Re: SLUB Corruption from witin drivers/usb/core/devio.c

[Oncaphillis <oncaphillis@xxxxxxxx>]

On 05/14/2012 04:10 PM, Alan Stern wrote:
> On Mon, 14 May 2012, Oncaphillis wrote:
>
> > But I defonitely see changes in the memory chunk which is assumed to be
> > free.
> > The following shows the contents of the memory chunk which has been freed
> > recently
> >
> > proc_do_submiturb uurb->type==1:USBDEVFS_URB_TYPE_INTERRUPT alloc
> > tb:0xffff880077e7f138
> > async_completed tb:0xffff880077e7f138[00][41] last
> > tb:0xffff88007a2b5a40[6b][6b]
> > free_async free tb:0xffff880077e7f138
> >
> > proc_do_submiturb uurb->type==1:USBDEVFS_URB_TYPE_INTERRUPT alloc
> > tb:0xffff880077e7f138
> > async_completed tb:0xffff880077e7f138[6b][6b] last
> > tb:0xffff880077e7f138[6b][6b]
> > free_async free tb:0xffff880077e7f138
> What is the value of urb->actual_length in async_completed()?

 length m/n tells you the actual_length/transfer_buffer_length
The last pair while accessing the tranfer_buffer seems to be 0/512

<snip>
 === proc_do_submiturb uurb->type==1:USBDEVFS_URB_TYPE_INTERRUPT alloc 
tb:0xffff880077cfadf0 (512)
 === async_completed status==0 length:2/512 e=0 
tb:0xffff880077cfadf0[00][41] last tb:0xffff880079612690[6b][6b]
 === free_async free tb:0xffff880077cfadf0
 === proc_do_submiturb uurb->type==1:USBDEVFS_URB_TYPE_INTERRUPT alloc 
tb:0xffff880077cfadf0 (512)
 === async_completed status==-2 length:0/512 e=0 
tb:0xffff880077cfadf0[6b][6b] last tb:0xffff880077cfadf0[6b][6b]
 === free_async free tb:0xffff880077cfadf0
 === proc_do_submiturb uurb->type==3:USBDEVFS_URB_TYPE_BULK alloc 
tb:0xffff880079612690 (2)
 === async_completed status==0 length:2/2 e=0 
tb:0xffff880079612690[9d][8d] last tb:0xffff880077cfadf0[9d][8d]
 === free_async free tb:0xffff880079612690
 =============================================================================
 BUG kmalloc-512 (Not tainted): Poison overwritten
 -----------------------------------------------------------------------------
 INFO: 0xffff880077cfadf0-0xffff880077cfadf1. First byte 0x9d instead 
of 0x6b
</snip>

> > proc_do_submiturb uurb->type==3:USBDEVFS_URB_TYPE_BULK alloc
> > tb:0xffff88007a2b5a40
> > async_completed tb:0xffff88007a2b5a40[00][41] last
> > tb:0xffff880077e7f138[00][41]<= 'last tb' is assumed to be freed in the
> > last free_async
> > free_async free tb:0xffff88007a2b5a40
> Does the same thing happen on different computers?
 I'm setting up a new machine trying to test this.

 Thanks

> Alan Stern
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-usb" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html