* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 @ 2009-09-08 3:56 Parag Warudkar 2009-09-08 4:51 ` Jike Song 0 siblings, 1 reply; 18+ messages in thread From: Parag Warudkar @ 2009-09-08 3:56 UTC (permalink / raw) To: albcamus; +Cc: linux-kernel On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@gmail.com> wrote: >> hi, I hit this with vnc. Below is part of dmesg : > Still producible in 2.6.31-rc9, anybody helps? How does one go about reproducing this? You said VNC triggers this but what VNC version, server or client? What distro and what needs to be done with VNC to trigger this problem? I ask since I use VNC myself and test -git kernels and have not encountered this issue. Parag ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 2009-09-08 3:56 BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 Parag Warudkar @ 2009-09-08 4:51 ` Jike Song 2009-09-08 7:38 ` Eric Dumazet 0 siblings, 1 reply; 18+ messages in thread From: Jike Song @ 2009-09-08 4:51 UTC (permalink / raw) To: Parag Warudkar; +Cc: linux-kernel, netdev [-- Attachment #1: Type: text/plain, Size: 2023 bytes --] On Tue, Sep 8, 2009 at 11:56 AM, Parag Warudkar<parag.lkml@gmail.com> wrote: > > On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@gmail.com> wrote: >>> hi, I hit this with vnc. Below is part of dmesg : > >> Still producible in 2.6.31-rc9, anybody helps? > > How does one go about reproducing this? You said VNC triggers this but > what VNC version, server or client? What distro and what needs to be done > with VNC to trigger this problem? I ask since I use VNC myself and test -git kernels > and have not encountered this issue. > > Parag > > Thanks for your attention, CC netdev this time. VNC server: tigervnc-server-0.0.91-0.11.fc11.x86_64 VNC client: TurboVNC Viewer version 0.5 for Solaris Distro : Fedora 11, x86-64 I specify gnome-init in xstartup, below is my xstartup file, with this file one only need to run vncviewer from the client to produce this bug: #!/bin/sh unset LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT unset LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER LANG=zh_CN.UTF-8 export LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES export LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT export LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER export G_FILENAME_ENCODING=@locale XMODIFIERS="@im=SCIM" GTK_IM_MODULE="scim" export XMODIFIERS GTK_IM_MODULE if type scim &> /dev/null ; then scim -d & fi vncconfig -iconic & unset SESSION_MANAGER unset DBUS_SESSION_BUS_ADDRESS OS=`uname -s` if [ $OS = 'Linux' ]; then case "$WINDOWMANAGER" in *gnome*) if [ -e /etc/SuSE-release ]; then PATH=$PATH:/opt/gnome/bin export PATH fi ;; esac fi if [ -x /etc/X11/xinit/xinitrc ]; then exec /etc/X11/xinit/xinitrc fi if [ -f /etc/X11/xinit/xinitrc ]; then exec sh /etc/X11/xinit/xinitrc fi [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources xsetroot -solid grey xterm -geometry 1024x768 -ls -title "$VNCDESKTOP Desktop" & gnome-init & -- Thanks, Jike [-- Attachment #2: xstartup --] [-- Type: application/octet-stream, Size: 1142 bytes --] #!/bin/sh # added by albcamus unset LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT unset LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER LANG=zh_CN.UTF-8 export LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES export LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT export LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER export G_FILENAME_ENCODING=@locale XMODIFIERS="@im=SCIM" GTK_IM_MODULE="scim" export XMODIFIERS GTK_IM_MODULE if type scim &> /dev/null ; then scim -d & fi vncconfig -iconic & unset SESSION_MANAGER unset DBUS_SESSION_BUS_ADDRESS OS=`uname -s` if [ $OS = 'Linux' ]; then case "$WINDOWMANAGER" in *gnome*) if [ -e /etc/SuSE-release ]; then PATH=$PATH:/opt/gnome/bin export PATH fi ;; esac fi if [ -x /etc/X11/xinit/xinitrc ]; then exec /etc/X11/xinit/xinitrc fi if [ -f /etc/X11/xinit/xinitrc ]; then exec sh /etc/X11/xinit/xinitrc fi [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources xsetroot -solid grey xterm -geometry 1024x768 -ls -title "$VNCDESKTOP Desktop" & gnome-init & ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 2009-09-08 4:51 ` Jike Song @ 2009-09-08 7:38 ` Eric Dumazet 2009-09-08 8:09 ` Jike Song 0 siblings, 1 reply; 18+ messages in thread From: Eric Dumazet @ 2009-09-08 7:38 UTC (permalink / raw) To: Jike Song; +Cc: Parag Warudkar, linux-kernel, netdev Jike Song a écrit : > On Tue, Sep 8, 2009 at 11:56 AM, Parag Warudkar<parag.lkml@gmail.com> wrote: >> On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@gmail.com> wrote: >>>> hi, I hit this with vnc. Below is part of dmesg : >>> Still producible in 2.6.31-rc9, anybody helps? >> How does one go about reproducing this? You said VNC triggers this but >> what VNC version, server or client? What distro and what needs to be done >> with VNC to trigger this problem? I ask since I use VNC myself and test -git kernels >> and have not encountered this issue. >> >> Parag >> >> > Thanks for your attention, CC netdev this time. > > VNC server: tigervnc-server-0.0.91-0.11.fc11.x86_64 > VNC client: TurboVNC Viewer version 0.5 for Solaris > Distro : Fedora 11, x86-64 > > I specify gnome-init in xstartup, below is my xstartup file, with this > file one only need to run vncviewer from the client to produce this > bug: > > #!/bin/sh > > unset LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > unset LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > unset LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER > LANG=zh_CN.UTF-8 > export LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES > export LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT > export LC_IDENTIFICATION LC_ALL LANG LANGUAGE PAGER > export G_FILENAME_ENCODING=@locale > XMODIFIERS="@im=SCIM" > GTK_IM_MODULE="scim" > export XMODIFIERS GTK_IM_MODULE > if type scim &> /dev/null ; then > scim -d & > fi > > vncconfig -iconic & > unset SESSION_MANAGER > unset DBUS_SESSION_BUS_ADDRESS > OS=`uname -s` > if [ $OS = 'Linux' ]; then > case "$WINDOWMANAGER" in > *gnome*) > if [ -e /etc/SuSE-release ]; then > PATH=$PATH:/opt/gnome/bin > export PATH > fi > ;; > esac > fi > if [ -x /etc/X11/xinit/xinitrc ]; then > exec /etc/X11/xinit/xinitrc > fi > if [ -f /etc/X11/xinit/xinitrc ]; then > exec sh /etc/X11/xinit/xinitrc > fi > [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources > xsetroot -solid grey > xterm -geometry 1024x768 -ls -title "$VNCDESKTOP Desktop" & > gnome-init & > > > We decrement a refcnt while object already freed. (SLUB DEBUG poisons the zone with 0x6B pattern) You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U in sk_free() : We'll see the path trying to delete an already freed sock diff --git a/net/core/sock.c b/net/core/sock.c index 7633422..1cb85ff 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) void sk_free(struct sock *sk) { + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); /* * We substract one from sk_wmem_alloc and can know if * some packets are still in some tx queue. ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 2009-09-08 7:38 ` Eric Dumazet @ 2009-09-08 8:09 ` Jike Song 2009-09-08 12:12 ` Eric Dumazet 0 siblings, 1 reply; 18+ messages in thread From: Jike Song @ 2009-09-08 8:09 UTC (permalink / raw) To: Eric Dumazet; +Cc: Parag Warudkar, linux-kernel, netdev [-- Attachment #1: Type: text/plain, Size: 890 bytes --] On Tue, Sep 8, 2009 at 3:38 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote: > > We decrement a refcnt while object already freed. > > (SLUB DEBUG poisons the zone with 0x6B pattern) > > You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U > in sk_free() : We'll see the path trying to delete an already freed sock > > diff --git a/net/core/sock.c b/net/core/sock.c > index 7633422..1cb85ff 100644 > --- a/net/core/sock.c > +++ b/net/core/sock.c > @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) > > void sk_free(struct sock *sk) > { > + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); > /* > * We substract one from sk_wmem_alloc and can know if > * some packets are still in some tx queue. > > The output of dmesg with this patch appllied is attached. -- Thanks, Jike [-- Attachment #2: dmesg.txt --] [-- Type: text/plain, Size: 80605 bytes --] Initializing cgroup subsys cpuset Initializing cgroup subsys cpu Linux version 2.6.31-rc9-dirty (arc@git) (gcc version 4.4.0 20090506 (Red Hat 4.4.0-4) (GCC) ) #2 SMP Tue Sep 8 15:39:27 CST 2009 Command line: ro root=UUID=b5b554d8-04fc-42b6-b56d-b29b34ebe7fe vga=0x375 KERNEL supported cpus: Intel GenuineIntel AMD AuthenticAMD Centaur CentaurHauls BIOS-provided physical RAM map: BIOS-e820: 0000000000000000 - 000000000009fc00 (usable) BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved) BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved) BIOS-e820: 0000000000100000 - 00000000bf790000 (usable) BIOS-e820: 00000000bf790000 - 00000000bf79e000 (ACPI data) BIOS-e820: 00000000bf79e000 - 00000000bf7d0000 (ACPI NVS) BIOS-e820: 00000000bf7d0000 - 00000000bf7e0000 (reserved) BIOS-e820: 00000000bf7ec000 - 00000000c0000000 (reserved) BIOS-e820: 00000000fee00000 - 00000000fee01000 (reserved) BIOS-e820: 00000000ffb00000 - 0000000100000000 (reserved) BIOS-e820: 0000000100000000 - 00000001c0000000 (usable) DMI present. last_pfn = 0x1c0000 max_arch_pfn = 0x400000000 MTRR default type: uncachable MTRR fixed ranges enabled: 00000-9FFFF write-back A0000-DFFFF uncachable E0000-E3FFF write-protect E4000-E7FFF write-through E8000-EBFFF write-protect EC000-EFFFF write-through F0000-FFFFF write-protect MTRR variable ranges enabled: 0 base 1C0000000 mask FC0000000 uncachable 1 base 000000000 mask E00000000 write-back 2 base 0C0000000 mask FC0000000 uncachable 3 base 0BF800000 mask FFF800000 uncachable 4 disabled 5 disabled 6 disabled 7 disabled x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106 original variable MTRRs reg 0, base: 7GB, range: 1GB, type UC reg 1, base: 0GB, range: 8GB, type WB reg 2, base: 3GB, range: 1GB, type UC reg 3, base: 3064MB, range: 8MB, type UC total RAM coverred: 6136M Found optimal setting for mtrr clean up gran_size: 64K chunk_size: 16M num_reg: 5 lose cover RAM: 0G New variable MTRRs reg 0, base: 0GB, range: 2GB, type WB reg 1, base: 2GB, range: 1GB, type WB reg 2, base: 3064MB, range: 8MB, type UC reg 3, base: 4GB, range: 2GB, type WB reg 4, base: 6GB, range: 1GB, type WB x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106 e820 update range: 00000000bf800000 - 0000000100000000 (usable) ==> (reserved) last_pfn = 0xbf790 max_arch_pfn = 0x400000000 initial memory mapped : 0 - 20000000 init_memory_mapping: 0000000000000000-00000000bf790000 0000000000 - 00bf600000 page 2M 00bf600000 - 00bf790000 page 4k kernel direct mapping tables up to bf790000 @ 8000-d000 init_memory_mapping: 0000000100000000-00000001c0000000 0100000000 - 01c0000000 page 2M kernel direct mapping tables up to 1c0000000 @ b000-13000 RAMDISK: 37ce5000 - 37fef63d ACPI: RSDP 00000000000f9cb0 00014 (v00 ACPIAM) ACPI: RSDT 00000000bf790000 00044 (v01 DELL FX09 20081114 MSFT 00000097) ACPI: FACP 00000000bf790200 00084 (v01 DELL FX09 20081114 MSFT 00000097) ACPI: DSDT 00000000bf790660 0568E (v01 1AAAA 1AAAA000 00000000 INTL 20051117) ACPI: FACS 00000000bf79e000 00040 ACPI: APIC 00000000bf790390 0008C (v01 DELL FX09 20081114 MSFT 00000097) ACPI: MCFG 00000000bf790420 0003C (v01 DELL OEMMCFG 20081114 MSFT 00000097) ACPI: SLIC 00000000bf790460 00176 (v01 DELL FX09 20081114 MSFT 00000097) ACPI: OSFR 00000000bf7905e0 00080 (v01 DELL FX09 20081114 MSFT 00000097) ACPI: OEMB 00000000bf79e040 00072 (v01 DELL FX09 20081114 MSFT 00000097) ACPI: HPET 00000000bf798660 00038 (v01 DELL OEMHPET 20081114 MSFT 00000097) ACPI: SSDT 00000000bf7a0540 01298 (v01 DpgPmm CpuPm 00000012 INTL 20051117) ACPI: Local APIC address 0xfee00000 No NUMA configuration found Faking a node at 0000000000000000-00000001c0000000 Bootmem setup node 0 0000000000000000-00000001c0000000 NODE_DATA [000000000000e000 - 0000000000022fff] bootmap [0000000000023000 - 000000000005afff] pages 38 (8 early reservations) ==> bootmem [0000000000 - 01c0000000] #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000] #1 [0000006000 - 0000008000] TRAMPOLINE ==> [0000006000 - 0000008000] #2 [0001000000 - 000261e640] TEXT DATA BSS ==> [0001000000 - 000261e640] #3 [0037ce5000 - 0037fef63d] RAMDISK ==> [0037ce5000 - 0037fef63d] #4 [000009fc00 - 0000100000] BIOS reserved ==> [000009fc00 - 0000100000] #5 [000261f000 - 000261f0fc] BRK ==> [000261f000 - 000261f0fc] #6 [0000008000 - 000000b000] PGTABLE ==> [0000008000 - 000000b000] #7 [000000b000 - 000000e000] PGTABLE ==> [000000b000 - 000000e000] found SMP MP-table at [ffff8800000ff780] ff780 [ffffea0000000000-ffffea000b5fffff] PMD -> [ffff880028600000-ffff8800321fffff] on node 0 Zone PFN ranges: DMA 0x00000000 -> 0x00001000 DMA32 0x00001000 -> 0x00100000 Normal 0x00100000 -> 0x001c0000 Movable zone start PFN for each node early_node_map[3] active PFN ranges 0: 0x00000000 -> 0x0000009f 0: 0x00000100 -> 0x000bf790 0: 0x00100000 -> 0x001c0000 On node 0 totalpages: 1570607 DMA zone: 104 pages used for memmap DMA zone: 105 pages reserved DMA zone: 3790 pages, LIFO batch:0 DMA32 zone: 26520 pages used for memmap DMA32 zone: 753656 pages, LIFO batch:31 Normal zone: 19968 pages used for memmap Normal zone: 766464 pages, LIFO batch:31 ACPI: PM-Timer IO Port: 0x808 ACPI: Local APIC address 0xfee00000 ACPI: LAPIC (acpi_id[0x01] lapic_id[0x00] enabled) ACPI: LAPIC (acpi_id[0x02] lapic_id[0x02] enabled) ACPI: LAPIC (acpi_id[0x03] lapic_id[0x04] enabled) ACPI: LAPIC (acpi_id[0x04] lapic_id[0x06] enabled) ACPI: LAPIC (acpi_id[0x05] lapic_id[0x01] enabled) ACPI: LAPIC (acpi_id[0x06] lapic_id[0x03] enabled) ACPI: LAPIC (acpi_id[0x07] lapic_id[0x05] enabled) ACPI: LAPIC (acpi_id[0x08] lapic_id[0x07] enabled) ACPI: IOAPIC (id[0x08] address[0xfec00000] gsi_base[0]) IOAPIC[0]: apic_id 8, version 32, address 0xfec00000, GSI 0-23 ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) ACPI: IRQ0 used by override. ACPI: IRQ2 used by override. ACPI: IRQ9 used by override. Using ACPI (MADT) for SMP configuration information ACPI: HPET id: 0xffffffff base: 0xfed00000 SMP: Allowing 8 CPUs, 0 hotplug CPUs nr_irqs_gsi: 24 PM: Registered nosave memory: 000000000009f000 - 00000000000a0000 PM: Registered nosave memory: 00000000000a0000 - 00000000000e0000 PM: Registered nosave memory: 00000000000e0000 - 0000000000100000 PM: Registered nosave memory: 00000000bf790000 - 00000000bf79e000 PM: Registered nosave memory: 00000000bf79e000 - 00000000bf7d0000 PM: Registered nosave memory: 00000000bf7d0000 - 00000000bf7e0000 PM: Registered nosave memory: 00000000bf7e0000 - 00000000bf7ec000 PM: Registered nosave memory: 00000000bf7ec000 - 00000000c0000000 PM: Registered nosave memory: 00000000c0000000 - 00000000fee00000 PM: Registered nosave memory: 00000000fee00000 - 00000000fee01000 PM: Registered nosave memory: 00000000fee01000 - 00000000ffb00000 PM: Registered nosave memory: 00000000ffb00000 - 0000000100000000 Allocating PCI resources starting at c0000000 (gap: c0000000:3ee00000) NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:8 nr_node_ids:1 PERCPU: Embedded 479 pages at ffff880032200000, static data 1930144 bytes Built 1 zonelists in Zone order, mobility grouping on. Total pages: 1523910 Policy zone: Normal Kernel command line: ro root=UUID=b5b554d8-04fc-42b6-b56d-b29b34ebe7fe vga=0x375 PID hash table entries: 4096 (order: 12, 32768 bytes) Initializing CPU#0 Checking aperture... No AGP bridge found Calgary: detecting Calgary via BIOS EBDA area Calgary: Unable to locate Rio Grande table in EBDA - bailing! PCI-DMA: Using software bounce buffering for IO (SWIOTLB) Placing 64MB software IO TLB between ffff880020000000 - ffff880024000000 software IO TLB at phys 0x20000000 - 0x24000000 Memory: 6014764k/7340032k available (5341k kernel code, 1057604k absent, 267664k reserved, 3015k data, 3192k init) SLUB: Genslabs=14, HWalign=64, Order=0-3, MinObjects=0, CPUs=8, Nodes=1 NR_IRQS:4352 nr_irqs:472 Fast TSC calibration using PIT Detected 2926.077 MHz processor. Console: colour dummy device 80x25 console [tty0] enabled Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar ... MAX_LOCKDEP_SUBCLASSES: 8 ... MAX_LOCK_DEPTH: 48 ... MAX_LOCKDEP_KEYS: 8191 ... CLASSHASH_SIZE: 4096 ... MAX_LOCKDEP_ENTRIES: 16384 ... MAX_LOCKDEP_CHAINS: 32768 ... CHAINHASH_SIZE: 16384 memory used by lock dependency info: 6207 kB per task-struct memory footprint: 2688 bytes allocated 62914560 bytes of page_cgroup please try 'cgroup_disable=memory' option if you don't want memory cgroups ODEBUG: 17 of 17 active objects replaced hpet clockevent registered HPET: 4 timers in total, 0 timers will be used for per-cpu timer Calibrating delay loop (skipped), value calculated using timer frequency.. 5852.15 BogoMIPS (lpj=2926077) Security Framework initialized SELinux: Initializing. SELinux: Starting in permissive mode Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes) Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes) Mount-cache hash table entries: 256 Initializing cgroup subsys ns Initializing cgroup subsys cpuacct Initializing cgroup subsys memory Initializing cgroup subsys devices Initializing cgroup subsys freezer Initializing cgroup subsys net_cls CPU: Physical Processor ID: 0 CPU: Processor Core ID: 0 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 0/0x0 -> Node 0 mce: CPU supports 9 MCE banks CPU0: Thermal monitoring enabled (TM1) CPU 0 MCA banks CMCI:2 CMCI:3 CMCI:5 CMCI:6 CMCI:8 using mwait in idle threads. Performance Counters: Nehalem/Corei7 events, Intel PMU driver. ... version: 3 ... bit width: 48 ... generic counters: 4 ... value mask: 0000ffffffffffff ... max period: 000000007fffffff ... fixed-purpose counters: 3 ... counter mask: 000000070000000f ACPI: Core revision 20090521 ftrace: converting mcount calls to 0f 1f 44 00 00 ftrace: allocating 21740 entries in 86 pages Setting APIC routing to flat ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 CPU0: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 lockdep: fixing up alternatives. Booting processor 1 APIC 0x2 ip 0x6000 Initializing CPU#1 Calibrating delay using timer specific routine.. 5850.98 BogoMIPS (lpj=2925493) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 1 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 1/0x2 -> Node 0 mce: CPU supports 9 MCE banks CPU1: Thermal monitoring enabled (TM1) CPU 1 MCA banks CMCI:2 CMCI:3 CMCI:5 SHD:6 SHD:8 x86 PAT enabled: cpu 1, old 0x7040600070406, new 0x7010600070106 CPU1: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. lockdep: fixing up alternatives. Booting processor 2 APIC 0x4 ip 0x6000 Initializing CPU#2 Calibrating delay using timer specific routine.. 5850.98 BogoMIPS (lpj=2925493) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 2 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 2/0x4 -> Node 0 mce: CPU supports 9 MCE banks CPU2: Thermal monitoring enabled (TM1) CPU 2 MCA banks CMCI:2 CMCI:3 CMCI:5 SHD:6 SHD:8 x86 PAT enabled: cpu 2, old 0x7040600070406, new 0x7010600070106 CPU2: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. lockdep: fixing up alternatives. Booting processor 3 APIC 0x6 ip 0x6000 Initializing CPU#3 Calibrating delay using timer specific routine.. 5850.98 BogoMIPS (lpj=2925492) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 3 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 3/0x6 -> Node 0 mce: CPU supports 9 MCE banks CPU3: Thermal monitoring enabled (TM1) CPU 3 MCA banks CMCI:2 CMCI:3 CMCI:5 SHD:6 SHD:8 x86 PAT enabled: cpu 3, old 0x7040600070406, new 0x7010600070106 CPU3: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. lockdep: fixing up alternatives. Booting processor 4 APIC 0x1 ip 0x6000 Initializing CPU#4 Calibrating delay using timer specific routine.. 5850.97 BogoMIPS (lpj=2925488) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 0 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 4/0x1 -> Node 0 mce: CPU supports 9 MCE banks CPU4: Thermal monitoring enabled (TM1) CPU 4 MCA banks SHD:2 SHD:3 SHD:5 SHD:6 SHD:8 x86 PAT enabled: cpu 4, old 0x7040600070406, new 0x7010600070106 CPU4: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. lockdep: fixing up alternatives. Booting processor 5 APIC 0x3 ip 0x6000 Initializing CPU#5 Calibrating delay using timer specific routine.. 5850.98 BogoMIPS (lpj=2925492) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 1 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 5/0x3 -> Node 0 mce: CPU supports 9 MCE banks CPU5: Thermal monitoring enabled (TM1) CPU 5 MCA banks SHD:2 SHD:3 SHD:5 SHD:6 SHD:8 x86 PAT enabled: cpu 5, old 0x7040600070406, new 0x7010600070106 CPU5: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. lockdep: fixing up alternatives. Booting processor 6 APIC 0x5 ip 0x6000 Initializing CPU#6 Calibrating delay using timer specific routine.. 5850.98 BogoMIPS (lpj=2925490) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 2 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 6/0x5 -> Node 0 mce: CPU supports 9 MCE banks CPU6: Thermal monitoring enabled (TM1) CPU 6 MCA banks SHD:2 SHD:3 SHD:5 SHD:6 SHD:8 x86 PAT enabled: cpu 6, old 0x7040600070406, new 0x7010600070106 CPU6: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. lockdep: fixing up alternatives. Booting processor 7 APIC 0x7 ip 0x6000 Initializing CPU#7 Calibrating delay using timer specific routine.. 5850.98 BogoMIPS (lpj=2925491) CPU: Physical Processor ID: 0 CPU: Processor Core ID: 3 CPU: L1 I cache: 32K, L1 D cache: 32K CPU: L2 cache: 256K CPU: L3 cache: 8192K CPU 7/0x7 -> Node 0 mce: CPU supports 9 MCE banks CPU7: Thermal monitoring enabled (TM1) CPU 7 MCA banks SHD:2 SHD:3 SHD:5 SHD:6 SHD:8 x86 PAT enabled: cpu 7, old 0x7040600070406, new 0x7010600070106 CPU7: Intel(R) Core(TM) i7 CPU 940 @ 2.93GHz stepping 04 Skipping synchronization checks as TSC is reliable. Brought up 8 CPUs Total of 8 processors activated (46809.03 BogoMIPS). CPU0 attaching sched-domain: domain 0: span 0,4 level SIBLING groups: 0 4 domain 1: span 0-7 level MC groups: 0,4 1,5 2,6 3,7 CPU1 attaching sched-domain: domain 0: span 1,5 level SIBLING groups: 1 5 domain 1: span 0-7 level MC groups: 1,5 2,6 3,7 0,4 CPU2 attaching sched-domain: domain 0: span 2,6 level SIBLING groups: 2 6 domain 1: span 0-7 level MC groups: 2,6 3,7 0,4 1,5 CPU3 attaching sched-domain: domain 0: span 3,7 level SIBLING groups: 3 7 domain 1: span 0-7 level MC groups: 3,7 0,4 1,5 2,6 CPU4 attaching sched-domain: domain 0: span 0,4 level SIBLING groups: 4 0 domain 1: span 0-7 level MC groups: 0,4 1,5 2,6 3,7 CPU5 attaching sched-domain: domain 0: span 1,5 level SIBLING groups: 5 1 domain 1: span 0-7 level MC groups: 1,5 2,6 3,7 0,4 CPU6 attaching sched-domain: domain 0: span 2,6 level SIBLING groups: 6 2 domain 1: span 0-7 level MC groups: 2,6 3,7 0,4 1,5 CPU7 attaching sched-domain: domain 0: span 3,7 level SIBLING groups: 7 3 domain 1: span 0-7 level MC groups: 3,7 0,4 1,5 2,6 Booting paravirtualized kernel on bare hardware regulator: core version 0.5 Time: 7:55:30 Date: 09/08/09 NET: Registered protocol family 16 ACPI: bus type pci registered PCI: MCFG configuration 0: base e0000000 segment 0 buses 0 - 255 PCI: Not using MMCONFIG. PCI: Using configuration type 1 for base access bio: create slab <bio-0> at 0 ACPI: EC: Look up EC in DSDT ACPI: Interpreter enabled ACPI: (supports S0 S1 S3 S4 S5) ACPI: Using IOAPIC for interrupt routing PCI: MCFG configuration 0: base e0000000 segment 0 buses 0 - 255 PCI: MCFG area at e0000000 reserved in ACPI motherboard resources PCI: Using MMCONFIG at e0000000 - efffffff ACPI: No dock devices found. ACPI: PCI Root Bridge [PCI0] (0000:00) pci 0000:00:00.0: PME# supported from D0 D3hot D3cold pci 0000:00:00.0: PME# disabled pci 0000:00:01.0: PME# supported from D0 D3hot D3cold pci 0000:00:01.0: PME# disabled pci 0000:00:03.0: PME# supported from D0 D3hot D3cold pci 0000:00:03.0: PME# disabled pci 0000:00:07.0: PME# supported from D0 D3hot D3cold pci 0000:00:07.0: PME# disabled pci 0000:00:19.0: reg 10 32bit mmio: [0xfbcc0000-0xfbcdffff] pci 0000:00:19.0: reg 14 32bit mmio: [0xfbcf4000-0xfbcf4fff] pci 0000:00:19.0: reg 18 io port: [0xa080-0xa09f] pci 0000:00:19.0: PME# supported from D0 D3hot D3cold pci 0000:00:19.0: PME# disabled pci 0000:00:1a.0: reg 20 io port: [0xa400-0xa41f] pci 0000:00:1a.1: reg 20 io port: [0xa480-0xa49f] pci 0000:00:1a.2: reg 20 io port: [0xa800-0xa81f] pci 0000:00:1a.7: reg 10 32bit mmio: [0xfbcf6000-0xfbcf63ff] pci 0000:00:1a.7: PME# supported from D0 D3hot D3cold pci 0000:00:1a.7: PME# disabled pci 0000:00:1b.0: reg 10 64bit mmio: [0xfbcf8000-0xfbcfbfff] pci 0000:00:1b.0: PME# supported from D0 D3hot D3cold pci 0000:00:1b.0: PME# disabled pci 0000:00:1c.0: PME# supported from D0 D3hot D3cold pci 0000:00:1c.0: PME# disabled pci 0000:00:1c.1: PME# supported from D0 D3hot D3cold pci 0000:00:1c.1: PME# disabled pci 0000:00:1d.0: reg 20 io port: [0xa880-0xa89f] pci 0000:00:1d.1: reg 20 io port: [0xac00-0xac1f] pci 0000:00:1d.2: reg 20 io port: [0xb000-0xb01f] pci 0000:00:1d.7: reg 10 32bit mmio: [0xfbcfc000-0xfbcfc3ff] pci 0000:00:1d.7: PME# supported from D0 D3hot D3cold pci 0000:00:1d.7: PME# disabled pci 0000:00:1f.0: quirk: region 0800-087f claimed by ICH6 ACPI/GPIO/TCO pci 0000:00:1f.0: quirk: region 0500-053f claimed by ICH6 GPIO pci 0000:00:1f.0: ICH7 LPC Generic IO decode 1 PIO at 0a00 (mask 00ff) pci 0000:00:1f.2: reg 10 io port: [0xbc00-0xbc07] pci 0000:00:1f.2: reg 14 io port: [0xb880-0xb883] pci 0000:00:1f.2: reg 18 io port: [0xb800-0xb807] pci 0000:00:1f.2: reg 1c io port: [0xb480-0xb483] pci 0000:00:1f.2: reg 20 io port: [0xb400-0xb40f] pci 0000:00:1f.2: reg 24 io port: [0xb080-0xb08f] pci 0000:00:1f.3: reg 10 64bit mmio: [0xfbcffc00-0xfbcffcff] pci 0000:00:1f.3: reg 20 io port: [0x400-0x41f] pci 0000:00:1f.5: reg 10 io port: [0xcc00-0xcc07] pci 0000:00:1f.5: reg 14 io port: [0xc880-0xc883] pci 0000:00:1f.5: reg 18 io port: [0xc800-0xc807] pci 0000:00:1f.5: reg 1c io port: [0xc480-0xc483] pci 0000:00:1f.5: reg 20 io port: [0xc400-0xc40f] pci 0000:00:1f.5: reg 24 io port: [0xc080-0xc08f] pci 0000:04:00.0: reg 10 64bit mmio: [0xd0000000-0xdfffffff] pci 0000:04:00.0: reg 18 64bit mmio: [0xfbee0000-0xfbeeffff] pci 0000:04:00.0: reg 20 io port: [0xe000-0xe0ff] pci 0000:04:00.0: reg 30 32bit mmio: [0xfbec0000-0xfbedffff] pci 0000:04:00.0: supports D1 D2 pci 0000:04:00.1: reg 10 64bit mmio: [0xfbefc000-0xfbefffff] pci 0000:04:00.1: supports D1 D2 pci 0000:00:07.0: bridge io port: [0xe000-0xefff] pci 0000:00:07.0: bridge 32bit mmio: [0xfbe00000-0xfbefffff] pci 0000:00:07.0: bridge 64bit mmio pref: [0xd0000000-0xdfffffff] pci 0000:02:00.0: reg 10 64bit mmio: [0xfbdff800-0xfbdfffff] pci 0000:02:00.0: reg 18 io port: [0xd800-0xd8ff] pci 0000:02:00.0: supports D2 pci 0000:02:00.0: PME# supported from D2 D3hot D3cold pci 0000:02:00.0: PME# disabled pci 0000:00:1c.1: bridge io port: [0xd000-0xdfff] pci 0000:00:1c.1: bridge 32bit mmio: [0xfbd00000-0xfbdfffff] pci 0000:00:1e.0: transparent bridge ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.P0P4._PRT] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.P0P5._PRT] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.NPE1._PRT] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.NPE3._PRT] ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.NPE7._PRT] ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 6 7 *10 11 12 14 15) ACPI: PCI Interrupt Link [LNKB] (IRQs *5) ACPI: PCI Interrupt Link [LNKC] (IRQs 3 4 6 7 10 11 12 14 *15) ACPI: PCI Interrupt Link [LNKD] (IRQs 3 4 6 7 10 *11 12 14 15) ACPI: PCI Interrupt Link [LNKE] (IRQs 3 *4 6 7 10 11 12 14 15) ACPI: PCI Interrupt Link [LNKF] (IRQs 3 4 6 *7 10 11 12 14 15) ACPI: PCI Interrupt Link [LNKG] (IRQs *3 4 6 7 10 11 12 14 15) ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 6 7 10 11 12 *14 15) SCSI subsystem initialized libata version 3.00 loaded. usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb PCI: Using ACPI for IRQ routing NetLabel: Initializing NetLabel: domain hash size = 128 NetLabel: protocols = UNLABELED CIPSOv4 NetLabel: unlabeled traffic allowed by default hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0, 0 hpet0: 4 comparators, 64-bit 14.318180 MHz counter Switched to high resolution mode on CPU 0 Switched to high resolution mode on CPU 2 Switched to high resolution mode on CPU 1 Switched to high resolution mode on CPU 3 Switched to high resolution mode on CPU 4 Switched to high resolution mode on CPU 5 Switched to high resolution mode on CPU 7 Switched to high resolution mode on CPU 6 pnp: PnP ACPI init ACPI: bus type pnp registered pnp: PnP ACPI: found 14 devices ACPI: ACPI bus type pnp unregistered system 00:01: iomem range 0xfbf00000-0xfbffffff has been reserved system 00:01: iomem range 0xfc000000-0xfcffffff has been reserved system 00:01: iomem range 0xfd000000-0xfdffffff has been reserved system 00:01: iomem range 0xfe000000-0xfebfffff has been reserved system 00:06: ioport range 0xa00-0xa0f has been reserved system 00:06: ioport range 0xa10-0xa1f has been reserved system 00:06: ioport range 0xa20-0xa2f has been reserved system 00:06: ioport range 0xa30-0xa3f has been reserved system 00:07: ioport range 0x4d0-0x4d1 has been reserved system 00:07: ioport range 0x800-0x87f has been reserved system 00:07: ioport range 0x500-0x57f could not be reserved system 00:07: iomem range 0xfed1c000-0xfed1ffff has been reserved system 00:07: iomem range 0xfed20000-0xfed3ffff has been reserved system 00:07: iomem range 0xfed40000-0xfed8ffff has been reserved system 00:0a: iomem range 0xffc00000-0xffefffff has been reserved system 00:0b: iomem range 0xfec00000-0xfec00fff could not be reserved system 00:0b: iomem range 0xfee00000-0xfee00fff has been reserved system 00:0c: iomem range 0xe0000000-0xefffffff has been reserved system 00:0d: iomem range 0x0-0x9ffff could not be reserved system 00:0d: iomem range 0xc0000-0xcffff has been reserved system 00:0d: iomem range 0xe0000-0xfffff could not be reserved system 00:0d: iomem range 0x100000-0xbfffffff could not be reserved system 00:0d: iomem range 0xfed90000-0xffffffff could not be reserved pci 0000:00:01.0: PCI bridge, secondary bus 0000:06 pci 0000:00:01.0: IO window: disabled pci 0000:00:01.0: MEM window: disabled pci 0000:00:01.0: PREFETCH window: disabled pci 0000:00:03.0: PCI bridge, secondary bus 0000:05 pci 0000:00:03.0: IO window: disabled pci 0000:00:03.0: MEM window: disabled pci 0000:00:03.0: PREFETCH window: disabled pci 0000:00:07.0: PCI bridge, secondary bus 0000:04 pci 0000:00:07.0: IO window: 0xe000-0xefff pci 0000:00:07.0: MEM window: 0xfbe00000-0xfbefffff pci 0000:00:07.0: PREFETCH window: 0x000000d0000000-0x000000dfffffff pci 0000:00:1c.0: PCI bridge, secondary bus 0000:03 pci 0000:00:1c.0: IO window: disabled pci 0000:00:1c.0: MEM window: disabled pci 0000:00:1c.0: PREFETCH window: disabled pci 0000:00:1c.1: PCI bridge, secondary bus 0000:02 pci 0000:00:1c.1: IO window: 0xd000-0xdfff pci 0000:00:1c.1: MEM window: 0xfbd00000-0xfbdfffff pci 0000:00:1c.1: PREFETCH window: disabled pci 0000:00:1e.0: PCI bridge, secondary bus 0000:01 pci 0000:00:1e.0: IO window: disabled pci 0000:00:1e.0: MEM window: disabled pci 0000:00:1e.0: PREFETCH window: disabled pci 0000:00:01.0: setting latency timer to 64 pci 0000:00:03.0: setting latency timer to 64 pci 0000:00:07.0: setting latency timer to 64 alloc irq_desc for 17 on node 0 alloc kstat_irqs on node 0 pci 0000:00:1c.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17 pci 0000:00:1c.0: setting latency timer to 64 alloc irq_desc for 16 on node 0 alloc kstat_irqs on node 0 pci 0000:00:1c.1: PCI INT B -> GSI 16 (level, low) -> IRQ 16 pci 0000:00:1c.1: setting latency timer to 64 pci 0000:00:1e.0: setting latency timer to 64 pci_bus 0000:00: resource 0 io: [0x00-0xffff] pci_bus 0000:00: resource 1 mem: [0x000000-0xffffffffffffffff] pci_bus 0000:04: resource 0 io: [0xe000-0xefff] pci_bus 0000:04: resource 1 mem: [0xfbe00000-0xfbefffff] pci_bus 0000:04: resource 2 pref mem [0xd0000000-0xdfffffff] pci_bus 0000:02: resource 0 io: [0xd000-0xdfff] pci_bus 0000:02: resource 1 mem: [0xfbd00000-0xfbdfffff] pci_bus 0000:01: resource 3 io: [0x00-0xffff] pci_bus 0000:01: resource 4 mem: [0x000000-0xffffffffffffffff] NET: Registered protocol family 2 IP route cache hash table entries: 262144 (order: 9, 2097152 bytes) TCP established hash table entries: 524288 (order: 11, 8388608 bytes) TCP bind hash table entries: 65536 (order: 10, 4718592 bytes) TCP: Hash tables configured (established 524288 bind 65536) TCP reno registered NET: Registered protocol family 1 Trying to unpack rootfs image as initramfs... Freeing initrd memory: 3113k freed cpu0(8) debug files 193 cpu1(8) debug files 193 cpu2(8) debug files 193 cpu3(8) debug files 193 cpu4(8) debug files 193 cpu5(8) debug files 193 cpu6(8) debug files 193 cpu7(8) debug files 193 audit: initializing netlink socket (disabled) type=2000 audit(1252396529.928:1): initialized HugeTLB registered 2 MB page size, pre-allocated 0 pages VFS: Disk quotas dquot_6.5.2 Dquot-cache hash table entries: 512 (order 0, 4096 bytes) msgmni has been set to 11753 SELinux: Registering netfilter hooks cryptomgr_test used greatest stack depth: 5312 bytes left alg: No test for stdrng (krng) Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252) io scheduler noop registered io scheduler anticipatory registered io scheduler deadline registered io scheduler cfq registered (default) pci 0000:04:00.0: Boot video device alloc irq_desc for 24 on node 0 alloc kstat_irqs on node 0 pcieport-driver 0000:00:01.0: irq 24 for MSI/MSI-X pcieport-driver 0000:00:01.0: setting latency timer to 64 alloc irq_desc for 25 on node 0 alloc kstat_irqs on node 0 pcieport-driver 0000:00:03.0: irq 25 for MSI/MSI-X pcieport-driver 0000:00:03.0: setting latency timer to 64 alloc irq_desc for 26 on node 0 alloc kstat_irqs on node 0 pcieport-driver 0000:00:07.0: irq 26 for MSI/MSI-X pcieport-driver 0000:00:07.0: setting latency timer to 64 alloc irq_desc for 27 on node 0 alloc kstat_irqs on node 0 pcieport-driver 0000:00:1c.0: irq 27 for MSI/MSI-X pcieport-driver 0000:00:1c.0: setting latency timer to 64 alloc irq_desc for 28 on node 0 alloc kstat_irqs on node 0 pcieport-driver 0000:00:1c.1: irq 28 for MSI/MSI-X pcieport-driver 0000:00:1c.1: setting latency timer to 64 aer 0000:00:01.0:pcie02: AER service couldn't init device: no _OSC support aer 0000:00:03.0:pcie02: AER service couldn't init device: no _OSC support aer 0000:00:07.0:pcie02: AER service couldn't init device: no _OSC support pci_hotplug: PCI Hot Plug PCI Core version: 0.5 pciehp: PCI Express Hot Plug Controller Driver version: 0.4 acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5 vesafb: framebuffer at 0xd0000000, mapped to 0xffffc90011b80000, using 7500k, total 16384k vesafb: mode is 1600x1200x16, linelength=3200, pages=3 vesafb: scrolling: redraw vesafb: Truecolor: size=0:5:6:5, shift=0:11:5:0 Console: switching to colour frame buffer device 200x75 fb0: VESA VGA frame buffer device input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 ACPI: Power Button [PWRF] input: Power Button as /devices/LNXSYSTM:00/device:00/PNP0C0C:00/input/input1 ACPI: Power Button [PWRB] ACPI: SSDT 00000000bf79e0c0 00487 (v01 DpgPmm P001Ist 00000011 INTL 20051117) processor LNXCPU:00: registered as cooling_device0 ACPI: SSDT 00000000bf79e550 00487 (v01 DpgPmm P002Ist 00000012 INTL 20051117) processor LNXCPU:01: registered as cooling_device1 ACPI: SSDT 00000000bf79e9e0 00487 (v01 DpgPmm P003Ist 00000012 INTL 20051117) processor LNXCPU:02: registered as cooling_device2 ACPI: SSDT 00000000bf79ee70 00487 (v01 DpgPmm P004Ist 00000012 INTL 20051117) processor LNXCPU:03: registered as cooling_device3 ACPI: SSDT 00000000bf79f300 00487 (v01 DpgPmm P005Ist 00000012 INTL 20051117) processor LNXCPU:04: registered as cooling_device4 ACPI: SSDT 00000000bf79f790 00487 (v01 DpgPmm P006Ist 00000012 INTL 20051117) processor LNXCPU:05: registered as cooling_device5 ACPI: SSDT 00000000bf79fc20 00487 (v01 DpgPmm P007Ist 00000012 INTL 20051117) processor LNXCPU:06: registered as cooling_device6 ACPI: SSDT 00000000bf7a00b0 00487 (v01 DpgPmm P008Ist 00000012 INTL 20051117) processor LNXCPU:07: registered as cooling_device7 Non-volatile memory driver v1.3 Linux agpgart interface v0.103 Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled brd: module loaded loop: module loaded input: Macintosh mouse button emulation as /devices/virtual/input/input2 Loading iSCSI transport class v2.0-870. Broadcom NetXtreme II iSCSI Driver bnx2i v2.0.1d (Mar 25, 2009) iscsi: registered transport (bnx2i) ata_piix 0000:00:1f.2: version 2.13 alloc irq_desc for 19 on node 0 alloc kstat_irqs on node 0 ata_piix 0000:00:1f.2: PCI INT B -> GSI 19 (level, low) -> IRQ 19 ata_piix 0000:00:1f.2: MAP [ P0 P2 P1 P3 ] ata_piix 0000:00:1f.2: setting latency timer to 64 scsi0 : ata_piix scsi1 : ata_piix ata1: SATA max UDMA/133 cmd 0xbc00 ctl 0xb880 bmdma 0xb400 irq 19 ata2: SATA max UDMA/133 cmd 0xb800 ctl 0xb480 bmdma 0xb408 irq 19 work_for_cpu used greatest stack depth: 3104 bytes left ata_piix 0000:00:1f.5: PCI INT B -> GSI 19 (level, low) -> IRQ 19 ata_piix 0000:00:1f.5: MAP [ P0 -- P1 -- ] ata_piix 0000:00:1f.5: setting latency timer to 64 scsi2 : ata_piix scsi3 : ata_piix ata3: SATA max UDMA/133 cmd 0xcc00 ctl 0xc880 bmdma 0xc400 irq 19 ata4: SATA max UDMA/133 cmd 0xc800 ctl 0xc480 bmdma 0xc408 irq 19 Intel(R) Virtual Function Network Driver - version 1.0.0-k0 Copyright (c) 2009 Intel Corporation. Broadcom NetXtreme II CNIC Driver cnic v2.0.0 (May 21, 2009) Fixed MDIO Bus: probed vxge: Copyright(c) 2002-2009 Neterion Inc vxge: Driver version: 2.0.4.17795-k ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver alloc irq_desc for 18 on node 0 alloc kstat_irqs on node 0 ehci_hcd 0000:00:1a.7: PCI INT C -> GSI 18 (level, low) -> IRQ 18 ehci_hcd 0000:00:1a.7: setting latency timer to 64 ehci_hcd 0000:00:1a.7: EHCI Host Controller ehci_hcd 0000:00:1a.7: new USB bus registered, assigned bus number 1 ehci_hcd 0000:00:1a.7: debug port 1 ehci_hcd 0000:00:1a.7: cache line size of 32 is not supported ehci_hcd 0000:00:1a.7: irq 18, io mem 0xfbcf6000 ehci_hcd 0000:00:1a.7: USB 2.0 started, EHCI 1.00 ata3: SATA link down (SStatus 0 SControl 300) ata4: SATA link down (SStatus 0 SControl 300) usb usb1: New USB device found, idVendor=1d6b, idProduct=0002 usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb1: Product: EHCI Host Controller usb usb1: Manufacturer: Linux 2.6.31-rc9-dirty ehci_hcd usb usb1: SerialNumber: 0000:00:1a.7 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 6 ports detected alloc irq_desc for 23 on node 0 alloc kstat_irqs on node 0 ehci_hcd 0000:00:1d.7: PCI INT A -> GSI 23 (level, low) -> IRQ 23 ehci_hcd 0000:00:1d.7: setting latency timer to 64 ehci_hcd 0000:00:1d.7: EHCI Host Controller ehci_hcd 0000:00:1d.7: new USB bus registered, assigned bus number 2 ehci_hcd 0000:00:1d.7: debug port 1 ehci_hcd 0000:00:1d.7: cache line size of 32 is not supported ehci_hcd 0000:00:1d.7: irq 23, io mem 0xfbcfc000 ehci_hcd 0000:00:1d.7: USB 2.0 started, EHCI 1.00 usb usb2: New USB device found, idVendor=1d6b, idProduct=0002 usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb2: Product: EHCI Host Controller usb usb2: Manufacturer: Linux 2.6.31-rc9-dirty ehci_hcd usb usb2: SerialNumber: 0000:00:1d.7 usb usb2: configuration #1 chosen from 1 choice hub 2-0:1.0: USB hub found hub 2-0:1.0: 6 ports detected ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver uhci_hcd: USB Universal Host Controller Interface driver uhci_hcd 0000:00:1a.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 uhci_hcd 0000:00:1a.0: setting latency timer to 64 uhci_hcd 0000:00:1a.0: UHCI Host Controller uhci_hcd 0000:00:1a.0: new USB bus registered, assigned bus number 3 uhci_hcd 0000:00:1a.0: irq 16, io base 0x0000a400 usb usb3: New USB device found, idVendor=1d6b, idProduct=0001 usb usb3: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb3: Product: UHCI Host Controller usb usb3: Manufacturer: Linux 2.6.31-rc9-dirty uhci_hcd usb usb3: SerialNumber: 0000:00:1a.0 usb usb3: configuration #1 chosen from 1 choice hub 3-0:1.0: USB hub found hub 3-0:1.0: 2 ports detected alloc irq_desc for 21 on node 0 alloc kstat_irqs on node 0 uhci_hcd 0000:00:1a.1: PCI INT B -> GSI 21 (level, low) -> IRQ 21 uhci_hcd 0000:00:1a.1: setting latency timer to 64 uhci_hcd 0000:00:1a.1: UHCI Host Controller uhci_hcd 0000:00:1a.1: new USB bus registered, assigned bus number 4 uhci_hcd 0000:00:1a.1: irq 21, io base 0x0000a480 usb usb4: New USB device found, idVendor=1d6b, idProduct=0001 usb usb4: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb4: Product: UHCI Host Controller usb usb4: Manufacturer: Linux 2.6.31-rc9-dirty uhci_hcd usb usb4: SerialNumber: 0000:00:1a.1 usb usb4: configuration #1 chosen from 1 choice hub 4-0:1.0: USB hub found hub 4-0:1.0: 2 ports detected uhci_hcd 0000:00:1a.2: PCI INT D -> GSI 19 (level, low) -> IRQ 19 uhci_hcd 0000:00:1a.2: setting latency timer to 64 uhci_hcd 0000:00:1a.2: UHCI Host Controller uhci_hcd 0000:00:1a.2: new USB bus registered, assigned bus number 5 uhci_hcd 0000:00:1a.2: irq 19, io base 0x0000a800 usb usb5: New USB device found, idVendor=1d6b, idProduct=0001 usb usb5: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb5: Product: UHCI Host Controller usb usb5: Manufacturer: Linux 2.6.31-rc9-dirty uhci_hcd usb usb5: SerialNumber: 0000:00:1a.2 usb usb5: configuration #1 chosen from 1 choice hub 5-0:1.0: USB hub found hub 5-0:1.0: 2 ports detected uhci_hcd 0000:00:1d.0: PCI INT A -> GSI 23 (level, low) -> IRQ 23 uhci_hcd 0000:00:1d.0: setting latency timer to 64 uhci_hcd 0000:00:1d.0: UHCI Host Controller uhci_hcd 0000:00:1d.0: new USB bus registered, assigned bus number 6 uhci_hcd 0000:00:1d.0: irq 23, io base 0x0000a880 usb usb6: New USB device found, idVendor=1d6b, idProduct=0001 usb usb6: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb6: Product: UHCI Host Controller usb usb6: Manufacturer: Linux 2.6.31-rc9-dirty uhci_hcd usb usb6: SerialNumber: 0000:00:1d.0 usb usb6: configuration #1 chosen from 1 choice hub 6-0:1.0: USB hub found hub 6-0:1.0: 2 ports detected uhci_hcd 0000:00:1d.1: PCI INT B -> GSI 19 (level, low) -> IRQ 19 uhci_hcd 0000:00:1d.1: setting latency timer to 64 uhci_hcd 0000:00:1d.1: UHCI Host Controller uhci_hcd 0000:00:1d.1: new USB bus registered, assigned bus number 7 uhci_hcd 0000:00:1d.1: irq 19, io base 0x0000ac00 usb usb7: New USB device found, idVendor=1d6b, idProduct=0001 usb usb7: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb7: Product: UHCI Host Controller usb usb7: Manufacturer: Linux 2.6.31-rc9-dirty uhci_hcd usb usb7: SerialNumber: 0000:00:1d.1 usb usb7: configuration #1 chosen from 1 choice hub 7-0:1.0: USB hub found hub 7-0:1.0: 2 ports detected uhci_hcd 0000:00:1d.2: PCI INT C -> GSI 18 (level, low) -> IRQ 18 uhci_hcd 0000:00:1d.2: setting latency timer to 64 uhci_hcd 0000:00:1d.2: UHCI Host Controller uhci_hcd 0000:00:1d.2: new USB bus registered, assigned bus number 8 uhci_hcd 0000:00:1d.2: irq 18, io base 0x0000b000 usb usb8: New USB device found, idVendor=1d6b, idProduct=0001 usb usb8: New USB device strings: Mfr=3, Product=2, SerialNumber=1 usb usb8: Product: UHCI Host Controller usb usb8: Manufacturer: Linux 2.6.31-rc9-dirty uhci_hcd usb usb8: SerialNumber: 0000:00:1d.2 usb usb8: configuration #1 chosen from 1 choice hub 8-0:1.0: USB hub found hub 8-0:1.0: 2 ports detected PNP: No PS/2 controller found. Probing ports directly. serio: i8042 KBD port at 0x60,0x64 irq 1 serio: i8042 AUX port at 0x60,0x64 irq 12 mice: PS/2 mouse device common for all mice rtc_cmos 00:03: RTC can wake from S4 rtc_cmos 00:03: rtc core: registered rtc_cmos as rtc0 rtc0: alarms up to one month, y3k, 114 bytes nvram, hpet irqs device-mapper: uevent: version 1.0.3 device-mapper: ioctl: 4.15.0-ioctl (2009-04-01) initialised: dm-devel@redhat.com cpuidle: using governor ladder cpuidle: using governor menu usbcore: registered new interface driver hiddev usbcore: registered new interface driver usbhid usbhid: v2.6:USB HID core driver nf_conntrack version 0.5.0 (16384 buckets, 65536 max) CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Please use nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option or sysctl net.netfilter.nf_conntrack_acct=1 to enable it. ip_tables: (C) 2000-2006 Netfilter Core Team TCP cubic registered Initializing XFRM netlink socket NET: Registered protocol family 17 ata2.00: SATA link up 3.0 Gbps (SStatus 123 SControl 300) ata2.01: SATA link down (SStatus 0 SControl 300) ata1.00: SATA link up 3.0 Gbps (SStatus 123 SControl 300) ata1.01: SATA link up 1.5 Gbps (SStatus 113 SControl 300) ata2.00: ATA-8: WDC WD6400AAKS-75A7B2, 01.03B01, max UDMA/133 ata2.00: 1250263728 sectors, multi 16: LBA48 NCQ (depth 0/32) ata2.00: configured for UDMA/133 ata1.00: ATA-8: ST31000340AS, DE13, max UDMA/133 ata1.00: 1953525168 sectors, multi 16: LBA48 NCQ (depth 0/32) ata1.01: ATAPI: Optiarc DVD+/-RW AD-7200S, 102A, max UDMA/100 ata1.00: configured for UDMA/133 ata1.01: configured for UDMA/100 scsi 0:0:0:0: Direct-Access ATA ST31000340AS DE13 PQ: 0 ANSI: 5 sd 0:0:0:0: Attached scsi generic sg0 type 0 sd 0:0:0:0: [sda] 1953525168 512-byte logical blocks: (1.00 TB/931 GiB) scsi 0:0:1:0: CD-ROM Optiarc DVD+-RW AD-7200S 102A PQ: 0 ANSI: 5 sd 0:0:0:0: [sda] Write Protect is off sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00 sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA sda: sda1 sr0: scsi3-mmc drive: 48x/48x writer dvd-ram cd/rw xa/form2 cdda tray Uniform CD-ROM driver Revision: 3.20 sr 0:0:1:0: Attached scsi CD-ROM sr0 sr 0:0:1:0: Attached scsi generic sg1 type 5 scsi 1:0:0:0: Direct-Access ATA WDC WD6400AAKS-7 01.0 PQ: 0 ANSI: 5 sd 1:0:0:0: Attached scsi generic sg2 type 0 sd 1:0:0:0: [sdb] 1250263728 512-byte logical blocks: (640 GB/596 GiB) sd 1:0:0:0: [sdb] Write Protect is off sd 1:0:0:0: [sdb] Mode Sense: 00 3a 00 00 sd 1:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA sdb: sda1: <solaris: [s0] sda5 [s1] sda6 [s2] sda7 [s7] sda8 [s8] sda9 [s9] sda10 > usb 1-4: new high speed USB device using ehci_hcd and address 3 usb 1-4: New USB device found, idVendor=0644, idProduct=0201 usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-4: Product: CAB-200 usb 1-4: Manufacturer: DELL usb 1-4: SerialNumber: 0000010279B1 usb 1-4: configuration #1 chosen from 1 choice usb 4-1: new full speed USB device using uhci_hcd and address 2 usb 4-1: New USB device found, idVendor=046d, idProduct=0b05 usb 4-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 usb 4-1: Product: BT Mini-Receiver usb 4-1: Manufacturer: Logitech usb 4-1: configuration #1 chosen from 1 choice hub 4-1:1.0: USB hub found hub 4-1:1.0: 3 ports detected usb 5-2: new low speed USB device using uhci_hcd and address 2 usb 5-2: New USB device found, idVendor=0a81, idProduct=0101 usb 5-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 usb 5-2: Product: USB Keyboard usb 5-2: Manufacturer: CHESEN usb 5-2: configuration #1 chosen from 1 choice input: CHESEN USB Keyboard as /devices/pci0000:00/0000:00:1a.2/usb5/5-2/5-2:1.0/input/input3 generic-usb 0003:0A81:0101.0001: input,hidraw0: USB HID v1.10 Keyboard [CHESEN USB Keyboard] on usb-0000:00:1a.2-2/input0 input: CHESEN USB Keyboard as /devices/pci0000:00/0000:00:1a.2/usb5/5-2/5-2:1.1/input/input4 generic-usb 0003:0A81:0101.0002: input,hidraw1: USB HID v1.10 Device [CHESEN USB Keyboard] on usb-0000:00:1a.2-2/input1 usb 4-1.1: new full speed USB device using uhci_hcd and address 3 usb 4-1.1: New USB device found, idVendor=413c, idProduct=8130 usb 4-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 4-1.1: Product: BT Mini-Receiver usb 4-1.1: Manufacturer: Logitech usb 4-1.1: SerialNumber: 001E4CE6DA8F usb 4-1.1: configuration #1 chosen from 1 choice usb 4-1.2: new full speed USB device using uhci_hcd and address 4 usb 4-1.2: New USB device found, idVendor=046d, idProduct=c718 usb 4-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 4-1.2: Product: BT Mini-Receiver usb 4-1.2: Manufacturer: Logitech usb 4-1.2: SerialNumber: 001E4CE6DA8F usb 4-1.2: configuration #1 chosen from 1 choice input: Logitech BT Mini-Receiver as /devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1.2/4-1.2:1.0/input/input5 generic-usb 0003:046D:C718.0003: input,hidraw2: USB HID v1.11 Keyboard [Logitech BT Mini-Receiver] on usb-0000:00:1a.1-1.2/input0 usb 4-1.3: new full speed USB device using uhci_hcd and address 5 usb 4-1.3: New USB device found, idVendor=046d, idProduct=c719 usb 4-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 4-1.3: Product: BT Mini-Receiver usb 4-1.3: Manufacturer: Logitech usb 4-1.3: SerialNumber: 001E4CE6DA8F usb 4-1.3: configuration #1 chosen from 1 choice input: Logitech BT Mini-Receiver as /devices/pci0000:00/0000:00:1a.1/usb4/4-1/4-1.3/4-1.3:1.0/input/input6 sdb1 sdb2 sdb3 sdb4 < generic-usb 0003:046D:C719.0004: input,hiddev96,hidraw3: USB HID v1.11 Mouse [Logitech BT Mini-Receiver] on usb-0000:00:1a.1-1.3/input0 sd 0:0:0:0: [sda] Attached SCSI disk sdb5 > sd 1:0:0:0: [sdb] Attached SCSI disk PM: Resume from disk failed. registered taskstats version 1 Magic number: 9:250:925 Initalizing network drop monitor service Freeing unused kernel memory: 3192k freed Write protecting the kernel read-only data: 7564k EXT4-fs (sdb2): INFO: recovery required on readonly filesystem EXT4-fs (sdb2): write access will be enabled during recovery EXT4-fs (sdb2): barriers enabled kjournald2 starting: pid 142, dev sdb2:8, commit interval 5 seconds EXT4-fs (sdb2): delayed allocation enabled EXT4-fs: file extents enabled EXT4-fs: mballoc enabled EXT4-fs (sdb2): recovery complete EXT4-fs (sdb2): mounted filesystem with ordered data mode type=1404 audit(1252396540.116:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 SELinux: 8192 avtab hash slots, 123724 rules. SELinux: 8192 avtab hash slots, 123724 rules. SELinux: 8 users, 11 roles, 2722 types, 127 bools, 1 sens, 1024 cats SELinux: 74 classes, 123724 rules SELinux: Completing initialization. SELinux: Setting up existing superblocks. SELinux: initialized (dev sdb2, type ext4), uses xattr SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts SELinux: initialized (dev devpts, type devpts), uses transition SIDs SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs SELinux: initialized (dev anon_inodefs, type anon_inodefs), uses genfs_contexts SELinux: initialized (dev pipefs, type pipefs), uses task SIDs SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts SELinux: initialized (dev sockfs, type sockfs), uses task SIDs SELinux: initialized (dev proc, type proc), uses genfs_contexts SELinux: initialized (dev bdev, type bdev), uses genfs_contexts SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts type=1403 audit(1252396540.773:3): policy loaded auid=4294967295 ses=4294967295 udev: starting version 141 iTCO_vendor_support: vendor-support=0 Initializing USB Mass Storage driver... scsi4 : SCSI emulation for USB Mass Storage devices usb-storage: device found at 3 usb-storage: waiting for device to settle before scanning usbcore: registered new interface driver usb-storage USB Mass Storage support registered. dcdbas dcdbas: Dell Systems Management Base Driver (version 5.6.0-3.2) e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k2 e1000e: Copyright (c) 1999-2008 Intel Corporation. alloc irq_desc for 20 on node 0 alloc kstat_irqs on node 0 e1000e 0000:00:19.0: PCI INT A -> GSI 20 (level, low) -> IRQ 20 e1000e 0000:00:19.0: pci_enable_pcie_error_reporting failed 0xfffffffb e1000e 0000:00:19.0: setting latency timer to 64 alloc irq_desc for 29 on node 0 alloc kstat_irqs on node 0 e1000e 0000:00:19.0: irq 29 for MSI/MSI-X 0000:00:19.0: eth0: (PCI Express:2.5GB/s:Width x1) 00:21:9b:26:66:21 0000:00:19.0: eth0: Intel(R) PRO/1000 Network Connection 0000:00:19.0: eth0: MAC: 7, PHY: 8, PBA No: ffffff-0ff iTCO_wdt: Intel TCO WatchDog Timer Driver v1.05 iTCO_wdt: Found a ICH10R TCO device (Version=2, TCOBASE=0x0860) iTCO_wdt: initialized. heartbeat=30 sec (nowayout=0) input: PC Speaker as /devices/platform/pcspkr/input/input7 i801_smbus 0000:00:1f.3: PCI INT C -> GSI 18 (level, low) -> IRQ 18 Bluetooth: Core ver 2.15 NET: Registered protocol family 31 Bluetooth: HCI device and connection manager initialized Bluetooth: HCI socket layer initialized firewire_ohci 0000:02:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17 firewire_ohci 0000:02:00.0: setting latency timer to 64 Bluetooth: Generic Bluetooth USB driver ver 0.5 usbcore: registered new interface driver btusb firewire_ohci: Added fw-ohci device 0000:02:00.0, OHCI version 1.10 [drm] Initialized drm 1.1.0 20060810 [drm] radeon default to kernel modesetting. [drm] radeon kernel modesetting enabled. radeon 0000:04:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 radeon 0000:04:00.0: setting latency timer to 64 [drm] radeon: Initializing kernel modesetting. [drm:radeon_driver_load_kms] *ERROR* Failed to initialize radeon, disabling IOCTL radeon 0000:04:00.0: PCI INT A disabled radeon: probe of 0000:04:00.0 failed with error -22 alloc irq_desc for 22 on node 0 alloc kstat_irqs on node 0 HDA Intel 0000:00:1b.0: PCI INT A -> GSI 22 (level, low) -> IRQ 22 HDA Intel 0000:00:1b.0: setting latency timer to 64 firewire_core: created device fw0: GUID 00219b8000266621, S400 hda_codec: Unknown model for ALC1200, trying auto-probe from BIOS... ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3857: autoconfig: line_outs=4 (0x14/0x15/0x16/0x17/0x0) ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3861: speaker_outs=0 (0x0/0x0/0x0/0x0/0x0) ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3865: hp_outs=1 (0x1b/0x0/0x0/0x0/0x0) ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3866: mono: mono_out=0x0 ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3869: dig-out=0x11/0x1e ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3877: inputs: mic=0x18, fmic=0x19, line=0x1a, fline=0x0, cd=0x0, aux=0x0 ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/hda_codec.c:3879: dig-in=0x1f ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/patch_realtek.c:1181: realtek: No valid SSID, checking pincfg 0x4016a619 for NID 0x1d ALSA /home/arc/Sources/linux-2.6/sound/pci/hda/patch_realtek.c:1197: realtek: Enabling init ASM_ID=0xa619 CODEC_ID=10ec0888 input: HDA Digital PCBeep as /devices/pci0000:00/0000:00:1b.0/input/input8 HDA Intel 0000:04:00.1: PCI INT B -> GSI 17 (level, low) -> IRQ 17 HDA Intel 0000:04:00.1: setting latency timer to 64 alsactl used greatest stack depth: 2808 bytes left device-mapper: multipath: version 1.1.0 loaded EXT4-fs (sdb2): internal journal on sdb2:8 kjournald starting. Commit interval 5 seconds EXT3 FS on sdb1, internal journal EXT3-fs: mounted filesystem with writeback data mode. SELinux: initialized (dev sdb1, type ext3), uses xattr EXT4-fs (sdb3): barriers enabled kjournald2 starting: pid 1239, dev sdb3:8, commit interval 5 seconds EXT4-fs (sdb3): internal journal on sdb3:8 EXT4-fs (sdb3): delayed allocation enabled EXT4-fs: file extents enabled EXT4-fs: mballoc enabled EXT4-fs (sdb3): mounted filesystem with ordered data mode SELinux: initialized (dev sdb3, type ext4), uses xattr SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs usb-storage: device scan complete scsi 4:0:0:0: Direct-Access DELL USB HS-CF Card 7.08 PQ: 0 ANSI: 0 scsi 4:0:0:1: Direct-Access DELL USB HS-xD/SM 7.08 PQ: 0 ANSI: 0 scsi 4:0:0:2: Direct-Access DELL USB HS-MS Card 7.08 PQ: 0 ANSI: 0 scsi 4:0:0:3: Direct-Access DELL USB HS-SD Card 7.08 PQ: 0 ANSI: 0 sd 4:0:0:0: Attached scsi generic sg3 type 0 sd 4:0:0:0: [sdc] Attached SCSI removable disk sd 4:0:0:1: Attached scsi generic sg4 type 0 sd 4:0:0:1: [sdd] Attached SCSI removable disk sd 4:0:0:2: Attached scsi generic sg5 type 0 sd 4:0:0:2: [sde] Attached SCSI removable disk sd 4:0:0:3: Attached scsi generic sg6 type 0 sd 4:0:0:3: [sdf] Attached SCSI removable disk Adding 8191992k swap on /dev/sdb5. Priority:-1 extents:1 across:8191992k SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts microcode: CPU0 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU1 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU2 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU3 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU4 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU5 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU6 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 microcode: CPU7 sig=0x106a4, pf=0x2, revision=0xa platform microcode: firmware: requesting intel-ucode/06-1a-04 Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba Microcode Update Driver: v2.00 removed. NET: Registered protocol family 10 lo: Disabled Privacy Extensions type=1305 audit(1252396619.571:18920): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=2 res=1 type=1305 audit(1252396619.572:18921): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1 e1000e 0000:00:19.0: irq 29 for MSI/MSI-X e1000e 0000:00:19.0: irq 29 for MSI/MSI-X ADDRCONF(NETDEV_UP): eth0: link is not ready e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None 0000:00:19.0: eth0: 10/100 speed: disabling TSO ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready e1000e 0000:00:19.0: irq 29 for MSI/MSI-X e1000e 0000:00:19.0: irq 29 for MSI/MSI-X ADDRCONF(NETDEV_UP): eth0: link is not ready e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None 0000:00:19.0: eth0: 10/100 speed: disabling TSO ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready eth0: no IPv6 routers present type=1400 audit(1252396670.094:18922): avc: denied { getattr } for pid=2101 comm="ck-collect-sess" path="/home/arc/.vnc/git:1.log" dev=sdb3 ino=90 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file type=1400 audit(1252396670.129:18923): avc: denied { connectto } for pid=2102 comm="ck-get-x11-serv" path=002F746D702F2E5831312D756E69782F5831 scontext=system_u:system_r:consolekit_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_notrans_t:s0-s0:c0.c1023 tclass=unix_stream_socket fuse init (API version 7.12) SELinux: initialized (dev fuse, type fuse), uses genfs_contexts general protection fault: 0000 [#1] SMP last sysfs file: /sys/devices/virtual/tty/tty9/uevent CPU 2 Modules linked in: fuse ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_multipath uinput snd_hda_codec_atihdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec radeon ttm snd_hwdep drm btusb firewire_ohci snd_pcm bluetooth serio_raw i2c_i801 i2c_algo_bit pcspkr snd_timer iTCO_wdt firewire_core i2c_core e1000e crc_itu_t dcdbas usb_storage iTCO_vendor_support snd soundcore snd_page_alloc joydev ata_generic pata_acpi [last unloaded: microcode] Pid: 2398, comm: gvfsd-trash Not tainted 2.6.31-rc9-dirty #2 Studio XPS 435MT RIP: 0010:[<ffffffff814f9162>] [<ffffffff814f9162>] unix_write_space+0x52/0x9d RSP: 0018:ffff880190921c48 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6bab RBX: ffff880185daf500 RCX: ffffffff814f9141 RDX: ffff8800325cf500 RSI: ffffffff814f9141 RDI: 6b6b6b6b6b6b6b6b RBP: ffff880190921c68 R08: ffff88018d91abb0 R09: 0000000000000000 R10: ffffffff81df9440 R11: 0000000000000000 R12: ffff880185daf828 R13: 0000000000000139 R14: ffff8801a1926c01 R15: ffff8801b6aebe00 FS: 00007f30fdb5d790(0000) GS:ffff8800325be000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000003940291410 CR3: 000000018d805000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process gvfsd-trash (pid: 2398, threadinfo ffff880190920000, task ffff88018d91a3f0) Stack: ffff880190921c58 000000003e910435 ffff880185daf500 00000000fffffec8 <0> ffff880190921ca8 ffffffff8145c35c ffff880185dad610 000000003e910435 <0> ffff880190921cb8 ffff8801b6aebe00 0000000000000000 ffffffff814f95b3 Call Trace: [<ffffffff8145c35c>] sock_wfree+0x55/0x86 [<ffffffff814f95b3>] ? unix_release_sock+0x1cd/0x23f [<ffffffff814608fc>] skb_release_head_state+0x89/0xfd [<ffffffff814605bf>] __kfree_skb+0x25/0xa7 [<ffffffff81460710>] kfree_skb+0x79/0x98 [<ffffffff814f95b3>] unix_release_sock+0x1cd/0x23f [<ffffffff814f95ab>] unix_release_sock+0x1c5/0x23f [<ffffffff814f965c>] unix_release+0x37/0x4d [<ffffffff814580e6>] sock_release+0x32/0x98 [<ffffffff81458184>] sock_close+0x38/0x50 [<ffffffff8113c943>] __fput+0x137/0x1f8 [<ffffffff8113ca31>] fput+0x2d/0x43 [<ffffffff81138c2c>] filp_close+0x77/0x97 [<ffffffff81138d0c>] sys_close+0xc0/0x110 [<ffffffff81012f02>] system_call_fastpath+0x16/0x1b Code: 31 c0 4c 89 e7 e8 09 76 03 00 8b 83 84 01 00 00 c1 e0 02 3b 83 8c 01 00 00 7f 37 48 8b bb 20 01 00 00 48 85 ff 74 19 48 8d 47 40 <48> 39 47 40 74 0f ba 01 00 00 00 be 01 00 00 00 e8 53 7a b5 ff RIP [<ffffffff814f9162>] unix_write_space+0x52/0x9d RSP <ffff880190921c48> ---[ end trace ea93400906b3aa89 ]--- ============================================================================= BUG UNIX: Poison overwritten ----------------------------------------------------------------------------- INFO: 0xffff880185daf858-0xffff880185daf867. First byte 0x2 instead of 0x6b INFO: Allocated in sk_prot_alloc+0x48/0x111 age=4205 cpu=5 pid=3008 INFO: Freed in __sk_free+0xe8/0x119 age=4242 cpu=5 pid=3008 INFO: Slab 0xffffea0009e60c40 objects=19 used=15 fp=0xffff880185daf500 flags=0x400000000040c3 INFO: Object 0xffff880185daf500 @offset=29952 fp=0xffff880185dadb00 Bytes b4 0xffff880185daf4f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Object 0xffff880185daf500: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf510: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf520: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf530: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf540: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf550: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf560: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf570: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf580: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf590: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf5a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf5b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf5c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf5d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf5e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf5f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf640: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf650: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf660: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf670: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf680: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf690: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf6a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf6b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf6c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf6d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf6e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf6f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf700: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf710: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf720: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf730: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf740: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf750: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf760: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf770: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf780: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf790: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf7a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf7b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf7c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf7d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf7e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf7f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf800: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf810: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf820: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf830: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf840: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf850: 6b 6b 6b 6b 6b 6b 6b 6b 02 00 00 00 6b 6b 6b 6b kkkkkkkk....kkkk Object 0xffff880185daf860: 41 91 4f 81 ff ff ff ff 6b 6b 6b 6b 6b 6b 6b 6b A.O.ÿÿÿÿkkkkkkkk Object 0xffff880185daf870: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf880: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf890: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf8a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf8b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf8c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf8d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf8e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf8f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf900: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf910: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf920: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf930: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf940: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf950: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf960: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf970: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf980: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf990: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf9a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf9b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf9c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf9d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf9e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185daf9f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa70: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa80: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafa90: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafaa0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafab0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafac0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafad0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafae0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880185dafaf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk¥ Redzone 0xffff880185dafb00: bb bb bb bb bb bb bb bb »»»»»»»» Padding 0xffff880185dafb40: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Padding 0xffff880185dafb50: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Padding 0xffff880185dafb60: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Padding 0xffff880185dafb70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Pid: 3074, comm: nautilus Tainted: G D 2.6.31-rc9-dirty #2 Call Trace: [<ffffffff8112c645>] print_trailer+0x153/0x174 [<ffffffff8112cc7d>] check_bytes_and_report+0xc9/0x10e [<ffffffff8112cd9b>] check_object+0xd9/0x1d3 [<ffffffff8112f1c7>] __slab_alloc+0x332/0x3f0 [<ffffffff8145c620>] ? sk_prot_alloc+0x48/0x111 [<ffffffff8112f501>] kmem_cache_alloc+0xcb/0x18a [<ffffffff8145c620>] ? sk_prot_alloc+0x48/0x111 [<ffffffff8145c620>] sk_prot_alloc+0x48/0x111 [<ffffffff8145c7e8>] sk_alloc+0x3d/0x92 [<ffffffff814f9a50>] unix_create1+0x5e/0x1a3 [<ffffffff814f9f22>] unix_stream_connect+0xa0/0x440 [<ffffffff8113c670>] ? fget_light+0x66/0x113 [<ffffffff81458bec>] sys_connect+0x95/0xd5 [<ffffffff8109694b>] ? trace_hardirqs_on_caller+0x32/0x175 [<ffffffff8152f70e>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff81012f02>] system_call_fastpath+0x16/0x1b FIX UNIX: Restoring 0xffff880185daf858-0xffff880185daf867=0x6b FIX UNIX: Marking all objects used general protection fault: 0000 [#2] SMP last sysfs file: /sys/devices/virtual/tty/tty9/uevent CPU 2 Modules linked in: fuse ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_multipath uinput snd_hda_codec_atihdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec radeon ttm snd_hwdep drm btusb firewire_ohci snd_pcm bluetooth serio_raw i2c_i801 i2c_algo_bit pcspkr snd_timer iTCO_wdt firewire_core i2c_core e1000e crc_itu_t dcdbas usb_storage iTCO_vendor_support snd soundcore snd_page_alloc joydev ata_generic pata_acpi [last unloaded: microcode] Pid: 3013, comm: gvfsd-trash Tainted: G D 2.6.31-rc9-dirty #2 Studio XPS 435MT RIP: 0010:[<ffffffff814f9162>] [<ffffffff814f9162>] unix_write_space+0x52/0x9d RSP: 0018:ffff880185d8fc48 EFLAGS: 00010202 RAX: 6b6b6b6b6b6b6bab RBX: ffff880184d0a080 RCX: ffffffff814f9141 RDX: 0000000000000000 RSI: ffff880184d0a3c0 RDI: 6b6b6b6b6b6b6b6b RBP: ffff880185d8fc68 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff880184d0a3a8 R13: 0000000000000139 R14: ffff88019f8a2001 R15: ffff8801b6aebb80 FS: 00007fdaaa893790(0000) GS:ffff8800325be000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000002af01c8 CR3: 0000000185c19000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process gvfsd-trash (pid: 3013, threadinfo ffff880185d8e000, task ffff880192d547e0) Stack: ffff880185d8fcb8 000000005212050f ffff880184d0a080 00000000fffffec8 <0> ffff880185d8fca8 ffffffff8145c35c ffff880185d8fcd8 000000005212050f <0> ffff880185d8fcb8 ffff8801b6aebb80 0000000000000000 ffffffff814f95b3 Call Trace: [<ffffffff8145c35c>] sock_wfree+0x55/0x86 [<ffffffff814f95b3>] ? unix_release_sock+0x1cd/0x23f [<ffffffff814608fc>] skb_release_head_state+0x89/0xfd [<ffffffff814605bf>] __kfree_skb+0x25/0xa7 [<ffffffff81460710>] kfree_skb+0x79/0x98 [<ffffffff814f95b3>] unix_release_sock+0x1cd/0x23f [<ffffffff814f95ab>] unix_release_sock+0x1c5/0x23f [<ffffffff814f965c>] unix_release+0x37/0x4d [<ffffffff814580e6>] sock_release+0x32/0x98 [<ffffffff81458184>] sock_close+0x38/0x50 [<ffffffff8113c943>] __fput+0x137/0x1f8 [<ffffffff81138c92>] ? sys_close+0x46/0x110 [<ffffffff8113ca31>] fput+0x2d/0x43 [<ffffffff81138c2c>] filp_close+0x77/0x97 [<ffffffff81138d0c>] sys_close+0xc0/0x110 [<ffffffff81012f02>] system_call_fastpath+0x16/0x1b Code: 31 c0 4c 89 e7 e8 09 76 03 00 8b 83 84 01 00 00 c1 e0 02 3b 83 8c 01 00 00 7f 37 48 8b bb 20 01 00 00 48 85 ff 74 19 48 8d 47 40 <48> 39 47 40 74 0f ba 01 00 00 00 be 01 00 00 00 e8 53 7a b5 ff RIP [<ffffffff814f9162>] unix_write_space+0x52/0x9d RSP <ffff880185d8fc48> ---[ end trace ea93400906b3aa8a ]--- ============================================================================= BUG UNIX: Poison overwritten ----------------------------------------------------------------------------- INFO: 0xffff880184d0a3a8-0xffff880184d0a3a8. First byte 0x6a instead of 0x6b INFO: Allocated in sk_prot_alloc+0x48/0x111 age=348 cpu=5 pid=3539 INFO: Freed in __sk_free+0xe8/0x119 age=347 cpu=5 pid=3539 INFO: Slab 0xffffea0009df4b40 objects=19 used=3 fp=0xffff880184d0a080 flags=0x400000000040c3 INFO: Object 0xffff880184d0a080 @offset=8320 fp=0xffff880184d0a700 Bytes b4 0xffff880184d0a070: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Object 0xffff880184d0a080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a0a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a0b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a0c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a0d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a0e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a0f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a170: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a180: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a190: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a1a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a1b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a1c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a1d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a1e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a1f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a200: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a210: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a220: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a230: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a240: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a250: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a270: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a280: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a290: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a2a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a2b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a2c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a2d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a2e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a2f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a300: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a310: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a320: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a330: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a340: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a350: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a360: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a370: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a380: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a390: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a3a0: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b kkkkkkkkjkkkkkkk Object 0xffff880184d0a3b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a3c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a3d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a3e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a3f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a400: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a410: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a420: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a430: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a440: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a450: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a460: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a470: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a480: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a490: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a4a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a4b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a4c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a4d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a4e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a4f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a500: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a510: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a520: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a530: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a540: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a550: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a560: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a570: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a580: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a590: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a5a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a5b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a5c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a5d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a5e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a5f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a640: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a650: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a660: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff880184d0a670: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk¥ Redzone 0xffff880184d0a680: bb bb bb bb bb bb bb bb »»»»»»»» Padding 0xffff880184d0a6c0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Padding 0xffff880184d0a6d0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Padding 0xffff880184d0a6e0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Padding 0xffff880184d0a6f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Pid: 3543, comm: nautilus Tainted: G D 2.6.31-rc9-dirty #2 Call Trace: [<ffffffff8112c645>] print_trailer+0x153/0x174 [<ffffffff8112cc7d>] check_bytes_and_report+0xc9/0x10e [<ffffffff8112cd9b>] check_object+0xd9/0x1d3 [<ffffffff8112f1c7>] __slab_alloc+0x332/0x3f0 [<ffffffff8145c620>] ? sk_prot_alloc+0x48/0x111 [<ffffffff8112f501>] kmem_cache_alloc+0xcb/0x18a [<ffffffff8145c620>] ? sk_prot_alloc+0x48/0x111 [<ffffffff8145c620>] sk_prot_alloc+0x48/0x111 [<ffffffff81151361>] ? new_inode+0x43/0x99 [<ffffffff8145c7e8>] sk_alloc+0x3d/0x92 [<ffffffff814f9a50>] unix_create1+0x5e/0x1a3 [<ffffffff814f9c0d>] unix_create+0x78/0x97 [<ffffffff8145833d>] __sock_create+0x1a1/0x270 [<ffffffff814582a7>] ? __sock_create+0x10b/0x270 [<ffffffff8145849c>] sock_create+0x43/0x59 [<ffffffff8145871f>] sys_socket+0x3a/0x7f [<ffffffff81012f02>] system_call_fastpath+0x16/0x1b FIX UNIX: Restoring 0xffff880184d0a3a8-0xffff880184d0a3a8=0x6b FIX UNIX: Marking all objects used ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 2009-09-08 8:09 ` Jike Song @ 2009-09-08 12:12 ` Eric Dumazet 2009-09-08 22:49 ` [PATCH] net: Fix sock_wfree() race Eric Dumazet 0 siblings, 1 reply; 18+ messages in thread From: Eric Dumazet @ 2009-09-08 12:12 UTC (permalink / raw) To: Jike Song; +Cc: Parag Warudkar, linux-kernel, netdev Jike Song a écrit : > On Tue, Sep 8, 2009 at 3:38 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote: >> We decrement a refcnt while object already freed. >> >> (SLUB DEBUG poisons the zone with 0x6B pattern) >> >> You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U >> in sk_free() : We'll see the path trying to delete an already freed sock >> >> diff --git a/net/core/sock.c b/net/core/sock.c >> index 7633422..1cb85ff 100644 >> --- a/net/core/sock.c >> +++ b/net/core/sock.c >> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >> >> void sk_free(struct sock *sk) >> { >> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >> /* >> * We substract one from sk_wmem_alloc and can know if >> * some packets are still in some tx queue. >> >> > > The output of dmesg with this patch appllied is attached. > > Unfortunatly this WARN_ON was not triggered, maybe freeing comes from sock_wfree() Could you try this patch instead ? Thanks diff --git a/net/core/sock.c b/net/core/sock.c index 7633422..30469dc 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) void sk_free(struct sock *sk) { + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); /* * We substract one from sk_wmem_alloc and can know if * some packets are still in some tx queue. @@ -1220,6 +1221,7 @@ void sock_wfree(struct sk_buff *skb) struct sock *sk = skb->sk; int res; + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); /* In case it might be waiting for more memory. */ res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) ^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH] net: Fix sock_wfree() race 2009-09-08 12:12 ` Eric Dumazet @ 2009-09-08 22:49 ` Eric Dumazet 2009-09-09 7:14 ` Jike Song 2009-09-11 18:43 ` David Miller 0 siblings, 2 replies; 18+ messages in thread From: Eric Dumazet @ 2009-09-08 22:49 UTC (permalink / raw) To: David S. Miller; +Cc: Jike Song, Parag Warudkar, linux-kernel, netdev Eric Dumazet a écrit : > Jike Song a écrit : >> On Tue, Sep 8, 2009 at 3:38 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote: >>> We decrement a refcnt while object already freed. >>> >>> (SLUB DEBUG poisons the zone with 0x6B pattern) >>> >>> You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U >>> in sk_free() : We'll see the path trying to delete an already freed sock >>> >>> diff --git a/net/core/sock.c b/net/core/sock.c >>> index 7633422..1cb85ff 100644 >>> --- a/net/core/sock.c >>> +++ b/net/core/sock.c >>> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >>> >>> void sk_free(struct sock *sk) >>> { >>> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >>> /* >>> * We substract one from sk_wmem_alloc and can know if >>> * some packets are still in some tx queue. >>> >>> >> The output of dmesg with this patch appllied is attached. >> >> > > Unfortunatly this WARN_ON was not triggered, > maybe freeing comes from sock_wfree() > > Could you try this patch instead ? > > Thanks > > diff --git a/net/core/sock.c b/net/core/sock.c > index 7633422..30469dc 100644 > --- a/net/core/sock.c > +++ b/net/core/sock.c > @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) > > void sk_free(struct sock *sk) > { > + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); > /* > * We substract one from sk_wmem_alloc and can know if > * some packets are still in some tx queue. > @@ -1220,6 +1221,7 @@ void sock_wfree(struct sk_buff *skb) > struct sock *sk = skb->sk; > int res; > > + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); > /* In case it might be waiting for more memory. */ > res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); > if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) > David, I believe problem could come from a race in sock_wfree() It used to have two atomic ops. One doing the atomic_sub(skb->truesize, &sk->sk_wmem_alloc); then one sock_put() doing the atomic_dec_and_test(&sk->sk_refcnt) Now, if two cpus are both : CPU 1 calling sock_wfree() CPU 2 calling the 'final' sock_put(), CPU 1 doing sock_wfree() might call sk->sk_write_space(sk) while CPU 2 is already freeing the socket. Please note I did not test this patch, its very late here and I should get some sleep now... Thanks [PATCH] net: Fix sock_wfree() race Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) opens a window in sock_wfree() where another cpu might free the socket we are working on. Fix is to call sk->sk_write_space(sk) only while still holding a reference on sk. Since doing this call is done before the atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as a bias for possible sk_wmem_alloc evaluations. Reported-by: Jike Song <albcamus@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> --- include/linux/sunrpc/svcsock.h | 2 +- include/net/sock.h | 9 +++++++-- net/core/sock.c | 14 +++++++------- net/core/stream.c | 2 +- net/dccp/output.c | 4 ++-- net/ipv4/tcp_input.c | 2 +- net/phonet/pep-gprs.c | 4 ++-- net/phonet/pep.c | 4 ++-- net/sunrpc/svcsock.c | 8 ++++---- net/sunrpc/xprtsock.c | 10 +++++----- net/unix/af_unix.c | 12 ++++++------ 11 files changed, 38 insertions(+), 33 deletions(-) diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h index 04dba23..f80ebff 100644 --- a/include/linux/sunrpc/svcsock.h +++ b/include/linux/sunrpc/svcsock.h @@ -23,7 +23,7 @@ struct svc_sock { /* We keep the old state_change and data_ready CB's here */ void (*sk_ostate)(struct sock *); void (*sk_odata)(struct sock *, int bytes); - void (*sk_owspace)(struct sock *); + void (*sk_owspace)(struct sock *, unsigned int bias); /* private TCP part */ u32 sk_reclen; /* length of record */ diff --git a/include/net/sock.h b/include/net/sock.h index 950409d..eee3312 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -296,7 +296,7 @@ struct sock { /* XXX 4 bytes hole on 64 bit */ void (*sk_state_change)(struct sock *sk); void (*sk_data_ready)(struct sock *sk, int bytes); - void (*sk_write_space)(struct sock *sk); + void (*sk_write_space)(struct sock *sk, unsigned int bias); void (*sk_error_report)(struct sock *sk); int (*sk_backlog_rcv)(struct sock *sk, struct sk_buff *skb); @@ -554,7 +554,7 @@ static inline int sk_stream_wspace(struct sock *sk) return sk->sk_sndbuf - sk->sk_wmem_queued; } -extern void sk_stream_write_space(struct sock *sk); +extern void sk_stream_write_space(struct sock *sk, unsigned int bias); static inline int sk_stream_memory_free(struct sock *sk) { @@ -1433,6 +1433,11 @@ static inline int sock_writeable(const struct sock *sk) return atomic_read(&sk->sk_wmem_alloc) < (sk->sk_sndbuf >> 1); } +static inline int sock_writeable_bias(const struct sock *sk, unsigned int bias) +{ + return (atomic_read(&sk->sk_wmem_alloc) - bias) < (sk->sk_sndbuf >> 1); +} + static inline gfp_t gfp_any(void) { return in_softirq() ? GFP_ATOMIC : GFP_KERNEL; diff --git a/net/core/sock.c b/net/core/sock.c index 30d5446..da672c0 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -512,7 +512,7 @@ set_sndbuf: * Wake up sending tasks if we * upped the value. */ - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); break; case SO_SNDBUFFORCE: @@ -1230,10 +1230,10 @@ void sock_wfree(struct sk_buff *skb) struct sock *sk = skb->sk; int res; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) - sk->sk_write_space(sk); + sk->sk_write_space(sk, skb->truesize); + + res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); /* * if sk_wmem_alloc reached 0, we are last user and should * free this sock, as sk_free() call could not do it. @@ -1776,20 +1776,20 @@ static void sock_def_readable(struct sock *sk, int len) read_unlock(&sk->sk_callback_lock); } -static void sock_def_write_space(struct sock *sk) +static void sock_def_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); /* Do not wake up a writer until he can make "significant" * progress. --DaveM */ - if ((atomic_read(&sk->sk_wmem_alloc) << 1) <= sk->sk_sndbuf) { + if (((atomic_read(&sk->sk_wmem_alloc) - bias) << 1) <= sk->sk_sndbuf) { if (sk_has_sleeper(sk)) wake_up_interruptible_sync_poll(sk->sk_sleep, POLLOUT | POLLWRNORM | POLLWRBAND); /* Should agree with poll, otherwise some programs break */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); } diff --git a/net/core/stream.c b/net/core/stream.c index a37debf..df720e9 100644 --- a/net/core/stream.c +++ b/net/core/stream.c @@ -25,7 +25,7 @@ * * FIXME: write proper description */ -void sk_stream_write_space(struct sock *sk) +void sk_stream_write_space(struct sock *sk, unsigned int bias) { struct socket *sock = sk->sk_socket; diff --git a/net/dccp/output.c b/net/dccp/output.c index c96119f..cf0635e 100644 --- a/net/dccp/output.c +++ b/net/dccp/output.c @@ -192,14 +192,14 @@ unsigned int dccp_sync_mss(struct sock *sk, u32 pmtu) EXPORT_SYMBOL_GPL(dccp_sync_mss); -void dccp_write_space(struct sock *sk) +void dccp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); if (sk_has_sleeper(sk)) wake_up_interruptible(sk->sk_sleep); /* Should agree with poll, otherwise some programs break */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); read_unlock(&sk->sk_callback_lock); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index af6d6fa..bde1437 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4818,7 +4818,7 @@ static void tcp_new_space(struct sock *sk) tp->snd_cwnd_stamp = tcp_time_stamp; } - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } static void tcp_check_space(struct sock *sk) diff --git a/net/phonet/pep-gprs.c b/net/phonet/pep-gprs.c index d183509..cc36c31 100644 --- a/net/phonet/pep-gprs.c +++ b/net/phonet/pep-gprs.c @@ -38,7 +38,7 @@ struct gprs_dev { struct sock *sk; void (*old_state_change)(struct sock *); void (*old_data_ready)(struct sock *, int); - void (*old_write_space)(struct sock *); + void (*old_write_space)(struct sock *, unsigned int); struct net_device *dev; }; @@ -157,7 +157,7 @@ static void gprs_data_ready(struct sock *sk, int len) } } -static void gprs_write_space(struct sock *sk) +static void gprs_write_space(struct sock *sk, unsigned int bias) { struct gprs_dev *gp = sk->sk_user_data; diff --git a/net/phonet/pep.c b/net/phonet/pep.c index b8252d2..d76e2ea 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -268,7 +268,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) return -EOPNOTSUPP; } if (wake) - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); return 0; } @@ -394,7 +394,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb) case PNS_PIPE_ENABLED_IND: if (!pn_flow_safe(pn->tx_fc)) { atomic_set(&pn->tx_credits, 1); - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } if (sk->sk_state == TCP_ESTABLISHED) break; /* Nothing to do */ diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 23128ee..8c1642c 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -380,7 +380,7 @@ static void svc_sock_setbufsize(struct socket *sock, unsigned int snd, sock->sk->sk_sndbuf = snd * 2; sock->sk->sk_rcvbuf = rcv * 2; sock->sk->sk_userlocks |= SOCK_SNDBUF_LOCK|SOCK_RCVBUF_LOCK; - sock->sk->sk_write_space(sock->sk); + sock->sk->sk_write_space(sock->sk, 0); release_sock(sock->sk); #endif } @@ -405,7 +405,7 @@ static void svc_udp_data_ready(struct sock *sk, int count) /* * INET callback when space is newly available on the socket. */ -static void svc_write_space(struct sock *sk) +static void svc_write_space(struct sock *sk, unsigned int bias) { struct svc_sock *svsk = (struct svc_sock *)(sk->sk_user_data); @@ -422,13 +422,13 @@ static void svc_write_space(struct sock *sk) } } -static void svc_tcp_write_space(struct sock *sk) +static void svc_tcp_write_space(struct sock *sk, unsigned int bias) { struct socket *sock = sk->sk_socket; if (sk_stream_wspace(sk) >= sk_stream_min_wspace(sk) && sock) clear_bit(SOCK_NOSPACE, &sock->flags); - svc_write_space(sk); + svc_write_space(sk, bias); } /* diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 83c73c4..11e4d35 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -262,7 +262,7 @@ struct sock_xprt { */ void (*old_data_ready)(struct sock *, int); void (*old_state_change)(struct sock *); - void (*old_write_space)(struct sock *); + void (*old_write_space)(struct sock *, unsigned int); void (*old_error_report)(struct sock *); }; @@ -1491,12 +1491,12 @@ static void xs_write_space(struct sock *sk) * progress, otherwise we'll waste resources thrashing kernel_sendmsg * with a bunch of small requests. */ -static void xs_udp_write_space(struct sock *sk) +static void xs_udp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); /* from net/core/sock.c:sock_def_write_space */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) xs_write_space(sk); read_unlock(&sk->sk_callback_lock); @@ -1512,7 +1512,7 @@ static void xs_udp_write_space(struct sock *sk) * progress, otherwise we'll waste resources thrashing kernel_sendmsg * with a bunch of small requests. */ -static void xs_tcp_write_space(struct sock *sk) +static void xs_tcp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); @@ -1535,7 +1535,7 @@ static void xs_udp_do_set_buffer_size(struct rpc_xprt *xprt) if (transport->sndsize) { sk->sk_userlocks |= SOCK_SNDBUF_LOCK; sk->sk_sndbuf = transport->sndsize * xprt->max_reqs * 2; - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } } diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index fc3ebb9..9f90ead 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -306,15 +306,15 @@ found: return s; } -static inline int unix_writable(struct sock *sk) +static inline int unix_writable(struct sock *sk, unsigned int bias) { - return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; + return ((atomic_read(&sk->sk_wmem_alloc) - bias) << 2) <= sk->sk_sndbuf; } -static void unix_write_space(struct sock *sk) +static void unix_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); - if (unix_writable(sk)) { + if (unix_writable(sk, bias)) { if (sk_has_sleeper(sk)) wake_up_interruptible_sync(sk->sk_sleep); sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); @@ -2010,7 +2010,7 @@ static unsigned int unix_poll(struct file *file, struct socket *sock, poll_table * we set writable also when the other side has shut down the * connection. This prevents stuck sockets. */ - if (unix_writable(sk)) + if (unix_writable(sk, 0)) mask |= POLLOUT | POLLWRNORM | POLLWRBAND; return mask; @@ -2048,7 +2048,7 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, } /* writable? */ - writable = unix_writable(sk); + writable = unix_writable(sk, 0); if (writable) { other = unix_peer_get(sk); if (other) { ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-08 22:49 ` [PATCH] net: Fix sock_wfree() race Eric Dumazet @ 2009-09-09 7:14 ` Jike Song 2009-09-11 18:43 ` David Miller 1 sibling, 0 replies; 18+ messages in thread From: Jike Song @ 2009-09-09 7:14 UTC (permalink / raw) To: Eric Dumazet, Linux Kernel Mailing List, netdev, David Miller, Parag Warudkar [-- Attachment #1: Type: text/plain, Size: 3580 bytes --] On Wed, Sep 9, 2009 at 6:49 AM, Eric Dumazet<eric.dumazet@gmail.com> wrote: > Eric Dumazet a écrit : >> Jike Song a écrit : >>> On Tue, Sep 8, 2009 at 3:38 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote: >>>> We decrement a refcnt while object already freed. >>>> >>>> (SLUB DEBUG poisons the zone with 0x6B pattern) >>>> >>>> You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U >>>> in sk_free() : We'll see the path trying to delete an already freed sock >>>> >>>> diff --git a/net/core/sock.c b/net/core/sock.c >>>> index 7633422..1cb85ff 100644 >>>> --- a/net/core/sock.c >>>> +++ b/net/core/sock.c >>>> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >>>> >>>> void sk_free(struct sock *sk) >>>> { >>>> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >>>> /* >>>> * We substract one from sk_wmem_alloc and can know if >>>> * some packets are still in some tx queue. >>>> >>>> >>> The output of dmesg with this patch appllied is attached. >>> >>> >> >> Unfortunatly this WARN_ON was not triggered, >> maybe freeing comes from sock_wfree() >> >> Could you try this patch instead ? >> >> Thanks >> >> diff --git a/net/core/sock.c b/net/core/sock.c >> index 7633422..30469dc 100644 >> --- a/net/core/sock.c >> +++ b/net/core/sock.c >> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >> >> void sk_free(struct sock *sk) >> { >> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >> /* >> * We substract one from sk_wmem_alloc and can know if >> * some packets are still in some tx queue. >> @@ -1220,6 +1221,7 @@ void sock_wfree(struct sk_buff *skb) >> struct sock *sk = skb->sk; >> int res; >> >> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >> /* In case it might be waiting for more memory. */ >> res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); >> if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) >> > > > David, I believe problem could come from a race in sock_wfree() > > It used to have two atomic ops. > > One doing the atomic_sub(skb->truesize, &sk->sk_wmem_alloc); > then one sock_put() doing the atomic_dec_and_test(&sk->sk_refcnt) > > Now, if two cpus are both : > > CPU 1 calling sock_wfree() > CPU 2 calling the 'final' sock_put(), > CPU 1 doing sock_wfree() might call sk->sk_write_space(sk) > while CPU 2 is already freeing the socket. > > > Please note I did not test this patch, its very late here and I should get some sleep now... > > Thanks > > [PATCH] net: Fix sock_wfree() race > > Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 > (net: No more expensive sock_hold()/sock_put() on each tx) > opens a window in sock_wfree() where another cpu > might free the socket we are working on. > > Fix is to call sk->sk_write_space(sk) only > while still holding a reference on sk. > > Since doing this call is done before the > atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as > a bias for possible sk_wmem_alloc evaluations. > > Reported-by: Jike Song <albcamus@gmail.com> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Eric, I'm unable to apply this patch neatly. I applied it by hand, and did some change necessary. This patch for test is attached. With this patch applied, when run vncviewer, the kerneloops service still reports kernel failure. But I can't see any in dmesg output. -- Thanks, Jike [-- Attachment #2: my.patch --] [-- Type: application/octet-stream, Size: 12139 bytes --] diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 42b6c63..d1040fe 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -843,11 +843,11 @@ static struct rtnl_link_ops tun_link_ops __read_mostly = { .validate = tun_validate, }; -static void tun_sock_write_space(struct sock *sk) +static void tun_sock_write_space(struct sock *sk, unsigned int bias) { struct tun_struct *tun; - if (!sock_writeable(sk)) + if (!sock_writeable_bias(sk, bias)) return; if (!test_and_clear_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags)) diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h index 04dba23..f80ebff 100644 --- a/include/linux/sunrpc/svcsock.h +++ b/include/linux/sunrpc/svcsock.h @@ -23,7 +23,7 @@ struct svc_sock { /* We keep the old state_change and data_ready CB's here */ void (*sk_ostate)(struct sock *); void (*sk_odata)(struct sock *, int bytes); - void (*sk_owspace)(struct sock *); + void (*sk_owspace)(struct sock *, unsigned int bias); /* private TCP part */ u32 sk_reclen; /* length of record */ diff --git a/include/net/sock.h b/include/net/sock.h index 950409d..5fee407 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -296,7 +296,7 @@ struct sock { /* XXX 4 bytes hole on 64 bit */ void (*sk_state_change)(struct sock *sk); void (*sk_data_ready)(struct sock *sk, int bytes); - void (*sk_write_space)(struct sock *sk); + void (*sk_write_space)(struct sock *sk, unsigned int bias); void (*sk_error_report)(struct sock *sk); int (*sk_backlog_rcv)(struct sock *sk, struct sk_buff *skb); @@ -554,7 +554,7 @@ static inline int sk_stream_wspace(struct sock *sk) return sk->sk_sndbuf - sk->sk_wmem_queued; } -extern void sk_stream_write_space(struct sock *sk); +extern void sk_stream_write_space(struct sock *sk, unsigned int bias); static inline int sk_stream_memory_free(struct sock *sk) { @@ -1433,6 +1433,11 @@ static inline int sock_writeable(const struct sock *sk) return atomic_read(&sk->sk_wmem_alloc) < (sk->sk_sndbuf >> 1); } +static inline int sock_writeable_bias(const struct sock *sk, unsigned int bias) +{ + return (atomic_read(&sk->sk_wmem_alloc) - bias) < (sk->sk_sndbuf >> 1); +} + static inline gfp_t gfp_any(void) { return in_softirq() ? GFP_ATOMIC : GFP_KERNEL; diff --git a/net/atm/raw.c b/net/atm/raw.c index cbfcc71..ea14509 100644 --- a/net/atm/raw.c +++ b/net/atm/raw.c @@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc *vcc,struct sk_buff *skb) sk_wmem_alloc_get(sk), skb->truesize); atomic_sub(skb->truesize, &sk->sk_wmem_alloc); dev_kfree_skb_any(skb); - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } diff --git a/net/core/sock.c b/net/core/sock.c index 7633422..b840c10 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -510,7 +510,7 @@ set_sndbuf: * Wake up sending tasks if we * upped the value. */ - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); break; case SO_SNDBUFFORCE: @@ -1220,10 +1220,10 @@ void sock_wfree(struct sk_buff *skb) struct sock *sk = skb->sk; int res; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) - sk->sk_write_space(sk); + sk->sk_write_space(sk, skb->truesize); + + res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); /* * if sk_wmem_alloc reached 0, we are last user and should * free this sock, as sk_free() call could not do it. @@ -1766,20 +1766,20 @@ static void sock_def_readable(struct sock *sk, int len) read_unlock(&sk->sk_callback_lock); } -static void sock_def_write_space(struct sock *sk) +static void sock_def_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); /* Do not wake up a writer until he can make "significant" * progress. --DaveM */ - if ((atomic_read(&sk->sk_wmem_alloc) << 1) <= sk->sk_sndbuf) { + if (((atomic_read(&sk->sk_wmem_alloc) - bias) << 1) <= sk->sk_sndbuf) { if (sk_has_sleeper(sk)) wake_up_interruptible_sync_poll(sk->sk_sleep, POLLOUT | POLLWRNORM | POLLWRBAND); /* Should agree with poll, otherwise some programs break */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); } diff --git a/net/core/stream.c b/net/core/stream.c index a37debf..df720e9 100644 --- a/net/core/stream.c +++ b/net/core/stream.c @@ -25,7 +25,7 @@ * * FIXME: write proper description */ -void sk_stream_write_space(struct sock *sk) +void sk_stream_write_space(struct sock *sk, unsigned int bias) { struct socket *sock = sk->sk_socket; diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c index a27b7f4..bb9cf19 100644 --- a/net/dccp/ccids/ccid3.c +++ b/net/dccp/ccids/ccid3.c @@ -480,7 +480,7 @@ done_computing_x: * As we have calculated new ipi, delta, t_nom it is possible * that we now can send a packet, so wake up dccp_wait_for_ccid */ - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); /* * Update timeout interval for the nofeedback timer. diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h index d6bc473..f32274f 100644 --- a/net/dccp/dccp.h +++ b/net/dccp/dccp.h @@ -235,7 +235,7 @@ extern void dccp_send_sync(struct sock *sk, const u64 seq, const enum dccp_pkt_type pkt_type); extern void dccp_write_xmit(struct sock *sk, int block); -extern void dccp_write_space(struct sock *sk); +extern void dccp_write_space(struct sock *sk, unsigned int); extern void dccp_init_xmit_timers(struct sock *sk); static inline void dccp_clear_xmit_timers(struct sock *sk) diff --git a/net/dccp/output.c b/net/dccp/output.c index c96119f..cf0635e 100644 --- a/net/dccp/output.c +++ b/net/dccp/output.c @@ -192,14 +192,14 @@ unsigned int dccp_sync_mss(struct sock *sk, u32 pmtu) EXPORT_SYMBOL_GPL(dccp_sync_mss); -void dccp_write_space(struct sock *sk) +void dccp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); if (sk_has_sleeper(sk)) wake_up_interruptible(sk->sk_sleep); /* Should agree with poll, otherwise some programs break */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); read_unlock(&sk->sk_callback_lock); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 2bdb0da..9c24d07 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4819,7 +4819,7 @@ static void tcp_new_space(struct sock *sk) tp->snd_cwnd_stamp = tcp_time_stamp; } - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } static void tcp_check_space(struct sock *sk) diff --git a/net/phonet/pep-gprs.c b/net/phonet/pep-gprs.c index 480839d..18ccc24 100644 --- a/net/phonet/pep-gprs.c +++ b/net/phonet/pep-gprs.c @@ -38,7 +38,7 @@ struct gprs_dev { struct sock *sk; void (*old_state_change)(struct sock *); void (*old_data_ready)(struct sock *, int); - void (*old_write_space)(struct sock *); + void (*old_write_space)(struct sock *, unsigned int); struct net_device *dev; }; @@ -157,7 +157,7 @@ static void gprs_data_ready(struct sock *sk, int len) } } -static void gprs_write_space(struct sock *sk) +static void gprs_write_space(struct sock *sk, unsigned int bias) { struct gprs_dev *gp = sk->sk_user_data; diff --git a/net/phonet/pep.c b/net/phonet/pep.c index eef833e..0d15822 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -268,7 +268,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) return -EOPNOTSUPP; } if (wake) - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); return 0; } @@ -389,7 +389,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb) case PNS_PIPE_ENABLED_IND: if (!pn_flow_safe(pn->tx_fc)) { atomic_set(&pn->tx_credits, 1); - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } if (sk->sk_state == TCP_ESTABLISHED) break; /* Nothing to do */ diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 23128ee..8c1642c 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -380,7 +380,7 @@ static void svc_sock_setbufsize(struct socket *sock, unsigned int snd, sock->sk->sk_sndbuf = snd * 2; sock->sk->sk_rcvbuf = rcv * 2; sock->sk->sk_userlocks |= SOCK_SNDBUF_LOCK|SOCK_RCVBUF_LOCK; - sock->sk->sk_write_space(sock->sk); + sock->sk->sk_write_space(sock->sk, 0); release_sock(sock->sk); #endif } @@ -405,7 +405,7 @@ static void svc_udp_data_ready(struct sock *sk, int count) /* * INET callback when space is newly available on the socket. */ -static void svc_write_space(struct sock *sk) +static void svc_write_space(struct sock *sk, unsigned int bias) { struct svc_sock *svsk = (struct svc_sock *)(sk->sk_user_data); @@ -422,13 +422,13 @@ static void svc_write_space(struct sock *sk) } } -static void svc_tcp_write_space(struct sock *sk) +static void svc_tcp_write_space(struct sock *sk, unsigned int bias) { struct socket *sock = sk->sk_socket; if (sk_stream_wspace(sk) >= sk_stream_min_wspace(sk) && sock) clear_bit(SOCK_NOSPACE, &sock->flags); - svc_write_space(sk); + svc_write_space(sk, bias); } /* diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 83c73c4..11e4d35 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -262,7 +262,7 @@ struct sock_xprt { */ void (*old_data_ready)(struct sock *, int); void (*old_state_change)(struct sock *); - void (*old_write_space)(struct sock *); + void (*old_write_space)(struct sock *, unsigned int); void (*old_error_report)(struct sock *); }; @@ -1491,12 +1491,12 @@ static void xs_write_space(struct sock *sk) * progress, otherwise we'll waste resources thrashing kernel_sendmsg * with a bunch of small requests. */ -static void xs_udp_write_space(struct sock *sk) +static void xs_udp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); /* from net/core/sock.c:sock_def_write_space */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) xs_write_space(sk); read_unlock(&sk->sk_callback_lock); @@ -1512,7 +1512,7 @@ static void xs_udp_write_space(struct sock *sk) * progress, otherwise we'll waste resources thrashing kernel_sendmsg * with a bunch of small requests. */ -static void xs_tcp_write_space(struct sock *sk) +static void xs_tcp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); @@ -1535,7 +1535,7 @@ static void xs_udp_do_set_buffer_size(struct rpc_xprt *xprt) if (transport->sndsize) { sk->sk_userlocks |= SOCK_SNDBUF_LOCK; sk->sk_sndbuf = transport->sndsize * xprt->max_reqs * 2; - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } } diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index fc3ebb9..9f90ead 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -306,15 +306,15 @@ found: return s; } -static inline int unix_writable(struct sock *sk) +static inline int unix_writable(struct sock *sk, unsigned int bias) { - return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; + return ((atomic_read(&sk->sk_wmem_alloc) - bias) << 2) <= sk->sk_sndbuf; } -static void unix_write_space(struct sock *sk) +static void unix_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); - if (unix_writable(sk)) { + if (unix_writable(sk, bias)) { if (sk_has_sleeper(sk)) wake_up_interruptible_sync(sk->sk_sleep); sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); @@ -2010,7 +2010,7 @@ static unsigned int unix_poll(struct file *file, struct socket *sock, poll_table * we set writable also when the other side has shut down the * connection. This prevents stuck sockets. */ - if (unix_writable(sk)) + if (unix_writable(sk, 0)) mask |= POLLOUT | POLLWRNORM | POLLWRBAND; return mask; @@ -2048,7 +2048,7 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, } /* writable? */ - writable = unix_writable(sk); + writable = unix_writable(sk, 0); if (writable) { other = unix_peer_get(sk); if (other) { ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race @ 2009-09-09 7:14 ` Jike Song 0 siblings, 0 replies; 18+ messages in thread From: Jike Song @ 2009-09-09 7:14 UTC (permalink / raw) To: Eric Dumazet, Linux Kernel Mailing List, netdev, David Miller, Parag Warudkar <parag.lkml [-- Attachment #1: Type: text/plain, Size: 3580 bytes --] On Wed, Sep 9, 2009 at 6:49 AM, Eric Dumazet<eric.dumazet@gmail.com> wrote: > Eric Dumazet a écrit : >> Jike Song a écrit : >>> On Tue, Sep 8, 2009 at 3:38 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote: >>>> We decrement a refcnt while object already freed. >>>> >>>> (SLUB DEBUG poisons the zone with 0x6B pattern) >>>> >>>> You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U >>>> in sk_free() : We'll see the path trying to delete an already freed sock >>>> >>>> diff --git a/net/core/sock.c b/net/core/sock.c >>>> index 7633422..1cb85ff 100644 >>>> --- a/net/core/sock.c >>>> +++ b/net/core/sock.c >>>> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >>>> >>>> void sk_free(struct sock *sk) >>>> { >>>> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >>>> /* >>>> * We substract one from sk_wmem_alloc and can know if >>>> * some packets are still in some tx queue. >>>> >>>> >>> The output of dmesg with this patch appllied is attached. >>> >>> >> >> Unfortunatly this WARN_ON was not triggered, >> maybe freeing comes from sock_wfree() >> >> Could you try this patch instead ? >> >> Thanks >> >> diff --git a/net/core/sock.c b/net/core/sock.c >> index 7633422..30469dc 100644 >> --- a/net/core/sock.c >> +++ b/net/core/sock.c >> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >> >> void sk_free(struct sock *sk) >> { >> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >> /* >> * We substract one from sk_wmem_alloc and can know if >> * some packets are still in some tx queue. >> @@ -1220,6 +1221,7 @@ void sock_wfree(struct sk_buff *skb) >> struct sock *sk = skb->sk; >> int res; >> >> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >> /* In case it might be waiting for more memory. */ >> res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); >> if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) >> > > > David, I believe problem could come from a race in sock_wfree() > > It used to have two atomic ops. > > One doing the atomic_sub(skb->truesize, &sk->sk_wmem_alloc); > then one sock_put() doing the atomic_dec_and_test(&sk->sk_refcnt) > > Now, if two cpus are both : > > CPU 1 calling sock_wfree() > CPU 2 calling the 'final' sock_put(), > CPU 1 doing sock_wfree() might call sk->sk_write_space(sk) > while CPU 2 is already freeing the socket. > > > Please note I did not test this patch, its very late here and I should get some sleep now... > > Thanks > > [PATCH] net: Fix sock_wfree() race > > Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 > (net: No more expensive sock_hold()/sock_put() on each tx) > opens a window in sock_wfree() where another cpu > might free the socket we are working on. > > Fix is to call sk->sk_write_space(sk) only > while still holding a reference on sk. > > Since doing this call is done before the > atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as > a bias for possible sk_wmem_alloc evaluations. > > Reported-by: Jike Song <albcamus@gmail.com> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Eric, I'm unable to apply this patch neatly. I applied it by hand, and did some change necessary. This patch for test is attached. With this patch applied, when run vncviewer, the kerneloops service still reports kernel failure. But I can't see any in dmesg output. -- Thanks, Jike [-- Attachment #2: my.patch --] [-- Type: application/octet-stream, Size: 12139 bytes --] diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 42b6c63..d1040fe 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -843,11 +843,11 @@ static struct rtnl_link_ops tun_link_ops __read_mostly = { .validate = tun_validate, }; -static void tun_sock_write_space(struct sock *sk) +static void tun_sock_write_space(struct sock *sk, unsigned int bias) { struct tun_struct *tun; - if (!sock_writeable(sk)) + if (!sock_writeable_bias(sk, bias)) return; if (!test_and_clear_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags)) diff --git a/include/linux/sunrpc/svcsock.h b/include/linux/sunrpc/svcsock.h index 04dba23..f80ebff 100644 --- a/include/linux/sunrpc/svcsock.h +++ b/include/linux/sunrpc/svcsock.h @@ -23,7 +23,7 @@ struct svc_sock { /* We keep the old state_change and data_ready CB's here */ void (*sk_ostate)(struct sock *); void (*sk_odata)(struct sock *, int bytes); - void (*sk_owspace)(struct sock *); + void (*sk_owspace)(struct sock *, unsigned int bias); /* private TCP part */ u32 sk_reclen; /* length of record */ diff --git a/include/net/sock.h b/include/net/sock.h index 950409d..5fee407 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -296,7 +296,7 @@ struct sock { /* XXX 4 bytes hole on 64 bit */ void (*sk_state_change)(struct sock *sk); void (*sk_data_ready)(struct sock *sk, int bytes); - void (*sk_write_space)(struct sock *sk); + void (*sk_write_space)(struct sock *sk, unsigned int bias); void (*sk_error_report)(struct sock *sk); int (*sk_backlog_rcv)(struct sock *sk, struct sk_buff *skb); @@ -554,7 +554,7 @@ static inline int sk_stream_wspace(struct sock *sk) return sk->sk_sndbuf - sk->sk_wmem_queued; } -extern void sk_stream_write_space(struct sock *sk); +extern void sk_stream_write_space(struct sock *sk, unsigned int bias); static inline int sk_stream_memory_free(struct sock *sk) { @@ -1433,6 +1433,11 @@ static inline int sock_writeable(const struct sock *sk) return atomic_read(&sk->sk_wmem_alloc) < (sk->sk_sndbuf >> 1); } +static inline int sock_writeable_bias(const struct sock *sk, unsigned int bias) +{ + return (atomic_read(&sk->sk_wmem_alloc) - bias) < (sk->sk_sndbuf >> 1); +} + static inline gfp_t gfp_any(void) { return in_softirq() ? GFP_ATOMIC : GFP_KERNEL; diff --git a/net/atm/raw.c b/net/atm/raw.c index cbfcc71..ea14509 100644 --- a/net/atm/raw.c +++ b/net/atm/raw.c @@ -36,7 +36,7 @@ static void atm_pop_raw(struct atm_vcc *vcc,struct sk_buff *skb) sk_wmem_alloc_get(sk), skb->truesize); atomic_sub(skb->truesize, &sk->sk_wmem_alloc); dev_kfree_skb_any(skb); - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } diff --git a/net/core/sock.c b/net/core/sock.c index 7633422..b840c10 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -510,7 +510,7 @@ set_sndbuf: * Wake up sending tasks if we * upped the value. */ - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); break; case SO_SNDBUFFORCE: @@ -1220,10 +1220,10 @@ void sock_wfree(struct sk_buff *skb) struct sock *sk = skb->sk; int res; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) - sk->sk_write_space(sk); + sk->sk_write_space(sk, skb->truesize); + + res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); /* * if sk_wmem_alloc reached 0, we are last user and should * free this sock, as sk_free() call could not do it. @@ -1766,20 +1766,20 @@ static void sock_def_readable(struct sock *sk, int len) read_unlock(&sk->sk_callback_lock); } -static void sock_def_write_space(struct sock *sk) +static void sock_def_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); /* Do not wake up a writer until he can make "significant" * progress. --DaveM */ - if ((atomic_read(&sk->sk_wmem_alloc) << 1) <= sk->sk_sndbuf) { + if (((atomic_read(&sk->sk_wmem_alloc) - bias) << 1) <= sk->sk_sndbuf) { if (sk_has_sleeper(sk)) wake_up_interruptible_sync_poll(sk->sk_sleep, POLLOUT | POLLWRNORM | POLLWRBAND); /* Should agree with poll, otherwise some programs break */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); } diff --git a/net/core/stream.c b/net/core/stream.c index a37debf..df720e9 100644 --- a/net/core/stream.c +++ b/net/core/stream.c @@ -25,7 +25,7 @@ * * FIXME: write proper description */ -void sk_stream_write_space(struct sock *sk) +void sk_stream_write_space(struct sock *sk, unsigned int bias) { struct socket *sock = sk->sk_socket; diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c index a27b7f4..bb9cf19 100644 --- a/net/dccp/ccids/ccid3.c +++ b/net/dccp/ccids/ccid3.c @@ -480,7 +480,7 @@ done_computing_x: * As we have calculated new ipi, delta, t_nom it is possible * that we now can send a packet, so wake up dccp_wait_for_ccid */ - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); /* * Update timeout interval for the nofeedback timer. diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h index d6bc473..f32274f 100644 --- a/net/dccp/dccp.h +++ b/net/dccp/dccp.h @@ -235,7 +235,7 @@ extern void dccp_send_sync(struct sock *sk, const u64 seq, const enum dccp_pkt_type pkt_type); extern void dccp_write_xmit(struct sock *sk, int block); -extern void dccp_write_space(struct sock *sk); +extern void dccp_write_space(struct sock *sk, unsigned int); extern void dccp_init_xmit_timers(struct sock *sk); static inline void dccp_clear_xmit_timers(struct sock *sk) diff --git a/net/dccp/output.c b/net/dccp/output.c index c96119f..cf0635e 100644 --- a/net/dccp/output.c +++ b/net/dccp/output.c @@ -192,14 +192,14 @@ unsigned int dccp_sync_mss(struct sock *sk, u32 pmtu) EXPORT_SYMBOL_GPL(dccp_sync_mss); -void dccp_write_space(struct sock *sk) +void dccp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); if (sk_has_sleeper(sk)) wake_up_interruptible(sk->sk_sleep); /* Should agree with poll, otherwise some programs break */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); read_unlock(&sk->sk_callback_lock); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 2bdb0da..9c24d07 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -4819,7 +4819,7 @@ static void tcp_new_space(struct sock *sk) tp->snd_cwnd_stamp = tcp_time_stamp; } - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } static void tcp_check_space(struct sock *sk) diff --git a/net/phonet/pep-gprs.c b/net/phonet/pep-gprs.c index 480839d..18ccc24 100644 --- a/net/phonet/pep-gprs.c +++ b/net/phonet/pep-gprs.c @@ -38,7 +38,7 @@ struct gprs_dev { struct sock *sk; void (*old_state_change)(struct sock *); void (*old_data_ready)(struct sock *, int); - void (*old_write_space)(struct sock *); + void (*old_write_space)(struct sock *, unsigned int); struct net_device *dev; }; @@ -157,7 +157,7 @@ static void gprs_data_ready(struct sock *sk, int len) } } -static void gprs_write_space(struct sock *sk) +static void gprs_write_space(struct sock *sk, unsigned int bias) { struct gprs_dev *gp = sk->sk_user_data; diff --git a/net/phonet/pep.c b/net/phonet/pep.c index eef833e..0d15822 100644 --- a/net/phonet/pep.c +++ b/net/phonet/pep.c @@ -268,7 +268,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb) return -EOPNOTSUPP; } if (wake) - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); return 0; } @@ -389,7 +389,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb) case PNS_PIPE_ENABLED_IND: if (!pn_flow_safe(pn->tx_fc)) { atomic_set(&pn->tx_credits, 1); - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } if (sk->sk_state == TCP_ESTABLISHED) break; /* Nothing to do */ diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c index 23128ee..8c1642c 100644 --- a/net/sunrpc/svcsock.c +++ b/net/sunrpc/svcsock.c @@ -380,7 +380,7 @@ static void svc_sock_setbufsize(struct socket *sock, unsigned int snd, sock->sk->sk_sndbuf = snd * 2; sock->sk->sk_rcvbuf = rcv * 2; sock->sk->sk_userlocks |= SOCK_SNDBUF_LOCK|SOCK_RCVBUF_LOCK; - sock->sk->sk_write_space(sock->sk); + sock->sk->sk_write_space(sock->sk, 0); release_sock(sock->sk); #endif } @@ -405,7 +405,7 @@ static void svc_udp_data_ready(struct sock *sk, int count) /* * INET callback when space is newly available on the socket. */ -static void svc_write_space(struct sock *sk) +static void svc_write_space(struct sock *sk, unsigned int bias) { struct svc_sock *svsk = (struct svc_sock *)(sk->sk_user_data); @@ -422,13 +422,13 @@ static void svc_write_space(struct sock *sk) } } -static void svc_tcp_write_space(struct sock *sk) +static void svc_tcp_write_space(struct sock *sk, unsigned int bias) { struct socket *sock = sk->sk_socket; if (sk_stream_wspace(sk) >= sk_stream_min_wspace(sk) && sock) clear_bit(SOCK_NOSPACE, &sock->flags); - svc_write_space(sk); + svc_write_space(sk, bias); } /* diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index 83c73c4..11e4d35 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c @@ -262,7 +262,7 @@ struct sock_xprt { */ void (*old_data_ready)(struct sock *, int); void (*old_state_change)(struct sock *); - void (*old_write_space)(struct sock *); + void (*old_write_space)(struct sock *, unsigned int); void (*old_error_report)(struct sock *); }; @@ -1491,12 +1491,12 @@ static void xs_write_space(struct sock *sk) * progress, otherwise we'll waste resources thrashing kernel_sendmsg * with a bunch of small requests. */ -static void xs_udp_write_space(struct sock *sk) +static void xs_udp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); /* from net/core/sock.c:sock_def_write_space */ - if (sock_writeable(sk)) + if (sock_writeable_bias(sk, bias)) xs_write_space(sk); read_unlock(&sk->sk_callback_lock); @@ -1512,7 +1512,7 @@ static void xs_udp_write_space(struct sock *sk) * progress, otherwise we'll waste resources thrashing kernel_sendmsg * with a bunch of small requests. */ -static void xs_tcp_write_space(struct sock *sk) +static void xs_tcp_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); @@ -1535,7 +1535,7 @@ static void xs_udp_do_set_buffer_size(struct rpc_xprt *xprt) if (transport->sndsize) { sk->sk_userlocks |= SOCK_SNDBUF_LOCK; sk->sk_sndbuf = transport->sndsize * xprt->max_reqs * 2; - sk->sk_write_space(sk); + sk->sk_write_space(sk, 0); } } diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index fc3ebb9..9f90ead 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -306,15 +306,15 @@ found: return s; } -static inline int unix_writable(struct sock *sk) +static inline int unix_writable(struct sock *sk, unsigned int bias) { - return (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; + return ((atomic_read(&sk->sk_wmem_alloc) - bias) << 2) <= sk->sk_sndbuf; } -static void unix_write_space(struct sock *sk) +static void unix_write_space(struct sock *sk, unsigned int bias) { read_lock(&sk->sk_callback_lock); - if (unix_writable(sk)) { + if (unix_writable(sk, bias)) { if (sk_has_sleeper(sk)) wake_up_interruptible_sync(sk->sk_sleep); sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); @@ -2010,7 +2010,7 @@ static unsigned int unix_poll(struct file *file, struct socket *sock, poll_table * we set writable also when the other side has shut down the * connection. This prevents stuck sockets. */ - if (unix_writable(sk)) + if (unix_writable(sk, 0)) mask |= POLLOUT | POLLWRNORM | POLLWRBAND; return mask; @@ -2048,7 +2048,7 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, } /* writable? */ - writable = unix_writable(sk); + writable = unix_writable(sk, 0); if (writable) { other = unix_peer_get(sk); if (other) { ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-09 7:14 ` Jike Song (?) @ 2009-09-09 9:18 ` Eric Dumazet -1 siblings, 0 replies; 18+ messages in thread From: Eric Dumazet @ 2009-09-09 9:18 UTC (permalink / raw) To: Jike Song; +Cc: Linux Kernel Mailing List, netdev, David Miller, Parag Warudkar Jike Song a écrit : > On Wed, Sep 9, 2009 at 6:49 AM, Eric Dumazet<eric.dumazet@gmail.com> wrote: >> Eric Dumazet a écrit : >>> Jike Song a écrit : >>>> On Tue, Sep 8, 2009 at 3:38 PM, Eric Dumazet<eric.dumazet@gmail.com> wrote: >>>>> We decrement a refcnt while object already freed. >>>>> >>>>> (SLUB DEBUG poisons the zone with 0x6B pattern) >>>>> >>>>> You might add this patch to trigger a WARN_ON when refcnt >= 0x60000000U >>>>> in sk_free() : We'll see the path trying to delete an already freed sock >>>>> >>>>> diff --git a/net/core/sock.c b/net/core/sock.c >>>>> index 7633422..1cb85ff 100644 >>>>> --- a/net/core/sock.c >>>>> +++ b/net/core/sock.c >>>>> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >>>>> >>>>> void sk_free(struct sock *sk) >>>>> { >>>>> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >>>>> /* >>>>> * We substract one from sk_wmem_alloc and can know if >>>>> * some packets are still in some tx queue. >>>>> >>>>> >>>> The output of dmesg with this patch appllied is attached. >>>> >>>> >>> Unfortunatly this WARN_ON was not triggered, >>> maybe freeing comes from sock_wfree() >>> >>> Could you try this patch instead ? >>> >>> Thanks >>> >>> diff --git a/net/core/sock.c b/net/core/sock.c >>> index 7633422..30469dc 100644 >>> --- a/net/core/sock.c >>> +++ b/net/core/sock.c >>> @@ -1058,6 +1058,7 @@ static void __sk_free(struct sock *sk) >>> >>> void sk_free(struct sock *sk) >>> { >>> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >>> /* >>> * We substract one from sk_wmem_alloc and can know if >>> * some packets are still in some tx queue. >>> @@ -1220,6 +1221,7 @@ void sock_wfree(struct sk_buff *skb) >>> struct sock *sk = skb->sk; >>> int res; >>> >>> + WARN_ON(atomic_read(&sk->sk_wmem_alloc) >= 0x60000000U); >>> /* In case it might be waiting for more memory. */ >>> res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); >>> if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) >>> >> >> David, I believe problem could come from a race in sock_wfree() >> >> It used to have two atomic ops. >> >> One doing the atomic_sub(skb->truesize, &sk->sk_wmem_alloc); >> then one sock_put() doing the atomic_dec_and_test(&sk->sk_refcnt) >> >> Now, if two cpus are both : >> >> CPU 1 calling sock_wfree() >> CPU 2 calling the 'final' sock_put(), >> CPU 1 doing sock_wfree() might call sk->sk_write_space(sk) >> while CPU 2 is already freeing the socket. >> >> >> Please note I did not test this patch, its very late here and I should get some sleep now... >> >> Thanks >> >> [PATCH] net: Fix sock_wfree() race >> >> Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 >> (net: No more expensive sock_hold()/sock_put() on each tx) >> opens a window in sock_wfree() where another cpu >> might free the socket we are working on. >> >> Fix is to call sk->sk_write_space(sk) only >> while still holding a reference on sk. >> >> Since doing this call is done before the >> atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as >> a bias for possible sk_wmem_alloc evaluations. >> >> Reported-by: Jike Song <albcamus@gmail.com> >> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> > > Eric, I'm unable to apply this patch neatly. I applied it by hand, > and did some change necessary. This patch for test is attached. > > With this patch applied, when run vncviewer, the kerneloops service > still reports kernel failure. But I can't see any in dmesg output. > > Sorry this was a patch against net-next-2.6 We probably can do something less intrusive for linux-2.6.31 [PATCH] net: Fix sock_wfree() race Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) opens a window in sock_wfree() where another cpu might free the socket we are working on. A possible fix is to call sk->sk_write_space(sk) only while still holding a reference on sk. Reported-by: Jike Song <albcamus@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> --- diff --git a/net/core/sock.c b/net/core/sock.c index 7633422..aba5cd0 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1220,10 +1220,12 @@ void sock_wfree(struct sk_buff *skb) struct sock *sk = skb->sk; int res; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); - if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) + if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { + atomic_sub(skb->truesize - 1, &sk->sk_wmem_alloc); sk->sk_write_space(sk); + res = atomic_sub_return(1, &sk->sk_wmem_alloc); + } else + res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); /* * if sk_wmem_alloc reached 0, we are last user and should * free this sock, as sk_free() call could not do it. ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-08 22:49 ` [PATCH] net: Fix sock_wfree() race Eric Dumazet 2009-09-09 7:14 ` Jike Song @ 2009-09-11 18:43 ` David Miller 2009-09-11 19:52 ` David Miller 1 sibling, 1 reply; 18+ messages in thread From: David Miller @ 2009-09-11 18:43 UTC (permalink / raw) To: eric.dumazet; +Cc: albcamus, parag.lkml, linux-kernel, netdev From: Eric Dumazet <eric.dumazet@gmail.com> Date: Wed, 09 Sep 2009 00:49:31 +0200 > [PATCH] net: Fix sock_wfree() race > > Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 > (net: No more expensive sock_hold()/sock_put() on each tx) > opens a window in sock_wfree() where another cpu > might free the socket we are working on. > > Fix is to call sk->sk_write_space(sk) only > while still holding a reference on sk. > > Since doing this call is done before the > atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as > a bias for possible sk_wmem_alloc evaluations. > > Reported-by: Jike Song <albcamus@gmail.com> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Applied to net-next-2.6, thanks. I'll queue up your simpler version for -stable. BTW, if most if not all of the sock_writeable() calls are now sock_writeable_bias(), it's probably better to just add the bias argument to sock_writable(). And a quick grep shows that only a few plain sock_writeable() calls remain in the less often used protocols. ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-11 18:43 ` David Miller @ 2009-09-11 19:52 ` David Miller 2009-09-23 13:44 ` Eric Dumazet 0 siblings, 1 reply; 18+ messages in thread From: David Miller @ 2009-09-11 19:52 UTC (permalink / raw) To: eric.dumazet; +Cc: albcamus, parag.lkml, linux-kernel, netdev From: David Miller <davem@davemloft.net> Date: Fri, 11 Sep 2009 11:43:37 -0700 (PDT) > From: Eric Dumazet <eric.dumazet@gmail.com> > Date: Wed, 09 Sep 2009 00:49:31 +0200 > >> [PATCH] net: Fix sock_wfree() race >> >> Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 >> (net: No more expensive sock_hold()/sock_put() on each tx) >> opens a window in sock_wfree() where another cpu >> might free the socket we are working on. >> >> Fix is to call sk->sk_write_space(sk) only >> while still holding a reference on sk. >> >> Since doing this call is done before the >> atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as >> a bias for possible sk_wmem_alloc evaluations. >> >> Reported-by: Jike Song <albcamus@gmail.com> >> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> > > Applied to net-next-2.6, thanks. I'll queue up your simpler > version for -stable. Eric, I have to revert, as you didn't update the callbacks of several protocols such as SCTP and RDS in this change. Let me know when you have a fixed version of this patch :-) ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-11 19:52 ` David Miller @ 2009-09-23 13:44 ` Eric Dumazet 2009-09-24 20:07 ` Jarek Poplawski 0 siblings, 1 reply; 18+ messages in thread From: Eric Dumazet @ 2009-09-23 13:44 UTC (permalink / raw) To: David Miller; +Cc: albcamus, parag.lkml, linux-kernel, netdev David Miller a écrit : > From: David Miller <davem@davemloft.net> > Date: Fri, 11 Sep 2009 11:43:37 -0700 (PDT) > >> From: Eric Dumazet <eric.dumazet@gmail.com> >> Date: Wed, 09 Sep 2009 00:49:31 +0200 >> >>> [PATCH] net: Fix sock_wfree() race >>> >>> Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 >>> (net: No more expensive sock_hold()/sock_put() on each tx) >>> opens a window in sock_wfree() where another cpu >>> might free the socket we are working on. >>> >>> Fix is to call sk->sk_write_space(sk) only >>> while still holding a reference on sk. >>> >>> Since doing this call is done before the >>> atomic_sub(truesize, &sk->sk_wmem_alloc), we should pass truesize as >>> a bias for possible sk_wmem_alloc evaluations. >>> >>> Reported-by: Jike Song <albcamus@gmail.com> >>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> >> Applied to net-next-2.6, thanks. I'll queue up your simpler >> version for -stable. > > Eric, I have to revert, as you didn't update the callbacks > of several protocols such as SCTP and RDS in this change. > > Let me know when you have a fixed version of this patch :-) Sorry for the delay David. But this is complex. I am not sure we can do a clean and safe thing, not counting the added bloat. If we do : void sock_wfree(struct sk_buff *skb) { struct sock *sk = skb->sk; int res; if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) sk->sk_write_space(sk, skb->truesize); res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); /* * if sk_wmem_alloc reached 0, we are last user and should * free this sock, as sk_free() call could not do it. */ if (res == 0) __sk_free(sk); } There is still a possibility multiple cpus call sock_wfree() for the same socket, and that they all call sk_write_space() with their bias, yet the protocol still has a possible too big estimation of sk_wmem_alloc We could miss to wakeup a blocked writer in case low sk->sk_sndbuf values are setup. (One could argue that with small sk_sndbuf values we should not have many packets in flight : Keep in mind sk_sndbuf can be lowered by the user) With second patch we instead have : void sock_wfree(struct sk_buff *skb) { struct sock *sk = skb->sk; unsigned int len = skb->truesize; if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { /* * Keep a reference on sk_wmem_alloc, this will be released * after sk_write_space() call */ atomic_sub(len - 1, &sk->sk_wmem_alloc); sk->sk_write_space(sk); len = 1; } /* * if sk_wmem_alloc reaches 0, we must finish what sk_free() * could not do because of in-flight packets */ if (atomic_sub_return(len, &sk->sk_wmem_alloc) == 0) __sk_free(sk); } The accumulated transient error on sk_wmem_alloc is then < num_online_cpus(), that should be OK even for very small sk_sndbuf values. Of course TCP doesnt have to pay the price of sk_write_space() and the second atomic operation re-added by this fix. Here is the patch for reference : [PATCH] net: Fix sock_wfree() race Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) opens a window in sock_wfree() where another cpu might free the socket we are working on. A fix is to call sk->sk_write_space(sk) while still holding a reference on sk. Reported-by: Jike Song <albcamus@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> --- net/core/sock.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 30d5446..e1f034e 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1228,17 +1228,22 @@ void __init sk_init(void) void sock_wfree(struct sk_buff *skb) { struct sock *sk = skb->sk; - int res; + unsigned int len = skb->truesize; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); - if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) + if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { + /* + * Keep a reference on sk_wmem_alloc, this will be released + * after sk_write_space() call + */ + atomic_sub(len - 1, &sk->sk_wmem_alloc); sk->sk_write_space(sk); + len = 1; + } /* - * if sk_wmem_alloc reached 0, we are last user and should - * free this sock, as sk_free() call could not do it. + * if sk_wmem_alloc reaches 0, we must finish what sk_free() + * could not do because of in-flight packets */ - if (res == 0) + if (atomic_sub_return(len, &sk->sk_wmem_alloc) == 0) __sk_free(sk); } EXPORT_SYMBOL(sock_wfree); ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-23 13:44 ` Eric Dumazet @ 2009-09-24 20:07 ` Jarek Poplawski 2009-09-24 20:49 ` Eric Dumazet 0 siblings, 1 reply; 18+ messages in thread From: Jarek Poplawski @ 2009-09-24 20:07 UTC (permalink / raw) To: Eric Dumazet; +Cc: David Miller, albcamus, parag.lkml, linux-kernel, netdev Eric Dumazet wrote, On 09/23/2009 03:44 PM: ... > Here is the patch for reference : > > [PATCH] net: Fix sock_wfree() race > > Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 > (net: No more expensive sock_hold()/sock_put() on each tx) > opens a window in sock_wfree() where another cpu > might free the socket we are working on. > > A fix is to call sk->sk_write_space(sk) while still > holding a reference on sk. > > > Reported-by: Jike Song <albcamus@gmail.com> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> > --- > net/core/sock.c | 19 ++++++++++++------- > 1 files changed, 12 insertions(+), 7 deletions(-) > > diff --git a/net/core/sock.c b/net/core/sock.c > index 30d5446..e1f034e 100644 > --- a/net/core/sock.c > +++ b/net/core/sock.c > @@ -1228,17 +1228,22 @@ void __init sk_init(void) > void sock_wfree(struct sk_buff *skb) > { > struct sock *sk = skb->sk; > - int res; > + unsigned int len = skb->truesize; > > - /* In case it might be waiting for more memory. */ > - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); > - if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) > + if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { > + /* > + * Keep a reference on sk_wmem_alloc, this will be released > + * after sk_write_space() call > + */ > + atomic_sub(len - 1, &sk->sk_wmem_alloc); > sk->sk_write_space(sk); > + len = 1; > + } > /* > - * if sk_wmem_alloc reached 0, we are last user and should > - * free this sock, as sk_free() call could not do it. > + * if sk_wmem_alloc reaches 0, we must finish what sk_free() > + * could not do because of in-flight packets > */ > - if (res == 0) > + if (atomic_sub_return(len, &sk->sk_wmem_alloc) == 0) > __sk_free(sk); Probably atomic_sub_and_test() is more popular for this. Jarek P. > } > EXPORT_SYMBOL(sock_wfree); > > -- > To unsubscribe from this list: send the line "unsubscribe netdev" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-24 20:07 ` Jarek Poplawski @ 2009-09-24 20:49 ` Eric Dumazet 2009-09-30 23:23 ` David Miller 0 siblings, 1 reply; 18+ messages in thread From: Eric Dumazet @ 2009-09-24 20:49 UTC (permalink / raw) To: Jarek Poplawski; +Cc: David Miller, albcamus, parag.lkml, linux-kernel, netdev Jarek Poplawski a écrit : > Eric Dumazet wrote, On 09/23/2009 03:44 PM: > > ... >> Here is the patch for reference : >> >> [PATCH] net: Fix sock_wfree() race >> >> Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 >> (net: No more expensive sock_hold()/sock_put() on each tx) >> opens a window in sock_wfree() where another cpu >> might free the socket we are working on. >> >> A fix is to call sk->sk_write_space(sk) while still >> holding a reference on sk. >> >> >> Reported-by: Jike Song <albcamus@gmail.com> >> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> >> --- >> net/core/sock.c | 19 ++++++++++++------- >> 1 files changed, 12 insertions(+), 7 deletions(-) >> >> diff --git a/net/core/sock.c b/net/core/sock.c >> index 30d5446..e1f034e 100644 >> --- a/net/core/sock.c >> +++ b/net/core/sock.c >> @@ -1228,17 +1228,22 @@ void __init sk_init(void) >> void sock_wfree(struct sk_buff *skb) >> { >> struct sock *sk = skb->sk; >> - int res; >> + unsigned int len = skb->truesize; >> >> - /* In case it might be waiting for more memory. */ >> - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); >> - if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) >> + if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { >> + /* >> + * Keep a reference on sk_wmem_alloc, this will be released >> + * after sk_write_space() call >> + */ >> + atomic_sub(len - 1, &sk->sk_wmem_alloc); >> sk->sk_write_space(sk); >> + len = 1; >> + } >> /* >> - * if sk_wmem_alloc reached 0, we are last user and should >> - * free this sock, as sk_free() call could not do it. >> + * if sk_wmem_alloc reaches 0, we must finish what sk_free() >> + * could not do because of in-flight packets >> */ >> - if (res == 0) >> + if (atomic_sub_return(len, &sk->sk_wmem_alloc) == 0) >> __sk_free(sk); > > > Probably atomic_sub_and_test() is more popular for this. Indeed, as x86 can generate faster code (no need of xadd instruction) Thanks Jarek [PATCH] net: Fix sock_wfree() race Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) opens a window in sock_wfree() where another cpu might free the socket we are working on. A fix is to call sk->sk_write_space(sk) while still holding a reference on sk. Reported-by: Jike Song <albcamus@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> --- net/core/sock.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 30d5446..e1f034e 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1228,17 +1228,22 @@ void __init sk_init(void) void sock_wfree(struct sk_buff *skb) { struct sock *sk = skb->sk; - int res; + unsigned int len = skb->truesize; - /* In case it might be waiting for more memory. */ - res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc); - if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) + if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) { + /* + * Keep a reference on sk_wmem_alloc, this will be released + * after sk_write_space() call + */ + atomic_sub(len - 1, &sk->sk_wmem_alloc); sk->sk_write_space(sk); + len = 1; + } /* - * if sk_wmem_alloc reached 0, we are last user and should - * free this sock, as sk_free() call could not do it. + * if sk_wmem_alloc reaches 0, we must finish what sk_free() + * could not do because of in-flight packets */ - if (res == 0) + if (atomic_sub_and_test(len, &sk->sk_wmem_alloc)) __sk_free(sk); } EXPORT_SYMBOL(sock_wfree); ^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [PATCH] net: Fix sock_wfree() race 2009-09-24 20:49 ` Eric Dumazet @ 2009-09-30 23:23 ` David Miller 0 siblings, 0 replies; 18+ messages in thread From: David Miller @ 2009-09-30 23:23 UTC (permalink / raw) To: eric.dumazet; +Cc: jarkao2, albcamus, parag.lkml, linux-kernel, netdev From: Eric Dumazet <eric.dumazet@gmail.com> Date: Thu, 24 Sep 2009 22:49:24 +0200 > [PATCH] net: Fix sock_wfree() race > > Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 > (net: No more expensive sock_hold()/sock_put() on each tx) > opens a window in sock_wfree() where another cpu > might free the socket we are working on. > > A fix is to call sk->sk_write_space(sk) while still > holding a reference on sk. > > > Reported-by: Jike Song <albcamus@gmail.com> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Applied to net-2.6 and I'll queue this up for -stable. Thanks! ^ permalink raw reply [flat|nested] 18+ messages in thread
* BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53
@ 2009-08-27 8:45 Jike Song
2009-09-08 2:23 ` Jike Song
0 siblings, 1 reply; 18+ messages in thread
From: Jike Song @ 2009-08-27 8:45 UTC (permalink / raw)
To: Linux Kernel Mailing List
hi, I hit this with vnc. Below is part of dmesg :
general protection fault: 0000 [#1] SMP
last sysfs file: /sys/devices/virtual/tty/tty9/uevent
CPU 1
Modules linked in: fuse ipv6 cpufreq_ondemand acpi_cpufreq freq_table
dm_multipath uinput snd_hda_codec_atihdmi snd_hda_codec_realtek radeon
snd_hda_intel btusb bluetooth snd_hda_codec snd_hwdep ttm drm snd_pcm
snd_timer usb_storage snd i2c_i801 i2c_algo_bit e1000e soundcore
pcspkr i2c_core firewire_ohci firewire_core crc_itu_t dcdbas serio_raw
snd_page_alloc joydev iTCO_wdt iTCO_vendor_support ata_generic
pata_acpi [last unloaded: microcode]
Pid: 2663, comm: gvfsd-trash Not tainted 2.6.31-rc6-00223-g6c30c53 #1
Studio XPS 435MT
RIP: 0010:[<ffffffff814f89fa>] [<ffffffff814f89fa>] unix_write_space+0x52/0x9d
RSP: 0018:ffff88019b3a7c48 EFLAGS: 00010202
RAX: 6b6b6b6b6b6b6bab RBX: ffff88019150a080 RCX: ffffffff814f89d9
RDX: ffff8800323f0500 RSI: ffffffff814f89d9 RDI: 6b6b6b6b6b6b6b6b
RBP: ffff88019b3a7c68 R08: ffff88019b11abb0 R09: 0000000000000000
R10: ffffffff81dfb3f0 R11: 0000000000000000 R12: ffff88019150a3a8
R13: 0000000000000139 R14: ffff88018edc7401 R15: ffff880194842140
FS: 00007f65e4dbb790(0000) GS:ffff8800323df000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000f1a020 CR3: 000000019b038000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process gvfsd-trash (pid: 2663, threadinfo ffff88019b3a6000, task
ffff88019b11a3f0)
Stack:
ffff88019b3a7c58 00000000a3909618 ffff88019150a080 00000000fffffec8
<0> ffff88019b3a7ca8 ffffffff8145bc76 ffff880191508190 00000000a3909618
<0> ffff88019b3a7cb8 ffff880194842140 0000000000000000 ffffffff814f8e4b
Call Trace:
[<ffffffff8145bc76>] sock_wfree+0x55/0x86
[<ffffffff814f8e4b>] ? unix_release_sock+0x1cd/0x23f
[<ffffffff814601e0>] skb_release_head_state+0x89/0xfd
[<ffffffff8145fea3>] __kfree_skb+0x25/0xa7
[<ffffffff8145fff4>] kfree_skb+0x79/0x98
[<ffffffff814f8e4b>] unix_release_sock+0x1cd/0x23f
[<ffffffff814f8e43>] unix_release_sock+0x1c5/0x23f
[<ffffffff814f8ef4>] unix_release+0x37/0x4d
[<ffffffff814579f6>] sock_release+0x32/0x98
[<ffffffff81457a94>] sock_close+0x38/0x50
[<ffffffff8113c92b>] __fput+0x137/0x1f8
[<ffffffff8113ca19>] fput+0x2d/0x43
[<ffffffff81138c14>] filp_close+0x77/0x97
[<ffffffff81138cf4>] sys_close+0xc0/0x110
[<ffffffff81012f02>] system_call_fastpath+0x16/0x1b
Code: 31 c0 4c 89 e7 e8 99 77 03 00 8b 83 84 01 00 00 c1 e0 02 3b 83
8c 01 00 00 7f 37 48 8b bb 20 01 00 00 48 85 ff 74 19 48 8d 47 40 <48>
39 47 40 74 0f ba 01 00 00 00 be 01 00 00 00 e8 ab 81 b5 ff
RIP [<ffffffff814f89fa>] unix_write_space+0x52/0x9d
RSP <ffff88019b3a7c48>
---[ end trace 1fa193deb8611c3d ]---
=============================================================================
BUG UNIX: Poison overwritten
-----------------------------------------------------------------------------
INFO: 0xffff88019150a3a8-0xffff88019150a3e7. First byte 0x6a instead of 0x6b
INFO: Allocated in sk_prot_alloc+0x48/0x111 age=192 cpu=4 pid=3562
INFO: Freed in __sk_free+0xe8/0x119 age=191 cpu=4 pid=3562
INFO: Slab 0xffffea000a308b40 objects=19 used=6 fp=0xffff88019150a080
flags=0x400000000040c3
INFO: Object 0xffff88019150a080 @offset=8320 fp=0xffff88019150ad80
Bytes b4 0xffff88019150a070: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a ZZZZZZZZZZZZZZZZ
Object 0xffff88019150a080: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a090: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a0a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a0b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a0c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a0d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a0e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a0f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a110: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a120: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a130: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a140: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a150: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a160: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a170: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a180: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a190: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a1a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a1b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a1c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a1d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a1e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a1f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a200: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a210: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a220: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a230: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a240: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a250: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a270: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a280: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a290: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a2a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a2b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a2c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a2d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a2e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a2f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a300: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a310: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a320: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a330: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a340: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a350: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a360: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a370: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a380: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a390: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a3a0: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b
6b 6b 6b kkkkkkkkjkkkkkkk
Object 0xffff88019150a3b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a3c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a3d0: 6b 6b 6b 6b 6b 6b 6b 6b 01 00 00 00 6b
6b 6b 6b kkkkkkkk....kkkk
Object 0xffff88019150a3e0: d9 89 4f 81 ff ff ff ff 6b 6b 6b 6b 6b
6b 6b 6b Ù.O.ÿÿÿÿkkkkkkkk
Object 0xffff88019150a3f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a400: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a410: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a420: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a430: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a440: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a450: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a460: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a470: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a480: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a490: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a4a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a4b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a4c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a4d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a4e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a4f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a500: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a510: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a520: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a530: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a540: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a550: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a560: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a570: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a580: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a590: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a5a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a5b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a5c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a5d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a5e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a5f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a640: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a650: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a660: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88019150a670: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
6b 6b a5 kkkkkkkkkkkkkkk¥
Redzone 0xffff88019150a680: bb bb bb bb bb bb bb bb
»»»»»»»»
Padding 0xffff88019150a6c0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding 0xffff88019150a6d0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding 0xffff88019150a6e0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a ZZZZZZZZZZZZZZZZ
Padding 0xffff88019150a6f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a ZZZZZZZZZZZZZZZZ
Pid: 3627, comm: gvfsd-trash Tainted: G D 2.6.31-rc6-00223-g6c30c53 #1
Call Trace:
[<ffffffff8112c651>] print_trailer+0x153/0x174
[<ffffffff8112cc89>] check_bytes_and_report+0xc9/0x10e
[<ffffffff8112cda7>] check_object+0xd9/0x1d3
[<ffffffff8112f1d3>] __slab_alloc+0x332/0x3f0
[<ffffffff8145c060>] ? sk_prot_alloc+0x48/0x111
[<ffffffff8112f50d>] kmem_cache_alloc+0xcb/0x18a
[<ffffffff8145c060>] ? sk_prot_alloc+0x48/0x111
[<ffffffff8145c060>] sk_prot_alloc+0x48/0x111
[<ffffffff811512f1>] ? new_inode+0x43/0x99
[<ffffffff8145c22a>] sk_alloc+0x3d/0x88
[<ffffffff814f92e8>] unix_create1+0x5e/0x1a3
[<ffffffff814f94a5>] unix_create+0x78/0x97
[<ffffffff81457c4d>] __sock_create+0x1a1/0x270
[<ffffffff81457bb7>] ? __sock_create+0x10b/0x270
[<ffffffff81457dac>] sock_create+0x43/0x59
[<ffffffff8145802f>] sys_socket+0x3a/0x7f
[<ffffffff81012f02>] system_call_fastpath+0x16/0x1b
FIX UNIX: Restoring 0xffff88019150a3a8-0xffff88019150a3e7=0x6b
FIX UNIX: Marking all objects used
general protection fault: 0000 [#2] SMP
last sysfs file: /sys/devices/virtual/tty/tty9/uevent
CPU 1
Modules linked in: fuse ipv6 cpufreq_ondemand acpi_cpufreq freq_table
dm_multipath uinput snd_hda_codec_atihdmi snd_hda_codec_realtek radeon
snd_hda_intel btusb bluetooth snd_hda_codec snd_hwdep ttm drm snd_pcm
snd_timer usb_storage snd i2c_i801 i2c_algo_bit e1000e soundcore
pcspkr i2c_core firewire_ohci firewire_core crc_itu_t dcdbas serio_raw
snd_page_alloc joydev iTCO_wdt iTCO_vendor_support ata_generic
pata_acpi [last unloaded: microcode]
Pid: 3627, comm: gvfsd-trash Tainted: G D
2.6.31-rc6-00223-g6c30c53 #1 Studio XPS 435MT
RIP: 0010:[<ffffffff814f89fa>] [<ffffffff814f89fa>] unix_write_space+0x52/0x9d
RSP: 0018:ffff88018c795c48 EFLAGS: 00010202
RAX: 6b6b6b6b6b6b6bab RBX: ffff8801854ece00 RCX: ffffffff814f89d9
RDX: 0000000000000000 RSI: ffff8801854ed140 RDI: 6b6b6b6b6b6b6b6b
RBP: ffff88018c795c68 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801854ed128
R13: 0000000000000139 R14: ffff88018ec18a01 R15: ffff8801a9896280
FS: 00007f3715d90790(0000) GS:ffff8800323df000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001d0f0e8 CR3: 000000018c4af000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process gvfsd-trash (pid: 3627, threadinfo ffff88018c794000, task
ffff8801b4c20000)
Stack:
ffff88018c795cb8 00000000e5f5a36f ffff8801854ece00 00000000fffffec8
<0> ffff88018c795ca8 ffffffff8145bc76 ffff88018c795cd8 00000000e5f5a36f
<0> ffff88018c795cb8 ffff8801a9896280 0000000000000000 ffffffff814f8e4b
Call Trace:
[<ffffffff8145bc76>] sock_wfree+0x55/0x86
[<ffffffff814f8e4b>] ? unix_release_sock+0x1cd/0x23f
[<ffffffff814601e0>] skb_release_head_state+0x89/0xfd
[<ffffffff8145fea3>] __kfree_skb+0x25/0xa7
[<ffffffff8145fff4>] kfree_skb+0x79/0x98
[<ffffffff814f8e4b>] unix_release_sock+0x1cd/0x23f
[<ffffffff814f8e43>] unix_release_sock+0x1c5/0x23f
[<ffffffff814f8ef4>] unix_release+0x37/0x4d
[<ffffffff814579f6>] sock_release+0x32/0x98
[<ffffffff81457a94>] sock_close+0x38/0x50
[<ffffffff8113c92b>] __fput+0x137/0x1f8
[<ffffffff81138c7a>] ? sys_close+0x46/0x110
[<ffffffff8113ca19>] fput+0x2d/0x43
[<ffffffff81138c14>] filp_close+0x77/0x97
[<ffffffff81138cf4>] sys_close+0xc0/0x110
[<ffffffff81012f02>] system_call_fastpath+0x16/0x1b
Code: 31 c0 4c 89 e7 e8 99 77 03 00 8b 83 84 01 00 00 c1 e0 02 3b 83
8c 01 00 00 7f 37 48 8b bb 20 01 00 00 48 85 ff 74 19 48 8d 47 40 <48>
39 47 40 74 0f ba 01 00 00 00 be 01 00 00 00 e8 ab 81 b5 ff
RIP [<ffffffff814f89fa>] unix_write_space+0x52/0x9d
RSP <ffff88018c795c48>
---[ end trace 1fa193deb8611c3e ]---
^ permalink raw reply [flat|nested] 18+ messages in thread* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 2009-08-27 8:45 BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 Jike Song @ 2009-09-08 2:23 ` Jike Song 2009-09-08 3:23 ` Eric Dumazet 0 siblings, 1 reply; 18+ messages in thread From: Jike Song @ 2009-09-08 2:23 UTC (permalink / raw) To: Linux Kernel Mailing List On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@gmail.com> wrote: > hi, I hit this with vnc. Below is part of dmesg : Still producible in 2.6.31-rc9, anybody helps? -- Thanks, Jike ^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 2009-09-08 2:23 ` Jike Song @ 2009-09-08 3:23 ` Eric Dumazet 0 siblings, 0 replies; 18+ messages in thread From: Eric Dumazet @ 2009-09-08 3:23 UTC (permalink / raw) To: Jike Song; +Cc: Linux Kernel Mailing List Jike Song a écrit : > On Thu, Aug 27, 2009 at 4:45 PM, Jike Song<albcamus@gmail.com> wrote: >> hi, I hit this with vnc. Below is part of dmesg : > > Still producible in 2.6.31-rc9, anybody helps? > > How is it triggered ? Is it reproductible ? Please send a new report to netdev@vger.kernel.org, where some people might help. Thanks ^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2009-09-30 23:22 UTC | newest] Thread overview: 18+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-09-08 3:56 BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 Parag Warudkar 2009-09-08 4:51 ` Jike Song 2009-09-08 7:38 ` Eric Dumazet 2009-09-08 8:09 ` Jike Song 2009-09-08 12:12 ` Eric Dumazet 2009-09-08 22:49 ` [PATCH] net: Fix sock_wfree() race Eric Dumazet 2009-09-09 7:14 ` Jike Song 2009-09-09 7:14 ` Jike Song 2009-09-09 9:18 ` Eric Dumazet 2009-09-11 18:43 ` David Miller 2009-09-11 19:52 ` David Miller 2009-09-23 13:44 ` Eric Dumazet 2009-09-24 20:07 ` Jarek Poplawski 2009-09-24 20:49 ` Eric Dumazet 2009-09-30 23:23 ` David Miller -- strict thread matches above, loose matches on Subject: below -- 2009-08-27 8:45 BUG UNIX: Poison overwritten with 2.6.31-rc6-00223-g6c30c53 Jike Song 2009-09-08 2:23 ` Jike Song 2009-09-08 3:23 ` Eric Dumazet
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.