From: Peter Zijlstra <a.p.zijlstra@chello.nl>
To: Vegard Nossum <vegard.nossum@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>, Ingo Molnar <mingo@elte.hu>,
Pekka Enberg <penberg@cs.helsinki.fi>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Subject: Re: kmemcheck caught read from freed memory (cfq_free_io_context)
Date: Tue, 01 Apr 2008 23:36:28 +0200 [thread overview]
Message-ID: <1207085788.29991.6.camel@lappy> (raw)
In-Reply-To: <19f34abd0804011408v19e13b6cje1ca89a2a471484c@mail.gmail.com>
On Tue, 2008-04-01 at 23:08 +0200, Vegard Nossum wrote:
> Hi,
>
> This appeared in my logs:
>
> kmemcheck: Caught 32-bit read from freed memory (f7042348)
>
> Pid: 1374, comm: bash Not tainted (2.6.25-rc7 #92)
> EIP: 0060:[<c0502f0d>] EFLAGS: 00210202 CPU: 0
> EIP is at call_for_each_cic+0x2d/0x44
> EAX: 00200286 EBX: 00000001 ECX: c200e908 EDX: f7042348
> ESI: f6c26c60 EDI: c0503310 EBP: f70fff38 ESP: c082ec88
> DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> CR0: 8005003b CR2: f7826904 CR3: 36cd7000 CR4: 000006c0
> DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> DR6: ffff4ff0 DR7: 00000400
> [<c041cff8>] kmemcheck_read+0xa8/0xe0
> [<c041d1d5>] kmemcheck_access+0x1a5/0x244
> [<c0668252>] do_page_fault+0x622/0x6fc
> [<c06666aa>] error_code+0x72/0x78
> [<c050323f>] cfq_free_io_context+0xf/0x70
> [<c04fc4d7>] put_io_context+0x4f/0x58
> [<c04fc568>] exit_io_context+0x60/0x6c
> [<c042f871>] do_exit+0x4d9/0x6f0
> [<c042fab1>] do_group_exit+0x29/0x88
> [<c042fb1f>] sys_exit_group+0xf/0x14
> [<c0406105>] sysenter_past_esp+0x6d/0xa4
> [<ffffffff>] 0xffffffff
>
> The error occurs in cfq_free_io_context()'s call to
> call_for_each_cic() which looks like this:
>
> rcu_read_lock();
> hlist_for_each_entry_rcu(cic, n, &ioc->cic_list, cic_list) {
> func(ioc, cic);
> called++;
> }
> rcu_read_unlock();
>
> The function that is called is cic_free_func(). It is postulated that
> hlist_for_each_entry_rcu() will dereference the previously freed list
> element to get the ->next pointer.
>
> After a short discussion with Pekka Enberg and Peter Zijlstra, it
> seemed evident that this list traversal should use
> hlist_for_each_entry_safe_rcu() instead, which would buffer the next
> pointer before the object is freed.
>
> Does this report seem to be valid?
>
> The kernel is 2.6.25-rc7.
The missing hlist for loop would look something like so:
#define hlist_for_each_entry_safe_rcu(tpos, pos, n, head, member) \
for (pos = (head)->first; \
rcu_dereference(pos) && ({ n = pos->next; 1; }) && \
({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \
pos = n)
next prev parent reply other threads:[~2008-04-01 21:37 UTC|newest]
Thread overview: 69+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-01 21:08 kmemcheck caught read from freed memory (cfq_free_io_context) Vegard Nossum
2008-04-01 21:36 ` Peter Zijlstra [this message]
2008-04-01 22:51 ` Paul E. McKenney
2008-04-02 6:15 ` Peter Zijlstra
2008-04-02 7:19 ` Jens Axboe
2008-04-02 10:24 ` Paul E. McKenney
2008-04-02 7:17 ` Jens Axboe
2008-04-02 7:20 ` Pekka J Enberg
2008-04-02 7:24 ` Jens Axboe
2008-04-02 7:28 ` Ingo Molnar
2008-04-02 7:31 ` Jens Axboe
2008-04-02 10:55 ` Paul E. McKenney
2008-04-02 10:59 ` Peter Zijlstra
2008-04-02 11:33 ` Fabio Checconi
2008-04-02 11:43 ` Jens Axboe
2008-04-02 12:36 ` Jens Axboe
2008-04-02 12:36 ` Jens Axboe
2008-04-02 12:55 ` Fabio Checconi
2008-04-02 12:58 ` Jens Axboe
2008-04-02 12:58 ` Jens Axboe
2008-04-02 13:16 ` Fabio Checconi
2008-04-02 16:14 ` Paul E. McKenney
2008-04-02 13:37 ` Paul E. McKenney
2008-04-02 13:41 ` Jens Axboe
2008-04-02 15:33 ` Paul E. McKenney
2008-04-02 16:31 ` Jens Axboe
2008-04-02 17:00 ` Paul E. McKenney
2008-04-02 13:32 ` Paul E. McKenney
2008-04-02 13:40 ` Jens Axboe
2008-04-02 16:15 ` Paul E. McKenney
2008-04-02 11:01 ` Pekka Enberg
2008-04-02 11:07 ` Jens Axboe
2008-04-02 11:08 ` Peter Zijlstra
2008-04-02 11:11 ` Pekka Enberg
2008-04-02 11:14 ` Peter Zijlstra
2008-04-02 11:18 ` Pekka Enberg
2008-04-02 17:36 ` Christoph Lameter
2008-04-02 11:14 ` Jens Axboe
2008-04-02 11:20 ` Peter Zijlstra
2008-04-02 11:25 ` Peter Zijlstra
2008-04-02 11:32 ` Jens Axboe
2008-04-02 11:37 ` Peter Zijlstra
2008-04-02 11:42 ` Jens Axboe
2008-04-02 11:47 ` Peter Zijlstra
2008-04-02 11:53 ` Jens Axboe
2008-04-02 12:13 ` Peter Zijlstra
2008-04-02 12:28 ` Jens Axboe
2008-04-02 13:26 ` Paul E. McKenney
2008-04-02 13:43 ` Andi Kleen
2008-04-02 12:26 ` Peter Zijlstra
2008-04-02 12:34 ` Jens Axboe
2008-04-02 16:08 ` Paul E. McKenney
2008-04-02 16:15 ` Vegard Nossum
2008-04-02 16:32 ` Pekka J Enberg
2008-04-02 18:23 ` Paul E. McKenney
2008-04-02 19:53 ` Pekka Enberg
2008-04-02 20:15 ` Paul E. McKenney
2008-04-03 15:18 ` Paul E. McKenney
2008-04-03 19:49 ` Pekka J Enberg
2008-04-03 21:27 ` Paul E. McKenney
2008-04-02 16:59 ` Paul E. McKenney
2008-04-02 17:31 ` Vegard Nossum
2008-04-02 10:40 ` Paul E. McKenney
2008-04-02 10:46 ` Pekka Enberg
2008-04-02 10:49 ` Peter Zijlstra
2008-04-02 10:54 ` Pekka J Enberg
2008-04-02 17:35 ` Christoph Lameter
2008-04-02 10:53 ` Peter Zijlstra
2008-04-02 11:13 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1207085788.29991.6.camel@lappy \
--to=a.p.zijlstra@chello.nl \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=paulmck@linux.vnet.ibm.com \
--cc=penberg@cs.helsinki.fi \
--cc=vegard.nossum@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox