From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: Kernel crash in free_pipe_info()
Date: Tue, 31 Oct 2017 04:44:49 +0000	[thread overview]
Message-ID: <20171031044449.GJ21978@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+55aFypnFvxdZbaqwyZmV_1QzgHE92zu7xsMqAwJ+u-vR=01g@mail.gmail.com>

On Mon, Oct 30, 2017 at 07:08:46PM -0700, Linus Torvalds wrote:
> On Mon, Oct 30, 2017 at 6:19 PM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> >
> > 1. The faulty addresses are all near 0000000100000000, with one exception
> > of null (which is the most recent one)
> 
> Well, they're at 8(%rax), except for that last case.

0x10(%rax)?

> And in every case (_including_ that last case), %rax has a very
> interesting pattern.. That's the (bad) buf->ops pointer that  was
> loaded from the somehow corrupted "buf".

> So _if_ this is some kind of use-after-free thing, and the allocation
> got re-used for something else, that might just be related to whatever
> ends up being the offset that is filled in with the (int) error
> number.
> 
> Except the offset is that %r12*0x28+0x10, so we're talking a byte
> offset of 330 bytes into the allocation, and apparently the eight
> previous (0-7) iterations were fine.
> 
> Which is really odd.

I wonder what pipe->buffers is equal to here...

> I'm not seeing anything that makes sense. I'll have to think about this.
> 
> I'm assuming you don't have slub debugging enabled, and no way to
> enable it and try to catch this?

FWIW, I would try to slap
	if (buf->ops && (unsigned long)buf->ops <= 0xffffffff)
		dump the living hell out of that thing
and see what it catches...
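A userspace model of the check suggested above, added here as an example rather than code from the thread or the kernel: the struct is a stand-in for struct pipe_buffer laid out to match the 0x28 stride and 0x10 ops offset quoted in the thread (an assumption), the sample array and its pointer values are constructed, and slot 8 carries a 32-bit value in the ops slot so the scan has something to catch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's struct pipe_buffer (assumption, not the kernel
 * definition): 0x28 bytes per element with ops at offset 0x10, matching the
 * stride and offset quoted in the thread. */
struct pipe_buf_ops;  /* opaque; never dereferenced here */
struct pipe_buffer {
    void *page;
    unsigned int offset, len;
    const struct pipe_buf_ops *ops;
    unsigned int flags;
    unsigned long priv;
};

/* The check proposed above: a non-NULL ops pointer that fits in 32 bits cannot
 * be a kernel address on x86_64, so treat it as a sign the slot was overwritten. */
static bool ops_looks_corrupted(const struct pipe_buffer *buf)
{
    return buf->ops && (unsigned long)buf->ops <= 0xffffffffUL;
}

/* Dump the first suspect slot and return its index; -1 means none found. */
static int scan_pipe_bufs(const struct pipe_buffer *bufs, unsigned int nbufs)
{
    for (unsigned int i = 0; i < nbufs; i++) {
        const struct pipe_buffer *buf = &bufs[i];
        if (!ops_looks_corrupted(buf))
            continue;
        fprintf(stderr, "pipe_buffer[%u] (+%#zx): ops=%p (as int %d) page=%p "
                "off=%u len=%u flags=%#x priv=%#lx\n", i, i * sizeof(*buf),
                (const void *)buf->ops, (int)(uintptr_t)buf->ops, buf->page,
                buf->offset, buf->len, buf->flags, buf->priv);
        return (int)i;
    }
    return -1;
}

/* Constructed sample: slots 0-7 look sane, slot 8 has a 32-bit value in ops. */
#define NBUFS 9
static void fill_sample(struct pipe_buffer bufs[NBUFS])
{
    for (unsigned int i = 0; i < NBUFS; i++)
        bufs[i] = (struct pipe_buffer){ .page = (void *)0xffffea0000000000UL,
            .ops = (const struct pipe_buf_ops *)0xffffffff81000000UL, .len = 4096 };
    bufs[8].ops = (const struct pipe_buf_ops *)(uintptr_t)0xfffffff0u;
}
```

The dump prints the ops value reinterpreted as an int as well, which is the quickest way to see whether a corrupted slot holds something that looks like a small or negative integer.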
