From: Al Viro <viro@ZenIV.linux.org.uk>
To: lkp@lists.01.org
Subject: Re: [memdup_user_nul] kernel BUG at mm/slab.c:2735!
Date: Tue, 29 Dec 2015 14:57:09 +0000
Message-ID: <20151229145709.GB9938@ZenIV.linux.org.uk>
In-Reply-To: <20151229143946.GA9938@ZenIV.linux.org.uk>
On Tue, Dec 29, 2015 at 02:39:47PM +0000, Al Viro wrote:
> On Tue, Dec 29, 2015 at 08:38:43PM +0800, Fengguang Wu wrote:
> > Hi Al,
> >
> > It looks like this patch has various impacts. Here are some more bug messages.
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git work.misc
> >
> > commit c7af9d5728bed29ef614324e67e066896d087c8f
>
> The version in vfs.git has been ad8e00e50cbda2ce3831a4badc239ad014eec69 for
> a couple of days already...
FWIW, the difference (and the source of those bugs) is that the earlier
variant had missed the fact that the value of kbuf gets modified between the
allocation and freeing, so it ended up doing kfree() on the tail of the
kmalloced buffer.
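
Added example, not part of the original message or of the patch it discusses: a userspace sketch of the bug class described above, where a parsing cursor drifts away from the allocation base and only the saved base is valid to free. `malloc`/`free` stand in for `kmalloc`/`kfree`; `dup_nul()`, `parse_fields()` and the sample input are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-in for a "duplicate and NUL-terminate" helper. */
static char *dup_nul(const char *src, size_t len)
{
    char *p = malloc(len + 1);
    if (!p)
        return NULL;
    memcpy(p, src, len);
    p[len] = '\0';
    return p;
}

/* Counts whitespace-separated fields in src[0..len).
 * kbuf is the parsing cursor and is advanced as input is consumed, so by the
 * time we clean up it no longer equals what the allocator returned.
 * *drift reports how far kbuf ended up from the allocation base, i.e. how far
 * into the buffer a free(kbuf) would have pointed.
 * Returns the field count, or -1 on allocation failure. */
int parse_fields(const char *src, size_t len, ptrdiff_t *drift)
{
    char *base = dup_nul(src, len);   /* saved: the only pointer valid to free */
    char *kbuf = base;                /* cursor: modified during parsing */
    int fields = 0;

    if (!base)
        return -1;
    while (*kbuf) {
        kbuf += strspn(kbuf, " \t\n");    /* skip separators */
        if (!*kbuf)
            break;
        fields++;
        kbuf += strcspn(kbuf, " \t\n");   /* skip the field itself */
    }
    *drift = kbuf - base;
    free(base);   /* correct: free the base, never the advanced cursor */
    return fields;
}

int main(void)
{
    const char *input = "  7 on  \n";     /* constructed sample input */
    ptrdiff_t drift = 0;
    int n = parse_fields(input, strlen(input), &drift);
    /* Success means: parsed two fields and the cursor really did move. */
    return (n == 2 && drift != 0) ? 0 : 1;
}
```

Freeing `kbuf` instead of `base` in `parse_fields()` would pass the allocator a pointer `drift` bytes into the object, which is the condition the slab allocator's sanity checks report as an invalid object pointer.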