Re: 2.6.13-rc3 udev/hotplug use memory after free
On Mon, 25 Jul 2005 15:01:19 -0700, Andrew Morton <[EMAIL PROTECTED]> wrote:
>Keith Owens <[EMAIL PROTECTED]> wrote:
>>
>> 2.6.13-rc3 + kdb (which does not touch udev/hotplug) on IA64 (Altix).
>> gcc version 3.3.3 (SuSE Linux). Compiled with DEBUG_SLAB,
>> DEBUG_PREEMPT, DEBUG_SPINLOCK, DEBUG_SPINLOCK_SLEEP, DEBUG_KOBJECT.
>>
>> There is a use after free somewhere above class_device_attr_show.
>
>Can we obtain a backtrace for this one, Keith? The function itself is
>pretty innocuous and is used by many callers. I'd be suspecting a bug in
>the caller.

I no longer have the backtrace. This 2.6.13-rc3 system has been booted
50+ times (ia64 MCA testing) and only once did it break. If it recurs,
I'll do some more digging.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: 2.6.13-rc3 udev/hotplug use memory after free
Keith Owens <[EMAIL PROTECTED]> wrote:
>
> 2.6.13-rc3 + kdb (which does not touch udev/hotplug) on IA64 (Altix).
> gcc version 3.3.3 (SuSE Linux). Compiled with DEBUG_SLAB,
> DEBUG_PREEMPT, DEBUG_SPINLOCK, DEBUG_SPINLOCK_SLEEP, DEBUG_KOBJECT.
>
> There is a use after free somewhere above class_device_attr_show.

Can we obtain a backtrace for this one, Keith? The function itself is
pretty innocuous and is used by many callers. I'd be suspecting a bug in
the caller.
2.6.13-rc3 udev/hotplug use memory after free
2.6.13-rc3 + kdb (which does not touch udev/hotplug) on IA64 (Altix).
gcc version 3.3.3 (SuSE Linux). Compiled with DEBUG_SLAB,
DEBUG_PREEMPT, DEBUG_SPINLOCK, DEBUG_SPINLOCK_SLEEP, DEBUG_KOBJECT.

There is a use after free somewhere above class_device_attr_show.

<7>fill_kobj_path: path = '/class/vc/vcs13'
<7>kobject_hotplug: /sbin/hotplug vc seq=1377 HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin ACTION=remove DEVPATH=/class/vc/vcs13 SUBSYSTEM=vc
<7>kobject vcs13: cleaning up
<7>kobject_hotplug
<7>fill_kobj_path: path = '/class/vc/vcsa13'
<1>Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
<4>udev[13708]: Oops 8813272891392 [1]
<7>kobject_hotplug: /sbin/hotplug vc seq=1378 HOME=/ PATH=/sbin:/bin:/usr/sbin:/usr/bin ACTION=remove DEVPATH=/class/vc/vcsa13 SUBSYSTEM=vc
<4>Modules linked in: md5 ipv6 usbcore raid0 md_mod nls_iso8859_1 nls_cp437 dm_mod sg st osst
<4>
<4>Pid: 13708, CPU 0, comm: udev
<4>psr : 101008126038 ifs : 8308 ip : [<a001004c8ed0>] Not tainted
<4>ip is at class_device_attr_show+0x50/0xa0

The offending code is

[0]kdb> id class_device_attr_show
0xa001004c8e80 class_device_attr_show[MII] alloc r36=ar.pfs,8,6,0
0xa001004c8e86 class_device_attr_show+0x6 mov r8=r0;;
0xa001004c8e8c class_device_attr_show+0xc adds r2=24,r33
0xa001004c8e90 class_device_attr_show+0x10[MMI] mov r37=r1
0xa001004c8e96 class_device_attr_show+0x16 mov r39=r34
0xa001004c8e9c class_device_attr_show+0x1c adds r38=-16,r32
0xa001004c8ea0 class_device_attr_show+0x20[MII] nop.m 0x0
0xa001004c8ea6 class_device_attr_show+0x26 mov r35=b0;;
0xa001004c8eac class_device_attr_show+0x2c mov.i ar.pfs=r36
0xa001004c8eb0 class_device_attr_show+0x30[MII] ld8 r33=[r2]
0xa001004c8eb6 class_device_attr_show+0x36 mov b0=r35;;
0xa001004c8ebc class_device_attr_show+0x3c cmp.eq p8,p9=0,r33
0xa001004c8ec0 class_device_attr_show+0x40[MBB] nop.m 0x0
0xa001004c8ec6 class_device_attr_show+0x46 (p09) br.cond.dpnt.few 0xa001004c8ed0 class_device_attr_show+0x50
0xa001004c8ecc class_device_attr_show+0x4c br.ret.sptk.many b0
0xa001004c8ed0 class_device_attr_show+0x50[MMI] ld8 r8=[r33],8;;
0xa001004c8ed6 class_device_attr_show+0x56 ld8 r1=[r33],-8
0xa001004c8edc class_device_attr_show+0x5c mov b7=r8

At the oops, r33 has been loaded from [r2], r33 contains
0x6b6b6b6b6b6b6b6b. IOW, use after free.

[0]kdb> r
psr: 0x101008126038 ifs: 0x8308 ip: 0xa001004c8ed0
unat: 0x pfs: 0x0711 rsc: 0x0003
rnat: 0xe0b47a429e78 bsps: 0xe0b00bf5d320 pr: 0x00155659
ldrs: 0x ccv: 0x fpsr: 0x0009804c0270033f
b0: 0xa001001fc830 b6: 0xa001f4e0 b7: 0xa001004c8e80
r1: 0xa00100d31900 r2: 0xe03473de5080 r3: 0xe03008f78da4
r8: 0x r9: 0xa00100b4b818 r10: 0xe0b07727
r11: 0x02c1dc9c r12: 0xe03008f7fe20 r13: 0xe03008f78000
r14: 0xa001004c8e80 r15: 0xe0b07727 r16: 0x6db6db6db6db6db7
r17: 0x9a684220 r18: 0xa0007fff62138000 r19: 0xe0b003031318
r20: 0xe0b003030080 r21: 0x0001 r22: 0xa00100b4b818
r23: 0xa00100d23100 r24: 0x134d0844 r25: 0x9a684220
r26: 0xa001008732d8 r27: 0xe03004fe8188 r28: 0xe0b003030080
r29: 0xa00100d23120 r30: 0x0004 r31: 0x0100

[0]kdb> r s
r32: e034714fbb30 r33: 6b6b6b6b6b6b6b6b r34: e0b07727 r35: a001001fc830
r36: 0711 r37: a00100d31900 r38: e034714fbb20 r39: e0b07727

Dumping where r2 points, the area has been reused by the time that the
oops occurred. Again, use after free.

[0]kdb> mds 0xe03473de5080-24
0xe03473de5068 2d646c2f62696c2f /lib/ld-
0xe03473de5070 61692d78756e696c linux-ia
0xe03473de5078 322e6f732e3436 64.so.2.
0xe03473de5080 5a5a5a5a5a5a5a5a
0xe03473de5088 5a5a5a5a5a5a5a5a
0xe03473de5090 5a5a5a5a5a5a5a5a
0xe03473de5098 5a5a5a5a5a5a5a5a
0xe03473de50a0 a55a5a5a5a5a5a5a ZZZ.

ps. Handy things, kernel debuggers ...
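The report reads the bad pointer 0x6b6b6b6b6b6b6b6b and the 0x5a.../0xa5 dump as slab debug fill patterns. The following is an added example, not part of the original post or of the kernel source, that classifies dump words by those patterns. The byte values are the kernel's POISON_INUSE, POISON_FREE and POISON_END; the function names, the enum and the little-endian word layout are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

/* Fill bytes written by the kernel's slab debugging (DEBUG_SLAB). */
#define POISON_INUSE 0x5a /* object allocated, contents not yet initialised */
#define POISON_FREE  0x6b /* object freed */
#define POISON_END   0xa5 /* final byte of a poisoned object */

enum poison_kind { NOT_POISON, FREED, UNINIT, FREED_END, UNINIT_END };

/* Classify one 64-bit word as a little-endian machine would load it. */
enum poison_kind classify_word(uint64_t w)
{
    uint8_t fill = (uint8_t)(w & 0xff); /* lowest-address byte */
    uint8_t last = (uint8_t)(w >> 56);  /* highest-address byte */

    if (fill != POISON_FREE && fill != POISON_INUSE)
        return NOT_POISON;
    for (int i = 1; i < 7; i++)
        if (((w >> (8 * i)) & 0xff) != fill)
            return NOT_POISON;
    if (last == fill)
        return fill == POISON_FREE ? FREED : UNINIT;
    if (last == POISON_END)
        return fill == POISON_FREE ? FREED_END : UNINIT_END;
    return NOT_POISON;
}

/* Index of the first poisoned word in a dump (-1 if none); *end gets the
 * index of the word carrying POISON_END, i.e. the object's last word. */
long find_poison_run(const uint64_t *words, size_t n, long *end)
{
    long start = -1;
    *end = -1;
    for (size_t i = 0; i < n; i++) {
        enum poison_kind k = classify_word(words[i]);
        if (k == NOT_POISON && start >= 0) break;
        if (k == NOT_POISON) continue;
        if (start < 0) start = (long)i;
        if (k == FREED_END || k == UNINIT_END) { *end = (long)i; break; }
    }
    return start;
}

/* The eight words of the mds dump in the report, copied as printed there. */
static const uint64_t mds_dump[8] = {
    0x2d646c2f62696c2fULL, 0x61692d78756e696cULL, 0x322e6f732e3436ULL,
    0x5a5a5a5a5a5a5a5aULL, 0x5a5a5a5a5a5a5a5aULL, 0x5a5a5a5a5a5a5a5aULL,
    0x5a5a5a5a5a5a5a5aULL, 0xa55a5a5a5a5a5a5aULL,
};
```

On the report's data, the r33 value classifies as FREED, while the memory r2 points at classifies as UNINIT up to its end marker, which matches the observation that the area had been reallocated by the time of the oops.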