.org> wrote:
>
> On Mon, Nov 04, 2019 at 09:33:18AM -0800, Eric Dumazet wrote:
> >
> >
> > On 11/4/19 9:03 AM, Thibaut Sautereau wrote:
> > >
> > > We first encountered this issue under huge network traffic (system im=
age
> > > download), and I was able to reproduce by simply sending a big packet
> > > with `ping -s 65507 <ip>`, which crashes the kernel every single time=
.
> > >
> >
> > Since you have a repro, could you start a bisection ?
>
> From my previous email:
>
>         "Bisection points to the following commit: 1b7e816fc80e ("mm: slu=
b:
>         Fix slab walking for init_on_free"), and indeed the BUG is not
>         triggered when init_on_free is disabled."
>
> Or are you meaning something else?
Could you please give more specific reproduction steps?
I've checked out v5.3.8 from
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git, ran
`make defconfig` and added CONFIG_SLUB_DEBUG_ON=3Dy.
Then I've built the kernel, ran it on QEMU with slub_debug=3DF and
init_on_free=3D1, SSHed into the machine and executed `ping -s 65507
127.0.0.1`
This however didn't trigger any crashes.
Am I missing something?
> --
> Thibaut Sautereau
> CLIP OS developer



--=20
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Stra=C3=9Fe, 33
80636 M=C3=BCnchen

Gesch=C3=A4ftsf=C3=BChrer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg