Re: tty_ldisc_try_get(): BUG kmalloc-8: Poison overwritten
From: Ingo Molnar
Date: Sun Jun 14 2009 - 04:33:21 EST
* Pekka Enberg <penberg@xxxxxxxxxxxxxx> wrote:
> Hi Ingo,
>
> Ingo Molnar wrote:
>> Ok, this is one for those who like to look at weird crashes/bugs.
>>
>> Here's a new regression that popped up in this merge window, there's
>> some sort of slab corruption going on in tty data structures:
>>
>> [ 74.900215] =============================================================================
>> [ 74.908193] BUG kmalloc-8: Poison overwritten
>> [ 74.908193] -----------------------------------------------------------------------------
>> [ 74.908193] [ 74.908193] INFO: 0x5d883a14-0x5d883a14. First byte
>> 0x6a instead of 0x6b
>> [ 74.908193] INFO: Allocated in tty_ldisc_try_get+0x1a/0xb0 age=8015 cpu=0 pid=1
>> [ 74.908193] INFO: Freed in tty_ldisc_put+0x48/0x50 age=4 cpu=3 pid=4236
>> [ 74.908193] INFO: Slab 0x42c6eeb4 objects=73 used=61 fp=0x5d883a10 flags=0x1d0000c3
>> [ 74.908193] INFO: Object 0x5d883a10 @offset=2576 fp=0x5d883d90
>> [ 74.908193] [ 74.908193] Bytes b4 0x5d883a00: 01 00 00 00 de 04
>> ff ff 5a 5a 5a 5a 5a 5a 5a 5a ....ï.ïïZZZZZZZZ
>> [ 74.908193] Object 0x5d883a10: 6b 6b 6b 6b 6a 6b 6b a5
>> kkkkjkkï
>
> This is struct tty_ldisc and the corruption happens in the first byte of
> ->refcount. This probably just means that there's a race condition and
> someone is doing tty_ldisc_deref() after tty_ldisc_put().
>
> You could add something like
>
> WARN_ON(ld->refcount == 0x6b)
>
> to tty_ldisc_deref() to see if that triggers.
I've committed the debug hack below - will let you know if it
triggers.
Ingo
------------->