From: Eric Dumazet <eric.dumazet@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: netdev@vger.kernel.org, bugzilla-daemon@bugzilla.kernel.org,
bugme-daemon@bugzilla.kernel.org, casteyde.christian@free.fr,
Vegard Nossum <vegardno@ifi.uio.no>,
Pekka Enberg <penberg@kernel.org>,
Christoph Lameter <cl@linux-foundation.org>
Subject: Re: [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized memory in __alloc_skb
Date: Tue, 19 Apr 2011 04:51:06 +0200 [thread overview]
Message-ID: <1303181466.4152.39.camel@edumazet-laptop> (raw)
In-Reply-To: <20110418153852.153d3ed3.akpm@linux-foundation.org>
Le lundi 18 avril 2011 à 15:38 -0700, Andrew Morton a écrit :
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> On Sun, 17 Apr 2011 19:29:39 GMT
> bugzilla-daemon@bugzilla.kernel.org wrote:
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=33502
> >
> > Summary: Caught 64-bit read from uninitialized memory in
> > __alloc_skb
> > Product: Networking
> > Version: 2.5
> > Kernel Version: 2.6.39-rc3
> > Platform: All
> > OS/Version: Linux
> > Tree: Mainline
> > Status: NEW
> > Severity: normal
> > Priority: P1
> > Component: IPV4
> > AssignedTo: shemminger@linux-foundation.org
> > ReportedBy: casteyde.christian@free.fr
> > Regression: Yes
> >
> >
> > Acer Aspire 1511LMi
> > Athlon 64 3GHz in 64bits mode
> > Slackware 64 13.1
> >
> > Since 2.6.39-rc3 with kmemcheck enabled, I get the following warning:
> > ...
> > pcmcia_socket pcmcia_socket0: cs: memory probe 0x0c0000-0x0fffff: excluding
> > 0xc0000-0xfffff
> > pcmcia_socket pcmcia_socket0: cs: memory probe 0x60000000-0x60ffffff: excluding
> > 0x60000000-0x
> > 60ffffff
> > pcmcia_socket pcmcia_socket0: cs: memory probe 0xa0000000-0xa0ffffff: excluding
> > 0xa0000000-0x
> > a0ffffff
> > udev: renamed network interface wlan0 to eth1
> > WARNING: kmemcheck: Caught 64-bit read from uninitialized memory
> > (ffff88001b0bb800)
> > 00b00b1b0088ffff0000000000000000cafe1dea20009b0000299a3100000000
> > u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
> > ^
> >
> > Pid: 1511, comm: udevd Not tainted 2.6.39-rc3 #1 Acer,Inc. Aspire 1510 /Aspire
> > 1510
> > RIP: 0010:[<ffffffff810c2f0c>] [<ffffffff810c2f0c>]
> > __kmalloc_track_caller+0xbc/0x1d0
> > RSP: 0018:ffff88001d3a7a18 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: 0000000000000010 RCX: 000000000000284f
> > RDX: 000000000000284e RSI: ffff88001fe5b160 RDI: ffffffff8177e39a
> > RBP: ffff88001d3a7a48 R08: 0000000000000000 R09: ffff88001b931100
> > R10: 0000000000000000 R11: 0000000000000003 R12: ffff88001b0bb800
> > R13: ffff88001f803840 R14: 00000000000004d0 R15: ffffffff814769c6
> > FS: 00007f6ee81f1700(0000) GS:ffffffff81a1b000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > CR2: ffff88001d0b3938 CR3: 000000001d38b000 CR4: 00000000000006f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> > [<ffffffff8147ccf2>] __alloc_skb+0x72/0x190
> > [<ffffffff814769c6>] sock_alloc_send_pskb+0x236/0x3a0
> > [<ffffffff81476b40>] sock_alloc_send_skb+0x10/0x20
> > [<ffffffff81523c18>] unix_dgram_sendmsg+0x298/0x770
> > [<ffffffff814715f3>] sock_sendmsg+0xe3/0x110
> > [<ffffffff81472603>] sys_sendmsg+0x243/0x3c0
> > [<ffffffff815e7238>] system_call_fastpath+0x16/0x1b
> > [<ffffffffffffffff>] 0xffffffffffffffff
>
> hum. I wonder if kmemcheck is disliking prefetchw()?
Nope, prefetchw() is OK versus kmemcheck.
This is in __kmalloc_track_caller(), not in networking stuff.
CC Christoph Lameter
I guess this_cpu_cmpxchg16b() is the offender.
A disassembly of __kmalloc_track_caller() would help, but I feel its the
read of s->cpu_slab->freelist
It seems to be at address
0xffff88001b0bb800 and contains 0xffff88001b0bb000 but kmemcheck thinks
its not initialized.
Its located in percpu zone, maybe kmemcheck has a problem with it ?
alloc_kmem_cache_cpus() does a call to __alloc_percpu(), so this must
have been zeroed at the very beginning of kmem_cache life.
Hmm, looking at mm/slub.c, I wonder what prevents "object" from pointing
to a now freed and unreachable zone of memory. (Say we are interrupted,
object given to interrupt handler and this one wants to change page bits
to trap access)
next prev parent reply other threads:[~2011-04-19 2:51 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <bug-33502-10286@https.bugzilla.kernel.org/>
2011-04-18 22:38 ` [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized memory in __alloc_skb Andrew Morton
2011-04-19 2:51 ` Eric Dumazet [this message]
2011-04-19 3:09 ` Eric Dumazet
2011-04-19 3:20 ` Eric Dumazet
2011-04-19 17:10 ` Christoph Lameter
2011-04-19 20:17 ` Eric Dumazet
2011-04-19 21:18 ` Christoph Lameter
2011-04-20 5:04 ` Eric Dumazet
2011-04-20 14:04 ` Christoph Lameter
2011-04-20 5:56 ` Pekka Enberg
2011-04-20 6:04 ` Eric Dumazet
2011-04-20 7:45 ` casteyde.christian
2011-04-20 7:49 ` Pekka Enberg
2011-04-20 8:09 ` Eric Dumazet
2011-04-20 8:21 ` Pekka Enberg
2011-04-20 9:07 ` Eric Dumazet
2011-04-20 10:02 ` Eric Dumazet
2011-04-20 14:05 ` Christoph Lameter
2011-04-20 14:26 ` Eric Dumazet
2011-04-20 14:42 ` Christoph Lameter
2011-04-20 15:01 ` Eric Dumazet
2011-04-20 15:15 ` Vegard Nossum
2011-04-20 15:34 ` Eric Dumazet
2011-04-20 15:17 ` Christoph Lameter
2011-04-20 15:30 ` Eric Dumazet
2011-04-20 19:36 ` Christian Casteyde
2011-04-20 19:55 ` Eric Dumazet
2011-04-20 20:32 ` Eric Dumazet
2011-05-05 6:18 ` Eric Dumazet
2011-05-05 6:22 ` Pekka Enberg
2011-05-05 6:50 ` Eric Dumazet
2011-05-05 18:40 ` Christoph Lameter
2011-05-05 18:48 ` Eric Dumazet
2011-05-05 19:05 ` Christoph Lameter
2011-05-09 19:44 ` Pekka Enberg
2011-05-09 20:04 ` Christoph Lameter
2011-05-09 20:06 ` Pekka Enberg
2011-05-10 8:43 ` Eric Dumazet
2011-05-10 9:47 ` Pekka Enberg
2011-05-10 10:03 ` Eric Dumazet
2011-05-10 10:10 ` Pekka Enberg
2011-05-10 10:03 ` Pekka Enberg
2011-05-10 10:17 ` Eric Dumazet
2011-05-10 10:19 ` Pekka Enberg
2011-05-10 11:52 ` Eric Dumazet
2011-05-10 12:24 ` Vegard Nossum
2011-05-10 16:39 ` Christoph Lameter
2011-05-10 17:14 ` Eric Dumazet
2011-05-10 17:30 ` Christoph Lameter
2011-05-10 17:43 ` Christoph Lameter
2011-05-10 18:05 ` Eric Dumazet
2011-05-10 18:28 ` Christoph Lameter
2011-05-10 19:05 ` Christoph Lameter
2011-05-10 19:32 ` Eric Dumazet
2011-05-10 19:38 ` Christoph Lameter
2011-05-10 20:06 ` Eric Dumazet
2011-05-10 20:33 ` Christoph Lameter
2011-05-10 20:45 ` Eric Dumazet
2011-05-10 21:22 ` Christoph Lameter
2011-05-11 3:12 ` Eric Dumazet
2011-05-12 14:36 ` Christoph Lameter
2011-05-13 21:15 ` [PATCH] slub: Make CONFIG_PAGE_ALLOC work with new fastpath Christoph Lameter
2011-05-13 21:26 ` Eric Dumazet
2011-05-10 18:07 ` [Bugme-new] [Bug 33502] New: Caught 64-bit read from uninitialized memory in __alloc_skb Christoph Lameter
2011-05-10 16:33 ` Christoph Lameter
2011-04-19 17:09 ` Christoph Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1303181466.4152.39.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bugme-daemon@bugzilla.kernel.org \
--cc=bugzilla-daemon@bugzilla.kernel.org \
--cc=casteyde.christian@free.fr \
--cc=cl@linux-foundation.org \
--cc=netdev@vger.kernel.org \
--cc=penberg@kernel.org \
--cc=vegardno@ifi.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox