Re: Linux 2.6.39-rc6 (pps ktimer uses freed memory)

From: Randy Dunlap
Date: Fri May 06 2011 - 15:48:13 EST

Loading and unloading pps-ktimer.ko (on x86_64) causes this:

pps pps0: ktimer PPS source unregistered
=============================================================================
BUG kmalloc-512: Poison overwritten
-----------------------------------------------------------------------------

INFO: 0xffff88005d3b45e0-0xffff88005d3b45e0. First byte 0x6a instead of 0x6b
INFO: Allocated in pps_register_source+0xf0/0x1f3 [pps_core] age=277 cpu=0 pid=8778
INFO: Freed in pps_device_destruct+0x7f/0x8b [pps_core] age=16 cpu=1 pid=8786
INFO: Slab 0xffffea0001464f60 objects=28 used=2 fp=0xffff88005d3b4490 flags=0x100000000040c1
INFO: Object 0xffff88005d3b4490 @offset=1168 fp=0xffff88005d3b46d8

Bytes b4 0xffff88005d3b4480: 1c c1 34 00 01 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a .Á4.....ZZZZZZZZ
Object 0xffff88005d3b4490: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b44a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b44b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b44c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b44d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b44e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b44f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4500: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4510: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4520: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4530: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4540: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4550: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4560: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4570: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4580: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4590: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b45a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b45b0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b45c0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b45d0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b45e0: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
Object 0xffff88005d3b45f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4600: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4610: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4640: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4650: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4660: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4670: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
Object 0xffff88005d3b4680: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk¥
Redzone 0xffff88005d3b4690: bb bb bb bb bb bb bb bb »»»»»»»»
Padding 0xffff88005d3b46d0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
Pid: 8789, comm: sleep Not tainted 2.6.39-rc6 #1
Call Trace:
[<ffffffff811b0d32>] print_trailer+0x18d/0x19d
[<ffffffff8122f76b>] ? load_elf_interp+0xb1/0x640
[<ffffffff811b1481>] check_bytes_and_report+0xf5/0x12d
[<ffffffff8122f7bb>] ? load_elf_interp+0x101/0x640
[<ffffffff811b15b3>] check_object+0xfa/0x238
[<ffffffff8122f78d>] ? load_elf_interp+0xd3/0x640
[<ffffffff811b20ee>] alloc_debug_processing+0xcc/0x184
[<ffffffff811b4091>] __slab_alloc+0x40d/0x457
[<ffffffff810b034e>] ? sched_clock_local+0x1a/0xc0
[<ffffffff8122f78d>] ? load_elf_interp+0xd3/0x640
[<ffffffff8122f78d>] ? load_elf_interp+0xd3/0x640
[<ffffffff811b5005>] __kmalloc+0x143/0x21b
[<ffffffff8122f78d>] load_elf_interp+0xd3/0x640
[<ffffffff812d20d4>] ? __clear_user+0x47/0x73
[<ffffffff812d20ae>] ? __clear_user+0x21/0x73
[<ffffffff812309e0>] load_elf_binary+0xbc1/0x1108
[<ffffffff811d70ca>] search_binary_handler+0x112/0x386
[<ffffffff8122fe1f>] ? set_brk+0x125/0x125
[<ffffffff811d97f1>] do_execve+0x269/0x3db
[<ffffffff81017843>] sys_execve+0x5a/0x7f
[<ffffffff8157552c>] stub_execve+0x6c/0xc0
FIX kmalloc-512: Restoring 0xffff88005d3b45e0-0xffff88005d3b45e0=0x6b

FIX kmalloc-512: Marking all objects used
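As an added triage helper (not part of this report or of the pps code), the following Python parses the SLUB "Poison overwritten" lines quoted above and derives what a use-after-free investigation needs first: the damage offset inside the object, the allocation and free tracks, and the fact that the process in the "Pid:" line only tripped the check. The sample text is a constructed copy of the report's INFO lines; the single-byte-decrement hint is a heuristic, not something the kernel states.

```python
import re

# Constructed sample: the informative lines of the SLUB report quoted
# above (values are the report's own; the hex dump rows are omitted).
SAMPLE = """\
BUG kmalloc-512: Poison overwritten
INFO: 0xffff88005d3b45e0-0xffff88005d3b45e0. First byte 0x6a instead of 0x6b
INFO: Allocated in pps_register_source+0xf0/0x1f3 [pps_core] age=277 cpu=0 pid=8778
INFO: Freed in pps_device_destruct+0x7f/0x8b [pps_core] age=16 cpu=1 pid=8786
INFO: Object 0xffff88005d3b4490 @offset=1168 fp=0xffff88005d3b46d8
"""
POISON_FREE = 0x6b  # SLUB_DEBUG fills a freed object with 0x6b bytes

_BUG = re.compile(r"^BUG (\S+): Poison overwritten", re.M)
_RANGE = re.compile(r"^INFO: 0x([0-9a-f]+)-0x([0-9a-f]+)\. First byte 0x([0-9a-f]+)"
                    r" instead of 0x([0-9a-f]+)", re.M)
_SITE = re.compile(r"^INFO: (Allocated|Freed) in (\S+) \[(\S+)\] age=(\d+) "
                   r"cpu=(\d+) pid=(\d+)", re.M)
_OBJ = re.compile(r"^INFO: Object 0x([0-9a-f]+) @offset=", re.M)

def parse_slub_report(text):
    """Turn a SLUB 'Poison overwritten' splat into a triage dict."""
    bug, rng, obj = _BUG.search(text), _RANGE.search(text), _OBJ.search(text)
    if not (bug and rng and obj):
        raise ValueError("not a SLUB poison-overwritten report")
    start, end = int(rng.group(1), 16), int(rng.group(2), 16)
    found, expected = int(rng.group(3), 16), int(rng.group(4), 16)
    sites = {m.group(1).lower(): dict(func=m.group(2), module=m.group(3),
                                      age=int(m.group(4)), pid=int(m.group(6)))
             for m in _SITE.finditer(text)}
    return {
        "cache": bug.group(1),
        "offset": start - int(obj.group(1), 16),  # damage offset inside object
        "length": end - start + 1,
        "expected": expected, "found": found, "sites": sites,
        # 0x6b poison exists only after kfree(), so a changed poison byte plus
        # a "Freed" track means the object was written after it was freed. The
        # "Pid:" line names the slab's next allocator (here 'sleep'), not the writer.
        "write_after_free": "freed" in sites and expected == POISON_FREE,
    }

def summarize(rep):
    s, hint = rep["sites"], ""
    verdict = "write after free" if rep["write_after_free"] else "poison overwritten"
    if rep["length"] == 1 and rep["found"] - rep["expected"] == -1:
        hint = ", single byte decremented (looks like a counter field)"
    return (f"{rep['cache']}: {verdict} at object+0x{rep['offset']:x}{hint}; "
            f"allocated in {s['allocated']['func']}, freed in {s['freed']['func']} "
            f"{s['freed']['age']} jiffies before the report")
```

Run against the report's own lines it places the damage at object+0x150, 16 jiffies after pps_device_destruct freed the object, which is the number to compare with the layout of the structure that pps_register_source allocated.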
