* Re: Linux 2.5.74: BUG at mm/slab.c:1537
@ 2003-07-03 20:13 Manfred Spraul
  2003-07-03 21:17 ` Andrew Morton
  0 siblings, 1 reply; 5+ messages in thread
From: Manfred Spraul @ 2003-07-03 20:13 UTC (permalink / raw)
  To: Andy Pfiffer; +Cc: linux-kernel, yoshfuji, Andrew Morton

The problem is caused by changeset 1.1310.102.3, 2003/07/01 
02:01:51+10:00, yoshfuji@linux-ipv6.org:

http://linus.bkbits.net:8080/linux-2.5/diffs/net/ipv4/raw.c@3f005eebc5YsuvTFXhDo-QDhPEgh5Q?nav=index.html
(Subject: [NET] fixed /proc/net/raw{,6} seq_file support)

raw_iter_state is just an integer. Without that patch, the integer is 
stored directly in the seq->private pointer (note the & in the define of 
raw_seq_private, around line 690 of net/ipv4/raw.c). The patch converts 
part of the code to a pointer to an integer, but other parts still 
consider seq->private as an integer. The oops is actually a BUG 
statement in kmalloc: it complains (if CONFIG_DEBUG_SLAB is enabled) 
about the invalid pointer.

--
    Manfred



* Re: Linux 2.5.74: BUG at mm/slab.c:1537
  2003-07-03 20:13 Linux 2.5.74: BUG at mm/slab.c:1537 Manfred Spraul
@ 2003-07-03 21:17 ` Andrew Morton
  2003-07-04  0:42   ` YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 1 reply; 5+ messages in thread
From: Andrew Morton @ 2003-07-03 21:17 UTC (permalink / raw)
  To: Manfred Spraul; +Cc: andyp, linux-kernel, yoshfuji, akpm

Manfred Spraul <manfred@colorfullife.com> wrote:
>
> The problem is caused by changeset 1.1310.102.3, 2003/07/01 
> 02:01:51+10:00, yoshfuji@linux-ipv6.org:
> 
> http://linus.bkbits.net:8080/linux-2.5/diffs/net/ipv4/raw.c@3f005eebc5YsuvTFXhDo-QDhPEgh5Q?nav=index.html
> (Subject: [NET] fixed /proc/net/raw{,6} seq_file support)
> 
> raw_iter_state is just an integer. Without that patch, the integer is 
> stored directly in the seq->private pointer (note the & in the define of 
> raw_seq_private, around line 690 of net/ipv4/raw.c). The patch converts 
> part of the code to an pointer to an integer, but other parts still 
> consider seq->private as an integer. The oops is actually a BUG 
> statement in kmalloc: it complains (if CONFIG_DEBUG_SLAB is enabled) 
> about the invalid pointer.
> 

This is the patch out of bugzilla.  I'm not sure who wrote it, and
there is no description.

(Could people please not do that?  If you have a patch which fixes a
bug, please squirt it to the mailing list)


 25-akpm/net/ipv4/igmp.c          |    4 ++--
 25-akpm/net/ipv4/raw.c           |    2 +-
 25-akpm/net/ipv6/anycast.c       |    2 +-
 25-akpm/net/ipv6/ip6_flowlabel.c |    2 +-
 25-akpm/net/ipv6/mcast.c         |    4 ++--
 25-akpm/net/ipv6/raw.c           |    2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)

diff -puN net/ipv4/igmp.c~netstat-oops-fix net/ipv4/igmp.c
--- 25/net/ipv4/igmp.c~netstat-oops-fix	Thu Jul  3 12:31:19 2003
+++ 25-akpm/net/ipv4/igmp.c	Thu Jul  3 12:31:19 2003
@@ -2099,7 +2099,7 @@ struct igmp_mc_iter_state {
 	struct in_device *in_dev;
 };
 
-#define	igmp_mc_seq_private(seq)	((struct igmp_mc_iter_state *)&seq->private)
+#define	igmp_mc_seq_private(seq)	((struct igmp_mc_iter_state *)(seq)->private)
 
 static inline struct ip_mc_list *igmp_mc_get_first(struct seq_file *seq)
 {
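Review bot: The rewritten `igmp_mc_seq_private()` now treats `seq->private` as a pointer to separately allocated state, so it is only safe if every open handler for these /proc files allocates the iterator struct, checks the allocation, and stores it in `seq->private` before the first `->start` call; none of that is visible in this hunk. The traces in this thread show the cost of a mismatch: the value 0x100 reached `kfree` via `seq_release_private` from a plain `cat /proc/net/raw`, and per Manfred's message the BUG fires only when CONFIG_DEBUG_SLAB is enabled. A comment above the macro would record the contract, e.g. `/* seq->private points to state allocated at open and freed by seq_release_private() */`. The same applies to the `igmp_mcf`, `raw`, `ac6`, `ip6fl`, `igmp6_mc`, `igmp6_mcf` and `raw6` macros in the later hunks, and it would be worth auditing for any remaining user that still stores a bare integer in `seq->private`.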
@@ -2254,7 +2254,7 @@ struct igmp_mcf_iter_state {
 	struct ip_mc_list *im;
 };
 
-#define igmp_mcf_seq_private(seq)	((struct igmp_mcf_iter_state *)&seq->private)
+#define igmp_mcf_seq_private(seq)	((struct igmp_mcf_iter_state *)(seq)->private)
 
 static inline struct ip_sf_list *igmp_mcf_get_first(struct seq_file *seq)
 {
diff -puN net/ipv4/raw.c~netstat-oops-fix net/ipv4/raw.c
--- 25/net/ipv4/raw.c~netstat-oops-fix	Thu Jul  3 12:31:19 2003
+++ 25-akpm/net/ipv4/raw.c	Thu Jul  3 12:31:19 2003
@@ -687,7 +687,7 @@ struct raw_iter_state {
 	int bucket;
 };
 
-#define raw_seq_private(seq) ((struct raw_iter_state *)&seq->private)
+#define raw_seq_private(seq) ((struct raw_iter_state *)(seq)->private)
 
 static struct sock *raw_get_first(struct seq_file *seq)
 {
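Review bot: On style, the explicit cast in `raw_seq_private()` is no longer needed once `seq->private` is a `void *`, and it would hide a wrong argument type from the compiler. Assuming the macro is only ever used as an rvalue (its call sites are outside this hunk), a typed helper such as `static inline struct raw_iter_state *raw_seq_private(struct seq_file *seq) { return seq->private; }` gives argument checking and cannot silently reintroduce the `&` form this patch removes. The other `*_seq_private` macros in this patch could take the same shape.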
diff -puN net/ipv6/anycast.c~netstat-oops-fix net/ipv6/anycast.c
--- 25/net/ipv6/anycast.c~netstat-oops-fix	Thu Jul  3 12:31:19 2003
+++ 25-akpm/net/ipv6/anycast.c	Thu Jul  3 12:31:19 2003
@@ -441,7 +441,7 @@ struct ac6_iter_state {
 	struct inet6_dev *idev;
 };
 
-#define ac6_seq_private(seq)	((struct ac6_iter_state *)&seq->private)
+#define ac6_seq_private(seq)	((struct ac6_iter_state *)(seq)->private)
 
 static inline struct ifacaddr6 *ac6_get_first(struct seq_file *seq)
 {
diff -puN net/ipv6/ip6_flowlabel.c~netstat-oops-fix net/ipv6/ip6_flowlabel.c
--- 25/net/ipv6/ip6_flowlabel.c~netstat-oops-fix	Thu Jul  3 12:31:19 2003
+++ 25-akpm/net/ipv6/ip6_flowlabel.c	Thu Jul  3 12:31:19 2003
@@ -559,7 +559,7 @@ struct ip6fl_iter_state {
 	int bucket;
 };
 
-#define ip6fl_seq_private(seq)	((struct ip6fl_iter_state *)&(seq)->private)
+#define ip6fl_seq_private(seq)	((struct ip6fl_iter_state *)(seq)->private)
 
 static struct ip6_flowlabel *ip6fl_get_first(struct seq_file *seq)
 {
diff -puN net/ipv6/mcast.c~netstat-oops-fix net/ipv6/mcast.c
--- 25/net/ipv6/mcast.c~netstat-oops-fix	Thu Jul  3 12:31:19 2003
+++ 25-akpm/net/ipv6/mcast.c	Thu Jul  3 12:31:19 2003
@@ -2045,7 +2045,7 @@ struct igmp6_mc_iter_state {
 	struct inet6_dev *idev;
 };
 
-#define igmp6_mc_seq_private(seq)	((struct igmp6_mc_iter_state *)&seq->private)
+#define igmp6_mc_seq_private(seq)	((struct igmp6_mc_iter_state *)(seq)->private)
 
 static inline struct ifmcaddr6 *igmp6_mc_get_first(struct seq_file *seq)
 {
@@ -2185,7 +2185,7 @@ struct igmp6_mcf_iter_state {
 	struct ifmcaddr6 *im;
 };
 
-#define igmp6_mcf_seq_private(seq)	((struct igmp6_mcf_iter_state *)&seq->private)
+#define igmp6_mcf_seq_private(seq)	((struct igmp6_mcf_iter_state *)(seq)->private)
 
 static inline struct ip6_sf_list *igmp6_mcf_get_first(struct seq_file *seq)
 {
diff -puN net/ipv6/raw.c~netstat-oops-fix net/ipv6/raw.c
--- 25/net/ipv6/raw.c~netstat-oops-fix	Thu Jul  3 12:31:19 2003
+++ 25-akpm/net/ipv6/raw.c	Thu Jul  3 12:31:19 2003
@@ -913,7 +913,7 @@ struct raw6_iter_state {
 	int bucket;
 };
 
-#define raw6_seq_private(seq) ((struct raw6_iter_state *)&seq->private)
+#define raw6_seq_private(seq) ((struct raw6_iter_state *)(seq)->private)
 
 static struct sock *raw6_get_first(struct seq_file *seq)
 {

_



* Re: Linux 2.5.74: BUG at mm/slab.c:1537
  2003-07-03 21:17 ` Andrew Morton
@ 2003-07-04  0:42   ` YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 0 replies; 5+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-07-04  0:42 UTC (permalink / raw)
  To: akpm; +Cc: manfred, andyp, linux-kernel, akpm, yoshfuji

In article <20030703141758.12ec3825.akpm@osdl.org> (at Thu, 3 Jul 2003 14:17:58 -0700), Andrew Morton <akpm@osdl.org> says:

> This is the patch out of bugzilla.  I'm not sure who wrote it, and
> there is no description.
>
> (Could people please not do that?  If you have a patch which fixes a
> bug, please squirt it to the mailing list)

I am so sorry to have introduced this bug.
I am the author of the patch, and I have already submitted it 
here and to netdev.

http://www.ussg.iu.edu/hypermail/linux/kernel/0307.0/0503.html

-- 
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF  80D8 4807 F894 E062 0EEA


* Re: Linux 2.5.74: BUG at mm/slab.c:1537
@ 2003-07-03 15:17 Kronos
  0 siblings, 0 replies; 5+ messages in thread
From: Kronos @ 2003-07-03 15:17 UTC (permalink / raw)
  To: linux-kernel


Andy Pfiffer <andyp@osdl.org> ha scritto:
> kernel BUG at mm/slab.c:1537!
> invalid operand: 0000 [#1]
> CPU:    0
> EIP:    0060:[<c01457ad>]    Not tainted
> EFLAGS: 00010002
> EIP is at kfree+0x35/0x268
> eax: 0000002c   ebx: ded59b68   ecx: c150bc20   edx: c0412ce8
> esi: 00000100   edi: 00040000   ebp: df12df30   esp: df12df00
> ds: 007b   es: 007b   ss: 0068
> Process netstat (pid: 1405, threadinfo=df12c000 task=df3c6080)
> Stack: c0389060 00000100 ded59b68 df5e0e64 df0b4cb4 df12df6c df5e0e84
> df12df30
>       c0344ca1 ded59b68 00000001 00000206 df12df48 c017ae8c 00000100
> defe1c54
>       df5e0e64 df0b4cb4 df12df6c c015b9c7 df0b4cb4 df5e0e64 defe1c54
> df5e0e64
> Call Trace:
> [<c0344ca1>] raw_seq_start+0x4d/0x58
> [<c017ae8c>] seq_release_private+0x18/0x30
> [<c015b9c7>] __fput+0x3b/0xfc
> [<c015b987>] fput+0x17/0x1c
> [<c015a402>] filp_close+0x10a/0x118
> [<c015a4ba>] sys_close+0xaa/0x100
> [<c010af6f>] syscall_call+0x7/0xb
>
> Code: 0f 0b 01 06 27 8d 38 c0 83 c4 08 8d 04 bf c1 e0 03 89 45 f8

I can reproduce it with cat /proc/net/raw:

kernel BUG at mm/slab.c:1537!
invalid operand: 0000 [#7]
CPU:    0
EIP:    0060:[<c015ae85>]    Not tainted
EFLAGS: 00010082
EIP is at kfree+0x315/0x330
eax: 0000002c   ebx: 00040000   ecx: 00000000   edx: 00000001
esi: de5e390c   edi: c8b355d0   ebp: e9edff1c   esp: e9edfef0
ds: 007b   es: 007b   ss: 0068
Process cat (pid: 4564, threadinfo=e9ede000 task=dbcae3c0)
Stack: c0373c00 00000100 eeb94044 00000000 dff166c8 de5e392c e9edff1c 00000206
       dff166c8 de5e390c c8b355d0 e9edff38 c01a9263 00000100 00000000 de5e390c
       de5e390c effe67c4 e9edff5c c017a642 c8b355d0 de5e390c c8b355d0 eacf22e8
Call Trace:
 [<c01a9263>] seq_release_private+0x23/0x3f
 [<c017a642>] __fput+0x112/0x120
 [<c017862a>] filp_close+0x15a/0x220
 [<c01787f2>] sys_close+0x102/0x220
 [<c01795df>] sys_read+0x3f/0x60
 [<c010b10f>] syscall_call+0x7/0xb

Code: 0f 0b 01 06 b6 30 37 c0 e9 0f fd ff ff 8d b4 26 00 00 00 00

ksymoops says:

>>EIP; c015ae85 <kfree+315/330>   <=====

>>esi; de5e390c <_end+1e161064/3fb7b758>
>>edi; c8b355d0 <_end+86b2d28/3fb7b758>
>>ebp; e9edff1c <_end+29a5d674/3fb7b758>
>>esp; e9edfef0 <_end+29a5d648/3fb7b758>

Trace; c01a9263 <seq_release_private+23/3f>
Trace; c017a642 <__fput+112/120>
Trace; c017862a <filp_close+15a/220>
Trace; c01787f2 <sys_close+102/220>
Trace; c01795df <sys_read+3f/60>
Trace; c010b10f <syscall_call+7/b>

Code;  c015ae85 <kfree+315/330>
00000000 <_EIP>:
Code;  c015ae85 <kfree+315/330>   <=====
   0:   0f 0b                     ud2a      <=====
Code;  c015ae87 <kfree+317/330>
   2:   01 06                     add    %eax,(%esi)
Code;  c015ae89 <kfree+319/330>
   4:   b6 30                     mov    $0x30,%dh
Code;  c015ae8b <kfree+31b/330>
   6:   37                        aaa
Code;  c015ae8c <kfree+31c/330>
   7:   c0 e9 0f                  shr    $0xf,%cl
Code;  c015ae8f <kfree+31f/330>
   a:   fd                        std
Code;  c015ae90 <kfree+320/330>
   b:   ff                        (bad)
Code;  c015ae91 <kfree+321/330>
   c:   ff 8d b4 26 00 00         decl   0x26b4(%ebp)


HTH,
Luca
-- 
Reply-To: kronos@kronoz.cjb.net
Home: http://kronoz.cjb.net
You and me baby ain't nothin' but mammals
So let's do it like they do on the Discovery Channel


* Re: Linux 2.5.74: BUG at mm/slab.c:1537
  2003-07-02 21:36 Linux 2.5.74 Linus Torvalds
@ 2003-07-02 23:45 ` Andy Pfiffer
  0 siblings, 0 replies; 5+ messages in thread
From: Andy Pfiffer @ 2003-07-02 23:45 UTC (permalink / raw)
  To: Linus Torvalds; +Cc: Kernel Mailing List

2.5.74 booted okay, but after I "init 1", it BUG's (whitespace mangled):

Shutting down zope                                                  
done
Shutting down RPC portmap daemon                                    
done
Shutting down SSH daemonkfree_debugcheck: out of range ptr 100h.
------------[ cut here ]------------
kernel BUG at mm/slab.c:1537!
invalid operand: 0000 [#1]
CPU:    0
EIP:    0060:[<c01457ad>]    Not tainted
EFLAGS: 00010002
EIP is at kfree+0x35/0x268
eax: 0000002c   ebx: ded59b68   ecx: c150bc20   edx: c0412ce8
esi: 00000100   edi: 00040000   ebp: df12df30   esp: df12df00
ds: 007b   es: 007b   ss: 0068
Process netstat (pid: 1405, threadinfo=df12c000 task=df3c6080)
Stack: c0389060 00000100 ded59b68 df5e0e64 df0b4cb4 df12df6c df5e0e84
df12df30 
       c0344ca1 ded59b68 00000001 00000206 df12df48 c017ae8c 00000100
defe1c54 
       df5e0e64 df0b4cb4 df12df6c c015b9c7 df0b4cb4 df5e0e64 defe1c54
df5e0e64 
Call Trace:
 [<c0344ca1>] raw_seq_start+0x4d/0x58
 [<c017ae8c>] seq_release_private+0x18/0x30
 [<c015b9c7>] __fput+0x3b/0xfc
 [<c015b987>] fput+0x17/0x1c
 [<c015a402>] filp_close+0x10a/0x118
 [<c015a4ba>] sys_close+0xaa/0x100
 [<c010af6f>] syscall_call+0x7/0xb

Code: 0f 0b 01 06 27 8d 38 c0 83 c4 08 8d 04 bf c1 e0 03 89 45 f8 
                                                                    
done
Shutting down syslog services                                       
failed
Shutting down network interfaces:
    eth0                                                            
done
Shutting down personal-firewall [not active]                        
unused
Saving random seed                                                  
done
Loading keymap qwerty/us.map.gz                                     
done
Loading console font lat1-16.psfu                                   
done
Loading screenmap none                                              
done
Setting up console ttys





