Query:Regarding object poison overwritten in binder_transaction

From: "Kohli, Gaurav" <gkohli@codeaurora.org>
To: "Arve Hjønnevåg" <arve@android.com>,
	"Riley Andrews" <riandrews@android.com>,
	devel@driverdev.osuosl.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org
Subject: Query:Regarding object poison overwritten in binder_transaction
Date: Sat, 3 Mar 2018 20:22:35 +0530	[thread overview]
Message-ID: <760538e9-dd50-6cd3-1268-bb535eb363d0@codeaurora.org> (raw)
In-Reply-To: <4d2b6014-ea76-b489-fdde-2e058e2fac4d@codeaurora.org>

HI ,

Is there any known issue of slab poisoning in binder_transaction variable on kernel 4.9,

  it seems owner variable of spinlock is
getting corrupted(which is last 8th byte of binder_transaction struct).

    368.423462:   <2> [<ffffff918ec3177c>] print_trailer+0x13c/0x214

    368.428998:   <2> [<ffffff918ec3193c>] check_bytes_and_report+0xe8/0xfc

    368.435144:   <2> [<ffffff918ec31d8c>] check_object+0x248/0x280

    368.440592:   <2> [<ffffff918ec31f0c>] alloc_debug_processing+0x148/0x1a0

    368.446913:   <2> [<ffffff918ec333d0>] ___slab_alloc.constprop.72+0x654/0x690

    368.453586:   <2> [<ffffff918ec33464>] __slab_alloc.isra.68.constprop.71+0x58/0x98

    368.460693:   <2> [<ffffff918ec338fc>] kmem_cache_alloc_trace+0x198/0x2c4

    368.467011:   <2> [<ffffff918f7ae24c>] binder_transaction+0xcb8/0x244c

    368.473065:   <2> [<ffffff918f7b03b8>] binder_thread_write+0x9d8/0x1410

    368.479206:   <2> [<ffffff918f7b0f20>] binder_ioctl_write_read+0x130/0x370

    368.485615:   <2> [<ffffff918f7b16b0>] binder_ioctl+0x550/0x7dc

    368.491065:   <2> [<ffffff918ec5ac0c>] do_vfs_ioctl+0xcc/0x888

    368.496424:   <2> [<ffffff918ec5b458>] SyS_ioctl+0x90/0xa4

    368.501430:   <2> [<ffffff918ea83770>] el0_svc_naked+0x24/0x28

    368.506798:   <6> Kernel panic - not syncing: object poison overwritten

    368.287743:   <6> Object ffffffc5a0692e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.297117:   <6> Object ffffffc5a0692e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.306487:   <6> Object ffffffc5a0692e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.315866:   <6> Object ffffffc5a0692e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.325241:   <6> Object ffffffc5a0692e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk

    368.334618:   <6> Object ffffffc5a0692e70: 6b 6b 6b 6b 6b 6b 6b 6b 67 6b 6b 6b 6b 6b 6b a5  kkkkkkkkgkkkkkk.    here it is corrupted(seems write after free case)

    368.343997:   <6> Redzone ffffffc5a0692e80: bb bb bb bb bb bb bb bb                          ........

    368.352755:   <6> Padding ffffffc5a0692fc0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

    368.362215:   <6> Padding ffffffc5a0692fd0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

    368.371681:   <6> Padding ffffffc5a0692fe0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

    368.381146:   <6> Padding ffffffc5a0692ff0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

Regards

Gaurav

-- 

Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,

a Linux Foundation Collaborative Project.

_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel