From: Andreas Gruenbacher <agruen@suse.de>
To: Andrew Morton <akpm@osdl.org>, Dave Jones <davej@redhat.com>,
Paul Fulghum <paulkf@microgate.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: yet more slab corruption.
Date: Tue, 4 Apr 2006 15:44:01 +0200 [thread overview]
Message-ID: <200604041544.01656.agruen@suse.de> (raw)
In-Reply-To: <20060307231414.34c3b3a4.akpm@osdl.org>
On Wednesday, 08 March 2006 08:14, Andrew Morton wrote:
> Dave Jones <davej@redhat.com> wrote:
> > Garg. Is there no end to these ?
> > That kernel is based off 2.6.16rc5-git8
> >
> > This brings the current count up to 8 different patterns filed
> > against our 2.6.16rc tree in Fedora bugzilla.
> > (One of them doesn't count as it's against the out-of-tree bcm43xx
> > driver).
We have two similar bug reports to
https://bugzilla.redhat.com/bugzilla/184310, slab corruption in an object
freed by release_mem:
https://bugzilla.novell.com/151111 (i386)
https://bugzilla.novell.com/154601 (x86_64)
So this bug seems to trigger on different architectures, and with different
hardware.
> A use-after-free on size-2048. We wrote -1L and 0L apparently 0x6b8 bytes
> into the object. That's an awfully large offset for tty_struct - off the
> end. Sometimes the buffer was used as skb data too.
I don't know about offset 0x6b8: 0x6b is POISON_FREE in mm/slab.c, so this is
probably a misread. I think the correct offset is 0xbc. Bug 151111 has the
corruption at the same offset. On x86_64, the offset is 0x124. This seems to
be tty_struct->winsize in all cases, even though I can't tell for sure for
most of the reports anymore.
So this could be a tty_struct locking bug -- it's surprising that we are also
seeing filesystem corruption, but only in some cases. There was a recent
locking fix in this area by Paul Fulghum <paulkf@microgate.com> from Feb 15
which might be related, but the fix looks good to me:
http://www.kernel.org/hg/linux-2.6/?cs=623e3c38a511.
> Unless it was a DMA scribble, CONFIG_DEBUG_PAGEALLOC should catch this.
This didn't trigger anything in an overnight run. Any further ideas?
Thanks,
Andreas
--
Andreas Gruenbacher <agruen@suse.de>
Novell / SUSE Labs
next prev parent reply other threads:[~2006-04-04 13:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-03-07 23:59 yet more slab corruption Dave Jones
2006-03-08 7:14 ` Andrew Morton
2006-04-04 13:44 ` Andreas Gruenbacher [this message]
2006-04-04 14:21 ` Jan Niehusmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200604041544.01656.agruen@suse.de \
--to=agruen@suse.de \
--cc=akpm@osdl.org \
--cc=davej@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paulkf@microgate.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.