Subject: Re: use after free in sysfs_find_dirent
From: Ming Lei
To: Sasha Levin
Cc: Dave Jones, Greg Kroah-Hartman, Linux Kernel
Date: Fri, 15 Mar 2013 15:38:22 +0800
In-Reply-To: <5142ABD3.4040106@gmail.com>
References: <20130307052854.GA23745@redhat.com> <20130307060230.GA31738@kroah.com> <20130307062626.GA25095@redhat.com> <51429D7A.30906@gmail.com> <5142ABD3.4040106@gmail.com>
List-ID: linux-kernel@vger.kernel.org

Hi,

On Fri, Mar 15, 2013 at 1:04 PM, Sasha Levin wrote:
> On 03/15/2013 12:03 AM, Sasha Levin wrote:
>>
>> [ 350.140100] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
>> [ 350.141468] Dumping ftrace buffer:
>> [ 350.142048] (ftrace buffer empty)
>> [ 350.142619] Modules linked in:
>> [ 350.143128] CPU 0
>> [ 350.143434] Pid: 25064, comm: trinity-child14 Tainted: G W 3.9.0-rc2-next-20130314-sasha-00046-g3897511 #295
>> [ 350.145415] RIP: 0010:[] [] rb_next+0x23/0x60
>> [ 350.146680] RSP: 0018:ffff88007b9dde48 EFLAGS: 00010202
>> [ 350.147528] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800b8524b70 RCX: ffff8800b8524b70
>> [ 350.148738] RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800b63b96e0 RDI: ffff8800b8524bb8
>> [ 350.149939] RBP: ffff88007b9dde48 R08: 2222222222222222 R09: 2222222222222222
>> [ 350.150035] R10: 2222222222222222 R11: 0000000000000000 R12: ffff88008c5cb180
>> [ 350.150035] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000010
>> [ 350.150035] FS: 00007fec4eae2700(0000) GS:ffff8800bb800000(0000) knlGS:0000000000000000
>> [ 350.150035] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [ 350.150035] CR2: 0000000000000001 CR3: 000000007c32d000 CR4: 00000000000406f0
>> [ 350.150035] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> [ 350.150035] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
>> [ 350.150035] Process trinity-child14 (pid: 25064, threadinfo ffff88007b9dc000, task ffff880096413000)
>> [ 350.150035] Stack:
>> [ 350.150035] ffff88007b9ddeb8 ffffffff812fa959 2222222222222222 2222222200000008
>> [ 350.150035] 000000000000293e ffffffff8128cca0 ffff88007b9ddf28 ffff8800b63b96e0
>> [ 350.150035] ffff8800a14e9b78 ffff88008c5cb180 ffff88007b9ddf28 ffffffff8128cca0
>> [ 350.150035] Call Trace:
>> [ 350.150035] [] sysfs_readdir+0x219/0x280
>> [ 350.150035] [] ? filldir+0x100/0x100
>> [ 350.150035] [] ? filldir+0x100/0x100
>> [ 350.150035] [] vfs_readdir+0x78/0xc0
>> [ 350.150035] [] ? trace_hardirqs_on+0xd/0x10
>> [ 350.150035] [] SyS_getdents64+0x90/0x120
>> [ 350.150035] [] tracesys+0xe1/0xe6
>> [ 350.150035] Code: 85 d2 75 f4 5d c3 66 90 55 31 c0 48 8b 17 48 89 e5 48 39 d7 74 4a 48 8b 47 08 48 85 c0 75 0c eb 17 0f 1f 80 00 00 00 00 48 89 d0 <48> 8b 50 10 48 85 d2 75 f4 eb 2a 66 90 48 89 d1 48 83 e1 fc 74
>> [ 350.150035] RIP [] rb_next+0x23/0x60
>> [ 350.150035] RSP
>> [ 350.179705] ---[ end trace a39f58a515b594d5 ]---
>
> And on the bright side, unlike in Dave's case, similar issues reproduce rather easily
> over here:

Could you share how to reproduce that easily?

Thanks,
--
Ming Lei
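The register values in the quoted oops are what make this a use-after-free rather than a generic crash: RAX and RDX hold 0x6b6b6b6b6b6b6b6b, the SLUB free-object poison byte (POISON_FREE in include/linux/poison.h) repeated across the word, and rb_next faulted while dereferencing it. The following script is an added triage example, not code from the thread or from the kernel tree. It parses the register dump lines quoted above, flags registers holding a known slab poison fill, and checks whether the value is a canonical x86-64 address, which explains why the report is a general protection fault rather than a page fault. It assumes SLUB poisoning was active on the reporting kernel; the register names and poison byte meanings are kernel facts, while the helper names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Byte fills from include/linux/poison.h. Seeing a whole register filled with
# one of these strongly suggests the code read from a freed (or never
# initialised) slab object.
POISON_BYTES = {
    0x6b: "POISON_FREE: slab object was freed with SLUB poisoning enabled",
    0x5a: "POISON_INUSE: slab object allocated but never initialised",
    0xa5: "POISON_END: redzone/end marker just past the object",
}

# Matches "RAX: 6b6b6b6b6b6b6b6b", "R08: 2222...", and "RSP: 0018:ffff88..."
# (the optional 4-hex-digit segment prefix is skipped).
REG_RE = re.compile(
    r"\b(R[A-D]X|R[SD]I|R[BS]P|R(?:0?[89]|1[0-5]))\s*:\s*"
    r"(?:[0-9a-fA-F]{4}:)?([0-9a-fA-F]{16})\b"
)

# Register lines copied verbatim from the oops quoted in the thread above.
SAMPLE_OOPS = """\
[ 350.146680] RSP: 0018:ffff88007b9dde48 EFLAGS: 00010202
[ 350.147528] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8800b8524b70 RCX: ffff8800b8524b70
[ 350.148738] RDX: 6b6b6b6b6b6b6b6b RSI: ffff8800b63b96e0 RDI: ffff8800b8524bb8
[ 350.149939] RBP: ffff88007b9dde48 R08: 2222222222222222 R09: 2222222222222222
[ 350.150035] R10: 2222222222222222 R11: 0000000000000000 R12: ffff88008c5cb180
[ 350.150035] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000010
"""


def repeated_byte(value: int) -> Optional[int]:
    """Return the byte if all eight bytes of a 64-bit value are identical, else None."""
    b = value & 0xFF
    fill = int.from_bytes(bytes([b]) * 8, "big")
    return b if value == fill else None


def is_canonical(addr: int) -> bool:
    """x86-64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47.

    Dereferencing a non-canonical address raises #GP ("general protection
    fault") instead of a page fault, which is exactly what the report shows.
    """
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def parse_registers(oops_text: str) -> Dict[str, int]:
    """Collect general-purpose register values from the oops register dump."""
    regs: Dict[str, int] = {}
    for line in oops_text.splitlines():
        for name, hexval in REG_RE.findall(line):
            regs[name] = int(hexval, 16)
    return regs


def find_poisoned_registers(oops_text: str) -> List[Tuple[str, int, str, bool]]:
    """Return (register, value, meaning, canonical?) for registers holding slab poison."""
    findings = []
    for name, value in parse_registers(oops_text).items():
        b = repeated_byte(value)
        if b is not None and b in POISON_BYTES:
            findings.append((name, value, POISON_BYTES[b], is_canonical(value)))
    return findings


if __name__ == "__main__":
    for name, value, meaning, canonical in find_poisoned_registers(SAMPLE_OOPS):
        fault = "page fault" if canonical else "#GP (non-canonical address)"
        print(f"{name}=0x{value:016x}: {meaning}; deref would raise {fault}")
```

Run against the quoted dump, it reports RAX and RDX as POISON_FREE-filled, non-canonical values. The 0x2222... fills in R08 to R10 are not a kernel poison pattern and are left unflagged; whatever wrote them, the freed-object signature in RAX/RDX is the actionable finding for anyone triaging this report.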