From mboxrd@z Thu Jan  1 00:00:00 1970
Subject: Re: 2.6.28-rc1: EIP: slab_destroy+0x84/0x142
From: Matt Mackall <mpm@selenic.com>
In-Reply-To: <20081025025408.GA27684@x200.localdomain>
References: <alpine.LFD.2.00.0810232028500.3287@nehalem.linux-foundation.org>
	 <20081024185952.GA18526@x200.localdomain> <1224884318.3248.54.camel@calx>
	 <20081024220750.GA22973@x200.localdomain>
	 <Pine.LNX.4.64.0810241829140.25302@quilx.com>
	 <20081025002406.GA20024@x200.localdomain>
	 <20081025025408.GA27684@x200.localdomain>
Content-Type: text/plain
Date: Fri, 24 Oct 2008 22:00:45 -0500
Message-Id: <1224903645.3248.106.camel@calx>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: owner-linux-mm@kvack.org
Return-Path: <owner-linux-mm@kvack.org>
To: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Christoph Lameter <cl@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org>, linux-mm@kvack.org, penberg@cs.helsinki.fi, akpm@linux-foundation.org, avi@qumranet.com
List-ID: <linux-mm.kvack.org>

On Sat, 2008-10-25 at 06:54 +0400, Alexey Dobriyan wrote:
> On Sat, Oct 25, 2008 at 04:24:06AM +0400, Alexey Dobriyan wrote:
> > On Fri, Oct 24, 2008 at 06:29:47PM -0500, Christoph Lameter wrote:
> > > On Sat, 25 Oct 2008, Alexey Dobriyan wrote:
> > >
> > >> Fault occured at slab_destroy in KVM guest kernel.
> > >
> > > Please switch on all SLAB debug options and rerun.
> > 
> > They're already on!
> > 
> > New knowledge: turning off just DEBUG_PAGEALLOC makes oops dissapear,
> > other debugging options don't matter.
> 
> Here is typical scenario:
> cache -- filp or dentry, ->buffer_size = 4096, objp = c643d000, dbg_redzone1 = c643df78.
> 
> Unable to handle ... at c643df7c. which is not next page.

Huh. That sounds more like an actual use-after-free. Possible that the
object is getting freed twice?

There's a call to kernel_map_pages(..., 0) on line 2905 of slab.c.
Commenting it out will nullify the debugging effect of DEBUG_PAGEALLOC
without changing the layout decisions and other behavior. If that kernel
works, that probably means your oops is a genuine use-after-free.

-- 
Mathematics is the supreme nostalgia of our time.

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>