Re: [git pull] Input update for 2.6.17

On Tue, 27 Jun 2006, Linus Torvalds wrote:
>
>	slab error in verify_redzone_free(): cache `size-512': memory outside object was overwritten
	...
> 	 dd977458: redzone 1:0x5a5a5a5a, redzone 2:0x170fc2a5.

Ok, it's definitely repeatable, although with small variations.

Now, in verify_redzone_free(), the redzone values _should_ have been 
RED_ACTIVE (which is 0x170FC2A5), so here the end-of-zone marker is ok, 
but the beginning has been overwritten with the normal kmalloc poison 
bytes (5a).

In the second version, I got:

	slab error in verify_redzone_free(): cache `size-512': memory outside object was overwritten
	 <c0103d31> show_trace+0xd/0x10  <c0104317> dump_stack+0x19/0x1b
	 <c015c5a8> __slab_error+0x17/0x1c  <c015c657> cache_free_debugcheck+0xaa/0x181
	 <c015cc61> kfree+0x75/0xaa  <df0d5146> hci_usb_close+0xbf/0x11d [hci_usb]
	 <df0d51cb> hci_usb_disconnect+0x27/0x67 [hci_usb]  <c02ab0c7> usb_unbind_interface+0x37/0x6e
	 <c024276f> __device_release_driver+0x63/0x79  <c02429c1> device_release_driver+0x2e/0x3e
	 <c02420b8> bus_remove_device+0x7e/0x8e  <c024104a> device_del+0x115/0x149
	 <c02a96f0> usb_disable_device+0xca/0x12d  <c02a5617> usb_disconnect+0x9d/0x117
	 <c02a676e> hub_thread+0x5d4/0xd8a  <c0132ec1> kthread+0xc5/0xf1
	 <c0101005> kernel_thread_helper+0x5/0xb 
	d570528c: redzone 1:0x5a5a5a5a, redzone 2:0x5a2cf071.

ie now "redzone 2" (which again should be RED_ACTIVE: 0x170FC2A5) is 
actually RED_INACTIVE (0x5A2CF071), which means that the thing basically 
got free'd twice (and corrupted in between).

So I think "hci_usb_close()" is freeing a pointer that it (or somebody 
else) already freed once, and depending on what has happened in the 
meantime to it, it's either allocated by somebody else, or got freed 
again. 

It seems to be inside hci_usb_unlink_urbs() (which has been inlined).

I _think_ it's the

                        kfree(urb->transfer_buffer);

in the "released completed requests" loop. That's if I read the assembly 
right.. (and I'm pretty sure I do - it's just before releasing the urb 
itself which ends up being just another kfree()).

Anyway, "urb->transfer_buffer" was initialized with

	urb->transfer_buffer = skb->data;

and I'm pretty damn sure you're supposed to just kfree() it.

So Marcel, I think this is a hci_usb.c bug. But I'm not able to fix it, 
unless the fix is to just remove that kfree entirely.

			Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [git pull] Input update for 2.6.17
  - From: Jeff Garzik <[email protected]>

References:
- [git pull] Input update for 2.6.17
  - From: Dmitry Torokhov <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Linus Torvalds <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Greg KH <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Linus Torvalds <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Linus Torvalds <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Linus Torvalds <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Marcel Holtmann <[email protected]>
- Re: [git pull] Input update for 2.6.17
  - From: Linus Torvalds <[email protected]>

Prev by Date: Re: Network namespaces a path to mergable code.
Next by Date: [klibc 02/31] Main Makefile changes for klibc
Previous by thread: Re: [git pull] Input update for 2.6.17
Next by thread: Re: [git pull] Input update for 2.6.17
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]