[PATCH RT 4/7] mm/slub: do not rely on slab_cached passed to free_delayed()

3.8.13.13-rt25-rc1 stable review patch.
If anyone has any objections, please let me know.

------------------

From: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx>

You can get this backtrace:
| =============================================================================
| BUG dentry (Not tainted): Padding overwritten. 0xf15e1ec0-0xf15e1f1f
| -----------------------------------------------------------------------------
|
| Disabling lock debugging due to kernel taint
| INFO: Slab 0xf6f10b00 objects=21 used=0 fp=0xf15e0480 flags=0x2804080
| CPU: 6 PID: 1 Comm: systemd Tainted: G    B        3.10.17-rt12+ #197
| Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
|  f6f10b00 f6f10b00 f20a3be8 c149da9e f20a3c74 c110b0d6 c15e010c f6f10b00
|  00000015 00000000 f15e0480 02804080 64646150 20676e69 7265766f 74697277
|  2e6e6574 66783020 31653531 2d306365 31667830 66316535 00006631 00000046
| Call Trace:
|  [<c149da9e>] dump_stack+0x16/0x18
|  [<c110b0d6>] slab_err+0x76/0x80
|  [<c110c231>] ? deactivate_slab+0x3f1/0x4a0
|  [<c110c231>] ? deactivate_slab+0x3f1/0x4a0
|  [<c110b56f>] slab_pad_check.part.54+0xbf/0x150
|  [<c110ba04>] __free_slab+0x124/0x130
|  [<c149bb79>] ? __slab_alloc.constprop.69+0x27b/0x5d3
|  [<c110ba39>] free_delayed+0x29/0x40
|  [<c149bec5>] __slab_alloc.constprop.69+0x5c7/0x5d3
|  [<c1126062>] ? __d_alloc+0x22/0x150
|  [<c1126062>] ? __d_alloc+0x22/0x150
|  [<c11265b0>] ? __d_lookup_rcu+0x160/0x160
|  [<c110d912>] kmem_cache_alloc+0x162/0x190
|  [<c112668b>] ? __d_lookup+0xdb/0x1d0
|  [<c1126062>] ? __d_alloc+0x22/0x150
|  [<c1126062>] __d_alloc+0x22/0x150
|  [<c11261a5>] d_alloc+0x15/0x60
|  [<c111aec1>] lookup_dcache+0x71/0xa0
|  [<c111af0e>] __lookup_hash+0x1e/0x40
|  [<c111b374>] lookup_slow+0x34/0x90
|  [<c111c3c7>] link_path_walk+0x737/0x780
|  [<c111a3d4>] ? path_get+0x24/0x40
|  [<c111a3df>] ? path_get+0x2f/0x40
|  [<c111bfb2>] link_path_walk+0x322/0x780
|  [<c111e3ed>] path_openat.isra.54+0x7d/0x400
|  [<c111f32b>] do_filp_open+0x2b/0x70
|  [<c11110a2>] do_sys_open+0xe2/0x1b0
|  [<c14a319f>] ? restore_all+0xf/0xf
|  [<c102bb80>] ? vmalloc_sync_all+0x10/0x10
|  [<c1111192>] SyS_open+0x22/0x30
|  [<c14a393e>] sysenter_do_call+0x12/0x36
| Padding f15e1de0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
| Padding f15e1df0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
| Padding f15e1e00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
| Padding f15e1e70: 6b 6b 6b 6b 6b 6b 6b a5 bb bb bb bb 80 01 5e f1  kkkkkkk.......^.
| Padding f15e1e80: 53 7e 0d c1 c3 bd 49 c1 12 d9 10 c1 53 7e 0d c1  S~....I.....S~..
| Padding f15e1e90: 60 7f 0d c1 e0 05 14 c1 ce d1 13 c1 96 d4 13 c1  `...............
| Padding f15e1ea0: e9 e0 13 c1 f7 48 17 c1 13 6a 17 c1 41 fb 17 c1  .....H...j..A...
| Padding f15e1eb0: 07 a4 11 c1 22 af 11 c1 74 b3 11 c1 06 d2 11 c1  ...."...t.......
| Padding f15e1ec0: c6 d2 11 c1 06 00 00 00 01 00 00 00 f3 dc fe ff  ................
| Padding f15e1ed0: 73 7e 0d c1 5d b4 49 c1 ec c4 10 c1 73 7e 0d c1  s~..].I.....s~..
| Padding f15e1ee0: 50 83 0d c1 79 09 14 c1 fd b9 13 c1 5a f2 13 c1  P...y.......Z...
| Padding f15e1ef0: 7b 1c 28 c1 03 20 28 c1 9e 25 28 c1 b3 26 28 c1  {.(.. (..%(..&(.
| Padding f15e1f00: f4 ab 34 c1 bc 89 30 c1 e5 0d 0a c1 c1 0f 0a c1  ..4...0.........
| Padding f15e1f10: ae 34 0a c1 00 00 00 00 00 00 00 00 f3 dc fe ff  .4..............
| FIX dentry: Restoring 0xf15e1de0-0xf15e1f1f=0x5a
|
| =============================================================================
| BUG dentry (Tainted: G    B       ): Redzone overwritten
| -----------------------------------------------------------------------------
|
| INFO: 0xf15e009c-0xf15e009f. First byte 0x96 instead of 0xbb
| INFO: Allocated in __ext4_get_inode_loc+0x3b7/0x460 age=1054261382 cpu=3239295485 pid=-1055657382
|  ext4_iget+0x63/0x9c0
|  ext4_lookup+0x71/0x180
|  lookup_real+0x17/0x40
|  do_last.isra.53+0x72b/0xbc0
|  path_openat.isra.54+0x9d/0x400
|  do_filp_open+0x2b/0x70
|  do_sys_open+0xe2/0x1b0
|  0x7
|  0x1
|  0xfffedcf2
|  mempool_free_slab+0x13/0x20
|  __slab_free+0x3d/0x3ae
|  kmem_cache_free+0x1bc/0x1d0
|  mempool_free_slab+0x13/0x20
|  mempool_free+0x40/0x90
|  bio_put+0x59/0x70
| INFO: Freed in blk_update_bidi_request+0x13/0x70 age=2779021993 cpu=1515870810 pid=1515870810
|  __blk_end_bidi_request+0x1e/0x50
|  __blk_end_request_all+0x23/0x40
|  virtblk_done+0xf4/0x260
|  vring_interrupt+0x2c/0x50
|  handle_irq_event_percpu+0x45/0x1f0
|  handle_irq_event+0x31/0x50
|  handle_edge_irq+0x6e/0x130
|  0x5
| INFO: Slab 0xf6f10b00 objects=21 used=0 fp=0xf15e0480 flags=0x2804080
| INFO: Object 0xf15e0000 @offset=0 fp=0xc113e0e9

If you try to free memory in irqs_disabled(), it is then added to the
slub_free_list list. The following allocation then might be from a
different kmem_cache. If the two caches have different SLAB_DEBUG_FLAGS
then one might complain about bad markers which are actually not
used.

Cc: stable-rt@xxxxxxxxxxxxxxx
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx>
Signed-off-by: Steven Rostedt <rostedt@xxxxxxxxxxx>
---
 mm/slub.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index f6871c5..7c925ae 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1427,13 +1427,13 @@ static void __free_slab(struct kmem_cache *s, struct page *page)
 	__free_memcg_kmem_pages(page, order);
 }
 
-static void free_delayed(struct kmem_cache *s, struct list_head *h)
+static void free_delayed(struct list_head *h)
 {
 	while(!list_empty(h)) {
 		struct page *page = list_first_entry(h, struct page, lru);
 
 		list_del(&page->lru);
-		__free_slab(s, page);
+		__free_slab(page->slab_cache, page);
 	}
 }
 
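Review bot: the new `__free_slab(page->slab_cache, page)` call in free_delayed() depends on `page->slab_cache` still pointing at the owning cache for as long as the page sits on the deferred list, and nothing in this hunk documents that. A short comment above free_delayed() stating that invariant, and that the list can hold pages from more than one kmem_cache as the changelog describes, would keep a later cleanup from reintroducing a cache argument. The subject line also says "slab_cached" where the field used here is `slab_cache`; worth correcting before it goes into the stable log.
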
@@ -2004,7 +2004,7 @@ static int put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
 				list_splice_init(&f->list, &tofree);
 				raw_spin_unlock(&f->lock);
 				local_irq_restore(flags);
-				free_delayed(s, &tofree);
+				free_delayed(&tofree);
 				oldpage = NULL;
 				pobjects = 0;
 				pages = 0;
@@ -2081,7 +2081,7 @@ static void flush_all(struct kmem_cache *s)
 		raw_spin_lock_irq(&f->lock);
 		list_splice_init(&f->list, &tofree);
 		raw_spin_unlock_irq(&f->lock);
-		free_delayed(s, &tofree);
+		free_delayed(&tofree);
 	}
 }
 
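Review bot: in flush_all(), the `s` argument no longer decides which pages `free_delayed(&tofree)` releases, so this loop frees whatever is on `f->list`, not only slabs belonging to `s`. That matches the changelog, but the signature still reads like a per-cache flush; a one-line comment at the `list_splice_init(&f->list, &tofree)` saying the deferred list is shared across caches would make the behaviour explicit for readers of this function.
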
@@ -2329,7 +2329,7 @@ out:
 	list_splice_init(&f->list, &tofree);
 	raw_spin_unlock(&f->lock);
 	local_irq_restore(flags);
-	free_delayed(s, &tofree);
+	free_delayed(&tofree);
 	return freelist;
 
 new_slab:
-- 
1.8.4.rc3

