From: Alexey Dobriyan <adobriyan@sw.ru>
To: Roland McGrath <roland@redhat.com>
Cc: akpm@osdl.org, linux-kernel@vger.kernel.org, devel@openvz.org
Subject: Re: utrace, RCU and ia64
Date: Tue, 17 Apr 2007 15:20:48 +0400	[thread overview]
Message-ID: <20070417112048.GA10908@localhost.sw.ru> (raw)
In-Reply-To: <20070329203025.540841801C4@magilla.sf.frob.com>

[double freeing of struct utrace leading to oops in
 __rcu_process_callbacks]

Hi, Roland,

The utrace debugging you've put into 2.6.21-rc6-mm1 helped. Two double-frees
were reproduced:
1) BUG at kernel/utrace.c:176
	rcu_utrace_free
	utrace_reap
	utrace_release_task
	release_task
	flush_old_exec
	load_elf_binary
	search_binary_handler
	do_execve

2)	rcu_utrace_free
	check_dead_utrace
	remove_detached
	finish_report_death
	utrace_report_death
	do_exit
	debug_mutex_init
	get_signal_to_deliver
	do_notify_resume
	ptregscall_common
	sysret_signal
----------------
I've sprinkled more atomic_set's over the utrace code to determine who is at
fault for the first freeing. It seems to be

	rcu_utrace_free
	check_dead_utrace
	wake_quiscent
	utrace_detach

There was an atomic_set(&utrace->debug, 42) right before the wake_quiscent() call
and a printk() in rcu_utrace_free(). So it was 42 or garbage.

The way I understand all this is that check_dead_utrace() can free struct
utrace and doesn't clear the ->utrace pointer.

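The "tag before free" trick used in the report (write a distinctive value into a debug field on each path just before it hands the object to the free routine, then print that field from the free routine) is worth having as a runnable model. The following is an added user-space example written for this page; it is not utrace code and not code from the mail. The struct, tag values and path names (path_detach, path_report_death, model_rcu_utrace_free) are constructed stand-ins for the two free chains in the traces above, and the second scenario shows the effect of clearing the ->utrace pointer after the first free, which the mail identifies as the missing step.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed user-space model of tagging an object before each free path
 * so that the free routine can tell who freed it first. All names and tag
 * values here are made up for this example; nothing is utrace code.
 */
enum {
    TAG_NONE = 0,
    TAG_UTRACE_DETACH = 42,   /* mail: set right before wake_quiscent() */
    TAG_REPORT_DEATH = 44,    /* constructed tag for the exit-time path */
};

struct utrace_model {
    atomic_int debug;   /* written by whichever path is about to free us */
    int freed;          /* stands in for the poison the real BUG check looks at */
    int first_freer;    /* tag recorded when the object was freed the first time */
};

struct task_model {
    struct utrace_model *utrace;  /* the ->utrace pointer that was left dangling */
};

/* Model of rcu_utrace_free(): 0 on the first free, -1 on a detected double free. */
static int model_rcu_utrace_free(struct utrace_model *u)
{
    int tag = atomic_load(&u->debug);

    if (u->freed) {
        fprintf(stderr, "double free: first freed by tag %d, now by tag %d\n",
                u->first_freer, tag);
        return -1;
    }
    u->first_freer = tag;
    /* The kernel would queue call_rcu() here; the model keeps the memory so
     * the second caller can still read the tag (in the kernel it may already
     * be reused, hence "42 or garbage"). */
    u->freed = 1;
    return 0;
}

/* Free path 1: the utrace_detach -> wake_quiscent -> check_dead_utrace chain. */
static int path_detach(struct task_model *t, int clear_ptr)
{
    struct utrace_model *u = t->utrace;
    int r;

    if (!u)
        return 0;
    atomic_store(&u->debug, TAG_UTRACE_DETACH);
    r = model_rcu_utrace_free(u);
    if (clear_ptr)
        t->utrace = NULL;   /* the missing step: drop the dangling pointer */
    return r;
}

/* Free path 2: the do_exit -> utrace_report_death -> check_dead_utrace chain. */
static int path_report_death(struct task_model *t, int clear_ptr)
{
    struct utrace_model *u = t->utrace;
    int r;

    if (!u)
        return 0;
    atomic_store(&u->debug, TAG_REPORT_DEATH);
    r = model_rcu_utrace_free(u);
    if (clear_ptr)
        t->utrace = NULL;
    return r;
}

/*
 * Run the two paths in the order the report shows (detach first, then the
 * exit-time report). Returns the number of double frees detected and stores
 * the tag of the first freer in *first_freer; -1 on allocation failure.
 */
int run_scenario(int clear_ptr, int *first_freer)
{
    struct task_model task;
    struct utrace_model *u = calloc(1, sizeof *u);
    int doubles = 0;

    if (!u)
        return -1;
    atomic_init(&u->debug, TAG_NONE);
    task.utrace = u;
    if (path_detach(&task, clear_ptr) < 0)
        doubles++;
    if (path_report_death(&task, clear_ptr) < 0)
        doubles++;
    *first_freer = u->first_freer;
    free(u);
    return doubles;
}

int main(void)
{
    int tag, d;

    d = run_scenario(0, &tag);
    printf("->utrace left dangling: %d double free(s), first freer tag %d\n", d, tag);
    d = run_scenario(1, &tag);
    printf("->utrace cleared:       %d double free(s), first freer tag %d\n", d, tag);
    return 0;
}
```

The model keeps the object alive after the first "free" so the second caller can still read the tag; that is what a poison or quarantine debug allocator gives you in the kernel, and without it the second read races the RCU callback and the slab reuse, which is why the mail reports seeing either 42 or garbage.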

Thread overview:
2007-03-29 17:07 utrace, RCU and ia64 Alexey Dobriyan
2007-03-29 20:30 ` Roland McGrath
2007-04-17 11:20   ` Alexey Dobriyan [this message]