diff for duplicates of <4896CA3F.3070709@gmail.com> diff --git a/a/1.txt b/N1/1.txt index e21fb6e..d7bbcc2 100644 --- a/a/1.txt +++ b/N1/1.txt 
@@ -1,55 +1,36 @@ Dave Young napsal(a): -> On Thu, Jul 31, 2008 at 5:15 PM, Pekka J Enberg <penberg@cs.helsinki.= -fi> wrote: +> On Thu, Jul 31, 2008 at 5:15 PM, Pekka J Enberg <penberg@cs.helsinki.fi> wrote: >> On Wed, 30 Jul 2008, Andrew Morton wrote: ->>> INFO: Allocated in dev_alloc_skb+0x1c/0x30 age=3D3642 cpu=3D0 pid=3D= -0 ->>> INFO: Freed in skb_release_data+0x57/0x80 age=3D3146 cpu=3D0 pid=3D= -2398 ->> So the corrupted object was free'd by skb_release_data() so we need = -to ->> look for a driver or the networking stack calling that function too = -early. +>>> INFO: Allocated in dev_alloc_skb+0x1c/0x30 age=3642 cpu=0 pid=0 +>>> INFO: Freed in skb_release_data+0x57/0x80 age=3146 cpu=0 pid=2398 +>> So the corrupted object was free'd by skb_release_data() so we need to +>> look for a driver or the networking stack calling that function too early. >> ->>> INFO: Slab 0xc1c05440 objects=3D7 used=3D3 fp=3D0xf6f3a060 flags=3D= -0x400020c3 ->>> INFO: Object 0xf6f3a060 @offset=3D8288 fp=3D0xf6f39030 +>>> INFO: Slab 0xc1c05440 objects=7 used=3 fp=0xf6f3a060 flags=0x400020c3 +>>> INFO: Object 0xf6f3a060 @offset=8288 fp=0xf6f39030 >>> ->>> Bytes b4 0xf6f3a050: 5e 09 00 00 57 c9 05 00 5a 5a 5a 5a 5a 5a 5a = -5a ^...W=C3=89..ZZZZZZZZ ->> The object starts here (the poison values for first 32 bytes are oka= -y): +>>> Bytes b4 0xf6f3a050: 5e 09 00 00 57 c9 05 00 5a 5a 5a 5a 5a 5a 5a 5a ^...WÉ..ZZZZZZZZ +>> The object starts here (the poison values for first 32 bytes are okay): >> ->>> Object 0xf6f3a060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b= - kkkkkkkkkkkkkkkk ->>> Object 0xf6f3a070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b= - kkkkkkkkkkkkkkkk +>>> Object 0xf6f3a060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk +>>> Object 0xf6f3a070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk >> And here are the first 96 bytes of the corruption: >> ->>> Object 0xf6f3a080: 80 00 00 00 ff ff ff ff ff ff 00 17 7b 00 46 40= - 
....=C3=BF=C3=BF=C3=BF=C3=BF=C3=BF=C3=BF..{.F@ ->>> Object 0xf6f3a090: 00 17 7b 00 46 40 30 09 81 21 08 7a 21 00 00 00= - ..{.F@0..!.z!... ->>> Object 0xf6f3a0a0: 64 00 21 04 00 07 00 00 00 00 00 00 00 01 08 82= - d.!............. ->>> Object 0xf6f3a0b0: 84 8b 0c 12 96 18 24 03 01 01 05 04 00 02 00 00= - ......$......... ->>> Object 0xf6f3a0c0: 07 06 43 4e 20 01 0d 14 2a 01 00 32 04 30 48 60= - ..CN....*..2.0H` ->>> Object 0xf6f3a0d0: 6c dd 18 00 17 7b 01 04 00 00 00 01 00 00 00 10= - l=C3=9D...{.......... +>>> Object 0xf6f3a080: 80 00 00 00 ff ff ff ff ff ff 00 17 7b 00 46 40 ....ÿÿÿÿÿÿ..{.F@ +>>> Object 0xf6f3a090: 00 17 7b 00 46 40 30 09 81 21 08 7a 21 00 00 00 ..{.F@0..!.z!... +>>> Object 0xf6f3a0a0: 64 00 21 04 00 07 00 00 00 00 00 00 00 01 08 82 d.!............. +>>> Object 0xf6f3a0b0: 84 8b 0c 12 96 18 24 03 01 01 05 04 00 02 00 00 ......$......... +>>> Object 0xf6f3a0c0: 07 06 43 4e 20 01 0d 14 2a 01 00 32 04 30 48 60 ..CN....*..2.0H` +>>> Object 0xf6f3a0d0: 6c dd 18 00 17 7b 01 04 00 00 00 01 00 00 00 10 lÝ...{.......... >> But I think that's just the payload of a SKB? -It's a receive frame from ath5k, I suppose. 00:17:7b:00:46:40 is your A= -P? +It's a receive frame from ath5k, I suppose. 00:17:7b:00:46:40 is your AP? ->>> Redzone 0xf6f3b060: bb bb bb bb = - =C2=BB=C2=BB=C2=BB=C2=BB +>>> Redzone 0xf6f3b060: bb bb bb bb »»»» >> The red-zone has SLUB_RED_INACTIVE ("0xbb") which reinforces >> use-after-free. >> ->>> Padding 0xf6f3b088: 5a 5a 5a 5a 5a 5a 5a 5a = - ZZZZZZZZ +>>> Padding 0xf6f3b088: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ >>> Pid: 0, comm: swapper Tainted: G W 2.6.26-smp #2 >>> [<c0180f5d>] print_trailer+0xad/0xf0 >>> [<c018103b>] check_bytes_and_report+0x9b/0xc0 
@@ -65,31 +46,23 @@ P? >>> [<c014969a>] ? print_lock_contention_bug+0x1a/0xe0 >>> [<c012eafc>] tasklet_action+0x4c/0xc0 [...] ->>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D ->>> FIX kmalloc-4096: Restoring 0xf6f3a080-0xf6f3a0ef=3D0x6b +>>> ======================= +>>> FIX kmalloc-4096: Restoring 0xf6f3a080-0xf6f3a0ef=0x6b >>> Dave, could you please remind us which net driver was in use here? >> There's ath5k in the stack trace but that, of course, doesn't ->> automatically mean it's at fault here. It could have been just the p= -oor ->> bastard who was the next to allocate 4 KB with kmalloc() noticing th= -e +>> automatically mean it's at fault here. It could have been just the poor +>> bastard who was the next to allocate 4 KB with kmalloc() noticing the >> corruption. -No, unfortunately ath5k *is* likely the culprit. Next time please Cc=20 +No, unfortunately ath5k *is* likely the culprit. Next time please Cc ath5k-devel@lists.ath5k.org even if it is only a suspicion. > But I still have no idea with the poison overwritten. Could you try patch from http://lkml.org/lkml/2008/7/15/276 -? (I have no idea how reproducible is this by you, it often happens on = -noisy=20 +? (I have no idea how reproducible is this by you, it often happens on noisy channels and/or by lowering RX buffers, i.e. ATH_RXBUF). [It hit mainline few days ago, I'm going to fwd it to stable.] --- -To unsubscribe from this list: send the line "unsubscribe linux-wireles= -s" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index c26492a..8449a1c 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -17,57 +17,38 @@ "\00:1\0" "b\0" "Dave Young napsal(a):\n" - "> On Thu, Jul 31, 2008 at 5:15 PM, Pekka J Enberg <penberg@cs.helsinki.=\n" - "fi> wrote:\n" + "> On Thu, Jul 31, 2008 at 5:15 PM, Pekka J Enberg <penberg@cs.helsinki.fi> wrote:\n" ">> On Wed, 30 Jul 2008, Andrew Morton wrote:\n" - ">>> INFO: Allocated in dev_alloc_skb+0x1c/0x30 age=3D3642 cpu=3D0 pid=3D=\n" - "0\n" - ">>> INFO: Freed in skb_release_data+0x57/0x80 age=3D3146 cpu=3D0 pid=3D=\n" - "2398\n" - ">> So the corrupted object was free'd by skb_release_data() so we need =\n" - "to\n" - ">> look for a driver or the networking stack calling that function too =\n" - "early.\n" + ">>> INFO: Allocated in dev_alloc_skb+0x1c/0x30 age=3642 cpu=0 pid=0\n" + ">>> INFO: Freed in skb_release_data+0x57/0x80 age=3146 cpu=0 pid=2398\n" + ">> So the corrupted object was free'd by skb_release_data() so we need to\n" + ">> look for a driver or the networking stack calling that function too early.\n" ">>\n" - ">>> INFO: Slab 0xc1c05440 objects=3D7 used=3D3 fp=3D0xf6f3a060 flags=3D=\n" - "0x400020c3\n" - ">>> INFO: Object 0xf6f3a060 @offset=3D8288 fp=3D0xf6f39030\n" + ">>> INFO: Slab 0xc1c05440 objects=7 used=3 fp=0xf6f3a060 flags=0x400020c3\n" + ">>> INFO: Object 0xf6f3a060 @offset=8288 fp=0xf6f39030\n" ">>>\n" - ">>> Bytes b4 0xf6f3a050: 5e 09 00 00 57 c9 05 00 5a 5a 5a 5a 5a 5a 5a =\n" - "5a ^...W=C3=89..ZZZZZZZZ\n" - ">> The object starts here (the poison values for first 32 bytes are oka=\n" - "y):\n" + ">>> Bytes b4 0xf6f3a050: 5e 09 00 00 57 c9 05 00 5a 5a 5a 5a 5a 5a 5a 5a ^...W\303\211..ZZZZZZZZ\n" + ">> The object starts here (the poison values for first 32 bytes are okay):\n" ">>\n" - ">>> Object 0xf6f3a060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b=\n" - " kkkkkkkkkkkkkkkk\n" - ">>> Object 0xf6f3a070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b=\n" - " kkkkkkkkkkkkkkkk\n" + ">>> Object 0xf6f3a060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n" + ">>> Object 0xf6f3a070: 6b 
6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n" ">> And here are the first 96 bytes of the corruption:\n" ">>\n" - ">>> Object 0xf6f3a080: 80 00 00 00 ff ff ff ff ff ff 00 17 7b 00 46 40=\n" - " ....=C3=BF=C3=BF=C3=BF=C3=BF=C3=BF=C3=BF..{.F@\n" - ">>> Object 0xf6f3a090: 00 17 7b 00 46 40 30 09 81 21 08 7a 21 00 00 00=\n" - " ..{.F@0..!.z!...\n" - ">>> Object 0xf6f3a0a0: 64 00 21 04 00 07 00 00 00 00 00 00 00 01 08 82=\n" - " d.!.............\n" - ">>> Object 0xf6f3a0b0: 84 8b 0c 12 96 18 24 03 01 01 05 04 00 02 00 00=\n" - " ......$.........\n" - ">>> Object 0xf6f3a0c0: 07 06 43 4e 20 01 0d 14 2a 01 00 32 04 30 48 60=\n" - " ..CN....*..2.0H`\n" - ">>> Object 0xf6f3a0d0: 6c dd 18 00 17 7b 01 04 00 00 00 01 00 00 00 10=\n" - " l=C3=9D...{..........\n" + ">>> Object 0xf6f3a080: 80 00 00 00 ff ff ff ff ff ff 00 17 7b 00 46 40 ....\303\277\303\277\303\277\303\277\303\277\303\277..{.F@\n" + ">>> Object 0xf6f3a090: 00 17 7b 00 46 40 30 09 81 21 08 7a 21 00 00 00 ..{.F@0..!.z!...\n" + ">>> Object 0xf6f3a0a0: 64 00 21 04 00 07 00 00 00 00 00 00 00 01 08 82 d.!.............\n" + ">>> Object 0xf6f3a0b0: 84 8b 0c 12 96 18 24 03 01 01 05 04 00 02 00 00 ......$.........\n" + ">>> Object 0xf6f3a0c0: 07 06 43 4e 20 01 0d 14 2a 01 00 32 04 30 48 60 ..CN....*..2.0H`\n" + ">>> Object 0xf6f3a0d0: 6c dd 18 00 17 7b 01 04 00 00 00 01 00 00 00 10 l\303\235...{..........\n" ">> But I think that's just the payload of a SKB?\n" "\n" - "It's a receive frame from ath5k, I suppose. 00:17:7b:00:46:40 is your A=\n" - "P?\n" + "It's a receive frame from ath5k, I suppose. 
00:17:7b:00:46:40 is your AP?\n" "\n" - ">>> Redzone 0xf6f3b060: bb bb bb bb =\n" - " =C2=BB=C2=BB=C2=BB=C2=BB\n" + ">>> Redzone 0xf6f3b060: bb bb bb bb \302\273\302\273\302\273\302\273\n" ">> The red-zone has SLUB_RED_INACTIVE (\"0xbb\") which reinforces\n" ">> use-after-free.\n" ">>\n" - ">>> Padding 0xf6f3b088: 5a 5a 5a 5a 5a 5a 5a 5a =\n" - " ZZZZZZZZ\n" + ">>> Padding 0xf6f3b088: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ\n" ">>> Pid: 0, comm: swapper Tainted: G W 2.6.26-smp #2\n" ">>> [<c0180f5d>] print_trailer+0xad/0xf0\n" ">>> [<c018103b>] check_bytes_and_report+0x9b/0xc0\n" 
@@ -83,33 +64,25 @@ ">>> [<c014969a>] ? print_lock_contention_bug+0x1a/0xe0\n" ">>> [<c012eafc>] tasklet_action+0x4c/0xc0\n" "[...]\n" - ">>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D\n" - ">>> FIX kmalloc-4096: Restoring 0xf6f3a080-0xf6f3a0ef=3D0x6b\n" + ">>> =======================\n" + ">>> FIX kmalloc-4096: Restoring 0xf6f3a080-0xf6f3a0ef=0x6b\n" "\n" ">>> Dave, could you please remind us which net driver was in use here?\n" ">> There's ath5k in the stack trace but that, of course, doesn't\n" - ">> automatically mean it's at fault here. It could have been just the p=\n" - "oor\n" - ">> bastard who was the next to allocate 4 KB with kmalloc() noticing th=\n" - "e\n" + ">> automatically mean it's at fault here. It could have been just the poor\n" + ">> bastard who was the next to allocate 4 KB with kmalloc() noticing the\n" ">> corruption.\n" "\n" - "No, unfortunately ath5k *is* likely the culprit. Next time please Cc=20\n" + "No, unfortunately ath5k *is* likely the culprit. Next time please Cc \n" "ath5k-devel@lists.ath5k.org even if it is only a suspicion.\n" "\n" "> But I still have no idea with the poison overwritten.\n" "\n" "Could you try patch from\n" "http://lkml.org/lkml/2008/7/15/276\n" - "? (I have no idea how reproducible is this by you, it often happens on =\n" - "noisy=20\n" + "? (I have no idea how reproducible is this by you, it often happens on noisy \n" "channels and/or by lowering RX buffers, i.e. ATH_RXBUF).\n" "\n" - "[It hit mainline few days ago, I'm going to fwd it to stable.]\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-wireles=\n" - "s\" in\n" - "the body of a message to majordomo@vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + [It hit mainline few days ago, I'm going to fwd it to stable.] -487a90a76722d83c7d628beaaa29cc3b3315016fdcfa06a195f9417168ec125e +c1959fd3ed9afe2c486e056a2346c009d09c018a77420546569e59ed87115590
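Review bot: the last content_digest hunk ends with two different digests for what the 1.txt hunks show to be the same message text. The `-` side differs from the `+` side only in quoted-printable artifacts (`=3D`, `=20`, `=C3=BF`-style escapes and soft `=` line breaks) and in the trailing majordomo unsubscribe footer. If the two copies are meant to be matched as one message, the comparison should be made after transfer decoding and footer removal rather than on the raw bodies. Anyone reading the SLUB dump for triage should use the `+` side, where the `age=`, `cpu=`, `pid=` and `fp=` fields and the 16-byte hex rows are intact on a single line.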