Re: 2.6.28-rc2: USB/INPUT: slab error in cache_alloc_debugcheck_after(): double free?

LKML Archive on lore.kernel.org
help / color / mirror / Atom feed

From: Jiri Kosina <jkosina@suse.cz>
To: Helge Deller <deller@gmx.de>
Cc: linux-input@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-parisc@vger.kernel.org, Jiri Slaby <jslaby@suse.cz>
Subject: Re: 2.6.28-rc2: USB/INPUT: slab error in cache_alloc_debugcheck_after(): double free?
Date: Fri, 31 Oct 2008 02:10:04 +0100 (CET)	[thread overview]
Message-ID: <alpine.LRH.1.10.0810310209410.7585@twin.jikos.cz> (raw)
In-Reply-To: <200810310011.08618.deller@gmx.de>

On Fri, 31 Oct 2008, Helge Deller wrote:

> I noticed various slab errors with complete kernel crashes with my USB keyboard/mouse on a 32bit parisc machine with both 2.6.28-rc1 and -rc2.
> Kernel 2.6.27 was still OK.
> 
> Linux kernel bootlog shows:
> ---------------
> ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
> ohci_hcd 0000:00:0e.2: OHCI Host Controller
> ohci_hcd 0000:00:0e.2: new USB bus registered, assigned bus number 1
> ohci_hcd 0000:00:0e.2: irq 1, io mem 0xf2007000
> usb usb1: configuration #1 chosen from 1 choice
> hub 1-0:1.0: USB hub found
> hub 1-0:1.0: 3 ports detected
> usb usb1: New USB device found, idVendor=1d6b, idProduct=0001
> usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
> usb usb1: Product: OHCI Host Controller
> usb usb1: Manufacturer: Linux 2.6.28-rc2 ohci_hcd
> usb usb1: SerialNumber: 0000:00:0e.2
> uhci_hcd: USB Universal Host Controller Interface driver
> 
> 
> After sucessful bootup (without any USB devices attached)
> I get this when I insert a USB keyboard:
> ---------------
> usb 1-1: new low speed USB device using ohci_hcd and address 2
> usb 1-1: configuration #1 chosen from 1 choice
> input: SILITEK USB Keyboard and Mouse as /class/input/input0
> Slab corruption: size-4096 start=8dd9b000, len=4096
> 000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> generic-usb 0004:047B:0002.0001: input,hidraw0: USB HID v1.00 Keyboard [SILITEK USB Keyboard and Mouse] on usb-0000:00:0e.2-1/input0
> input: SILITEK USB Keyboard and Mouse as /class/input/input1
> generic-usb 0003:047B:0002.0002: input,hidraw1: USB HID v1.00 Mouse [SILITEK USB Keyboard and Mouse] on usb-0000:00:0e.2-1/input1
> usb 1-1: New USB device found, idVendor=047b, idProduct=0002
> usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> usb 1-1: Product: USB Keyboard and Mouse
> usb 1-1: Manufacturer: SILITEK
> 
> 
> Similiar when I insert a mouse:
> ------------------
> usb 1-1: new low speed USB device using ohci_hcd and address 2
> usb 1-1: configuration #1 chosen from 1 choice
> input: Logitech N48 as /class/input/input0
> Slab corruption: shmem_inode_cache start=8bd9daa0, len=640
> Redzone: 0x0/0x9f911029d74e35b.
> Last user: [<00000000>](0x0)
> 000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Prev obj: start=8bd9d870, len=640
> Redzone: 0x6b6b6b6b6b6b6b6b/0x0.
> Last user: [<00000000>](0x0)
> 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
> 010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> slab error in cache_alloc_debugcheck_after(): cache `shmem_inode_cache': double free, or memory outside objecn
> Backtrace:
>  [<101a4e84>] cache_alloc_debugcheck_after+0xd8/0x200
>  [<101a540c>] kmem_cache_alloc+0x1a0/0x1e8
>  [<101a26e4>] shmem_alloc_inode+0x18/0x34
>  [<101be158>] alloc_inode+0x28/0x238
>  [<101bf204>] new_inode+0x20/0xc0
>  [<101a0eb8>] shmem_get_inode+0x34/0x1ac
>  [<101a1be0>] shmem_symlink+0x60/0x260
>  [<101b6034>] vfs_symlink+0x74/0xc8
>  [<101b6118>] sys_symlinkat+0x90/0xfc
>  [<101190c0>] syscall_exit+0x0/0x28
> 
> 8bd9da98: redzone 1:0x0, redzone 2:0x9f911029d74e35b
> Slab corruption: size-4096 start=8bd18000, len=4096
> 000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> generic-usb 0003:046D:C001.0001: input,hidraw0: USB HID v1.00 Mouse [Logitech N48] on usb-0000:00:0e.2-1/inpu0
> usb 1-1: New USB device found, idVendor=046d, idProduct=c001
> usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> usb 1-1: Product: N48
> usb 1-1: Manufacturer: Logitech
> 
> 
> On 2.6.28-rc1 I saw e.g. this:
> --------------------
> usbcore: registered new interface driver usbhid
> usbhid: v2.6:USB HID core driver
> usb 1-1: new low speed USB device using ohci_hcd and address 2
> usb 1-1: configuration #1 chosen from 1 choice
> input: Logitech N48 as /class/input/input0
> generic-usb 0003:046D:C001.0001: input,hidraw0: USB HID v1.00 Mouse 
> [Logitech N48] on usb-0000:00:0e.2-1/inpu0
> usb 1-1: New USB device found, idVendor=046d, idProduct=c001
> usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> usb 1-1: Product: N48
> usb 1-1: Manufacturer: Logitech
> usb 1-2: new low speed USB device using ohci_hcd and address 3
> usb 1-2: configuration #1 chosen from 1 choice
> slab error in cache_alloc_debugcheck_after(): cache `size-512': double free, or memory outside object was oven
> Backtrace:
>    [<101a5724>] cache_alloc_debugcheck_after+0xd8/0x200
>    [<101a5cac>] kmem_cache_alloc+0x1a0/0x1e8
>    [<1042e294>] hid_register_report+0x60/0xc4
>    [<1042e5f8>] hid_add_field+0x40/0x1a4
>    [<1042ec40>] hid_parser_main+0x94/0xc4

Was Redzone 1 in this case also 0x0 please?

-- 
Jiri Kosina
SUSE Labs

next prev parent reply	other threads:[~2008-10-31  1:10 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-10-30 23:11 Helge Deller
2008-10-31  1:10 ` Jiri Kosina [this message]
2008-10-31  2:09 ` Jiri Kosina
2008-10-31  3:45 ` Jeroen Roovers
2008-10-31 11:55   ` Jiri Kosina
2008-10-31 15:16     ` Jeroen Roovers
2008-10-31 15:27       ` Jiri Kosina
2008-11-01 17:56         ` Grant Grundler
2008-10-31 13:41   ` Jiri Kosina
2008-10-31 19:45   ` Jiri Slaby

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.LRH.1.10.0810310209410.7585@twin.jikos.cz \
    --to=jkosina@suse.cz \
    --cc=deller@gmx.de \
    --cc=jslaby@suse.cz \
    --cc=linux-input@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-parisc@vger.kernel.org \
    --subject='Re: 2.6.28-rc2: USB/INPUT: slab error in cache_alloc_debugcheck_after(): double free?' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).