Jon Masters wrote:

On Tue, 2010-02-02 at 06:35 -0500, Jon Masters wrote:

quoted

I think there's something more fundamental going on here.

What happens is the conntrack code attempts to free
nf_conntrack_untracked back into the SL[U]B cache from which it
allocates other ct's.

That shouldn't happen, the untracked conntrack is initialized to a
refcount of 1, which is never released.

There's just one problem...that's a static struct
not from the cache. So, this is why we end up with the SLAB being
corrupted and the address immediately following the
nf_conntrack_untracked being corrupted.

I shoved some debug comments into the destroy code to see if we were
trying to free nf_conntrack_untracked, and bingo. I have shoved a panic
in there now, will send you a backtrace.

Thanks.