Re: [2.6.37-rc8] BUG kmalloc-256: Poison overwritten.

From: Pekka Enberg
Date: Thu Dec 30 2010 - 10:59:37 EST


On Thu, Dec 30, 2010 at 5:31 PM, Pekka Enberg <penberg@xxxxxxxxxxxxxx> wrote:
> On Thu, 2010-12-30 at 16:08 +0100, Pawel Sikora wrote:
>> [ 1863.448308] =============================================================================
>> [ 1863.448313] BUG kmalloc-256: Poison overwritten
>> [ 1863.448315] -----------------------------------------------------------------------------
>> [ 1863.448316]
>> [ 1863.448319] INFO: 0xffff8807ffc7e7c4-0xffff8807ffc7e7c5. First byte 0x6c instead of 0x6b
>> [ 1863.448331] INFO: Allocated in setup_conf+0x12b/0x360 [raid10] age=554800 cpu=5 pid=2766
>> [ 1863.448336] INFO: Freed in stop+0x66/0x80 [raid10] age=4271 cpu=3 pid=5266
>> [ 1863.448339] INFO: Slab 0xffffea001bff3b90 objects=24 used=11 fp=0xffff8807ffc7e7b0 flags=0x6000000000040c1
>> [ 1863.448341] INFO: Object 0xffff8807ffc7e7b0 @offset=1968 fp=0xffff8807ffc7f338
>> [ 1863.448343]
>> [ 1863.448345] Bytes b4 0xffff8807ffc7e7a0:  a9 c6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ïïïï....ZZZZZZZZ
>> [ 1863.448353]   Object 0xffff8807ffc7e7b0:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448362]   Object 0xffff8807ffc7e7c0:  6b 6b 6b 6b 6c 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkllkkkkkkkkkk
>> [ 1863.448369]   Object 0xffff8807ffc7e7d0:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448377]   Object 0xffff8807ffc7e7e0:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448384]   Object 0xffff8807ffc7e7f0:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448391]   Object 0xffff8807ffc7e800:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448399]   Object 0xffff8807ffc7e810:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448406]   Object 0xffff8807ffc7e820:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448413]   Object 0xffff8807ffc7e830:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448421]   Object 0xffff8807ffc7e840:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448428]   Object 0xffff8807ffc7e850:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448435]   Object 0xffff8807ffc7e860:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448442]   Object 0xffff8807ffc7e870:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448450]   Object 0xffff8807ffc7e880:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448457]   Object 0xffff8807ffc7e890:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
>> [ 1863.448464]   Object 0xffff8807ffc7e8a0:  6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkkï
>> [ 1863.448472]  Redzone 0xffff8807ffc7e8b0:  bb bb bb bb bb bb bb bb             ïïïïïïïï
>> [ 1863.448478]  Padding 0xffff8807ffc7e8f0:  5a 5a 5a 5a 5a 5a 5a 5a             ZZZZZZZZ
>> [ 1863.448487] Pid: 5282, comm: udevd Not tainted 2.6.37-rc8 #1
>> [ 1863.448489] Call Trace:
>> [ 1863.448499]  [<ffffffff8111ea1e>] print_trailer+0xfe/0x160
>> [ 1863.448503]  [<ffffffff8111f074>] check_bytes_and_report+0xf4/0x130
>> [ 1863.448506]  [<ffffffff8111f2da>] check_object+0x22a/0x270
>> [ 1863.448512]  [<ffffffff81137cc9>] ? do_execve+0x59/0x390
>> [ 1863.448515]  [<ffffffff81137cc9>] ? do_execve+0x59/0x390
>> [ 1863.448519]  [<ffffffff81120380>] alloc_debug_processing+0x110/0x1f0
>> [ 1863.448522]  [<ffffffff811211c9>] __slab_alloc+0x3a9/0x410
>> [ 1863.448528]  [<ffffffff8140254c>] ? do_page_fault+0x1cc/0x4b0
>> [ 1863.448531]  [<ffffffff81137cc9>] ? do_execve+0x59/0x390
>> [ 1863.448534]  [<ffffffff81121888>] kmem_cache_alloc_notrace+0xb8/0xc0
>> [ 1863.448538]  [<ffffffff81137cc9>] do_execve+0x59/0x390
>> [ 1863.448543]  [<ffffffff8121f0c1>] ? strncpy_from_user+0x31/0x50
>> [ 1863.448548]  [<ffffffff8100b205>] sys_execve+0x45/0x70
>> [ 1863.448553]  [<ffffffff8100319c>] stub_execve+0x6c/0xc0
>> [ 1863.448556] FIX kmalloc-256: Restoring 0xffff8807ffc7e7c4-0xffff8807ffc7e7c5=0x6b
>> [ 1863.448557]
>> [ 1863.448559] FIX kmalloc-256: Marking all objects used
>
> This looks like a use-after-free bug somewhere in drivers/md/raid10.c.

Does reverting commit 4e78064f42ad474ce9c31760861f7fb0cfc22532 ("md:
Fix possible deadlock with multiple mempool allocations.") fix the
problem?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
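Editor's note on reading the report above. The quoted "Poison overwritten" message comes from SLUB's slub_debug checks: on free, the allocator fills the object with 0x6b ("k") and ends it with 0xa5, and on the next allocation it verifies that fill is intact, so any byte that no longer reads 0x6b was written through a stale pointer after the free (here two bytes at object offset 0x14, 0x...e7c4 minus 0x...e7b0). The following user-space model is an added example, not kernel code and not part of this thread; the poison values mirror include/linux/poison.h, while the function names, report struct and the 256-byte scenario are this example's own constructions.

```c
/* Added example: a user-space model of SLUB's free-poison check. Not kernel
 * code and not part of the thread above. Poison constants mirror
 * include/linux/poison.h; everything else (names, report layout, the
 * constructed scenario) is made up for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define POISON_FREE  0x6b   /* fill written to an object on free ("k") */
#define POISON_END   0xa5   /* marks the last byte of a poisoned object */
#define POISON_INUSE 0x5a   /* fill for live objects / padding ("Z") */

struct poison_report {
    int found;          /* 1 if a poison byte was overwritten */
    size_t first;       /* offset of the first bad byte */
    size_t last;        /* offset of the last bad byte in the run */
    uint8_t seen;       /* value actually found at `first` */
    uint8_t expected;   /* poison value that should have been there */
};

/* Expected poison byte at a given offset of a freed object. */
static uint8_t expected_at(size_t i, size_t size)
{
    return (i == size - 1) ? POISON_END : POISON_FREE;
}

/* Poison an object the way free does. */
void poison_free(uint8_t *obj, size_t size)
{
    memset(obj, POISON_FREE, size - 1);
    obj[size - 1] = POISON_END;
}

/* Model of check_bytes_and_report(): find the first byte that differs from
 * the expected poison and extend to the end of the contiguous bad run.
 * Returns 1 if corruption was found, 0 if the object is clean. */
int check_poison(const uint8_t *obj, size_t size, struct poison_report *r)
{
    memset(r, 0, sizeof(*r));
    for (size_t i = 0; i < size; i++) {
        if (obj[i] == expected_at(i, size))
            continue;
        r->found = 1;
        r->first = i;
        r->seen = obj[i];
        r->expected = expected_at(i, size);
        size_t j = i;
        while (j + 1 < size && obj[j + 1] != expected_at(j + 1, size))
            j++;
        r->last = j;
        return 1;
    }
    return 0;
}

/* Model of the "FIX ... Restoring" step: re-poison the bad run so the
 * allocator can carry on. Returns the number of bytes restored. */
size_t restore_poison(uint8_t *obj, size_t size, const struct poison_report *r)
{
    if (!r->found)
        return 0;
    for (size_t i = r->first; i <= r->last; i++)
        obj[i] = expected_at(i, size);
    return r->last - r->first + 1;
}

/* Constructed scenario: a 256-byte object is freed, then a stale pointer
 * writes "ll" at offset 0x14, the same offset as in the quoted report.
 * Returns 1 if the corruption was detected and the object is clean after
 * restoration. */
int demo(void)
{
    uint8_t obj[256];
    struct poison_report r;

    poison_free(obj, sizeof obj);
    obj[0x14] = 'l';                 /* 0x6c: write through a dangling pointer */
    obj[0x15] = 'l';

    if (!check_poison(obj, sizeof obj, &r))
        return 0;
    printf("BUG kmalloc-256: Poison overwritten\n");
    printf("INFO: offset 0x%zx-0x%zx. First byte 0x%02x instead of 0x%02x\n",
           r.first, r.last, r.seen, r.expected);
    printf("FIX kmalloc-256: Restoring 0x%zx-0x%zx=0x%02x\n",
           r.first, r.last, r.expected);
    restore_poison(obj, sizeof obj, &r);
    return check_poison(obj, sizeof obj, &r) == 0;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The check runs at allocation time, which is why the backtrace above is in the unrelated execve path: the allocator only notices the stale write when it next hands out that kmalloc-256 object, so the "Freed in" and "Allocated in" lines, not the backtrace, point at the code that owns the bug.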