* Use-after-free in pte_chain in 2.6.0-test11
From: Petr Vandrovec @ 2003-12-13 22:04 UTC
To: linux-kernel
Hi,
today I got this one while attempting to build a new kernel. The running kernel is
2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
have any clue what could have happened, or should I start looking for new
memory modules?
AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
as of last week's Debian unstable. Kernel built with all possible memory
debugging enabled...
Unfortunately I have no idea which process did this clone() call, and
whether it succeeded or died.
Thanks,
Petr Vandrovec
vandrove@vc.cvut.cz
Slab corruption: start=da54d380, expend=da54d3ff, problemat=da54d3fc
Data: ****************************************************************************************************************************6A **A5
Next: 1D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
slab error in check_poison_obj(): cache `pte_chain': object was modified after freeing
Call Trace:
[<c0152658>] check_poison_obj+0x108/0x190
[<c0166e3c>] pte_chain_alloc+0x3c/0x80
[<c0154813>] kmem_cache_alloc+0x83/0x210
[<c0166e3c>] pte_chain_alloc+0x3c/0x80
[<c015d1b0>] copy_page_range+0x410/0x900
[<c0152579>] check_poison_obj+0x29/0x190
[<c0125c51>] copy_mm+0x571/0x730
[<c0127369>] copy_process+0xcd9/0xee0
[<c0126bc2>] copy_process+0x532/0xee0
[<c01275cc>] do_fork+0x5c/0x1e0
[<c01078d1>] sys_clone+0x41/0x50
[<c0109dab>] syscall_call+0x7/0xb
* Re: Use-after-free in pte_chain in 2.6.0-test11
From: William Lee Irwin III @ 2003-12-13 22:13 UTC
To: Petr Vandrovec; +Cc: linux-kernel
On Sat, Dec 13, 2003 at 11:04:59PM +0100, Petr Vandrovec wrote:
> today I got this one while attempting to build a new kernel. The running kernel is
> 2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
> have any clue what could have happened, or should I start looking for new
> memory modules?
> AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
> as of last week's Debian unstable. Kernel built with all possible memory
> debugging enabled...
> Unfortunately I have no idea which process did this clone() call, and
> whether it succeeded or died.
CONFIG_DEBUG_PAGEALLOC should have oopsed this...
-- wli
* Re: Use-after-free in pte_chain in 2.6.0-test11
From: Petr Vandrovec @ 2003-12-13 22:32 UTC
To: William Lee Irwin III, linux-kernel
On Sat, Dec 13, 2003 at 02:13:20PM -0800, William Lee Irwin III wrote:
> On Sat, Dec 13, 2003 at 11:04:59PM +0100, Petr Vandrovec wrote:
> > today I got this one while attempting to build a new kernel. The running kernel is
> > 2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
> > have any clue what could have happened, or should I start looking for new
> > memory modules?
> > AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
> > as of last week's Debian unstable. Kernel built with all possible memory
> > debugging enabled...
> > Unfortunately I have no idea which process did this clone() call, and
> > whether it succeeded or died.
>
> CONFIG_DEBUG_PAGEALLOC should have oopsed this...
Maybe pte_chain is too small to get unmapped (it is 128 bytes here)? Or it is
really a hardware bug :-(
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_SLAB=y
CONFIG_DEBUG_IOVIRT=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_PAGEALLOC=y
CONFIG_DEBUG_HIGHMEM=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_SPINLOCK_SLEEP=y
# CONFIG_FRAME_POINTER is not set
CONFIG_X86_EXTRA_IRQS=y
CONFIG_X86_FIND_SMP_CONFIG=y
CONFIG_X86_MPPARSE=y
Thanks,
Petr Vandrovec
vandrove@vc.cvut.cz
* Re: Use-after-free in pte_chain in 2.6.0-test11
From: William Lee Irwin III @ 2003-12-13 22:33 UTC
To: Petr Vandrovec; +Cc: linux-kernel
On Sat, Dec 13, 2003 at 02:13:20PM -0800, William Lee Irwin III wrote:
>> CONFIG_DEBUG_PAGEALLOC should have oopsed this...
On Sat, Dec 13, 2003 at 11:32:08PM +0100, Petr Vandrovec wrote:
> Maybe pte_chain is too small to get unmapped (it is 128 bytes here)? Or it is
> really a hardware bug :-(
The alignment flags prevent it.
Anyhow, 6a vs. 5a/5b looks like a bitflip...
-- wli
* Re: Use-after-free in pte_chain in 2.6.0-test11
From: Manfred Spraul @ 2003-12-13 22:36 UTC
To: Petr Vandrovec; +Cc: linux-kernel
> Slab corruption: start=da54d380, expend=da54d3ff, problemat=da54d3fc
> Data: ******************************************************************************** \
> ********************************************6A **A5
"*" stands for 0x6b, and the pte chain contains pointers, not bits. It
looks like bad memory.
--
Manfred
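The two replies above rest on how the slab debug check reads a freed object: check_poison_obj() expects every byte of a freed object to still hold the free-poison value and the last byte to hold the end marker, and prints the object the moment one byte differs. The example below is added here and is not code from the kernel or from anyone in this thread; it is a user-space model of that check plus the "single byte, one bit away from the poison value" reasoning used to call this a bit flip. It assumes the 2.6-era mm/slab.c poison constants (POISON_AFTER 0x6b for freed objects, POISON_END 0xa5 as the last byte), the dump convention Manfred describes ('*' for a byte equal to 0x6b, hex otherwise), and a 128-byte object as quoted for pte_chain. The two inputs are constructed: the first reproduces the reported dump (problemat - start = 0x7c = offset 124 holding 0x6a), the second is what a genuine software use-after-free storing a stale pointer would leave behind, for contrast.

```c
/*
 * Added example, not kernel code: a user-space model of the slab free-poison
 * check (check_poison_obj) and the bit-flip heuristic from the replies.
 * Poison values assumed from 2.6-era mm/slab.c; inputs below are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_AFTER 0x6b /* fill value for freed objects */
#define POISON_END   0xa5 /* last byte of a poisoned object */
#define OBJ_SIZE     128  /* pte_chain object size quoted in the thread */

struct poison_report {
    int mismatches;   /* bytes that differ from the poison pattern */
    int first_off;    /* offset of the first such byte, -1 if none */
    uint8_t expected; /* poison byte expected at first_off */
    uint8_t actual;   /* byte actually found there */
    int hamming;      /* bits differing between expected and actual */
};

static int popcount8(uint8_t v)
{
    int n = 0;
    for (; v; v >>= 1)
        n += v & 1;
    return n;
}

static uint8_t expected_poison(size_t off, size_t size)
{
    return off == size - 1 ? POISON_END : POISON_AFTER;
}

/* Walk a freed object as the kernel's check_poison_obj() does and record
 * the first mismatch (the kernel prints its "Slab corruption" dump there). */
static struct poison_report check_poison_obj(const uint8_t *obj, size_t size)
{
    struct poison_report r = { 0, -1, 0, 0, 0 };
    for (size_t i = 0; i < size; i++) {
        uint8_t exp = expected_poison(i, size);
        if (obj[i] == exp)
            continue;
        if (r.first_off < 0) {
            r.first_off = (int)i;
            r.expected = exp;
            r.actual = obj[i];
            r.hamming = popcount8((uint8_t)(exp ^ obj[i]));
        }
        r.mismatches++;
    }
    return r;
}

/* Heuristic from the replies: exactly one byte, one bit away from its poison
 * value, points at a bit flip (suspect RAM). A software use-after-free stores
 * whole pointers, so several adjacent bytes change at once. */
static int looks_like_bitflip(struct poison_report r)
{
    return r.mismatches == 1 && r.hamming == 1;
}

/* Render the object as the kernel dump did: '*' for POISON_AFTER, hex otherwise. */
static const char *dump_obj(const uint8_t *obj, size_t size)
{
    static char buf[2 * OBJ_SIZE + 1];
    size_t n = 0;
    if (size > OBJ_SIZE)
        size = OBJ_SIZE;
    for (size_t i = 0; i < size; i++) {
        if (obj[i] == POISON_AFTER)
            buf[n++] = '*';
        else
            n += (size_t)sprintf(buf + n, "%02X", obj[i]);
    }
    buf[n] = '\0';
    return buf;
}

/* Constructed input reproducing the reported dump: 124 x 0x6b, then 0x6a at
 * offset 124 (problemat - start = 0x7c), two more 0x6b, then 0xa5. */
static const uint8_t *sample_bitflip(void)
{
    static uint8_t obj[OBJ_SIZE];
    memset(obj, POISON_AFTER, sizeof obj);
    obj[OBJ_SIZE - 1] = POISON_END;
    obj[124] = 0x6a;
    return obj;
}

/* Constructed contrast: a stale 32-bit pointer stored into the freed object,
 * i.e. what a real software use-after-free would leave behind. */
static const uint8_t *sample_stale_pointer(void)
{
    static uint8_t obj[OBJ_SIZE];
    uint32_t ptr = 0xda54d380u; /* hypothetical stale pte_chain address */
    memset(obj, POISON_AFTER, sizeof obj);
    obj[OBJ_SIZE - 1] = POISON_END;
    memcpy(obj, &ptr, sizeof ptr);
    return obj;
}

int main(void)
{
    const uint8_t *samples[] = { sample_bitflip(), sample_stale_pointer() };
    for (int s = 0; s < 2; s++) {
        struct poison_report r = check_poison_obj(samples[s], OBJ_SIZE);
        printf("problemat=+%d expected=%02X actual=%02X mismatches=%d hamming=%d -> %s\n",
               r.first_off, r.expected, r.actual, r.mismatches, r.hamming,
               looks_like_bitflip(r) ? "bit flip, suspect RAM" : "software corruption");
        printf("Data: %s\n", dump_obj(samples[s], OBJ_SIZE));
    }
    return 0;
}
```

On the reported object the first sample yields one mismatch at offset 124 with 0x6a against 0x6b (Hamming distance 1), which is the "looks like a bitflip" verdict; the stale-pointer sample changes four consecutive bytes, each several bits away from 0x6b, which is the shape a pointer write through a dangling reference leaves. The heuristic is only a triage aid: a memtest run is still what settles the hardware question.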