From b5da5582b114c222a5ec924e0cc6d9a418481a5f Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Date: Fri, 8 Nov 2013 12:01:18 +0100
Subject: [PATCH] mm/slub: do not rely on slab_cached passed to free_delayed()
You can get this backtrace:
| =============================================================================
| BUG dentry (Not tainted): Padding overwritten. 0xf15e1ec0-0xf15e1f1f
| -----------------------------------------------------------------------------
|
| Disabling lock debugging due to kernel taint
| INFO: Slab 0xf6f10b00 objects=21 used=0 fp=0xf15e0480 flags=0x2804080
| CPU: 6 PID: 1 Comm: systemd Tainted: G B 3.10.17-rt12+ #197
| Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
| f6f10b00 f6f10b00 f20a3be8 c149da9e f20a3c74 c110b0d6 c15e010c f6f10b00
| 00000015 00000000 f15e0480 02804080 64646150 20676e69 7265766f 74697277
| 2e6e6574 66783020 31653531 2d306365 31667830 66316535 00006631 00000046
| Call Trace:
| [<c149da9e>] dump_stack+0x16/0x18
| [<c110b0d6>] slab_err+0x76/0x80
| [<c110c231>] ? deactivate_slab+0x3f1/0x4a0
| [<c110c231>] ? deactivate_slab+0x3f1/0x4a0
| [<c110b56f>] slab_pad_check.part.54+0xbf/0x150
| [<c110ba04>] __free_slab+0x124/0x130
| [<c149bb79>] ? __slab_alloc.constprop.69+0x27b/0x5d3
| [<c110ba39>] free_delayed+0x29/0x40
| [<c149bec5>] __slab_alloc.constprop.69+0x5c7/0x5d3
| [<c1126062>] ? __d_alloc+0x22/0x150
| [<c1126062>] ? __d_alloc+0x22/0x150
| [<c11265b0>] ? __d_lookup_rcu+0x160/0x160
| [<c110d912>] kmem_cache_alloc+0x162/0x190
| [<c112668b>] ? __d_lookup+0xdb/0x1d0
| [<c1126062>] ? __d_alloc+0x22/0x150
| [<c1126062>] __d_alloc+0x22/0x150
| [<c11261a5>] d_alloc+0x15/0x60
| [<c111aec1>] lookup_dcache+0x71/0xa0
| [<c111af0e>] __lookup_hash+0x1e/0x40
| [<c111b374>] lookup_slow+0x34/0x90
| [<c111c3c7>] link_path_walk+0x737/0x780
| [<c111a3d4>] ? path_get+0x24/0x40
| [<c111a3df>] ? path_get+0x2f/0x40
| [<c111bfb2>] link_path_walk+0x322/0x780
| [<c111e3ed>] path_openat.isra.54+0x7d/0x400
| [<c111f32b>] do_filp_open+0x2b/0x70
| [<c11110a2>] do_sys_open+0xe2/0x1b0
| [<c14a319f>] ? restore_all+0xf/0xf
| [<c102bb80>] ? vmalloc_sync_all+0x10/0x10
| [<c1111192>] SyS_open+0x22/0x30
| [<c14a393e>] sysenter_do_call+0x12/0x36
| Padding f15e1de0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
| Padding f15e1df0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
| Padding f15e1e00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
| Padding f15e1e70: 6b 6b 6b 6b 6b 6b 6b a5 bb bb bb bb 80 01 5e f1 kkkkkkk.......^.
| Padding f15e1e80: 53 7e 0d c1 c3 bd 49 c1 12 d9 10 c1 53 7e 0d c1 S~....I.....S~..
| Padding f15e1e90: 60 7f 0d c1 e0 05 14 c1 ce d1 13 c1 96 d4 13 c1 `...............
| Padding f15e1ea0: e9 e0 13 c1 f7 48 17 c1 13 6a 17 c1 41 fb 17 c1 .....H...j..A...
| Padding f15e1eb0: 07 a4 11 c1 22 af 11 c1 74 b3 11 c1 06 d2 11 c1 ...."...t.......
| Padding f15e1ec0: c6 d2 11 c1 06 00 00 00 01 00 00 00 f3 dc fe ff ................
| Padding f15e1ed0: 73 7e 0d c1 5d b4 49 c1 ec c4 10 c1 73 7e 0d c1 s~..].I.....s~..
| Padding f15e1ee0: 50 83 0d c1 79 09 14 c1 fd b9 13 c1 5a f2 13 c1 P...y.......Z...
| Padding f15e1ef0: 7b 1c 28 c1 03 20 28 c1 9e 25 28 c1 b3 26 28 c1 {.(.. (..%(..&(.
| Padding f15e1f00: f4 ab 34 c1 bc 89 30 c1 e5 0d 0a c1 c1 0f 0a c1 ..4...0.........
| Padding f15e1f10: ae 34 0a c1 00 00 00 00 00 00 00 00 f3 dc fe ff .4..............
| FIX dentry: Restoring 0xf15e1de0-0xf15e1f1f=0x5a
|
| =============================================================================
| BUG dentry (Tainted: G B ): Redzone overwritten
| -----------------------------------------------------------------------------
|
| INFO: 0xf15e009c-0xf15e009f. First byte 0x96 instead of 0xbb
| INFO: Allocated in __ext4_get_inode_loc+0x3b7/0x460 age=1054261382 cpu=3239295485 pid=-1055657382
| ext4_iget+0x63/0x9c0
| ext4_lookup+0x71/0x180
| lookup_real+0x17/0x40
| do_last.isra.53+0x72b/0xbc0
| path_openat.isra.54+0x9d/0x400
| do_filp_open+0x2b/0x70
| do_sys_open+0xe2/0x1b0
| 0x7
| 0x1
| 0xfffedcf2
| mempool_free_slab+0x13/0x20
| __slab_free+0x3d/0x3ae
| kmem_cache_free+0x1bc/0x1d0
| mempool_free_slab+0x13/0x20
| mempool_free+0x40/0x90
| bio_put+0x59/0x70
| INFO: Freed in blk_update_bidi_request+0x13/0x70 age=2779021993 cpu=1515870810 pid=1515870810
| __blk_end_bidi_request+0x1e/0x50
| __blk_end_request_all+0x23/0x40
| virtblk_done+0xf4/0x260
| vring_interrupt+0x2c/0x50
| handle_irq_event_percpu+0x45/0x1f0
| handle_irq_event+0x31/0x50
| handle_edge_irq+0x6e/0x130
| 0x5
| INFO: Slab 0xf6f10b00 objects=21 used=0 fp=0xf15e0480 flags=0x2804080
| INFO: Object 0xf15e0000 @offset=0 fp=0xc113e0e9
If memory is freed while irqs_disabled(), the page is added to the
slub_free_list instead of being freed right away. The following
allocation, which drains that list, might be for a different kmem_cache.
If the two caches have different SLAB_DEBUG_FLAGS, the check may complain
about bad markers that are actually not used.
Cc: stable-rt@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
mm/slub.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/mm/slub.c b/mm/slub.c
index 1378cd1..31c6f9f 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1428,13 +1428,13 @@ static void __free_slab(struct kmem_cache *s, struct page *page)
__free_memcg_kmem_pages(page, order);
}
-static void free_delayed(struct kmem_cache *s, struct list_head *h)
+static void free_delayed(struct list_head *h)
{
while(!list_empty(h)) {
struct page *page = list_first_entry(h, struct page, lru);
list_del(&page->lru);
- __free_slab(s, page);
+ __free_slab(page->slab_cache, page);
}
}
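Review bot: free_delayed() now trusts page->slab_cache at line 129 for every page on the delayed list, so its correctness rests on that field staying intact while the page is linked on the per-cpu list through page->lru; in this tree slab_cache and lru appear to sit in different unions of struct page, but that is outside the hunk and worth pinning down with a comment. I would add above the loop: `/* Pages queued here may belong to any cache; never use a caller-supplied kmem_cache. */`. Since __free_slab() presumably also does per-cache memcg accounting (the hunk's leading context ends in __free_memcg_kmem_pages()), the old `s` parameter was likely wrong for more than the debug checks, which the commit message could mention. The enclosing __free_slab() body starts outside the hunk.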
@@ -2007,7 +2007,7 @@ static void put_cpu_partial(struct kmem_cache *s, struct page *page, int drain)
list_splice_init(&f->list, &tofree);
raw_spin_unlock(&f->lock);
local_irq_restore(flags);
- free_delayed(s, &tofree);
+ free_delayed(&tofree);
oldpage = NULL;
pobjects = 0;
pages = 0;
@@ -2083,7 +2083,7 @@ static void flush_all(struct kmem_cache *s)
raw_spin_lock_irq(&f->lock);
list_splice_init(&f->list, &tofree);
raw_spin_unlock_irq(&f->lock);
- free_delayed(s, &tofree);
+ free_delayed(&tofree);
}
}
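Review bot: With free_delayed() taking the cache from page->slab_cache, the drain at line 146 dereferences the kmem_cache of whatever cache queued each page, not the `s` that flush_all() was called for, so every such cache must still be alive at this point. That holds only if each cache-destroy path drains the delayed list of every CPU before its kmem_cache is released; the loop around this block is outside the hunk, so I cannot confirm it covers all CPUs rather than just the local one. A comment would make the dependency explicit: `/* Frees pages of any cache; their slab_cache must still be valid here. */`. The enclosing flush_all() starts outside the hunk.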
@@ -2331,7 +2331,7 @@ static void *__slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
list_splice_init(&f->list, &tofree);
raw_spin_unlock(&f->lock);
local_irq_restore(flags);
- free_delayed(s, &tofree);
+ free_delayed(&tofree);
return freelist;
new_slab:
--
1.8.4.2