Thread (23 messages) 23 messages, 8 authors, 2011-06-13

Re: 3.0rc2 oops in mem_cgroup_from_task

From: KAMEZAWA Hiroyuki <hidden>
Date: 2011-06-10 04:02:50
Also in: lkml

Possibly related (same subject, not in this thread)

On Fri, 10 Jun 2011 12:19:49 +0900
KAMEZAWA Hiroyuki [off-list ref] wrote:
On Fri, 10 Jun 2011 11:33:11 +0900
KAMEZAWA Hiroyuki [off-list ref] wrote:
quoted
On Thu, 9 Jun 2011 18:30:49 -0700 (PDT)
Hugh Dickins [off-list ref] wrote:
 
quoted
quoted
781cc621 <mem_cgroup_from_task>:
781cc621:	55                   	push   %ebp
781cc622:	31 c0                	xor    %eax,%eax
781cc624:	89 e5                	mov    %esp,%ebp
781cc626:	8b 55 08             	mov    0x8(%ebp),%edx
781cc629:	85 d2                	test   %edx,%edx
781cc62b:	74 09                	je     781cc636 <mem_cgroup_from_task+0x15>
781cc62d:	8b 82 fc 08 00 00    	mov    0x8fc(%edx),%eax
781cc633:	8b 40 1c             	mov    0x1c(%eax),%eax   <==========
781cc636:	c9                   	leave  
781cc637:	c3                   	ret    
then, access to task->cgroups->subsys[?] causes access to 6b6b6b87...

Then, task->cgroups or task->cgroups->subsys contains bad pointer.
Considering khugepaged, it grabs mm_struct and memcg make an access to
(mm->owner)->cgroups->subsys.

Then, from memcg's point of view, we need to doubt mm->owner is valid or not
for this kind of tasks.
Dave's log shows 6b6b6b6b6b..., too.

I guess it as "POISON_FREE" of slab object. Then, task->cgroups may used after free.
Ah, sorry.

0x1c(%eax) == 6b6b6b87 means %eax was 0x6b6b6b6b.
The %eax was the contents of [task->cgroups]....hmm, then, task itself is freed
pointer (and poisoned). So, it seems a problem of accessing mm->owner..

Thanks,
-Kame












--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help