Date:	Thu, 10 Jul 2008 22:20:45 +0200
From:	"Rafael J. Wysocki" <rjw@...k.pl>
To:	"Vegard Nossum" <vegard.nossum@...il.com>
Cc:	"Dmitry Adamushko" <dmitry.adamushko@...il.com>,
	"Pekka Enberg" <penberg@...helsinki.fi>,
	"Christoph Lameter" <clameter@....com>,
	Yanmin <yanmin_zhang@...ux.intel.com>,
	"Rusty Russell" <rusty@...tcorp.com.au>,
	"Ingo Molnar" <mingo@...e.hu>,
	"Peter Zijlstra" <a.p.zijlstra@...llo.nl>,
	"Dhaval Giani" <dhaval@...ux.vnet.ibm.com>,
	"Gautham R Shenoy" <ego@...ibm.com>,
	"Heiko Carstens" <heiko.carstens@...ibm.com>, miaox@...fujitsu.com,
	"Lai Jiangshan" <laijs@...fujitsu.com>,
	"Avi Kivity" <avi@...ranet.com>, linux-kernel@...r.kernel.org
Subject: Re: v2.6.26-rc9: kernel BUG at kernel/sched.c:5858!

On Thursday, 10 of July 2008, Vegard Nossum wrote:
> Okay, some more info on this one...
> 
> On Thu, Jul 10, 2008 at 4:16 PM, Vegard Nossum <vegard.nossum@...il.com> wrote:
> > BUG: unable to handle kernel paging request at da87d000
> > IP: [<c01991c7>] kmem_cache_alloc+0xc7/0xe0
> > *pde = 28180163 *pte = 1a87d160
> > Oops: 0002 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> > Pid: 3850, comm: grep Not tainted (2.6.26-rc9-00059-gb190333 #5)
> > EIP: 0060:[<c01991c7>] EFLAGS: 00210203 CPU: 0
> > EIP is at kmem_cache_alloc+0xc7/0xe0
> > EAX: 00000000 EBX: da87c100 ECX: 1adad71a EDX: 6b6b6b6b
> > ESI: 00200282 EDI: da87d000 EBP: f60bfe74 ESP: f60bfe54
> >  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> 
> The register %ecx looks innocent but is very important here. The disassembly:
> 
> mov    %edx,%ecx
> shr    $0x2,%ecx
> rep stos %eax,%es:(%edi) <-- the fault
> 
> So %ecx has been loaded from %edx... which is 0x6b6b6b6b/POISON_FREE.
> (0x6b6b6b6b >> 2 == 0x1adadada.)
> 
> %ecx is the counter for the memset, from here:
> 
>         memset(object, 0, c->objsize);
> 
> i.e. %ecx was loaded from c->objsize, so "c" must have been freed.
> Where did "c" come from? Uh-oh...
> 
>         c = get_cpu_slab(s, smp_processor_id());
> 
> This looks like it has very much to do with CPU hotplug/unplug. Is
> there a race between SLUB/hotplug since the CPU slab is used after it
> has been freed?

I wonder if this is related to the fix at:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=70ff05554f91a1edda1f11684da1dbde09e2feea

Rafael
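As an added triage check (not from the mail or the kernel tree): a small C program that parses the register dump quoted above and confirms the reading of it, on the assumption that %ebx still holds the object pointer the memset() started from.

```c
#include <stdio.h>

/* SLUB fills freed objects with POISON_FREE (0x6b), so a 32-bit load from freed memory reads this. */
#define POISON_FREE_WORD 0x6b6b6b6bu

/* Constructed copy of the two register lines from the oops quoted above. */
static const char *const oops_regs[] = {
    "EAX: 00000000 EBX: da87c100 ECX: 1adad71a EDX: 6b6b6b6b",
    "ESI: 00200282 EDI: da87d000 EBP: f60bfe74 ESP: f60bfe54",
};

struct regs { unsigned eax, ebx, ecx, edx, esi, edi, ebp, esp; };

/* Parse the i386 register dump; returns 1 on success, 0 otherwise. */
static int parse_regs(const char *const *lines, struct regs *r)
{
    return sscanf(lines[0], "EAX: %x EBX: %x ECX: %x EDX: %x",
                  &r->eax, &r->ebx, &r->ecx, &r->edx) == 4 &&
           sscanf(lines[1], "ESI: %x EDI: %x EBP: %x ESP: %x",
                  &r->esi, &r->edi, &r->ebp, &r->esp) == 4;
}

/* True if a word is an untouched poison pattern, i.e. it came from freed memory. */
static int is_poison_free(unsigned word) { return word == POISON_FREE_WORD; }

/* "rep stos %eax,%es:(%edi)" decrements %ecx and advances %edi by 4 per store,
 * so the count it started with is %ecx plus the dwords already written.
 * Assumption (not stated in the mail): %ebx still holds the object pointer
 * memset() started from. Returns 0 on a bad dump. */
static unsigned initial_stos_count(const char *const *lines)
{
    struct regs r;
    if (!parse_regs(lines, &r) || r.edi < r.ebx)
        return 0;
    return r.ecx + (r.edi - r.ebx) / 4;
}

/* The faulting %edi is the first byte of a page: the runaway memset() ran off
 * the slab page into one that DEBUG_PAGEALLOC had unmapped. */
static int fault_is_page_aligned(const char *const *lines)
{
    struct regs r;
    return parse_regs(lines, &r) && (r.edi & 0xfff) == 0;
}
int main(void)
{
    printf("memset count started at 0x%x (POISON_FREE >> 2 = 0x%x)\n",
           initial_stos_count(oops_regs), POISON_FREE_WORD >> 2);
    return 0;
}
```

The reconstructed starting count equals 0x6b6b6b6b >> 2, which is what you expect if c->objsize was read from an already-freed per-CPU slab.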