From: Chris Mason <chris.mason@fusionio.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Lameter <cl@gentwo.org>,
Al Viro <viro@zeniv.linux.org.uk>
Cc: Simon Kirby <sim@hostway.ca>, Pekka Enberg <penberg@kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [3.10] Oopses in kmem_cache_allocate() via prepare_creds()
Date: Mon, 19 Aug 2013 17:24:41 -0400
Message-ID: <20130819212441.17880.16729@localhost.localdomain>
In-Reply-To: <CA+55aFxiYzxLDUnr+9BGQ+fsfmb1T8_zW4fOOC=SQ4rVzwbv4A@mail.gmail.com>
Quoting Linus Torvalds (2013-08-19 17:16:36)
> On Mon, Aug 19, 2013 at 1:29 PM, Christoph Lameter <cl@gentwo.org> wrote:
> > On Mon, 19 Aug 2013, Simon Kirby wrote:
> >
> >> [... ] The
> >> alloc/free traces are always the same -- always alloc_pipe_info and
> >> free_pipe_info. This is seen on 3.10 and (now) 3.11-rc4:
> >>
> >> Object ffff880090f19e78: 6b 6b 6b 6b 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkklkkkkkkkkkkk
> >
> > This looks like an increment after free in the second 32 bit value of the
> > structure. First 32 bit value's poison is unchanged.
>
> Ugh. If that is "struct pipe_inode_info" and I read it right, that's
> the "wait_lock" spinlock that is part of the mutex.
>
> Doing a "spin_lock()" could indeed cause an increment operation. But
> it still sounds like a very odd case. And even for some wild pointer
> I'd then expect the spin_unlock to also happen, and to then increment
> the next byte (or word) too. More importantly, for a mutex, I'd expect
> the *other* fields to be corrupted too (the "waiter" field etc). That
> is, unless we're still spinning waiting for the mutex, but with that
> value we shouldn't, as far as I can see.
>
Simon, is this box doing btrfs send/receive? If so, it's probably where
this pipe is coming from.

Linus' CONFIG_DEBUG_PAGE_ALLOC suggestions are going to be the fastest
way to find it; I can give you a patch if it'll help.

It would be nice if you could trigger this on plain 3.11-rcX instead of
btrfs-next.

-chris
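
A triage helper for the dump row quoted above, as an added example that is not part of the original message or of the kernel tree: it parses SLUB `Object` rows and reports every word that differs from the free poison, with its signed delta. It assumes a little-endian machine (x86-64 here), and the function names are hypothetical.

```python
import re

POISON_FREE = 0x6B  # include/linux/poison.h: fill byte for a freed slab object
POISON_END = 0xA5   # include/linux/poison.h: final byte of a poisoned object

# The dump row quoted in the thread (first 16 bytes of the freed object).
SAMPLE = ("Object ffff880090f19e78: 6b 6b 6b 6b 6c 6b 6b 6b "
          "6b 6b 6b 6b 6b 6b 6b 6b kkkklkkkkkkkkkkk")

# "Object <addr>: <up to 16 hex bytes>"; the trailing ASCII column is ignored.
ROW = re.compile(
    r"Object\s+([0-9a-f]+):\s*([0-9a-f]{2}(?: [0-9a-f]{2}){0,15})\b", re.I)

def parse_rows(log_text):
    """Assemble consecutive Object rows into (base_address, bytes)."""
    base, data = None, bytearray()
    for m in ROW.finditer(log_text):
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(data):
            raise ValueError("Object rows are not contiguous")
        data += bytes.fromhex(m.group(2))
    if base is None:
        raise ValueError("no Object rows found")
    return base, bytes(data)

def expected_poison(n, ends_object=False):
    """Poison pattern for n bytes; the object's last byte is POISON_END."""
    exp = bytearray([POISON_FREE]) * n
    if ends_object and n:
        exp[-1] = POISON_END
    return bytes(exp)

def word_deltas(data, width=4, ends_object=False):
    """Return (offset, delta) for each width-byte word that is not poison.
    Words are read little-endian (assumption). A delta of +1 or -1 points
    at a counter or lock word touched after the free."""
    exp = expected_poison(len(data), ends_object)
    out = []
    for off in range(0, len(data), width):
        got, want = data[off:off + width], exp[off:off + width]
        if got != want:
            delta = int.from_bytes(got, "little") - int.from_bytes(want, "little")
            out.append((off, delta))
    return out
```

On the quoted row, `word_deltas(parse_rows(SAMPLE)[1])` gives a single hit at offset 4 with delta +1; pass `ends_object=True` only when the rows run to the end of the object.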