Re: task_struct slab cache use after free in 2.5.66

From: Andrew Morton (akpm@digeo.com)
Date: Thu Mar 27 2003 - 23:23:48 EST

Next message: Zwane Mwaikambo: "Re: task_struct slab cache use after free in 2.5.66"
Previous message: Martin J. Bligh: "[Bug 515] New: kernel panics when bttv compiled in"
In reply to: Zwane Mwaikambo: "task_struct slab cache use after free in 2.5.66"
Next in thread: Zwane Mwaikambo: "Re: task_struct slab cache use after free in 2.5.66"
Reply: Zwane Mwaikambo: "Re: task_struct slab cache use after free in 2.5.66"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Zwane Mwaikambo <zwane@linuxpower.ca> wrote:
>
> I'm having a few stability problems with 2.5.66 under test loads. I
> can't quite parse the slab debugging stuff. Is this actually useful to
> anyone?
>
> Slab corruption: start=c1f23380, expend=c1f2399f, problemat=c1f23388
> Data: ********6A
> *******************************************************************************************************
> Next: ********************************
> slab error in check_poison_obj(): cache `task_struct': object was modified after freeing
> Call Trace:
> [<c0142953>] check_poison_obj+0x123/0x170
> [<c0144337>] kmem_cache_alloc+0x117/0x160
> [<c011fdde>] dup_task_struct+0x9e/0xc0
> [<c011fdde>] dup_task_struct+0x9e/0xc0
> [<c0120b82>] copy_process+0x82/0xe30
> [<c0126d3b>] do_softirq+0xbb/0xc0
> [<c012196f>] do_fork+0x3f/0x170
> [<c01077b7>] sys_fork+0x17/0x30
> [<c0109497>] syscall_call+0x7/0xb
>

That's the second report of this. Someone did a put_task_struct against a
freed task_struct. I'll cook up a debug patch to trap it. Something like
this:

diff -puN include/linux/sched.h~put_task_struct-debug include/linux/sched.h
--- 25/include/linux/sched.h~put_task_struct-debug 2003-03-27 20:21:16.000000000 -0800
+++ 25-akpm/include/linux/sched.h 2003-03-27 20:22:49.000000000 -0800
@@ -443,12 +443,17 @@ struct task_struct {

         unsigned long ptrace_message;
         siginfo_t *last_siginfo; /* For ptrace use. */
+ long debug;
};

extern void __put_task_struct(struct task_struct *tsk);
#define get_task_struct(tsk) do { atomic_inc(&(tsk)->usage); } while(0)
-#define put_task_struct(tsk) \
-do { if (atomic_dec_and_test(&(tsk)->usage)) __put_task_struct(tsk); } while(0)
+#define put_task_struct(tsk) \
+ do { \
+ BUG_ON((tsk)->debug == 0x6b6b6b6b); \
+ if (atomic_dec_and_test(&(tsk)->usage)) \
+ __put_task_struct(tsk); \
+ } while (0)

/*
  * Per process flags

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Zwane Mwaikambo: "Re: task_struct slab cache use after free in 2.5.66"
Previous message: Martin J. Bligh: "[Bug 515] New: kernel panics when bttv compiled in"
In reply to: Zwane Mwaikambo: "task_struct slab cache use after free in 2.5.66"
Next in thread: Zwane Mwaikambo: "Re: task_struct slab cache use after free in 2.5.66"
Reply: Zwane Mwaikambo: "Re: task_struct slab cache use after free in 2.5.66"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Mon Mar 31 2003 - 22:00:31 EST