From: Eric Dumazet <eric.dumazet@gmail.com>
To: Jike Song <albcamus@gmail.com>
Cc: Parag Warudkar <parag.lkml@gmail.com>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53
Date: Tue, 08 Sep 2009 09:38:16 +0200
Message-ID: <4AA609E8.3060408@gmail.com>
In-Reply-To: <df9815e70909072151l2686231en76773418aaf9deeb@mail.gmail.com>

Jike Song wrote:
> On Tue, Sep 8, 2009 at 11:56 AM, Parag Warudkar<parag.lkml@gmail.com> wrote:
>> On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@gmail.com> wrote:
>>>> hi, I hit this with vnc. Below is part of dmesg :
>>> Still producible in 2.6.31-rc9, can anybody help?
>> How does one go about reproducing this? You said VNC triggers this but
>> what VNC version, server or client? What distro and what needs to be done
>> with VNC to trigger this problem? I ask since I use VNC myself and test -git kernels
>> and have not encountered this issue.
>>
>> Parag
>>
>>
> Thanks for your attention,  CC netdev this time.
> 
> VNC server: tigervnc-server-0.0.91-0.11.fc11.x86_64
> VNC client:  TurboVNC Viewer version 0.5 for Solaris
> Distro       : Fedora 11, x86-64
> 
> I specify gnome-init in xstartup, below is my xstartup file, with this
> file one only needs to run vncviewer from the client to produce this
> bug:
> 
> #!/bin/sh
> 
> unset LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> unset LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER
> LANG=zh_CN.UTF-8
> export LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> export LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> export LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER
> export G_FILENAME_ENCODING=@locale
> XMODIFIERS="@im=SCIM"
> GTK_IM_MODULE="scim"
> export XMODIFIERS GTK_IM_MODULE
> if type scim &> /dev/null ; then
> 	scim -d &
> fi
> 
> vncconfig -iconic &
> unset SESSION_MANAGER
> unset DBUS_SESSION_BUS_ADDRESS
> OS=`uname -s`
> if [ $OS = 'Linux' ]; then
>   case "$WINDOWMANAGER" in
>     *gnome*)
>       if [ -e /etc/SuSE-release ]; then
>         PATH=$PATH:/opt/gnome/bin
>         export PATH
>       fi
>       ;;
>   esac
> fi
> if [ -x /etc/X11/xinit/xinitrc ]; then
>   exec /etc/X11/xinit/xinitrc
> fi
> if [ -f /etc/X11/xinit/xinitrc ]; then
>   exec sh /etc/X11/xinit/xinitrc
> fi
> [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
> xsetroot -solid grey
> xterm -geometry 1024x768 -ls -title "$VNCDESKTOP Desktop" &
> gnome-init &
> 
> 
> 

We decrement a refcnt while the object is already freed.

(SLUB DEBUG poisons the zone with 0x6B pattern)

You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U
in sk_free(): we'll see the path trying to delete an already freed sock.

diff --git a/net/core/sock.c b/net/core/sock.c
index 7633422..1cb85ff 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk)

 void sk_free(struct sock *sk)
 {
+	WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U);
 	/*
 	 * We substract one from sk_wmem_alloc and can know if
 	* some packets are still in some tx queue.
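
Review bot: the 0x60000000U threshold in the WARN_ON added at the top of sk_free() is a bare magic number; a one-line comment saying it is meant to catch the 0x6b6b6b6b SLUB free poison would make clear that the check is only meaningful with slab poisoning enabled. atomic_read() returns int and the constant is unsigned, so the comparison is done unsigned and a negative (underflowed) sk_wmem_alloc trips the warning as well, which is probably wanted but worth stating. A legitimately large sk_wmem_alloc at or above that value would also warn, so this should stay a debugging aid rather than go in as-is.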
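
A userspace model of the mechanism discussed in this message, added here as an illustration and not code from the thread or the kernel: a decrement through a stale pointer damages the 0x6b fill, which is what the "Poison overwritten" report detects, and the value read is large enough to trip the patch's comparison. Assumptions: `toy_sock`, `poison_on_free`, `first_overwritten`, `looks_freed` and `stale_decrement` are hypothetical names, and the 0xa5 end marker comes from the kernel's poison.h rather than from this page.

```c
#include <stddef.h>
#include <string.h>

#define POISON_FREE 0x6b /* fill byte for freed objects (named on the page) */
#define POISON_END  0xa5 /* last-byte marker, from include/linux/poison.h */

/* Hypothetical stand-in for struct sock; only the counter matters. */
struct toy_sock {
    char other[16];
    int  wmem_alloc;      /* models sk->sk_wmem_alloc */
    char tail[12];
};

/* Models what the allocator does to an object on free with poisoning on. */
static void poison_on_free(void *obj, size_t size)
{
    memset(obj, POISON_FREE, size - 1);
    ((unsigned char *)obj)[size - 1] = POISON_END;
}

/* Models the later poison check: offset of first damaged byte, or -1. */
static long first_overwritten(const void *obj, size_t size)
{
    const unsigned char *p = obj;
    for (size_t i = 0; i < size; i++) {
        unsigned char want = (i == size - 1) ? POISON_END : POISON_FREE;
        if (p[i] != want)
            return (long)i;
    }
    return -1;
}

/* Same comparison as the WARN_ON in the patch above. */
static int looks_freed(int refcnt)
{
    return (unsigned int)refcnt >= 0x60000000U;
}

/* Poison a live object (no real free, so no undefined behaviour), then
 * decrement through the "stale" pointer. Returns the value seen first. */
static int stale_decrement(struct toy_sock *sk)
{
    poison_on_free(sk, sizeof(*sk));
    int seen = sk->wmem_alloc;  /* every byte is 0x6b: 0x6b6b6b6b */
    sk->wmem_alloc--;           /* now 0x6b6b6b6a: poison is damaged */
    return seen;
}
```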

