lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <19f34abd0902102355o5bf51096o9aa3737e87104fb9@mail.gmail.com>
Date:	Wed, 11 Feb 2009 08:55:08 +0100
From:	Vegard Nossum <vegard.nossum@...il.com>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	Eric Sesterhenn <snakebyte@....de>, linux-kernel@...r.kernel.org
Subject: Re: namespaces?: bug at mm/slub.c:2750

On Sat, Feb 7, 2009 at 1:15 AM, Andrew Morton <akpm@...ux-foundation.org> wrote:
> On Fri, 6 Feb 2009 12:35:56 +0100
> Eric Sesterhenn <snakebyte@....de> wrote:
>>
>> with todays -git i get the following bug when i reboot the machine
>>
>> [   94.369135] ------------[ cut here ]------------
>> [   94.369344] kernel BUG at mm/slub.c:2750!

[...]

> Well that's ugly.  We seem to have passed a non-slab address into
> kfree().
>
> void kfree(const void *x)
> {
>        struct page *page;
>        void *object = (void *)x;
>
>        if (unlikely(ZERO_OR_NULL_PTR(x)))
>                return;
>
>        page = virt_to_head_page(x);
>        if (unlikely(!PageSlab(page))) {
>                BUG_ON(!PageCompound(page));
>
>
> doing BUG_ON(!PageCompound) is a rather odd way of reporting that.
>

This might be pointing out the obvious, but page allocator
pass-through means that we can't really tell slab pages from page
allocator pages. But since pass-through uses GFP_COMP, we know it'd be
a bug to pass a non-compound page into this function.

> I'm unsure what could have caused this.  Could you have a play around
> please?  Set all the memory debug options, try using slab instead of
> slub, etc?

I think it is trying to free the init_user_ns (because of a
refcounting bug). I am able to reproduce it with a clean stack trace:

[  648.864710] ------------[ cut here ]------------
[  648.865554] kernel BUG at mm/slub.c:2750!
[  648.865554] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
[  648.865554] last sysfs file: /sys/devices/pnp0/00:0d/id
[  648.865554] CPU 1
[  648.865554] Modules linked in:
[  648.865554] Pid: 917, comm: udevd Not tainted 2.6.29-rc3 #223
[  648.865554] RIP: 0010:[<ffffffff810b99c9>]  [<ffffffff810b99c9>]
kfree+0x29/0x87
[  648.865554] RSP: 0018:ffff88003f187e28  EFLAGS: 00010246
[  648.865554] RAX: 0100000000000400 RBX: ffffffff8171fe00 RCX: 0000000000000086
[  648.865554] RDX: ffffe20000050ec8 RSI: 0000000000000085 RDI: ffffe20000050ec8
[  648.865554] RBP: ffff88003f187e38 R08: 0000000000000000 R09: ffffffff81819cb0
[  648.865554] R10: 0000000000000002 R11: ffff88003f187e98 R12: ffffffff81072144
[  648.865554] R13: 00000000000000cf R14: ffffffff818b13e0 R15: 000000000000000a
[  648.865554] FS:  0000000000000000(0000) GS:ffff88003f156f80(0063)
knlGS:00000000f7fac700
[  648.865554] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
[  648.865554] CR2: 0000000009b2d630 CR3: 000000003e92c000 CR4: 00000000000006a0
[  648.865554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  648.865554] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  648.865554] Process udevd (pid: 917, threadinfo ffff88003e458000,
task ffff88003f1b8e80)
[  648.865554] Stack:
[  648.865554]  ffffffff8171fe00 ffffffff81072144 ffff88003f187e58
ffffffff81072169
[  648.865554]  ffffffff818b13e0 ffffffff8171fe00 ffff88003f187e78
ffffffff811b2f68
[  648.865554]  ffff88003dd4c500 0000000000000286 ffff88003f187e98
ffffffff81046712
[  648.865554] Call Trace:
[  648.865554]  <IRQ> <0> [<ffffffff81072144>] ? free_user_ns+0x0/0x29
[  648.865554]  [<ffffffff81072169>] free_user_ns+0x25/0x29
[  648.865554]  [<ffffffff811b2f68>] kref_put+0x66/0x72
[  648.865554]  [<ffffffff81046712>] free_uid+0x4f/0x90
[  648.865554]  [<ffffffff810555b8>] put_cred_rcu+0xa5/0xb9
[  648.865554]  [<ffffffff8107ea86>] __rcu_process_callbacks+0x1f4/0x263
[  648.865554]  [<ffffffff8107eb2c>] rcu_process_callbacks+0x37/0x5d
[  648.865554]  [<ffffffff81041bd3>] __do_softirq+0x88/0x149
[  648.865554]  [<ffffffff8100d53c>] call_softirq+0x1c/0x28
[  648.865554]  [<ffffffff8100e4e9>] do_softirq+0x39/0x7b
[  648.865554]  [<ffffffff81041946>] irq_exit+0x44/0x7e
[  648.865554]  [<ffffffff814c3d8f>] smp_apic_timer_interrupt+0x98/0xb1
[  648.865554]  [<ffffffff8100cf73>] apic_timer_interrupt+0x13/0x20
[  648.865554]  <EOI> <0>Code: c9 c3 55 48 89 e5 41 54 53 0f 1f 44 00
00 48 83 ff 10 48 89 fb 7
6 6d e8 1d ed ff ff 48 89 c7 48 8b 00 84 c0 78 10 f6 c4 60 75 04 <0f>
0b eb fe e8 f4 cd fd ff e
b 4e 48 8b 4d 08 4c 8b 4f 10 9c 41
[  648.865554] RIP  [<ffffffff810b99c9>] kfree+0x29/0x87
[  648.865554]  RSP <ffff88003f187e28>
[  649.131912] ---[ end trace a48f49f69d2bcb3e ]---
[  649.136840] Kernel panic - not syncing: Fatal exception in interrupt
[  649.143558] Rebooting in 10 seconds..

And if you look closely in the stack dump, you will find init_user_ns:

ffffffff8171fe00 D init_user_ns

In case you missed it, KOSAKI Motohiro posted a similar stack-trace
(but not the same BUG) in this thread:
http://lkml.org/lkml/2009/2/10/7


Vegard

-- 
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
	-- E. W. Dijkstra, EWD1036
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ