Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758453AbZFRQOA (ORCPT ); Thu, 18 Jun 2009 12:14:00 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752634AbZFRQNu (ORCPT ); Thu, 18 Jun 2009 12:13:50 -0400 Received: from mail.us.es ([193.147.175.20]:53686 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752547AbZFRQNt (ORCPT ); Thu, 18 Jun 2009 12:13:49 -0400 Message-ID: <4A3A67B5.1060909@netfilter.org> Date: Thu, 18 Jun 2009 18:13:41 +0200 From: Pablo Neira Ayuso User-Agent: Thunderbird 1.5.0.5 (X11/20060812) MIME-Version: 1.0 To: Patrick McHardy CC: Eric Dumazet , Ingo Molnar , David Miller , Thomas Gleixner , torvalds@linux-foundation.org, akpm@linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [bug] __nf_ct_refresh_acct(): WARNING: at lib/list_debug.c:30 __list_add+0x7d/0xad() References: <20090615.050449.144947903.davem@davemloft.net> <20090616091538.GA4184@elte.hu> <20090616.034752.226811527.davem@davemloft.net> <20090616105304.GA3579@elte.hu> <20090616122415.GA16630@elte.hu> <20090617092152.GA17449@elte.hu> <4A38C2F3.3000009@gmail.com> <20090617110803.GA10175@elte.hu> <20090618052356.GA18722@elte.hu> <4A39D778.9020607@cosmosbay.com> <4A3A0D45.8090806@trash.net> <4A3A5599.4080906@trash.net> <4A3A6143.3040607@gmail.com> <4A3A66CC.4090205@trash.net> In-Reply-To: <4A3A66CC.4090205@trash.net> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1781 Lines: 48 Patrick McHardy wrote: > Eric Dumazet wrote: >> In my own analysis, I found death_by_timeout() might be problematic, >> with RCU and lockless lookups. >> >> static void death_by_timeout(unsigned long ul_conntrack) >> { >> struct nf_conn *ct = (void *)ul_conntrack; >> >> if (!test_bit(IPS_DYING_BIT, &ct->status) && >> unlikely(nf_conntrack_event(IPCT_DESTROY, ct) < 0)) { >> /* destroy event was not delivered */ >> nf_ct_delete_from_lists(ct); >> << HERE >> >> >> nf_ct_insert_dying_list(ct); >> return; >> } >> set_bit(IPS_DYING_BIT, &ct->status); >> nf_ct_delete_from_lists(ct); >> nf_ct_put(ct); >> } >> >> >> We delete ct from a list and insert it in a new list. >> >> I believe a reader could "*catch*" ct while doing a lookup and miss >> the end >> of its chain. (nulls algo check the null value at the end of lookup >> and can >> decide to restart the lookup if the null value is not the expected one) >> >> We need to change nf_conntrack_init_net() and use a different "null" >> value, >> guaranteed not being used in regular lists > > Good catch. This is a new bug, but it shouldn't matter in this case > since nf_conntrack_event() can't fail unless you have a userspace > listener that makes use of reliable delivery, which I think hasn't > even been released yet. Indeed. I didn't include user-space support for this yet in my tree, so this should not be the problem. Thanks for the catch anyway! -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/