lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.64.0904281425040.2455@galaxy.riz.pl>
Date:	Tue, 28 Apr 2009 14:43:37 +0200 (CEST)
From:	Bart <mmx@....pl>
To:	FUJITA Tomonori <fujita.tomonori@....ntt.co.jp>
cc:	rientjes@...gle.com, cl@...ux.com, penberg@...helsinki.fi,
	linux-kernel@...r.kernel.org, kernel-testers@...r.kernel.org,
	rjw@...k.pl, akpm@...ux-foundation.org, jens.axboe@...cle.com
Subject: Re: [Bug #13112] Oops in drain_array

> On Mon, 27 Apr 2009 13:36:46 -0700 (PDT)
> David Rientjes <rientjes@...gle.com> wrote:
>
>> On Mon, 27 Apr 2009, Bart wrote:
>>
>>> After turning the suggested debuging options I've got tons of these when
>>> trying to stress the tape device like before:
>>>
>>> Apr 27 16:57:30 fs kernel: [   96.446708] slab error in verify_redzone_free():
>>> cache `size-128': memory outside object was overwritten
>>> Apr 27 16:57:30 fs kernel: [   96.446713] Pid: 0, comm: swapper Not tainted
>>> 2.6.29.1-64 #2
>>> Apr 27 16:57:30 fs kernel: [   96.446715] Call Trace:
>>> Apr 27 16:57:30 fs kernel: [   96.446717]  <IRQ>  [<ffffffff8029adc5>]
>>> __slab_error+0x1f/0x25
>>> Apr 27 16:57:30 fs kernel: [   96.446728]  [<ffffffff8029b24b>]
>>> cache_free_debugcheck+0x108/0x1d6
>>> Apr 27 16:57:30 fs kernel: [   96.446731]  [<ffffffff8029b473>]
>>> kfree+0x81/0xc2
>>> Apr 27 16:57:30 fs kernel: [   96.446735]  [<ffffffff802bd311>]
>>> bio_free_map_data+0xc/0x1e
>>
>> This appears to be kfree(bmd->iovecs) in bio_free_map_data().  It looks
>> like the memcpy size in bio_set_map_data() overrides the kmalloc size; in
>> other words, for a redzone error, bio->bi_vcnt > nr_pages in
>> bio_copy_user_iov().
>
> Can you try this?
>
> diff --git a/fs/bio.c b/fs/bio.c
> index 7bbc98f..6a09356 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -817,6 +817,9 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
> 		len += iov[i].iov_len;
> 	}
>
> +	if (offset)
> +		nr_pages += 1;
> +
> 	bmd = bio_alloc_map_data(nr_pages, iov_count, gfp_mask);
> 	if (!bmd)
> 		return ERR_PTR(-ENOMEM);
>

There are no more errors in the dmesg after applying this patch to 
2.6.29.2.

Without this patch I can reproduce this kind of errors on 
2.6.29.1, 2.6.29.2.

I've not tested this patch with 2.6.29.1 and 2.6.30rc3-git3.
I will try to reproduce the error on 2.6.30rc3-git3 as soon as I compile 
it.

-- 
  Regards
  Bart mmx@....pl
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ