* Use-after-free in pte_chain in 2.6.0-test11
@ 2003-12-13 22:04 Petr Vandrovec
  2003-12-13 22:13 ` William Lee Irwin III
  0 siblings, 1 reply; 5+ messages in thread
From: Petr Vandrovec @ 2003-12-13 22:04 UTC (permalink / raw)
  To: linux-kernel

Hi,
  today I got this one while attempting to build a new kernel. Running kernel is
2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
have any clue what could have happened, or should I start looking for new
memory modules?

  AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
as of last week Debian unstable. Kernel built with all possible memory 
debugging enabled... 

  Unfortunately I have no idea which process did this clone() call, and
whether it succeeded or died. 
					Thanks,
						Petr Vandrovec
						vandrove@vc.cvut.cz

Slab corruption: start=da54d380, expend=da54d3ff, problemat=da54d3fc
Data: ****************************************************************************************************************************6A **A5
Next: 1D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
slab error in check_poison_obj(): cache `pte_chain': object was modified after freeing
Call Trace:
 [<c0152658>] check_poison_obj+0x108/0x190
 [<c0166e3c>] pte_chain_alloc+0x3c/0x80
 [<c0154813>] kmem_cache_alloc+0x83/0x210
 [<c0166e3c>] pte_chain_alloc+0x3c/0x80
 [<c015d1b0>] copy_page_range+0x410/0x900
 [<c0152579>] check_poison_obj+0x29/0x190
 [<c0125c51>] copy_mm+0x571/0x730
 [<c0127369>] copy_process+0xcd9/0xee0
 [<c0126bc2>] copy_process+0x532/0xee0
 [<c01275cc>] do_fork+0x5c/0x1e0
 [<c01078d1>] sys_clone+0x41/0x50
 [<c0109dab>] syscall_call+0x7/0xb


* Re: Use-after-free in pte_chain in 2.6.0-test11
  2003-12-13 22:04 Petr Vandrovec
@ 2003-12-13 22:13 ` William Lee Irwin III
  2003-12-13 22:32   ` Petr Vandrovec
  0 siblings, 1 reply; 5+ messages in thread
From: William Lee Irwin III @ 2003-12-13 22:13 UTC (permalink / raw)
  To: Petr Vandrovec; +Cc: linux-kernel

On Sat, Dec 13, 2003 at 11:04:59PM +0100, Petr Vandrovec wrote:
>   today I got this one while attempting to build a new kernel. Running kernel is
> 2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
> have any clue what could have happened, or should I start looking for new
> memory modules?
>   AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
> as of last week Debian unstable. Kernel built with all possible memory 
> debugging enabled... 
>   Unfortunately I have no idea which process did this clone() call, and
> whether it succeeded or died. 

CONFIG_DEBUG_PAGEALLOC should have oopsed this...


-- wli


* Re: Use-after-free in pte_chain in 2.6.0-test11
  2003-12-13 22:13 ` William Lee Irwin III
@ 2003-12-13 22:32   ` Petr Vandrovec
  2003-12-13 22:33     ` William Lee Irwin III
  0 siblings, 1 reply; 5+ messages in thread
From: Petr Vandrovec @ 2003-12-13 22:32 UTC (permalink / raw)
  To: William Lee Irwin III, linux-kernel

On Sat, Dec 13, 2003 at 02:13:20PM -0800, William Lee Irwin III wrote:
> On Sat, Dec 13, 2003 at 11:04:59PM +0100, Petr Vandrovec wrote:
> >   today I got this one while attempting to build a new kernel. Running kernel is
> > 2.6.0-test11-c1511 (bk as of 2003-12-05 23:35:35-08:00). Does anybody
> > have any clue what could have happened, or should I start looking for new
> > memory modules?
> >   AMD K7/1GHz box, 512MB RAM, no vmmon/vmnet loaded since reboot, gcc-3.3.2
> > as of last week Debian unstable. Kernel built with all possible memory 
> > debugging enabled... 
> >   Unfortunately I have no idea which process did this clone() call, and
> > whether it succeeded or died. 
> 
> CONFIG_DEBUG_PAGEALLOC should have oopsed this...

Maybe pte_chain is too small to get unmapped (it is 128 bytes here)? Or it is
really a hardware bug :-(

CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_SLAB=y
CONFIG_DEBUG_IOVIRT=y
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_PAGEALLOC=y
CONFIG_DEBUG_HIGHMEM=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_SPINLOCK_SLEEP=y
# CONFIG_FRAME_POINTER is not set
CONFIG_X86_EXTRA_IRQS=y
CONFIG_X86_FIND_SMP_CONFIG=y
CONFIG_X86_MPPARSE=y

						Thanks,
							Petr Vandrovec
							vandrove@vc.cvut.cz



* Re: Use-after-free in pte_chain in 2.6.0-test11
  2003-12-13 22:32   ` Petr Vandrovec
@ 2003-12-13 22:33     ` William Lee Irwin III
  0 siblings, 0 replies; 5+ messages in thread
From: William Lee Irwin III @ 2003-12-13 22:33 UTC (permalink / raw)
  To: Petr Vandrovec; +Cc: linux-kernel

On Sat, Dec 13, 2003 at 02:13:20PM -0800, William Lee Irwin III wrote:
>> CONFIG_DEBUG_PAGEALLOC should have oopsed this...

On Sat, Dec 13, 2003 at 11:32:08PM +0100, Petr Vandrovec wrote:
> Maybe pte_chain is too small to get unmapped (it is 128 bytes here)? Or it is
> really a hardware bug :-(

The alignment flags prevent it.

Anyhow, 6a vs. 5a/5b looks like a bitflip...


-- wli


* Re: Use-after-free in pte_chain in 2.6.0-test11
@ 2003-12-13 22:36 Manfred Spraul
  0 siblings, 0 replies; 5+ messages in thread
From: Manfred Spraul @ 2003-12-13 22:36 UTC (permalink / raw)
  To: Petr Vandrovec; +Cc: linux-kernel

>
>
>Slab corruption: start=da54d380, expend=da54d3ff, problemat=da54d3fc
>Data: ******************************************************************************** \
>                ********************************************6A **A5
>
"*" stands for 0x6b, and the pte chain contains pointers, not bits. It 
looks like bad memory.

--
    Manfred
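To make the diagnostic in this thread concrete, here is an added user-space model of the check that produced the "Slab corruption" report; it is example code, not kernel code and not from any participant. It poisons a freed 128-byte object the way the 2.6 slab debugger did (0x6b body, 0xa5 end byte, the values Manfred refers to), reports the first modified byte as check_poison_obj() does, and counts how many bits that byte differs by, which is the single-bit test behind the bit-flip diagnosis. The object size and the offset 124 (0xda54d3fc minus 0xda54d380) come from the report; the function names and the helper macro are assumptions.

```c
/* Added example, not kernel code: a user-space model of the slab poison check
 * behind the "Slab corruption" report. The 2.6 slab debugger fills a freed object
 * with 0x6b and sets its last byte to 0xa5; a change seen at the next allocation
 * means a write after free or failing RAM. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* shown as "*" in the report's Data line */
#define POISON_END  0xa5   /* last byte of a poisoned object */
#define OBJ_SIZE    128    /* pte_chain object size quoted in the thread */
#define EXPECTED(size, at) ((at) == (size) - 1 ? POISON_END : POISON_FREE)

/* Poison an object the way the allocator does when it is freed. */
void poison_obj(uint8_t *obj, size_t size)
{
	memset(obj, POISON_FREE, size);
	obj[size - 1] = POISON_END;
}

/* Offset of the first byte that no longer matches its poison, or -1 if the
 * object is intact (the report's "problemat" minus "start"). */
long check_poison_obj(const uint8_t *obj, size_t size)
{
	for (size_t i = 0; i < size; i++)
		if (obj[i] != EXPECTED(size, i))
			return (long)i;
	return -1;
}

/* Bits differing from the poison value; one flipped bit (0x6b -> 0x6a) suggests bad RAM. */
int poison_bits_changed(const uint8_t *obj, size_t size, size_t at)
{
	unsigned diff = obj[at] ^ EXPECTED(size, at);
	int n = 0;
	for (; diff; diff >>= 1)
		n += diff & 1;
	return n;
}

int main(void)
{
	uint8_t obj[OBJ_SIZE];
	poison_obj(obj, OBJ_SIZE);
	obj[124] = 0x6a;  /* constructed: 0xda54d3fc - 0xda54d380 = 124, as reported */
	long at = check_poison_obj(obj, OBJ_SIZE);
	printf("problemat=start+%ld bits_changed=%d\n", at,
	       at < 0 ? 0 : poison_bits_changed(obj, OBJ_SIZE, (size_t)at));
	return 0;
}
```

A multi-byte or multi-bit difference at the reported offset would point at a stray write into the freed object instead; the report's 6A amid intact 0x6b bytes is the one-bit case.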
