lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20111122084513.GA1688@x4.trippels.de>
Date:	Tue, 22 Nov 2011 09:45:13 +0100
From:	Markus Trippelsdorf <markus@...ppelsdorf.de>
To:	Christoph Lameter <cl@...ux.com>
Cc:	Christian Kujau <lists@...dbynature.de>,
	Benjamin Herrenschmidt <benh@...nel.crashing.org>,
	Eric Dumazet <eric.dumazet@...il.com>,
	"Alex,Shi" <alex.shi@...el.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-mm@...ck.org" <linux-mm@...ck.org>,
	Pekka Enberg <penberg@...nel.org>,
	Matt Mackall <mpm@...enic.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	Tejun Heo <tj@...nel.org>
Subject: Re: WARNING: at mm/slub.c:3357, kernel BUG at mm/slub.c:3413

On 2011.11.21 at 21:18 -0600, Christoph Lameter wrote:
> On Mon, 21 Nov 2011, Christian Kujau wrote:
> 
> > On Tue, 22 Nov 2011 at 07:27, Benjamin Herrenschmidt wrote:
> > > Note that I hit a similar looking crash (sorry, I couldn't capture a
> > > backtrace back then) on a PowerMac G5 (ppc64) while doing a large rsync
> > > transfer yesterday with -rc2-something (cfcfc9ec) and
> > > Christian Kujau (CC) seems to be able to reproduce something similar on
> > > some other ppc platform (Christian, what is your setup ?)
> >
> > I seem to hit it with heavy disk & cpu IO is in progress on this PowerBook
> > G4. Full dmesg & .config: http://nerdbynature.de/bits/3.2.0-rc1/oops/
> >
> > I've enabled some debug options and now it really points to slub.c:2166
> 

I sometimes see the following pattern. Is this a false positive?


=============================================================================
BUG anon_vma: Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0xffff88020f347c80-0xffff88020f347c87. First byte 0xbb instead of 0xcc
INFO: Allocated in anon_vma_fork+0x51/0x140 age=1 cpu=2 pid=1826
	__slab_alloc.constprop.70+0x1ac/0x1e8
	kmem_cache_alloc+0x12e/0x160
	anon_vma_fork+0x51/0x140
	dup_mm+0x1f2/0x4a0
	copy_process+0xd10/0xf70
	do_fork+0x100/0x2b0
	sys_clone+0x23/0x30
	stub_clone+0x13/0x20
INFO: Freed in __put_anon_vma+0x54/0xa0 age=0 cpu=1 pid=1827
	__slab_free+0x33/0x2d0
	kmem_cache_free+0x10e/0x120
	__put_anon_vma+0x54/0xa0
	unlink_anon_vmas+0x12f/0x1c0
	free_pgtables+0x83/0xe0
	exit_mmap+0xee/0x140
	mmput+0x43/0xf0
	flush_old_exec+0x33f/0x630
	load_elf_binary+0x340/0x1960
	search_binary_handler+0x8f/0x180
	do_execve+0x2d3/0x370
	sys_execve+0x42/0x70
	stub_execve+0x6c/0xc0
INFO: Slab 0xffffea00083cd1c0 objects=10 used=9 fp=0xffff88020f347ab8 flags=0x4000000000000081
INFO: Object 0xffff88020f347c40 @offset=3136 fp=0xffff88020f347ab8

Bytes b4 ffff88020f347c30: 39 b6 fb ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  9.......ZZZZZZZZ
Object ffff88020f347c40: 30 c9 9b 0d 02 88 ff ff 01 00 00 00 00 00 5a 5a  0.............ZZ
Object ffff88020f347c50: 50 7c 34 0f 02 88 ff ff 50 7c 34 0f 02 88 ff ff  P|4.....P|4.....
Object ffff88020f347c60: 00 00 00 00 00 00 00 00 00 00 00 00 5a 5a 5a 5a  ............ZZZZ
Object ffff88020f347c70: 70 7c 34 0f 02 88 ff ff 70 7c 34 0f 02 88 ff ff  p|4.....p|4.....
Redzone ffff88020f347c80: bb bb bb bb bb bb bb bb                          ........
Padding ffff88020f347dc0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
Pid: 1820, comm: slabinfo Not tainted 3.2.0-rc2-00369-gbbbc479-dirty #83
Call Trace:
 [<ffffffff81105df8>] ? print_section+0x38/0x40
 [<ffffffff811062f3>] print_trailer+0xe3/0x150
 [<ffffffff811064f0>] check_bytes_and_report+0xe0/0x100
 [<ffffffff81107313>] check_object+0x183/0x240
 [<ffffffff81107eb0>] validate_slab_slab+0x1c0/0x230
 [<ffffffff8110a4a6>] validate_store+0xa6/0x190
 [<ffffffff8110573c>] slab_attr_store+0x1c/0x30
 [<ffffffff81168838>] sysfs_write_file+0xc8/0x140
 [<ffffffff811124a3>] vfs_write+0xa3/0x160
 [<ffffffff81112635>] sys_write+0x45/0x90
 [<ffffffff814d3ffb>] system_call_fastpath+0x16/0x1b
FIX anon_vma: Restoring 0xffff88020f347c80-0xffff88020f347c87=0xcc

=============================================================================
BUG kmalloc-64: Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0xffff880214361970-0xffff880214361977. First byte 0xbb instead of 0xcc
INFO: Allocated in drm_mm_kmalloc+0x37/0xd0 age=14 cpu=0 pid=1539
	__slab_alloc.constprop.70+0x1ac/0x1e8
	kmem_cache_alloc_trace+0x136/0x170
	drm_mm_kmalloc+0x37/0xd0
	drm_mm_get_block_range_generic+0x37/0x80
	ttm_bo_man_get_node+0x8f/0xd0
	ttm_bo_mem_space+0x192/0x380
	ttm_bo_move_buffer+0xe8/0x150
	ttm_bo_validate+0x94/0x110
	ttm_bo_init+0x2a2/0x360
	radeon_bo_create+0x16a/0x2b0
	radeon_gem_object_create+0x55/0xf0
	radeon_gem_create_ioctl+0x52/0xc0
	drm_ioctl+0x404/0x4f0
	do_vfs_ioctl+0x8c/0x500
	sys_ioctl+0x4a/0x80
	system_call_fastpath+0x16/0x1b
INFO: Freed in drm_mm_put_block+0x70/0x80 age=0 cpu=1 pid=766
	__slab_free+0x33/0x2d0
	kfree+0x12b/0x150
	drm_mm_put_block+0x70/0x80
	ttm_bo_man_put_node+0x34/0x50
	ttm_bo_cleanup_memtype_use+0x59/0x80
	ttm_bo_cleanup_refs+0xee/0x150
	ttm_bo_delayed_delete+0xf2/0x150
	ttm_bo_delayed_workqueue+0x1a/0x40
	process_one_work+0x11a/0x430
	worker_thread+0x126/0x2d0
	kthread+0x87/0x90
	kernel_thread_helper+0x4/0x10
INFO: Slab 0xffffea000850d840 objects=10 used=6 fp=0xffff880214361dc8 flags=0x4000000000000081
INFO: Object 0xffff880214361930 @offset=2352 fp=0xffff880214361dc8

Bytes b4 ffff880214361920: 58 ac fb ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  X.......ZZZZZZZZ
Object ffff880214361930: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880214361940: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880214361950: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880214361960: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
Redzone ffff880214361970: bb bb bb bb bb bb bb bb                          ........
Padding ffff880214361ab0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
Pid: 1820, comm: slabinfo Not tainted 3.2.0-rc2-00369-gbbbc479-dirty #83
Call Trace:
 [<ffffffff81105df8>] ? print_section+0x38/0x40
 [<ffffffff811062f3>] print_trailer+0xe3/0x150
 [<ffffffff811064f0>] check_bytes_and_report+0xe0/0x100
 [<ffffffff81107313>] check_object+0x183/0x240
 [<ffffffff81107eb0>] validate_slab_slab+0x1c0/0x230
 [<ffffffff8110a4a6>] validate_store+0xa6/0x190
 [<ffffffff8110573c>] slab_attr_store+0x1c/0x30
 [<ffffffff81168838>] sysfs_write_file+0xc8/0x140
 [<ffffffff811124a3>] vfs_write+0xa3/0x160
 [<ffffffff81112635>] sys_write+0x45/0x90
 [<ffffffff814d3ffb>] system_call_fastpath+0x16/0x1b
FIX kmalloc-64: Restoring 0xffff880214361970-0xffff880214361977=0xcc

=============================================================================
BUG kmalloc-64: Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0xffff880214361970-0xffff880214361977. First byte 0xcc instead of 0xbb
INFO: Allocated in drm_mm_kmalloc+0x37/0xd0 age=1028 cpu=0 pid=1539
	__slab_alloc.constprop.70+0x1ac/0x1e8
	kmem_cache_alloc_trace+0x136/0x170
	drm_mm_kmalloc+0x37/0xd0
	drm_mm_get_block_range_generic+0x37/0x80
	ttm_bo_man_get_node+0x8f/0xd0
	ttm_bo_mem_space+0x192/0x380
	ttm_bo_move_buffer+0xe8/0x150
	ttm_bo_validate+0x94/0x110
	ttm_bo_init+0x2a2/0x360
	radeon_bo_create+0x16a/0x2b0
	radeon_gem_object_create+0x55/0xf0
	radeon_gem_create_ioctl+0x52/0xc0
	drm_ioctl+0x404/0x4f0
	do_vfs_ioctl+0x8c/0x500
	sys_ioctl+0x4a/0x80
	system_call_fastpath+0x16/0x1b
INFO: Freed in drm_mm_put_block+0x70/0x80 age=1014 cpu=1 pid=766
	__slab_free+0x33/0x2d0
	kfree+0x12b/0x150
	drm_mm_put_block+0x70/0x80
	ttm_bo_man_put_node+0x34/0x50
	ttm_bo_cleanup_memtype_use+0x59/0x80
	ttm_bo_cleanup_refs+0xee/0x150
	ttm_bo_delayed_delete+0xf2/0x150
	ttm_bo_delayed_workqueue+0x1a/0x40
	process_one_work+0x11a/0x430
	worker_thread+0x126/0x2d0
	kthread+0x87/0x90
	kernel_thread_helper+0x4/0x10
INFO: Slab 0xffffea000850d840 objects=10 used=10 fp=0x          (null) flags=0x4000000000000080
INFO: Object 0xffff880214361930 @offset=2352 fp=0xffff880214361dc8

Bytes b4 ffff880214361920: 9d b7 fb ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
Object ffff880214361930: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880214361940: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880214361950: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
Object ffff880214361960: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
Redzone ffff880214361970: cc cc cc cc cc cc cc cc                          ........
Padding ffff880214361ab0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
Pid: 1837, comm: uptime Not tainted 3.2.0-rc2-00369-gbbbc479-dirty #83
Call Trace:
 [<ffffffff81105df8>] ? print_section+0x38/0x40
 [<ffffffff811062f3>] print_trailer+0xe3/0x150
 [<ffffffff811064f0>] check_bytes_and_report+0xe0/0x100
 [<ffffffff81107313>] check_object+0x183/0x240
 [<ffffffff8115ab86>] ? proc_reg_open+0x46/0x170
 [<ffffffff814ccbbb>] alloc_debug_processing+0x62/0xe4
 [<ffffffff814cd479>] __slab_alloc.constprop.70+0x1ac/0x1e8
 [<ffffffff8115ab86>] ? proc_reg_open+0x46/0x170
 [<ffffffff8108e416>] ? bit_waitqueue+0x16/0xb0
 [<ffffffff81125b3d>] ? __d_instantiate+0xbd/0xf0
 [<ffffffff811091b6>] kmem_cache_alloc_trace+0x136/0x170
 [<ffffffff8115ab86>] ? proc_reg_open+0x46/0x170
 [<ffffffff8116051e>] ? proc_lookup_de+0xde/0xf0
 [<ffffffff8115ab86>] proc_reg_open+0x46/0x170
 [<ffffffff8115ab40>] ? init_once+0x10/0x10
 [<ffffffff8111055e>] __dentry_open.isra.15+0x20e/0x2f0
 [<ffffffff81095569>] ? in_group_p+0x29/0x30
 [<ffffffff8111122e>] nameidata_to_filp+0x4e/0x60
 [<ffffffff8111f124>] do_last.isra.46+0x2a4/0x7f0
 [<ffffffff8111f736>] path_openat+0xc6/0x370
 [<ffffffff810f634d>] ? do_brk+0x2fd/0x3b0
 [<ffffffff8111c1c6>] ? getname_flags+0x36/0x230
 [<ffffffff810f0582>] ? handle_mm_fault+0x192/0x290
 [<ffffffff8111fa1c>] do_filp_open+0x3c/0x90
 [<ffffffff8112c96c>] ? alloc_fd+0xdc/0x120
 [<ffffffff81111687>] do_sys_open+0xe7/0x1c0
 [<ffffffff8111177b>] sys_open+0x1b/0x20
 [<ffffffff814d3ffb>] system_call_fastpath+0x16/0x1b
FIX kmalloc-64: Restoring 0xffff880214361970-0xffff880214361977=0xbb

FIX kmalloc-64: Marking all objects used
=============================================================================
BUG anon_vma: Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0xffff88020f347c80-0xffff88020f347c87. First byte 0xcc instead of 0xbb
INFO: Allocated in anon_vma_fork+0x51/0x140 age=1034 cpu=2 pid=1826
	__slab_alloc.constprop.70+0x1ac/0x1e8
	kmem_cache_alloc+0x12e/0x160
	anon_vma_fork+0x51/0x140
	dup_mm+0x1f2/0x4a0
	copy_process+0xd10/0xf70
	do_fork+0x100/0x2b0
	sys_clone+0x23/0x30
	stub_clone+0x13/0x20
INFO: Freed in __put_anon_vma+0x54/0xa0 age=1033 cpu=1 pid=1827
	__slab_free+0x33/0x2d0
	kmem_cache_free+0x10e/0x120
	__put_anon_vma+0x54/0xa0
	unlink_anon_vmas+0x12f/0x1c0
	free_pgtables+0x83/0xe0
	exit_mmap+0xee/0x140
	mmput+0x43/0xf0
	flush_old_exec+0x33f/0x630
	load_elf_binary+0x340/0x1960
	search_binary_handler+0x8f/0x180
	do_execve+0x2d3/0x370
	sys_execve+0x42/0x70
	stub_execve+0x6c/0xc0
INFO: Slab 0xffffea00083cd1c0 objects=10 used=10 fp=0x          (null) flags=0x4000000000000080
INFO: Object 0xffff88020f347c40 @offset=3136 fp=0xffff88020f347620

Bytes b4 ffff88020f347c30: 39 b6 fb ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  9.......ZZZZZZZZ
Object ffff88020f347c40: 30 c9 9b 0d 02 88 ff ff 01 00 00 00 00 00 5a 5a  0.............ZZ
Object ffff88020f347c50: 50 7c 34 0f 02 88 ff ff 50 7c 34 0f 02 88 ff ff  P|4.....P|4.....
Object ffff88020f347c60: 00 00 00 00 00 00 00 00 00 00 00 00 5a 5a 5a 5a  ............ZZZZ
Object ffff88020f347c70: 70 7c 34 0f 02 88 ff ff 70 7c 34 0f 02 88 ff ff  p|4.....p|4.....
Redzone ffff88020f347c80: cc cc cc cc cc cc cc cc                          ........
Padding ffff88020f347dc0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
Pid: 1839, comm: date Not tainted 3.2.0-rc2-00369-gbbbc479-dirty #83
Call Trace:
 [<ffffffff81105df8>] ? print_section+0x38/0x40
 [<ffffffff811062f3>] print_trailer+0xe3/0x150
 [<ffffffff811064f0>] check_bytes_and_report+0xe0/0x100
 [<ffffffff81107313>] check_object+0x183/0x240
 [<ffffffff810f9955>] ? anon_vma_prepare+0x115/0x180
 [<ffffffff814ccbbb>] alloc_debug_processing+0x62/0xe4
 [<ffffffff814cd479>] __slab_alloc.constprop.70+0x1ac/0x1e8
 [<ffffffff810f9955>] ? anon_vma_prepare+0x115/0x180
 [<ffffffff810d5a5e>] ? __alloc_pages_nodemask+0xfe/0x7a0
 [<ffffffff8110904e>] kmem_cache_alloc+0x12e/0x160
 [<ffffffff810f9955>] ? anon_vma_prepare+0x115/0x180
 [<ffffffff810f9895>] ? anon_vma_prepare+0x55/0x180
 [<ffffffff810f9955>] anon_vma_prepare+0x115/0x180
 [<ffffffff810f00f1>] handle_pte_fault+0x611/0x7d0
 [<ffffffff8105c79a>] ? pte_alloc_one+0x3a/0x40
 [<ffffffff810edf46>] ? __pte_alloc+0x76/0x110
 [<ffffffff8110fb42>] do_huge_pmd_anonymous_page+0xb2/0x2f0
 [<ffffffff810f634d>] ? do_brk+0x2fd/0x3b0
 [<ffffffff810f0524>] handle_mm_fault+0x134/0x290
 [<ffffffff810591b2>] do_page_fault+0x112/0x440
 [<ffffffff810f428b>] ? vma_link+0x9b/0xa0
 [<ffffffff810f62ba>] ? do_brk+0x26a/0x3b0
 [<ffffffff81045429>] ? init_fpu+0xb9/0x150
 [<ffffffff814d3bef>] page_fault+0x1f/0x30
FIX anon_vma: Restoring 0xffff88020f347c80-0xffff88020f347c87=0xbb

FIX anon_vma: Marking all objects used

-- 
Markus
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ