Bug 859346 - use-after-free in destroy_conntrack
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 18
Hardware: Unspecified
OS: Unspecified
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Duplicates: 917792
Reported: 2012-09-21 09:12 UTC by Stef Walter
Modified: 2013-03-22 00:16 UTC (History)
Doc Type: Bug Fix
Last Closed: 2013-03-11 01:22:45 UTC
Type: Bug


Attachments
Picture of the kernel panic (1.10 MB, image/jpeg)
2012-09-21 09:12 UTC, Stef Walter

Description Stef Walter 2012-09-21 09:12:46 UTC
Created attachment 615311
Picture of the kernel panic

Description of problem:

Today rawhide did not start up to a GDM login screen. I tried to restart the system, using a 'shutdown -r now' from a text VT. I got the attached kernel panic.

Version-Release number of selected component (if applicable):

Installed Packages
Name        : kernel
Arch        : x86_64
Version     : 3.6.0
Release     : 0.rc6.git0.2.fc18

How reproducible:

Not sure.

Comment 1 Dave Jones 2012-09-21 15:32:40 UTC
Posted upstream to netdev, with you cc'd.

Comment 2 Josh Boyer 2012-11-13 17:18:56 UTC
Stef, are you still seeing this with the 3.6 final release, or the 3.7-rc5 kernels in rawhide?

It appears that Dave's upstream report to netdev got 0 replies.

Comment 3 Dave Jones 2013-03-06 16:45:45 UTC
*** Bug 917792 has been marked as a duplicate of this bug. ***

Comment 4 Dave Jones 2013-03-06 17:11:35 UTC
Eric Dumazet just posted this patch which should fix it.

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 2c6a22e..b7c457a 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -747,6 +747,8 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
                goto drop;
        skb_orphan(skb);

+       nf_reset(skb);
+
        /* Enqueue packet */
        skb_queue_tail(&tfile->socket.sk->sk_receive_queue, skb);
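
Review bot: The added nf_reset(skb) ahead of skb_queue_tail() carries no comment saying why netfilter state is dropped here, so it reads as redundant next to skb_orphan(skb) and could be removed in a later cleanup. Suggest a one-line comment above it stating that the skb is about to be parked on sk_receive_queue and must not keep holding its conntrack reference while it waits there, which is the lifetime problem the destroy_conntrack use-after-free in this bug points at. It is also worth checking the rest of tun_net_xmit() to confirm no path reaches the enqueue without passing through this call.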

Comment 5 Stef Walter 2013-03-06 17:45:14 UTC
(In reply to comment #2)
> Stef, are you still seeing this with the 3.6 final release, or the 3.7-rc5
> kernels in rawhide?

This was not reproducible for me. At least it seemed hard to reproduce.

Comment 6 Fedora Update System 2013-03-08 18:43:48 UTC
kernel-3.8.2-206.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/kernel-3.8.2-206.fc18

Comment 7 Fedora Update System 2013-03-08 22:16:07 UTC
kernel-3.8.2-105.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/kernel-3.8.2-105.fc17

Comment 8 Fedora Update System 2013-03-10 01:00:19 UTC
Package kernel-3.8.2-206.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-3.8.2-206.fc18'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3630/kernel-3.8.2-206.fc18
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-03-11 01:22:47 UTC
kernel-3.8.2-206.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-03-14 15:19:10 UTC
kernel-3.8.2-105.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/FEDORA-2013-3638/kernel-3.8.2-105.fc17

Comment 11 Fedora Update System 2013-03-14 22:55:44 UTC
kernel-3.8.3-101.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/kernel-3.8.3-101.fc17

Comment 12 Fedora Update System 2013-03-22 00:16:06 UTC
kernel-3.8.3-103.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

