fs,eventfd: BUG kmalloc-128, Poison overwritten

From: Sasha Levin
Date: Thu May 24 2012 - 14:22:19 EST


Hi all,

During fuzzing with trinity inside a KVM tools guest, using latest linux-next, I've stumbled on the following:

[ 1113.948407] =============================================================================
[ 1113.949014] BUG kmalloc-128 (Tainted: G W ): Poison overwritten
[ 1113.949014] -----------------------------------------------------------------------------
[ 1113.949014]
[ 1113.949014] INFO: 0xffff8800496c8000-0xffff8800496c8000. First byte 0x6a instead of 0x6b
[ 1113.949014] INFO: Allocated in eventfd_file_create+0x4d/0xd0 age=54768 cpu=4 pid=15908
[ 1113.949014] __slab_alloc+0x638/0x6f0
[ 1113.949014] kmem_cache_alloc_trace+0xbb/0x230
[ 1113.949014] eventfd_file_create+0x4d/0xd0
[ 1113.949014] sys_eventfd2+0x3a/0x80
[ 1113.949014] system_call_fastpath+0x16/0x1b
[ 1113.949014] INFO: Freed in eventfd_ctx_put+0x14/0x20 age=51749 cpu=4 pid=15908
[ 1113.949014] __slab_free+0x33/0x560
[ 1113.949014] kfree+0x2bb/0x2d0
[ 1113.949014] eventfd_ctx_put+0x14/0x20
[ 1113.949014] eventfd_release+0x30/0x40
[ 1113.949014] __fput+0x11a/0x2c0
[ 1113.949014] fput+0x15/0x20
[ 1113.949014] filp_close+0x82/0xa0
[ 1113.949014] close_files+0x1b4/0x200
[ 1113.949014] put_files_struct+0x21/0x180
[ 1113.949014] exit_files+0x4d/0x60
[ 1113.949014] do_exit+0x322/0x510
[ 1113.949014] do_group_exit+0xa1/0xe0
[ 1113.949014] sys_exit_group+0x12/0x20
[ 1113.949014] system_call_fastpath+0x16/0x1b
[ 1113.949014] INFO: Slab 0xffffea000125b200 objects=17 used=17 fp=0x (null) flags=0x150000000004080
[ 1113.949014] INFO: Object 0xffff8800496c8000 @offset=0 fp=0xffff8800496c81c8
[ 1113.949014]
[ 1113.949014] Object ffff8800496c8000: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8020: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8030: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8040: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8050: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8060: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 1113.949014] Object ffff8800496c8070: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 1113.949014] Redzone ffff8800496c8080: bb bb bb bb bb bb bb bb ........
[ 1113.949014] Padding ffff8800496c81c0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 1113.949014] Pid: 16574, comm: trinity Tainted: G W 3.4.0-next-20120524-sasha-00003-ge89ff01 #281
[ 1113.949014] Call Trace:
[ 1113.949014] [<ffffffff81217b12>] print_trailer+0x132/0x140
[ 1113.949014] [<ffffffff81217f51>] check_bytes_and_report+0xe1/0x130
[ 1113.949014] [<ffffffff8121a17c>] check_object+0xcc/0x220
[ 1113.949014] [<ffffffff812adaaf>] ? sysfs_get_open_dirent+0x9f/0x150
[ 1113.949014] [<ffffffff8121a726>] alloc_debug_processing+0xb6/0x160
[ 1113.949014] [<ffffffff8121cd08>] __slab_alloc+0x638/0x6f0
[ 1113.949014] [<ffffffff8114932d>] ? trace_hardirqs_on+0xd/0x10
[ 1113.949014] [<ffffffff812adaaf>] ? sysfs_get_open_dirent+0x9f/0x150
[ 1113.949014] [<ffffffff81146c6d>] ? __lock_acquired+0x3d/0x2e0
[ 1113.949014] [<ffffffff812ada36>] ? sysfs_get_open_dirent+0x26/0x150
[ 1113.949014] [<ffffffff8121de4b>] kmem_cache_alloc_trace+0xbb/0x230
[ 1113.949014] [<ffffffff812adaaf>] ? sysfs_get_open_dirent+0x9f/0x150
[ 1113.949014] [<ffffffff812adaaf>] sysfs_get_open_dirent+0x9f/0x150
[ 1113.949014] [<ffffffff812adc9d>] sysfs_open_file+0x13d/0x190
[ 1113.949014] [<ffffffff812adb60>] ? sysfs_get_open_dirent+0x150/0x150
[ 1113.949014] [<ffffffff8122f5c9>] __dentry_open+0x229/0x370
[ 1113.949014] [<ffffffff8122f775>] nameidata_to_filp+0x65/0x80
[ 1113.949014] [<ffffffff8124019c>] do_last+0x67c/0x850
[ 1113.949014] [<ffffffff81241187>] path_openat+0xd7/0x4a0
[ 1113.949014] [<ffffffff81241664>] do_filp_open+0x44/0xa0
[ 1113.949014] [<ffffffff82f71a50>] ? _raw_spin_unlock+0x30/0x60
[ 1113.949014] [<ffffffff81250abd>] ? alloc_fd+0x1ed/0x200
[ 1113.949014] [<ffffffff81230a05>] do_sys_open+0x125/0x1c0
[ 1113.949014] [<ffffffff81230adc>] sys_open+0x1c/0x20
[ 1113.949014] [<ffffffff82f72bf9>] system_call_fastpath+0x16/0x1b
[ 1113.949014] FIX kmalloc-128: Restoring 0xffff8800496c8000-0xffff8800496c8000=0x6b
[ 1113.949014]
[ 1113.949014] FIX kmalloc-128: Marking all objects used
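Added example, not code from the post, the kernel or trinity: a small userspace model of the SLUB free-object poison check behind the report above, applied to a constructed copy of the dumped object. The poison values are SLUB's own (0x6b for the body, 0xa5 for the last byte, as the hexdump shows); the object bytes are built from the "Object ffff8800496c80x0" lines, so offset 0 reads 0x6a and everything else is intact. The helper that reads the 32-bit word containing the bad byte and reports how far it moved from all-poison is an interpretation added here: a delta of -1 at offset 0 is the footprint one atomic decrement of a counter at the start of the freed object would leave, but the post does not say that is what happened. All function names are this example's own.

```c
/* Added example: userspace model of SLUB's free-object poison check. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b   /* body of a freed object, "k" in the hexdump */
#define POISON_END  0xa5   /* last byte of a freed object, "." in the hexdump */
#define OBJ_SIZE    128    /* kmalloc-128 */

/* first/last: offsets of the bad run; expected/seen: poison wanted vs found */
struct mismatch { size_t first, last; uint8_t expected, seen; };

/* Fill a buffer the way SLUB leaves a freed kmalloc-128 object. */
void poison_free_object(uint8_t *obj)
{
    memset(obj, POISON_FREE, OBJ_SIZE - 1);
    obj[OBJ_SIZE - 1] = POISON_END;
}

/* Model of check_bytes_and_report() in mm/slub.c: scan [start, start+len)
 * for `value`; on a mismatch record the first and last offending bytes
 * (the "INFO: <from>-<to>. First byte ..." line). Returns 1 on mismatch. */
int check_bytes(const uint8_t *start, size_t len, uint8_t value, struct mismatch *m)
{
    size_t i = 0, end = len;
    while (i < len && start[i] == value)
        i++;
    if (i == len)
        return 0;
    while (end > i && start[end - 1] == value)
        end--;
    m->first = i;
    m->last = end - 1;
    m->expected = value;
    m->seen = start[i];
    return 1;
}

/* The free-object half of check_object(): poisoned body, then the end marker. */
int check_free_object(const uint8_t *obj, struct mismatch *m)
{
    if (check_bytes(obj, OBJ_SIZE - 1, POISON_FREE, m))
        return 1;
    if (check_bytes(obj + OBJ_SIZE - 1, 1, POISON_END, m)) {
        m->first += OBJ_SIZE - 1;   /* report absolute offsets */
        m->last += OBJ_SIZE - 1;
        return 1;
    }
    return 0;
}

/* Interpretation helper (an inference added here, not something the report
 * states): read the aligned little-endian 32-bit word holding the bad byte,
 * which must lie in the poisoned body (off < OBJ_SIZE - 4), and return how far
 * it moved from all-0x6b. -1 at offset 0 matches one atomic decrement of a
 * counter stored at the start of the freed object. */
int32_t poison_word_delta(const uint8_t *obj, size_t off)
{
    size_t base = off & ~(size_t)3;
    uint32_t actual = 0, expected = 0;
    for (int i = 3; i >= 0; i--) {
        actual = (actual << 8) | obj[base + i];
        expected = (expected << 8) | POISON_FREE;
    }
    return (int32_t)(actual - expected);
}

/* Scripted-check helpers: poison an object, overwrite one byte (off < 0 for
 * none), and analyse it. damaged(o, 0, 0x6a) reproduces the dumped object. */
static void damaged(uint8_t *o, int off, int val)
{
    poison_free_object(o);
    if (off >= 0)
        o[off] = (uint8_t)val;
}
long first_bad_offset_after(int off, int val)
{
    uint8_t o[OBJ_SIZE]; struct mismatch m;
    damaged(o, off, val);
    return check_free_object(o, &m) ? (long)m.first : -1;
}
int seen_byte_after(int off, int val)
{
    uint8_t o[OBJ_SIZE]; struct mismatch m;
    damaged(o, off, val);
    return check_free_object(o, &m) ? m.seen : -1;
}
int32_t word_delta_after(int off, int val)
{
    uint8_t o[OBJ_SIZE];
    damaged(o, off, val);
    return poison_word_delta(o, (size_t)off);
}

int main(void)
{
    uint8_t obj[OBJ_SIZE]; struct mismatch m;
    damaged(obj, 0, 0x6a);                       /* the object from the report */
    if (check_free_object(obj, &m))
        printf("0x%zx-0x%zx. First byte 0x%02x instead of 0x%02x; word moved by %d\n",
               m.first, m.last, m.seen, m.expected, poison_word_delta(obj, m.first));
    return 0;
}
```

Build with cc -std=c11 and run; it prints the same "First byte 0x6a instead of 0x6b" range line the kernel did, plus the word delta. The *_after helpers take the damaged offset and value as parameters so the same check can be tried on other single-byte corruptions, including the 0xa5 end marker, which SLUB checks separately from the body.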
