Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot - crypto?

Christoph Lameter wrote:

On Tue, 8 May 2007, Kevin Winchester wrote:

Here's the dmesg of the slub_debug run, I'll try the patch next:


Ok someone wrote to an object after it was freed. Not slubs problem.

[    1.367129]     Object 0xffff810001bdecd0:  80 b7 b1 01 00 81 ff ff 6b 6b
6b 6b 6b 6b 6b 6b .·±...kkkkkkkk


The first 8 bytes of the freed object were overwritten.

[    1.374455] Last alloc: cryptomgr_notify+0x28/0x190 jiffies_ago=0 cpu=0
pid=1
[    1.374611] Last free : cryptomgr_probe+0x85/0xb0 jiffies_ago=0 cpu=0
pid=405

Here are some potential candidates that have recently handled the object.That was less than a jiffy ago. So very recent.

Not having any idea what I'm doing, I looked at cryptomgr_probe andcryptomgr_notify, and can't seem to see much, except for the followingodd lines.

From cryptomgr_schedule_probe, which is almost certainly inlined intocrypto_notify:


-----

param = kzalloc(sizeof(*param), GFP_KERNEL);
...
param->thread = kthread_run(cryptomgr_probe, param, "cryptomgr");
if (IS_ERR(param->thread))
   goto err_free_param;

   return NOTIFY_STOP;

err_free_param:
       kfree(param);
err_put_module:
       module_put(THIS_MODULE);
err:
       return NOTIFY_OK;

-----

while cryptomgr_probe does (with a local variable param that points tothe same data):


-----
...
if (err)
   goto err;

out:
   kfree(param);
   module_put_and_exit(0);
-----

Now perhaps I am wrong, but would it be possible for the kthread_run()call to cause cryptomgr_probe to run before the return result is storedinto param->thread? That would mean that param would be accessed afterfreeing.

<changes thread to a local variable in the cryptomgr_schedule_probemethod...compile...test...still fails>


I guess that's not it.

Any thoughts on what might be the cause of this (I've added Herbert Xuto the CC list since he seems to be the crypto maintainer)?


I'll try to add some printk's in there to see if that enlightens me.

Kevin


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot - crypto?
  - From: Herbert Xu <[email protected]>

References:
- 2.6.21-mm1
  - From: Andrew Morton <[email protected]>
- 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot
  - From: Kevin Winchester <[email protected]>
- Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot
  - From: Christoph Lameter <[email protected]>
- Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot
  - From: Kevin Winchester <[email protected]>
- Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot
  - From: Christoph Lameter <[email protected]>

Prev by Date: Re: [2.6.22 PATCH 23/26] dm delay:
Next by Date: Re: [PATCH] change zonelist order v5 [1/3] implements zonelist order selection
Previous by thread: Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot
Next by thread: Re: 2.6.21-mm1 and now 2.6.21-git: SLUB Crashes on boot - crypto?
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]