lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 27 Jun 2016 15:13:01 +0200 (CEST)
From:	Thomas Gleixner <tglx@...utronix.de>
To:	Vegard Nossum <vegard.nossum@...il.com>
cc:	Sasha Levin <sasha.levin@...cle.com>, Tejun Heo <tj@...nel.org>,
	Lai Jiangshan <jiangshanlai@...il.com>,
	Changbin Du <changbin.du@...el.com>, giometti@...eenne.com,
	LKML <linux-kernel@...r.kernel.org>,
	syzkaller <syzkaller@...glegroups.com>
Subject: Re: Freeing active kobject in pps_device_destruct

On Sat, 25 Jun 2016, Vegard Nossum wrote:
> On 27 November 2015 at 05:30, Sasha Levin <sasha.levin@...cle.com> wrote:

> > (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90

> > [ 1167.394563] Workqueue: events kobject_delayed_cleanup

> > [ 1167.410301]  [<ffffffffab7aac4c>] kfree+0x1fc/0x2f0
> > [ 1167.410734]  [<ffffffffb1f7a447>] pps_device_destruct+0x107/0x110
> > [ 1167.413495]  [<fffffffface715ad>] kobject_delayed_cleanup+0x34d/0x3b0
> > [ 1167.414049]  [<ffffffffab39fa37>] process_one_work+0xab7/0x13b0
> > [ 1167.417188]  [<ffffffffab3a0c6d>] worker_thread+0x93d/0xd20
> > [ 1167.418782]  [<ffffffffab3b34a0>] kthread+0x290/0x2b0
> > [ 1167.422467]  [<ffffffffb4a1290f>] ret_from_fork+0x3f/0x70

> ODEBUG: free active (active state 0) object type: timer_list hint:
> delayed_work_timer_fn+0x0/0x50

> [<ffffffff8132c563>] kfree+0x103/0x2f0
> [<ffffffff8163af91>] disk_release+0x141/0x180
> [<ffffffff818bcc5a>] device_release+0x4a/0x100
> [<ffffffff816763ac>] kobject_delayed_cleanup+0x6c/0xb0
> [<ffffffff810f698d>] process_one_work+0x46d/0xa60
> [<ffffffff810f700b>] worker_thread+0x8b/0x730
> [<ffffffff81100fe2>] kthread+0x192/0x1b0
> [<ffffffff81d6240f>] ret_from_fork+0x1f/0x40

> As far as I can tell, it seems like a general problem with
> kobject_delayed_cleanup() OR delayed work handling. debugobjects is
> complaining about the timer used to delay the work is still "active"
> (not as in hasn't fired but as in not destroyed) when disk_release()

State active means: The timer is queued and has not yet fired.

Which is completely confusing because the delayed work will only be processed
after the timer has fired. And when the timer fires it is deactivated in debug
objects before the callback function is invoked.

So it's really puzzling why the debug objects state of the timer would be
ODEBUG_STATE_ACTIVE, which is the only way that the debug objects free check
can trigger.

Confused!

	tglx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ