From: Andrew Morton <akpm@linux-foundation.org>
To: Michal Schmidt <mschmidt@redhat.com>
Cc: linux-kernel@vger.kernel.org, cpufreq@vger.kernel.org,
mark.langsdorf@amd.com
Subject: Re: use after free of struct powernow_k8_data
Date: Wed, 30 Sep 2009 13:30:59 -0700
Message-ID: <20090930133059.995c34b4.akpm@linux-foundation.org>
In-Reply-To: <20090924165125.7cf51a1f@leela>
On Thu, 24 Sep 2009 16:51:25 +0200
Michal Schmidt <mschmidt@redhat.com> wrote:
> Hello,
>
> After resume from suspend I get:
>
> =============================================================================
> BUG kmalloc-256: Poison overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0xffff880073bf1bb0-0xffff880073bf1bb7. First byte 0x12 instead of 0x6b
> INFO: Allocated in powernowk8_cpu_init+0x72/0xc27 [powernow_k8] age=290 cpu=0 pid=1782
> INFO: Freed in powernowk8_cpu_exit+0x6b/0x88 [powernow_k8] age=289 cpu=0 pid=1782
> INFO: Slab 0xffffea0002f059e8 objects=12 used=10 fp=0xffff880073bf1b88 flags=0x200000000000c3
> INFO: Object 0xffff880073bf1b88 @offset=2952 fp=0xffff880073bf1e18
>
> Bytes b4 0xffff880073bf1b78: ec 77 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a __w____....ZZZZZZZZ
> Object 0xffff880073bf1b88: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xffff880073bf1b98: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
> Object 0xffff880073bf1ba8: 6b 6b 6b 6b 6b 6b 6b 6b 12 00 00 00 0c 00 00 00 kkkkkkkk........
> Object 0xffff880073bf1bb8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>
> The overwritten values correspond to the currvid (0x12) and currfid (0x0c)
> fields of struct powernow_k8_data. Earlier in dmesg these exact values
> can be seen:
>
> powernow-k8: table matched fid 0xc, giving vid 0x12
> powernow-k8: target matches current values (fid 0xc, vid 0x12)
>
> It seems that something called query_current_values_with_pending_wait()
> while the struct was already freed.
>
> It is perfectly reproducible. The kernel is the latest from git
> (94a8d5caba74211ec76dac80fc6e2d5c391530df).
> I'm attaching the full dmesg and .config.
>
Do you know if this is a regression? If so, since which kernel version?
Thanks.
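
The offset arithmetic behind the quoted SLUB report, as an added example that is not part of either message or of the kernel source. It rebuilds the 64 dumped object bytes (constructed from the four "Object" rows), scans for bytes that differ from the 0x6b free poison, and decodes the damaged span as two little-endian 32-bit words; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b                  /* SLUB fill byte for freed objects */
#define OBJ_BASE    0xffff880073bf1b88ULL /* "Object" address from the report */
#define DUMP_LEN    64                    /* bytes shown in the four Object rows */

/* Rebuild the dumped bytes (constructed): poison except 8 bytes at 0x28. */
static void build_dump(uint8_t *obj)
{
    static const uint8_t damaged[8] = { 0x12, 0, 0, 0, 0x0c, 0, 0, 0 };
    memset(obj, POISON_FREE, DUMP_LEN);
    memcpy(obj + 0x28, damaged, sizeof(damaged));
}

/* Scan the dumped prefix for bytes that no longer hold the poison value.
 * Returns 1 and sets [*first, *last] if something was overwritten, else 0. */
static int find_overwrite(const uint8_t *obj, size_t len, size_t *first, size_t *last)
{
    int hit = 0;
    for (size_t i = 0; i < len; i++) {
        if (obj[i] == POISON_FREE)
            continue;
        if (!hit)
            *first = i;
        *last = i;
        hit = 1;
    }
    return hit;
}

/* Read a little-endian 32-bit value (x86-64 byte order) at a byte offset. */
static uint32_t le32_at(const uint8_t *obj, size_t off)
{
    return (uint32_t)obj[off] | (uint32_t)obj[off + 1] << 8 |
           (uint32_t)obj[off + 2] << 16 | (uint32_t)obj[off + 3] << 24;
}

int main(void)
{
    uint8_t obj[DUMP_LEN];
    size_t first, last;
    build_dump(obj);
    if (find_overwrite(obj, DUMP_LEN, &first, &last))
        printf("0x%llx-0x%llx offset %zu: 0x%x 0x%x\n", OBJ_BASE + first,
               OBJ_BASE + last, first, le32_at(obj, first), le32_at(obj, first + 4));
    return 0;
}
```

The resulting offset into the object (40 bytes) is what gets matched against the structure layout, for example with pahole, to identify which fields the stale write touched.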