lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0705211835140.26666@blonde.wat.veritas.com>
Date:	Mon, 21 May 2007 18:41:12 +0100 (BST)
From:	Hugh Dickins <hugh@...itas.com>
To:	Christoph Lameter <clameter@....com>
cc:	Srihari Vijayaraghavan <sriharivijayaraghavan@...oo.com.au>,
	Oliver Xymoron <oxymoron@...te.org>,
	Jens Axboe <jens.axboe@...cle.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: [PROBLEM] 2.6.22-rc2 panics on x86-64 with slub

On Mon, 21 May 2007, Christoph Lameter wrote:
> On Sun, 20 May 2007, Srihari Vijayaraghavan wrote:
> 
> > With no CONFIG_SLUB_DEBUG, things have slightly improved. No more panic. Good.
> > Serial console is working. Good. But there is another problem:
> 
> > Freeing unused kernel memory: 308k freed
> > BUG: spinlock bad magic on CPU#1, init/1
> >  lock: ffff81011ec0a100, .magic: ffff8101, .owner: <none>/-1, .owner_cpu: -1
> > 
> > Call Trace:
> >  [<ffffffff802fc516>] _raw_spin_lock+0x22/0xf6
> >  [<ffffffff8026f684>] vma_adjust+0x219/0x454
> >  [<ffffffff8026f684>] vma_adjust+0x219/0x454
> >  [<ffffffff8026fe0d>] vma_merge+0x147/0x1f4
> >  [<ffffffff80270b55>] do_mmap_pgoff+0x414/0x7c7
> >  [<ffffffff8040aa34>] _spin_unlock_irq+0x24/0x27
> >  [<ffffffff8020f528>] sys_mmap+0xe5/0x110
> >  [<ffffffff80209dde>] system_call+0x7e/0x83
> 
> Hmmmm..... We have seen this before
> 
> http://marc.info/?l=linux-kernel&m=117891943401284&w=2

Yes, sounded the same to me too: I couldn't reproduce it or see anything
wrong in the code back then.  But Srihari's info about CONFIG_DEBUG_SLUB
off has helped a lot: I was then able to reproduce it on my x86_64, and
after a lot of staring at the code, the problem became obvious...

[PATCH] slub: fix size adjustment when SLUB_DEBUG off

SLUB was corrupting the anon_vma's spinlock when not configured for
SLUB_DEBUG: the size adjustment necessary for SLAB_DESTROY_BY_RCU or
constructor was inside the CONFIG_SLUB_DEBUG appropriate for poisoning.

Signed-off-by: Hugh Dickins <hugh@...itas.com>
---
 mm/slub.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

--- 2.6.22-rc2/mm/slub.c	2007-05-21 13:13:20.000000000 +0100
+++ linux/mm/slub.c	2007-05-21 18:05:57.000000000 +0100
@@ -1917,16 +1917,26 @@ static int calculate_sizes(struct kmem_c
 	 */
 	s->inuse = size;
 
+	if ((flags & SLAB_DESTROY_BY_RCU) || s->ctor) {
+		/*
+		 * Relocate free pointer after the object if it is not
+		 * permitted to overwrite the first word of the object on
+		 * kmem_cache_free.
+		 *
+		 * This is the case if we do RCU or have a constructor.
+		 */
+		s->offset = size;
+		size += sizeof(void *);
+	}
+
 #ifdef CONFIG_SLUB_DEBUG
-	if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
-		s->ctor)) {
+	if (s->flags & __OBJECT_POISON) {
 		/*
 		 * Relocate free pointer after the object if it is not
 		 * permitted to overwrite the first word of the object on
 		 * kmem_cache_free.
 		 *
-		 * This is the case if we do RCU, have a constructor or
-		 * destructor or are poisoning the objects.
+		 * This is the case if we are poisoning the objects.
 		 */
 		s->offset = size;
 		size += sizeof(void *);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ