linux-kernel.vger.kernel.org archive mirror
* Use-after-free in pte_chain in 2.6.0-test11
@ 2003-12-13 22:04 Petr Vandrovec
  2003-12-13 22:13 ` William Lee Irwin III
  0 siblings, 1 reply; 5+ messages in thread
From: Petr Vandrovec @ 2003-12-13 22:04 UTC (permalink / raw)
  To: linux-kernel

Hi,
  today I got this one while attempting to build a new kernel. Running kernel is
2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
have any clue what could happen, or should I start looking for new
memory modules?

  AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
as of last week Debian unstable. Kernel built with all possible memory 
debugging enabled... 

  Unfortunately I have no idea which process did this clone() call, and
whether it succeeded or died. 
					Thanks,
						Petr Vandrovec
						vandrove@vc.cvut.cz

Slab corruption: start=da54d380, expend=da54d3ff, problemat=da54d3fc
Data: ****************************************************************************************************************************6A **A5
Next: 1D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
slab error in check_poison_obj(): cache `pte_chain': object was modified after freeing
Call Trace:
 [<c0152658>] check_poison_obj+0x108/0x190
 [<c0166e3c>] pte_chain_alloc+0x3c/0x80
 [<c0154813>] kmem_cache_alloc+0x83/0x210
 [<c0166e3c>] pte_chain_alloc+0x3c/0x80
 [<c015d1b0>] copy_page_range+0x410/0x900
 [<c0152579>] check_poison_obj+0x29/0x190
 [<c0125c51>] copy_mm+0x571/0x730
 [<c0127369>] copy_process+0xcd9/0xee0
 [<c0126bc2>] copy_process+0x532/0xee0
 [<c01275cc>] do_fork+0x5c/0x1e0
 [<c01078d1>] sys_clone+0x41/0x50
 [<c0109dab>] syscall_call+0x7/0xb




* Re: Use-after-free in pte_chain in 2.6.0-test11
  2003-12-13 22:04 Use-after-free in pte_chain in 2.6.0-test11 Petr Vandrovec
@ 2003-12-13 22:13 ` William Lee Irwin III
  2003-12-13 22:32   ` Petr Vandrovec
  0 siblings, 1 reply; 5+ messages in thread
From: William Lee Irwin III @ 2003-12-13 22:13 UTC (permalink / raw)
  To: Petr Vandrovec; +Cc: linux-kernel

On Sat, Dec 13, 2003 at 11:04:59PM +0100, Petr Vandrovec wrote:
>   today I got this one while attempting to build a new kernel. Running kernel is
> 2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
> have any clue what could happen, or should I start looking for new
> memory modules?
>   AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
> as of last week Debian unstable. Kernel built with all possible memory 
> debugging enabled... 
>   Unfortunately I have no idea which process did this clone() call, and
> whether it succeeded or died. 

CONFIG_DEBUG_PAGEALLOC should have oopsed this...


-- wli


* Re: Use-after-free in pte_chain in 2.6.0-test11
  2003-12-13 22:13 ` William Lee Irwin III
@ 2003-12-13 22:32   ` Petr Vandrovec
  2003-12-13 22:33     ` William Lee Irwin III
  0 siblings, 1 reply; 5+ messages in thread
From: Petr Vandrovec @ 2003-12-13 22:32 UTC (permalink / raw)
  To: William Lee Irwin III, linux-kernel

On Sat, Dec 13, 2003 at 02:13:20PM -0800, William Lee Irwin III wrote:
> On Sat, Dec 13, 2003 at 11:04:59PM +0100, Petr Vandrovec wrote:
> >   today I got this one while attempting to build a new kernel. Running kernel is
> > 2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
> > have any clue what could happen, or should I start looking for new
> > memory modules?
> >   AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
> > as of last week Debian unstable. Kernel built with all possible memory 
> > debugging enabled... 
> >   Unfortunately I have no idea which process did this clone() call, and
> > whether it succeeded or died. 
> 
> CONFIG_DEBUG_PAGEALLOC should have oopsed this...

Maybe pte_chain is too small to get unmapped (it is 128 bytes here)? Or it is 
really a hardware bug :-(

CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_SLAB=y
CONFIG_DEBUG_IOVIRT=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_PAGEALLOC=y
CONFIG_DEBUG_HIGHMEM=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_SPINLOCK_SLEEP=y
# CONFIG_FRAME_POINTER is not set
CONFIG_X86_EXTRA_IRQS=y
CONFIG_X86_FIND_SMP_CONFIG=y
CONFIG_X86_MPPARSE=y

						Thanks,
							Petr Vandrovec
							vandrove@vc.cvut.cz



* Re: Use-after-free in pte_chain in 2.6.0-test11
  2003-12-13 22:32   ` Petr Vandrovec
@ 2003-12-13 22:33     ` William Lee Irwin III
  0 siblings, 0 replies; 5+ messages in thread
From: William Lee Irwin III @ 2003-12-13 22:33 UTC (permalink / raw)
  To: Petr Vandrovec; +Cc: linux-kernel

On Sat, Dec 13, 2003 at 02:13:20PM -0800, William Lee Irwin III wrote:
>> CONFIG_DEBUG_PAGEALLOC should have oopsed this...

On Sat, Dec 13, 2003 at 11:32:08PM +0100, Petr Vandrovec wrote:
> Maybe pte_chain is too small to get unmapped (it is 128 bytes here)? Or it is 
> really a hardware bug :-(

The alignment flags prevent it.

Anyhow, 6a vs. 5a/5b looks like a bitflip...


-- wli


* Re: Use-after-free in pte_chain in 2.6.0-test11
@ 2003-12-13 22:36 Manfred Spraul
  0 siblings, 0 replies; 5+ messages in thread
From: Manfred Spraul @ 2003-12-13 22:36 UTC (permalink / raw)
  To: Petr Vandrovec; +Cc: linux-kernel

>
>
>Slab corruption: start=da54d380, expend=da54d3ff, problemat=da54d3fc
>Data: ******************************************************************************** \
>                ********************************************6A **A5
>
"*" stands for 0x6b, and the pte chain contains pointers, not bits. It 
looks like bad memory.

--
    Manfred

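A small decoder for the poison dump quoted above, added here as an example (it is not code from the thread or from mm/slab.c); it assumes the format Manfred describes, '*' for a byte still holding the 0x6b free poison and two hex digits otherwise, with the 0xa5 end marker expected in the object's final byte, and it rejoins the report's Data: line inline:

```python
"""Decode a 2.6-era SLAB_POISON report and measure how far each bad byte
is from the expected poison (a one-bit distance is what makes 6A vs 6B
read as a bit flip rather than a stray pointer write).  Added example,
not kernel code; the output format is assumed from the thread.
"""
import re

POISON_FREE = 0x6B   # value written into every byte of a freed object
POISON_END = 0xA5    # expected value of the object's final byte

_TOKEN = re.compile(r"\*|[0-9A-Fa-f]{2}")


def parse_data_line(line):
    """Return the object bytes encoded by a 'Data: ...' report line."""
    body = line.split("Data:", 1)[1] if "Data:" in line else line
    return [POISON_FREE if t == "*" else int(t, 16)
            for t in _TOKEN.findall(body.replace(" ", ""))]


def find_corruption(obj):
    """List (offset, found, expected, differing_bits) for each bad byte."""
    hits = []
    for off, val in enumerate(obj):
        exp = POISON_END if off == len(obj) - 1 else POISON_FREE
        if val != exp:
            hits.append((off, val, exp, bin(val ^ exp).count("1")))
    return hits


def problem_address(start, obj):
    """Address of the first corrupted byte, as 'problemat=' reports it."""
    hits = find_corruption(obj)
    return start + hits[0][0] if hits else None


# The Data: line from the report, its 124 leading '*' bytes rejoined.
REPORT = "Data: " + "*" * 124 + "6A **A5"

if __name__ == "__main__":
    obj = parse_data_line(REPORT)
    print(f"object size: {len(obj)} bytes")
    for off, val, exp, nbits in find_corruption(obj):
        print(f"offset {off}: found {val:#04x}, expected {exp:#04x}, "
              f"{nbits} bit(s) differ")
    # start= from the report; the result should match problemat=
    print(f"problemat={problem_address(0xDA54D380, obj):#x}")
```

Run against the thread's report it recovers a 128-byte object (the pte_chain size Petr quotes), a single bad byte at offset 124 that differs from 0x6b in one bit, and the same problemat= address the kernel printed.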

