From: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
To: Konrad Rzeszutek Wilk <konrad@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Dave Jones <davej@redhat.com>,
Linux Kernel <linux-kernel@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Srivatsa Vaddagiri <vatsa@linux.vnet.ibm.com>,
Suzuki Poulose <suzuki@in.ibm.com>
Subject: Re: 3.6rc6 slab corruption.
Date: Thu, 20 Sep 2012 18:25:51 +0530 [thread overview]
Message-ID: <505B1257.5060702@linux.vnet.ibm.com> (raw)
In-Reply-To: <20120919191652.GA14631@phenom.dumpdata.com>
On 09/20/2012 12:46 AM, Konrad Rzeszutek Wilk wrote:
> On Tue, Sep 18, 2012 at 01:49:52PM -0700, Linus Torvalds wrote:
>> On Tue, Sep 18, 2012 at 1:37 PM, Konrad Rzeszutek Wilk
>> <konrad.wilk@oracle.com> wrote:
>>>
>>> 30 words. ~360 + 29 spaces + NULL = 390?
>>
>> Just allocate the max then. That's tiny.
>>
>> And it's actually just 330: max ten characters for an unsigned 32-bit number.
>
> Linus,
> Could you take a look at these two patches to see if I missed anything?
> Thank you.
>
>> From 0806b133b5b28081adf23d0d04a99636ed3b861b Mon Sep 17 00:00:00 2001
> From: Konrad Rzeszutek Wilk<konrad.wilk@oracle.com>
> Date: Wed, 19 Sep 2012 11:23:01 -0400
> Subject: [PATCH 1/2] debugfs: Add lock for u32_array_read
>
> Dave Jones spotted that the u32_array_read was doing something funny:
>
> =============================================================================
> BUG kmalloc-64 (Not tainted): Redzone overwritten
> -----------------------------------------------------------------------------
>
> INFO: 0xffff88001f4b4970-0xffff88001f4b4977. First byte 0xbb instead of 0xcc
> INFO: Allocated in u32_array_read+0xd1/0x110 age=0 cpu=6 pid=32767
> __slab_alloc+0x516/0x5a5
> __kmalloc+0x213/0x2c0
> u32_array_read+0xd1/0x110
> .. snip..
> INFO: Freed in u32_array_read+0x99/0x110 age=0 cpu=0 pid=32749
> __slab_free+0x3f/0x3bf
> kfree+0x2d5/0x310
> u32_array_read+0x99/0x110
>
> Linus tracked it down and found out that "debugfs is racy for that case
> [read calls in parallel on the debugfs]. At least the file->private_data
> accesses are, for the case of that "u32_array" case.
>
> In fact it is racy in ... the whole "file->private_data" access ..
> If you have multiple readers on the same file, the whole
>
> if (file->private_data) {
> kfree(file->private_data);
> file->private_data = NULL;
> }
>
> file->private_data = format_array_alloc("%u", data->array,
> data->elements);
>
> thing is just a disaster waiting to happen." He suggested
> putting a lock which this patch does.
>
> The consequence of this is that it will trigger more spinlock usage,
> as this particular debugfs is used to provide a histogram of spinlock
> contention. But memory corruption is a worst offender then that.
>
> Reported-by: Dave Jones<davej@redhat.com>
> Suggested-by: Linus Torvalds<torvalds@linux-foundation.org>
Tested-by: Raghavendra <raghavendra.kt@linux.vnet.ibm.com>
> ---
> fs/debugfs/file.c | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
> index 2340f69..c6d9088 100644
> --- a/fs/debugfs/file.c
> +++ b/fs/debugfs/file.c
> @@ -524,6 +524,7 @@ EXPORT_SYMBOL_GPL(debugfs_create_blob);
> struct array_data {
> void *array;
> u32 elements;
> + struct mutex lock;
> };
>
> static int u32_array_open(struct inode *inode, struct file *file)
> @@ -580,6 +581,7 @@ static ssize_t u32_array_read(struct file *file, char __user *buf, size_t len,
> struct array_data *data = inode->i_private;
> size_t size;
>
> + mutex_lock(&data->lock);
> if (*ppos == 0) {
> if (file->private_data) {
> kfree(file->private_data);
> @@ -594,8 +596,10 @@ static ssize_t u32_array_read(struct file *file, char __user *buf, size_t len,
> if (file->private_data)
> size = strlen(file->private_data);
>
> - return simple_read_from_buffer(buf, len, ppos,
> + size = simple_read_from_buffer(buf, len, ppos,
> file->private_data, size);
> + mutex_unlock(&data->lock);
> + return size;
> }
>
> static int u32_array_release(struct inode *inode, struct file *file)
> @@ -643,6 +647,7 @@ struct dentry *debugfs_create_u32_array(const char *name, umode_t mode,
>
> data->array = array;
> data->elements = elements;
> + mutex_init(&data->lock);
>
> return debugfs_create_file(name, mode, parent, data,&u32_array_fops);
> }
I was also able to reproduce the problem with pthread usage and
David's msleep trick.
[ 65.438698] BUG kmalloc-96 (Not tainted): Object already free
[ 65.534572] BUG kmalloc-96 (Not tainted): Poison overwritten
[ 2488.195923] BUG kmalloc-96 (Not tainted): Redzone overwritten
all the above BUG without David's array allocation in open patch
and Konrad's mutex patch.
(Both the patches tested separately)
prev parent reply other threads:[~2012-09-20 12:59 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-18 14:35 3.6rc6 slab corruption Dave Jones
2012-09-18 18:38 ` Linus Torvalds
2012-09-18 18:53 ` Dave Jones
2012-09-19 14:00 ` Raghavendra K T
2012-09-19 17:09 ` Linus Torvalds
2012-09-19 21:27 ` David Rientjes
2012-09-19 21:41 ` Dave Jones
2012-09-18 19:23 ` Konrad Rzeszutek Wilk
2012-09-18 20:24 ` David Rientjes
2012-09-18 20:31 ` Konrad Rzeszutek Wilk
2012-09-18 20:36 ` Linus Torvalds
2012-09-19 0:57 ` Raghavendra K T
2012-09-18 20:35 ` Linus Torvalds
2012-09-18 20:37 ` Konrad Rzeszutek Wilk
2012-09-18 20:49 ` Linus Torvalds
2012-09-19 1:16 ` Raghavendra K T
2012-09-19 19:16 ` Konrad Rzeszutek Wilk
2012-09-19 21:29 ` David Rientjes
2012-09-19 21:49 ` David Rientjes
2012-09-19 23:01 ` Linus Torvalds
2012-09-19 23:20 ` David Rientjes
2012-09-20 21:14 ` Konrad Rzeszutek Wilk
2012-09-20 2:29 ` Raghavendra K T
2012-09-20 2:46 ` David Rientjes
2012-09-20 2:55 ` Raghavendra K T
2012-09-20 21:18 ` Konrad Rzeszutek Wilk
2012-09-21 9:16 ` [patch for-3.6] fs, debugfs: fix race in u32_array_read and allocate array at open David Rientjes
2012-09-21 10:22 ` Raghavendra K T
2012-09-24 22:26 ` David Rientjes
2012-09-25 2:54 ` Raghavendra K T
2012-09-20 12:57 ` 3.6rc6 slab corruption Raghavendra K T
2012-09-20 21:18 ` Konrad Rzeszutek Wilk
2012-09-20 12:55 ` Raghavendra K T [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=505B1257.5060702@linux.vnet.ibm.com \
--to=raghavendra.kt@linux.vnet.ibm.com \
--cc=davej@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=konrad.wilk@oracle.com \
--cc=konrad@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=suzuki@in.ibm.com \
--cc=torvalds@linux-foundation.org \
--cc=vatsa@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.