Date: Fri, 29 Mar 2013 11:58:55 -0400
From: Dave Jones
To: tytso@mit.edu
Cc: Linux Kernel, linux-ext4@vger.kernel.org
Subject: ext4 object already free.
Message-ID: <20130329155855.GB5313@redhat.com>

Just hit this very quickly after boot while fuzzing.
(top of tree is 0776ce03b1348d39ba3035ea3ee3d268a42912ce)

[ 93.602628] =============================================================================
[ 93.603689] BUG kmalloc-64 (Not tainted): Object already free
[ 93.604441] -----------------------------------------------------------------------------
[ 93.604441]
[ 93.605674] Disabling lock debugging due to kernel taint
[ 93.606377] INFO: Allocated in ext4_htree_store_dirent+0x34/0x120 age=3 cpu=2 pid=2120
[ 93.607400] __slab_alloc+0x44a/0x502
[ 93.607870] __kmalloc+0x323/0x3e0
[ 93.608330] ext4_htree_store_dirent+0x34/0x120
[ 93.608925] htree_dirblock_to_tree+0x169/0x1c0
[ 93.609526] ext4_htree_fill_tree+0x77/0x1e0
[ 93.610093] ext4_readdir+0x51c/0x820
[ 93.610586] vfs_readdir+0xb8/0xf0
[ 93.611046] sys_getdents+0x8f/0x120
[ 93.611528] system_call_fastpath+0x16/0x1b
[ 93.612085] INFO: Freed in free_rb_tree_fname+0x6c/0xd0 age=3 cpu=2 pid=2120
[ 93.612999] __slab_free+0x41/0x3a0
[ 93.613469] kfree+0x2ca/0x300
[ 93.613885] free_rb_tree_fname+0x6c/0xd0
[ 93.614420] ext4_release_dir+0x1e/0x30
[ 93.614935] __fput+0xf5/0x2d0
[ 93.615352] ____fput+0xe/0x10
[ 93.615769] task_work_run+0xa4/0xd0
[ 93.616251] do_notify_resume+0x71/0xb0
[ 93.616764] int_signal+0x12/0x17
[ 93.617212] INFO: Slab 0xffffea0002665f80 objects=20 used=12 fp=0xffff88009997fb90 flags=0x3000000000004081
[ 93.618457] INFO: Object 0xffff88009997e620 @offset=1568 fp=0xffff88009997f570
[ 93.618457]
[ 93.619575] Bytes b4 ffff88009997e610: fd ae ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
[ 93.620789] Object ffff88009997e620: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 93.621983] Object ffff88009997e630: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 93.623176] Object ffff88009997e640: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 93.624341] Object ffff88009997e650: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 93.625505] Redzone ffff88009997e660: bb bb bb bb bb bb bb bb ........
[ 93.626594] Padding ffff88009997e7a0: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 93.627684] Pid: 1850, comm: trinity-child37 Tainted: G B 3.9.0-rc4+ #7
[ 93.628623] Call Trace:
[ 93.628943] [] print_trailer+0x154/0x210
[ 93.629648] [] ? hugetlb_fault+0x494/0x6b0
[ 93.630373] [] free_debug_processing+0x134/0x22b
[ 93.631164] [] ? put_lock_stats.isra.27+0xe/0x40
[ 93.631955] [] ? _raw_spin_unlock_irqrestore+0x65/0x80
[ 93.632808] [] ? free_msg+0x21/0x40
[ 93.635318] [] ? free_msg+0x21/0x40
[ 93.637800] [] __slab_free+0x41/0x3a0
[ 93.640304] [] ? trace_hardirqs_on+0xd/0x10
[ 93.642868] [] ? _raw_spin_unlock_irqrestore+0x42/0x80
[ 93.645524] [] ? debug_check_no_obj_freed+0x155/0x250
[ 93.648134] [] ? kfree+0x9d/0x300
[ 93.650521] [] ? free_msg+0x21/0x40
[ 93.652924] [] kfree+0x2ca/0x300
[ 93.655294] [] ? delay_tsc+0x90/0xe0
[ 93.657696] [] free_msg+0x21/0x40
[ 93.660059] [] freeque+0xcf/0x140
[ 93.662400] [] msgctl_down.constprop.9+0x183/0x200
[ 93.664918] [] ? up_read+0x1f/0x40
[ 93.667261] [] ? __do_page_fault+0x214/0x5b0
[ 93.669717] [] ? lock_release_non_nested+0x23e/0x320
[ 93.672257] [] sys_msgctl+0x139/0x400
[ 93.674641] [] ? retint_swapgs+0xe/0x13
[ 93.677056] [] ? trace_hardirqs_on_caller+0x115/0x1a0
[ 93.679626] [] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 93.682159] [] system_call_fastpath+0x16/0x1b
[ 93.799329] FIX kmalloc-64: Object at 0xffff88009997e620 not freed