| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 3 May 2008 13:09:51 -0500 From: Jay Cliburn <jacliburn@...lsouth.net> To: linux-kernel@...r.kernel.org, netdev@...r.kernel.org Cc: Chris Snook <csnook@...hat.com> Subject: Need help debugging memory corruption I'm trying to track down a memory corruption bug in the atl1 network device driver that is exposed only when operating with 4GB or more memory. (NB: The driver uses a 32-bit DMA mask.) The bug is hit under certain conditions whenever the network interface is commanded down. The information provided here is against recent -git, but this problem also afflicts the atl1 driver in kernels 2.6.2[345].y. Dmesg and config attached. I can reproduce the bug at will by simply using scp to copy a few hundred megabytes from a remote host, then by executing 'ifconfig eth0 down'. Here is the relevant console output when the bug is hit. I note that the apparent corrupting data beginning at address 0xffff81010fcff402 is actually a received ethernet frame. (The value 00:17:31:4e:9d:41 is the MAC address of the local host, corresponding to the destination address of a received frame.) Can someone with more experience than me please take a look and give me some advice or explain what might be happening here? (What may be obvious to you is probably not obvious to me.) ============================================================================= BUG kmalloc-2048: Poison overwritten ----------------------------------------------------------------------------- INFO: 0xffff81010fcff402-0xffff81010fcff9f9. First byte 0x0 instead of 0x6b INFO: Allocated in dev_alloc_skb+0x16/0x2c age=9459 cpu=0 pid=2754 INFO: Freed in skb_release_data+0xa8/0xad age=9434 cpu=0 pid=2754 INFO: Slab 0xffffe20005d6f540 objects=15 used=0 fp=0xffff81010fcfb1b0 flags=0x8000000000002082 INFO: Object 0xffff81010fcff3f0 @offset=29680 fp=0xffff81010fcfd2d0 Bytes b4 0xffff81010fcff3e0: 3b bd 00 00 01 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ;�......ZZZZZZZZ Object 0xffff81010fcff3f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xffff81010fcff400: 6b 6b 00 17 31 4e 9d 41 00 1b fc 95 53 da 08 00 kk..1N.A..�.S�.. Object 0xffff81010fcff410: 45 08 02 2c 83 1f 40 00 40 06 31 e1 c0 a8 01 03 E..,..@.@.1���.. Object 0xffff81010fcff420: c0 a8 01 70 58 b9 c0 18 93 5f c2 41 51 d2 a7 5d ��.pX��.._�AQҧ] Object 0xffff81010fcff430: 80 18 00 e8 ee ef 00 00 01 01 08 0a 00 e2 58 16 ...���.......�X. Object 0xffff81010fcff440: 00 00 bd 38 4b 93 e4 7f 3e 8d 8c 2b 41 dc 9b 36 ..�8K.�.>..+A�.6 Object 0xffff81010fcff450: 4d 9f b7 cf 2a 2c 07 06 d8 2f 23 de 5a 34 90 cb M.��*,..�/#�Z4. Object 0xffff81010fcff460: 6d d7 36 5b 2c 04 19 06 74 95 3f c5 3c c8 a5 9a m�6[,...t.?�<ȥ. Redzone 0xffff81010fcffbf0: bb bb bb bb bb bb bb bb �������� Padding 0xffff81010fcffc30: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ Pid: 2757, comm: ifconfig Not tainted 2.6.25 #1 Call Trace: [<ffffffff8108cf02>] print_trailer+0x123/0x12c [<ffffffff8108cfaf>] check_bytes_and_report+0xa4/0xcb [<ffffffff8108d2de>] check_object+0xca/0x212 [<ffffffff8108d66d>] __free_slab+0x85/0xfd [<ffffffff811e5cf2>] ? skb_release_data+0xa8/0xad [<ffffffff8108d71d>] discard_slab+0x38/0x3a [<ffffffff8108e0f2>] __slab_free+0xdb/0x2ac [<ffffffff8108e3fa>] kfree+0xbc/0xcc [<ffffffff811e5cf2>] ? skb_release_data+0xa8/0xad [<ffffffff811e5cf2>] skb_release_data+0xa8/0xad [<ffffffff811e63b3>] skb_release_all+0xc9/0xce [<ffffffff811e5b4d>] __kfree_skb+0x11/0x78 [<ffffffff811e5bdb>] kfree_skb+0x27/0x29 [<ffffffffa00e63aa>] :atl1:atl1_clean_rx_ring+0x7e/0xe2 [<ffffffffa00e64d7>] :atl1:atl1_down+0xc9/0xce [<ffffffffa00e8dcd>] :atl1:atl1_close+0x18/0x27 [<ffffffff811ebd43>] dev_close+0x57/0x72 [<ffffffff811eba47>] dev_change_flags+0xa8/0x164 [<ffffffff8122f380>] devinet_ioctl+0x26a/0x5f6 [<ffffffff8122fbad>] inet_ioctl+0x92/0xaa [<ffffffff811df5f4>] sock_ioctl+0x1da/0x202 [<ffffffff8109f186>] vfs_ioctl+0x2a/0x77 [<ffffffff8109f435>] do_vfs_ioctl+0x262/0x27f [<ffffffff8109f4a9>] sys_ioctl+0x57/0x7a [<ffffffff8100bff7>] tracesys+0xd5/0xda FIX kmalloc-2048: Restoring 0xffff81010fcff402-0xffff81010fcff9f9=0x6b Thanks, Jay View attachment "atl1-4g-corrupt-dmesg.txt" of type "text/plain" (50786 bytes) View attachment "atl1-4g-corrupt-config.txt" of type "text/plain" (58853 bytes)
Powered by blists - more mailing lists