lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Aug 2011 14:14:30 +0800 From: Xiaotian Feng <xtfeng@...il.com> To: Pekka Enberg <penberg@...nel.org> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Dave Jones <davej@...hat.com>, Christoph Lameter <cl@...ux.com>, Markus Trippelsdorf <markus@...ppelsdorf.de>, Linux Kernel <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org>, Jens Axboe <jaxboe@...ionio.com> Subject: Re: list corruption in the last few days. (block ? crypto ?) On Mon, Aug 8, 2011 at 1:18 PM, Pekka Enberg <penberg@...nel.org> wrote: > Hi Linus, > > On Sun, Aug 7, 2011 at 11:58 AM, Pekka Enberg <penberg@...nel.org> wrote: >>> >>> Christoph, I've been reading the code and spotted two potential issues in >>> __slab_free(). The first one seems like an off-by-one where our >>> comparison >>> in deactivate_slab() doesn't match __slab_free. >>> >>> The other one is remove_full() call in __slab_free() that can get called >>> even if cache debugging is not enabled. >>> >>> Hmm? > > On Sun, 7 Aug 2011, Linus Torvalds wrote: >> >> I'd like to do -rc1 today, regardless of whether this fixes things or >> not (-rc1 is already a few days delayed). >> >> The patch seems to be a good fix, and a likely candidate for the >> corruption. Commit log and sign-off? I assume you've given it some >> testing, even if you couldn't reproduce the original issue? > > No, I haven't tested the patch myself but here's one in proper format in > case someone wants to test it. I applied it and I'm still seeing the corruption warning start from this :( [ 3674.255030] ------------[ cut here ]------------ [ 3674.255040] WARNING: at lib/list_debug.c:53 __list_del_entry+0xa1/0xd0() [ 3674.255042] Hardware name: 42424XC [ 3674.255045] list_del corruption. prev->next should be ffffea0000493420, but was ffffea0001ab0520 [ 3674.255047] Modules linked in: ip6table_filter ip6_tables ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_CHECKSUM iptable_mangle xt_tcpudp iptable_filter ip_tables x_tables binfmt_misc bridge stp parport_pc ppdev snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep snd_pcm thinkpad_acpi arc4 cryptd aes_x86_64 aes_generic snd_seq_midi i915 snd_rawmidi snd_seq_midi_event snd_seq joydev iwlagn btusb snd_timer snd_seq_device drm_kms_helper bluetooth uvcvideo snd videodev drm mac80211 cfg80211 i2c_algo_bit soundcore tpm_tis tpm tpm_bios lp snd_page_alloc psmouse serio_raw v4l2_compat_ioctl32 nvram video parport usbhid hid sdhci_pci firewire_ohci ahci libahci sdhci firewire_core crc_itu_t e1000e [ 3674.255129] Pid: 3, comm: ksoftirqd/0 Not tainted 3.1.0-rc1+ #38 [ 3674.255131] Call Trace: [ 3674.255138] [<ffffffff8106db3f>] warn_slowpath_common+0x7f/0xc0 [ 3674.255143] [<ffffffff8106dc36>] warn_slowpath_fmt+0x46/0x50 [ 3674.255147] [<ffffffff81331851>] __list_del_entry+0xa1/0xd0 [ 3674.255151] [<ffffffff81331891>] list_del+0x11/0x40 [ 3674.255156] [<ffffffff81179631>] __slab_free+0x3d1/0x3e0 [ 3674.255162] [<ffffffff811c5b06>] ? bvec_free_bs+0x26/0x40 [ 3674.255166] [<ffffffff8117ab27>] ? kmem_cache_free+0x97/0x220 [ 3674.255170] [<ffffffff811c5b06>] ? bvec_free_bs+0x26/0x40 [ 3674.255174] [<ffffffff811c5b06>] ? bvec_free_bs+0x26/0x40 [ 3674.255179] [<ffffffff8117ac9f>] kmem_cache_free+0x20f/0x220 [ 3674.255183] [<ffffffff811c5b06>] bvec_free_bs+0x26/0x40 [ 3674.255187] [<ffffffff811c5b54>] bio_free+0x34/0x70 [ 3674.255191] [<ffffffff811c5ba5>] bio_fs_destructor+0x15/0x20 [ 3674.255195] [<ffffffff811c491b>] bio_put+0x2b/0x30 [ 3674.255199] [<ffffffff81244543>] ext4_end_bio+0x63/0x270 [ 3674.255204] [<ffffffff811c47cd>] bio_endio+0x1d/0x40 [ 3674.255208] [<ffffffff8130140b>] req_bio_endio.clone.35+0xab/0xf0 [ 3674.255212] [<ffffffff813043e4>] blk_update_request+0x104/0x5f0 [ 3674.255216] [<ffffffff81304679>] ? blk_update_request+0x399/0x5f0 [ 3674.255220] [<ffffffff81304904>] blk_update_bidi_request+0x34/0xa0 [ 3674.255224] [<ffffffff81304aef>] blk_end_bidi_request+0x2f/0x80 [ 3674.255228] [<ffffffff81304b80>] blk_end_request+0x10/0x20 [ 3674.255233] [<ffffffff8142ef8f>] scsi_io_completion+0xaf/0x630 [ 3674.255238] [<ffffffff814253b8>] scsi_finish_command+0xc8/0x130 [ 3674.255242] [<ffffffff8142edd7>] scsi_softirq_done+0x147/0x170 [ 3674.255247] [<ffffffff8130aeec>] blk_done_softirq+0x8c/0xa0 [ 3674.255252] [<ffffffff810761a4>] __do_softirq+0xd4/0x340 [ 3674.255256] [<ffffffff81076547>] run_ksoftirqd+0x137/0x210 [ 3674.255260] [<ffffffff81076410>] ? __do_softirq+0x340/0x340 [ 3674.255264] [<ffffffff81094b16>] kthread+0xb6/0xc0 [ 3674.255269] [<ffffffff81655a64>] kernel_thread_helper+0x4/0x10 [ 3674.255274] [<ffffffff8164b274>] ? retint_restore_args+0x13/0x13 [ 3674.255279] [<ffffffff81094a60>] ? __init_kthread_worker+0x70/0x70 [ 3674.255283] [<ffffffff81655a60>] ? gs_change+0x13/0x13 > > Pekka > > From 85380c605764927576d6ef54e4e8a3354df05d47 Mon Sep 17 00:00:00 2001 > From: Pekka Enberg <penberg@...nel.org> > Date: Mon, 8 Aug 2011 07:56:49 +0300 > Subject: [PATCH] slub: Fix partial and full list handling in __slab_free > > Dave Jones and Xiaotian Feng reported SLUB list corruption: > > https://lkml.org/lkml/2011/8/4/375 > > https://lkml.org/lkml/2011/8/3/37 > > While I haven't able to reproduce the issue, I spotted two problems in > __slab_free() during code review: > > - The ->nr_partial check in __slab_free() has an off-by-one bug > when compared to similar check in deactivate_slab() > > - remove_full() is called even if cache debugging has not been enabled > > Reported-by: Dave Jones <davej@...hat.com> > Reported-by: Xiaotian Feng <xtfeng@...il.com> > Signed-off-by: Pekka Enberg <penberg@...nel.org> > --- > mm/slub.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/mm/slub.c b/mm/slub.c > index eb5a8f9..cee8c20 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -2368,7 +2368,7 @@ static void __slab_free(struct kmem_cache *s, struct > page *page, > if (was_frozen) > stat(s, FREE_FROZEN); > else { > - if (unlikely(!inuse && n->nr_partial > s->min_partial)) > + if (unlikely(!inuse && n->nr_partial >= s->min_partial)) > goto slab_empty; > > /* > @@ -2376,7 +2376,8 @@ static void __slab_free(struct kmem_cache *s, struct > page *page, > * then add it. > */ > if (unlikely(!prior)) { > - remove_full(s, page); > + if (kmem_cache_debug(s)) > + remove_full(s, page); > add_partial(n, page, 0); > stat(s, FREE_ADD_PARTIAL); > } > -- > 1.7.0.4 > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists