From: Linus Torvalds <torvalds@linux-foundation.org>
To: Ingo Molnar <mingo@elte.hu>
Cc: Eric Paris <eparis@redhat.com>,
Pekka Enberg <penberg@cs.helsinki.fi>,
Jens Axboe <jens.axboe@oracle.com>,
James Morris <jmorris@namei.org>, Thomas Liu <tliu@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [origin tree SLAB corruption] BUG kmalloc-64: Poison overwritten, INFO: Allocated in bdi_alloc_work+0x2b/0x100 age=175 cpu=1 pid=3514
Date: Mon, 14 Sep 2009 07:40:27 -0700 (PDT) [thread overview]
Message-ID: <alpine.LFD.2.01.0909140725470.3654@localhost.localdomain> (raw)
In-Reply-To: <20090914071631.GA24801@elte.hu>
On Mon, 14 Sep 2009, Ingo Molnar wrote:
>
> BUG kmalloc-64: Poison overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0xf498f6a0-0xf498f6a7. First byte 0x90 instead of 0x6b
> INFO: Allocated in bdi_alloc_work+0x2b/0x100 age=175 cpu=1 pid=3514
> INFO: Freed in bdi_work_free+0x45/0x60 age=9 cpu=1 pid=3509
> INFO: Slab 0xc3257d84 objects=36 used=11 fp=0xf498f690 flags=0x400000c3
> INFO: Object 0xf498f690 @offset=1680 fp=0xf498fe00
>
> Bytes b4 0xf498f680: ab 0d 00 00 9c 27 ff ff 5a 5a 5a 5a 5a 5a 5a 5a ?....'??ZZZZZZZZ
> Object 0xf498f690: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xf498f6a0: 90 f3 98 f4 60 3c 11 c1 6b 6b 6b 6b 6b 6b 6b 6b .?.?`<.?kkkkkkkk
That's 8 bytes of 0xf498f398 and 0xc1113c60. Doesn't look like much, but
they're both valid kernel pointers, and the 0xf498f398 one is actually
into the same page as the corruption, so it's a pointer to the same slab
type (or at least same size). Which is a good hint in itself: we're
looking at a list or something.
And it's at offset 16 in the structure.
That's almost certainly a "struct bdi_work", and the use-aftr-free thing
is the "struct rcu_head rcu_head" part of it. That first thing (pointer to
the same page) is 'next', and the second thing is a pointer to kernel text
(and I can pretty much guarantee that 0xc1113c60 is 'bdi_work_free').
So this is either a fs/fs-writeback.c bug, or it's a problem with RCU.
Both of them are new or hugely changed since 2.6.31.
Linus
next prev parent reply other threads:[~2009-09-14 14:41 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-09-04 17:08 [PATCH] IMA: update ima_counts_put Mimi Zohar
2009-09-06 21:59 ` Eric Paris
2009-09-07 2:17 ` [GIT] IMA regression fix James Morris
2009-09-12 7:24 ` [origin tree boot crash] Revert "selinux: clean up avc node cache when disabling selinux" Ingo Molnar
2009-09-12 7:58 ` [origin tree boot crash #2] kernel BUG at kernel/cred.c:855! Ingo Molnar
2009-09-12 8:19 ` Ingo Molnar
2009-09-12 8:40 ` [PATCH] out-of-tree: Whack warning off in kernel/cred.c Ingo Molnar
2009-09-12 9:58 ` [origin tree boot crash #2] kernel BUG at kernel/cred.c:855! Eric Paris
2009-09-12 9:46 ` [origin tree boot crash] Revert "selinux: clean up avc node cache when disabling selinux" Eric Paris
2009-09-12 10:43 ` Ingo Molnar
2009-09-12 13:58 ` [origin tree boot hang] lockup in key_schedule_gc() Ingo Molnar
2009-09-12 20:27 ` Eric Paris
2009-09-14 6:15 ` Ingo Molnar
2009-09-14 14:38 ` David Howells
2009-09-13 2:28 ` [origin tree boot crash] Revert "selinux: clean up avc node cache when disabling selinux" Eric Paris
2009-09-13 23:03 ` Eric Paris
2009-09-14 7:16 ` [origin tree SLAB corruption] BUG kmalloc-64: Poison overwritten, INFO: Allocated in bdi_alloc_work+0x2b/0x100 age=175 cpu=1 pid=3514 Ingo Molnar
2009-09-14 7:57 ` Pekka Enberg
2009-09-14 9:20 ` Jens Axboe
2009-09-14 9:23 ` Pekka Enberg
2009-09-14 14:40 ` Linus Torvalds [this message]
2009-09-14 16:29 ` Paul E. McKenney
2009-09-14 17:10 ` Jens Axboe
2009-09-15 6:57 ` Ingo Molnar
2009-09-15 7:00 ` Jens Axboe
2009-09-15 7:11 ` [origin tree SLAB corruption #2] " Ingo Molnar
2009-09-15 7:24 ` Jens Axboe
2009-09-15 7:44 ` Ingo Molnar
2009-09-15 7:48 ` Ingo Molnar
2009-09-15 7:51 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LFD.2.01.0909140725470.3654@localhost.localdomain \
--to=torvalds@linux-foundation.org \
--cc=eparis@redhat.com \
--cc=jens.axboe@oracle.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=penberg@cs.helsinki.fi \
--cc=tliu@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.