From: "Shawn Starr" <spstarr@sh0n.net>
To: "Andrew Morton" <akpm@digeo.com>
Cc: <rml@tech9.net>, <linux-kernel@vger.kernel.org>
Subject: Re: [OOPS][2.5.66bk3+] run_timer_softirq - IRQ Mishandlings
Date: Sat, 29 Mar 2003 17:34:04 -0500 [thread overview]
Message-ID: <007601c2f643$4e222ee0$030aa8c0@unknown> (raw)
In-Reply-To: 20030329142835.40fa8eb9.akpm@digeo.com
Perhaps adding this to the kernel as a config option might be handy for
people looking for timers that were freed while still pending?
Shawn.
----- Original Message -----
From: "Andrew Morton" <akpm@digeo.com>
To: "Shawn Starr" <spstarr@sh0n.net>
Cc: <rml@tech9.net>; <linux-kernel@vger.kernel.org>
Sent: Saturday, March 29, 2003 5:28 PM
Subject: Re: [OOPS][2.5.66bk3+] run_timer_softirq - IRQ Mishandlings
> "Shawn Starr" <spstarr@sh0n.net> wrote:
> >
> > How can I go about debugging this? How can I find the path causing the
> > problem?
> >
>
> Someone did
>
> kfree(foo);
>
> instead of
>
> del_timer_sync(&foo->timer);
> kfree(foo);
>
> so you have a freed-but-pending timer.
>
>
> This is a horrid bug. One way to find it would be to change
> cache_free_debugcheck() to walk the just-freed-up memory looking for an
> instance of TIMER_MAGIC. If that is found and timer_pending() is true then
> drop a backtrace and print out timer->function.
>
> err.... Here you go, this may find it.
>
>
>
> fs/open.c | 33 +++++++++++++++++++++++++++++++++
> include/linux/timer.h | 3 ++-
> mm/slab.c | 30 ++++++++++++++++++++++++++++++
> 3 files changed, 65 insertions(+), 1 deletion(-)
>
> diff -puN include/linux/timer.h~freed-timer-finder include/linux/timer.h
> --- 25/include/linux/timer.h~freed-timer-finder 2003-03-29
14:10:15.000000000 -0800
> +++ 25-akpm/include/linux/timer.h 2003-03-29 14:10:26.000000000 -0800
> @@ -8,11 +8,12 @@
> struct tvec_t_base_s;
>
> struct timer_list {
> + unsigned long magic;
> +
> struct list_head entry;
> unsigned long expires;
>
> spinlock_t lock;
> - unsigned long magic;
>
> void (*function)(unsigned long);
> unsigned long data;
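Review bot: Nothing at the new position of `magic` says that it has to stay the first member, yet timer_hunt() in the mm/slab.c part of this patch casts the address of a matching word straight to `struct timer_list *`, which is only correct while `magic` sits at offset 0. A comment on the field would keep a later reorder from silently breaking the scan, for example `/* keep first: the slab debug scan casts the address of this word to a timer_list */`. The struct definition continues past the end of the hunk.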
> diff -puN mm/slab.c~freed-timer-finder mm/slab.c
> --- 25/mm/slab.c~freed-timer-finder 2003-03-29 14:10:30.000000000 -0800
> +++ 25-akpm/mm/slab.c 2003-03-29 14:16:23.000000000 -0800
> @@ -800,6 +800,35 @@ static void poison_obj(kmem_cache_t *cac
> *(unsigned char *)(addr+size-1) = POISON_END;
> }
>
> +static void timer_hunt(kmem_cache_t *cachep, void *addr)
> +{
> + int size = cachep->objsize;
> + void *p;
> +
> + if (cachep->flags & SLAB_RED_ZONE) {
> + addr += BYTES_PER_WORD;
> + size -= 2*BYTES_PER_WORD;
> + }
> + if (cachep->flags & SLAB_STORE_USER) {
> + size -= BYTES_PER_WORD;
> + }
> +
> + for (p = addr; p < addr + size; p += sizeof(unsigned long)) {
> + unsigned long *laddr = p;
> +
> + if (*laddr == TIMER_MAGIC) {
> + struct timer_list *timer;
> +
> + timer = (struct timer_list *)laddr;
> + if (timer_pending(timer)) {
> + printk("free of pending timer at %p\n", timer);
> + printk("function=%p\n", timer->function);
> + dump_stack();
> + }
> + }
> + }
> +}
> +
> static void *fprob(unsigned char* addr, unsigned int size)
> {
> unsigned char *end;
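Review bot: The scan in timer_hunt() can read past the end of the freed object: the loop runs while `p < addr + size`, so a word equal to TIMER_MAGIC in the last few words of the object is cast to `struct timer_list *`, and `timer->function` (and presumably whatever timer_pending() inspects) is then loaded from memory beyond the object. Bounding the loop by the structure size avoids that: `for (p = addr; p + sizeof(struct timer_list) <= addr + size; p += sizeof(unsigned long)) {`. A stale or coincidental magic value in ordinary data is also treated as a timer, so a hit is a lead to verify rather than proof, which is worth stating in a comment above the function.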
> @@ -1603,6 +1632,7 @@ static inline void *cache_free_debugchec
> else
> cachep->dtor(objp, cachep, 0);
> }
> + timer_hunt(cachep, objp);
> if (cachep->flags & SLAB_POISON)
> poison_obj(cachep, objp, POISON_AFTER);
> #endif
> diff -puN fs/open.c~freed-timer-finder fs/open.c
> --- 25/fs/open.c~freed-timer-finder 2003-03-29 14:17:32.000000000 -0800
> +++ 25-akpm/fs/open.c 2003-03-29 14:21:20.000000000 -0800
> @@ -793,11 +793,44 @@ void fd_install(unsigned int fd, struct
> write_unlock(&files->file_lock);
> }
>
> +#include <linux/timer.h>
> +
> +struct foo_thing {
> + int a;
> + struct timer_list t;
> + int b;
> +};
> +
> +static void my_foo(unsigned long data)
> +{
> + printk("the handler\n");
> +}
> +
> +static void timer_thing(void)
> +{
> + static int did_it;
> + struct foo_thing *f;
> +
> + if (did_it)
> + return;
> + did_it = 1;
> +
> + f = kmalloc(sizeof(*f), GFP_KERNEL);
> + init_timer(&f->t);
> + f->t.expires = jiffies + HZ;
> + f->t.function = my_foo;
> + add_timer(&f->t);
> + kfree(f);
> +}
> +
> asmlinkage long sys_open(const char * filename, int flags, int mode)
> {
> char * tmp;
> int fd, error;
>
> + if (current->uid == 9999)
> + timer_thing();
> +
> #if BITS_PER_LONG != 32
> flags |= O_LARGEFILE;
> #endif
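Review bot: timer_thing() is a self-test that deliberately frees `f` while its timer is still queued, so the first open() by uid 9999 leaves a timer that fires about a second later on freed memory. That is fine for proving the detector on a scratch tree, but this fs/open.c section should be dropped before the rest of the patch is applied anywhere else. As written it also dereferences the kmalloc() result without a check, so `if (!f) return;` belongs before `init_timer(&f->t);`. A comment above timer_thing() saying it is an intentional fault injection would stop it being mistaken for real code. sys_open's body continues outside the hunk.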
>
> _
>
>