* Query:Regarding object poison overwritten in binder_transaction
From: Kohli, Gaurav @ 2018-03-03 14:52 UTC (permalink / raw)
To: Arve Hjønnevåg, Riley Andrews, devel
Cc: Greg Kroah-Hartman, linux-kernel
Hi,
Is there any known issue of slab poisoning in the binder_transaction variable on kernel 4.9?
It seems the owner variable of the spinlock is
getting corrupted (which is the last 8th byte of the binder_transaction struct).
368.423462: <2> [<ffffff918ec3177c>] print_trailer+0x13c/0x214
368.428998: <2> [<ffffff918ec3193c>] check_bytes_and_report+0xe8/0xfc
368.435144: <2> [<ffffff918ec31d8c>] check_object+0x248/0x280
368.440592: <2> [<ffffff918ec31f0c>] alloc_debug_processing+0x148/0x1a0
368.446913: <2> [<ffffff918ec333d0>] ___slab_alloc.constprop.72+0x654/0x690
368.453586: <2> [<ffffff918ec33464>] __slab_alloc.isra.68.constprop.71+0x58/0x98
368.460693: <2> [<ffffff918ec338fc>] kmem_cache_alloc_trace+0x198/0x2c4
368.467011: <2> [<ffffff918f7ae24c>] binder_transaction+0xcb8/0x244c
368.473065: <2> [<ffffff918f7b03b8>] binder_thread_write+0x9d8/0x1410
368.479206: <2> [<ffffff918f7b0f20>] binder_ioctl_write_read+0x130/0x370
368.485615: <2> [<ffffff918f7b16b0>] binder_ioctl+0x550/0x7dc
368.491065: <2> [<ffffff918ec5ac0c>] do_vfs_ioctl+0xcc/0x888
368.496424: <2> [<ffffff918ec5b458>] SyS_ioctl+0x90/0xa4
368.501430: <2> [<ffffff918ea83770>] el0_svc_naked+0x24/0x28
368.506798: <6> Kernel panic - not syncing: object poison overwritten
368.287743: <6> Object ffffffc5a0692e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
368.297117: <6> Object ffffffc5a0692e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
368.306487: <6> Object ffffffc5a0692e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
368.315866: <6> Object ffffffc5a0692e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
368.325241: <6> Object ffffffc5a0692e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
368.334618: <6> Object ffffffc5a0692e70: 6b 6b 6b 6b 6b 6b 6b 6b 67 6b 6b 6b 6b 6b 6b a5 kkkkkkkkgkkkkkk. here it is corrupted (seems a write-after-free case)
368.343997: <6> Redzone ffffffc5a0692e80: bb bb bb bb bb bb bb bb ........
368.352755: <6> Padding ffffffc5a0692fc0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
368.362215: <6> Padding ffffffc5a0692fd0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
368.371681: <6> Padding ffffffc5a0692fe0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
368.381146: <6> Padding ffffffc5a0692ff0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Regards
Gaurav
--
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
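As an added illustration (not part of the thread or the kernel sources), here is the check that produced the panic above, redone in user space: SLUB fills a freed object with 0x6b and writes 0xa5 into its last byte, then verifies that pattern when the object is handed out again. The 96-byte object size is inferred from the dump addresses (0x...2e20 up to the redzone at 0x...2e80) and is an assumption; the object bytes are reconstructed from the dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SLUB fill patterns, values as defined in include/linux/poison.h. */
#define POISON_FREE 0x6b  /* written over every byte of a freed object */
#define POISON_END  0xa5  /* written over the last byte of a freed object */

/* Assumption: 96-byte object, from dump lines 0x..2e20-0x..2e7f, redzone at 0x..2e80. */
#define OBJ_SIZE 96

/* Expected poison value at byte `off` of a freed object of `size` bytes. */
static unsigned char expected_poison(size_t off, size_t size)
{
    return off == size - 1 ? POISON_END : POISON_FREE;
}

/* Return the offset of the first byte that no longer holds its free-poison
 * value (the byte found is stored in *got), or -1 when the object is intact.
 * This mirrors the check SLUB runs on re-allocation (alloc_debug_processing ->
 * check_object -> check_bytes_and_report in the trace above): a mismatch means
 * something wrote to the object after it was freed. */
static long first_poison_mismatch(const unsigned char *obj, size_t size, unsigned char *got)
{
    for (size_t off = 0; off < size; off++) {
        if (obj[off] != expected_poison(off, size)) {
            if (got)
                *got = obj[off];
            return (long)off;
        }
    }
    return -1;
}

/* Constructed copy of the object bytes in the report's dump: all 0x6b, the
 * expected 0xa5 end marker, and the single 0x67 byte on the last line. */
static void build_dumped_object(unsigned char out[OBJ_SIZE])
{
    memset(out, POISON_FREE, OBJ_SIZE);
    out[OBJ_SIZE - 1] = POISON_END;  /* 0xa5 at offset 0x5f is expected, not corruption */
    out[0x58] = 0x67;                /* offset 88: 8 bytes before the end of the object */
}

int main(void)
{
    unsigned char obj[OBJ_SIZE], got = 0;
    build_dumped_object(obj);
    long off = first_poison_mismatch(obj, OBJ_SIZE, &got);
    if (off < 0)
        printf("object intact\n");
    else
        printf("poison overwritten at offset 0x%lx (%ld bytes before end): 0x%02x\n",
               off, (long)OBJ_SIZE - off, got);
    return 0;
}
```

The redzone (0xbb) and padding (0x5a) lines in the dump are checked separately by SLUB and are intact here, so the only stray write is the one byte at offset 0x58.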
* Re: Query:Regarding object poison overwritten in binder_transaction
From: Greg Kroah-Hartman @ 2018-03-03 19:27 UTC (permalink / raw)
To: Kohli, Gaurav
Cc: devel, Arve Hjønnevåg, Riley Andrews, linux-kernel
On Sat, Mar 03, 2018 at 08:22:35PM +0530, Kohli, Gaurav wrote:
> Hi,
>
> Is there any known issue of slab poisoning in binder_transaction variable on kernel 4.9,
If you are using binder in an Android device with 4.9, please use the
version in the android-common tree, as it has all of the newer features
backported properly there. You will need that for newer Android systems
(like Android O and newer) anyway, so please try that tree. If you
still have problems there, please file a bug in AOSP.
thanks,
greg k-h
* Re: Query:Regarding object poison overwritten in binder_transaction
From: Kohli, Gaurav @ 2018-03-05 11:39 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Arve Hjønnevåg, Riley Andrews, devel, linux-kernel, linux-arm-msm
Thanks Greg,
I will check the common tree; it seems to me to be a new bug. I will file a
bug if I am not able to resolve it from the android-common tree.
Regards
Gaurav
On 3/4/2018 12:57 AM, Greg Kroah-Hartman wrote:
> On Sat, Mar 03, 2018 at 08:22:35PM +0530, Kohli, Gaurav wrote:
>> Hi,
>>
>> Is there any known issue of slab poisoning in binder_transaction variable on kernel 4.9,
> If you are using binder in an Android device with 4.9, please use the
> version in the android-common tree, as it has all of the newer features
> backported properly there. You will need that for newer Android systems
> (like Android O and newer) anyway, so please try that tree. If you
> still have problems there, please file a bug in AOSP.
>
> thanks,
>
> greg k-h