PAX: refcount overflow occured at: __netif_receive_skb

Postby fabled » Fri Jan 27, 2012 10:21 am

Hi,

Just got a "PAX: refcount overflow occured at: __netif_receive_skb+0x425/0x43c" on one of my routers. It would appear that net/core/dev.c does atomic_(long_)inc:s on some statistics, e.g. rx_dropped, and these are not properly converted to atomic_*_unchecked, causing the abort.

The same problem would appear to be present in the latest patches too. Could you please audit the PAX patch set for atomic_* usage, to see if further conversions to atomic_*_unchecked are needed?

Thanks.
fabled
 
Posts: 20
Joined: Sat Aug 08, 2009 8:39 am

Re: PAX: refcount overflow occured at: __netif_receive_skb

Postby ncopa » Fri Jan 27, 2012 10:35 am

This might explain why some of those long-running boxes reboot once in a while...

I would be interested in an incremental patch somehow if possible since I will need to backport the fix to the 2.6.38.y kernel (shipped with Alpine Linux v2.2) and 3.0.y kernel (shipped with Alpine Linux v2.3).

Thanks!
ncopa
 
Posts: 7
Joined: Thu Jan 28, 2010 1:32 pm

Re: PAX: refcount overflow occured at: __netif_receive_skb

Postby PaX Team » Fri Jan 27, 2012 7:15 pm

fabled wrote: Just got a "PAX: refcount overflow occured at: __netif_receive_skb+0x425/0x43c" on one of my routers. It would appear that net/core/dev.c does atomic_(long_)inc:s on some statistics, e.g. rx_dropped, and these are not properly converted to atomic_*_unchecked, causing the abort.

thanks for the report, that'd be a 63 bit count overflow on 64 bit archs! ;)

fabled wrote: The same problem would appear to be present in the latest patches too. Could you please audit the PAX patch set for atomic_* usage, to see if further conversions to atomic_*_unchecked are needed?

we actually did audit the kernel but this one slipped through and there may be more unfortunately, it's not exactly easy to find these instances without static analysis of the entire tree. one of these days i'll put my LTO work to this use and write a plugin that'll automatically find every candidate but until then i'm afraid we're at the mercy of manual audits and user reports...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
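
An added illustration of the distinction discussed above (not code from the posters or from the PaX patch): a user-space C model of a checked increment that refuses to step past LONG_MAX, next to an unchecked one that simply wraps, which is what a statistics counter such as rx_dropped needs. The model_* names and the compare-exchange approach are assumptions made for this sketch.

```c
/* User-space model of checked vs. unchecked atomic increments.
 * Simplified sketch; the model_* names are hypothetical and this is
 * not how the PaX patch implements its overflow check. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { atomic_long v; } model_atomic_long_t;

/* Checked flavour, meant for real reference counts: never step past
 * LONG_MAX, so a wrapped count cannot lead to a premature free. */
static bool model_atomic_long_inc(model_atomic_long_t *a, const char *site)
{
    long old = atomic_load(&a->v);
    do {
        if (old == LONG_MAX) {
            fprintf(stderr, "model: overflow refused at %s\n", site);
            return false;               /* value is left untouched */
        }
    } while (!atomic_compare_exchange_weak(&a->v, &old, old + 1));
    return true;
}

/* Unchecked flavour, meant for statistics: wrapping is harmless here.
 * C11 defines atomic_fetch_add on signed types as silent wrap-around. */
static long model_atomic_long_inc_unchecked(model_atomic_long_t *a)
{
    atomic_fetch_add(&a->v, 1);
    return atomic_load(&a->v);
}

int main(void)
{
    /* Constructed state: a drop counter that has reached 2^63 - 1. */
    model_atomic_long_t rx_dropped;
    atomic_init(&rx_dropped.v, LONG_MAX);

    /* Using the checked helper on a statistic is a false positive. */
    if (!model_atomic_long_inc(&rx_dropped, "rx_dropped (checked)"))
        puts("checked increment refused: counter misclassified as refcount");

    /* The unchecked helper lets the statistic wrap and carry on. */
    printf("unchecked increment wrapped to %ld\n",
           model_atomic_long_inc_unchecked(&rx_dropped));
    return 0;
}
```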

Re: PAX: refcount overflow occured at: __netif_receive_skb

Postby spender » Fri Jan 27, 2012 10:01 pm

This is fixed in the latest test patch.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

