Re: 2.6.23-rc6-mm1: BUG kmalloc-16: Object padding overwritten(sysfs?)

[Christoph Lameter]

On Thu, 20 Sep 2007, Alexey Dobriyan wrote:

> The winner is slub-avoid-touching-page-struct-when-freeing-to-per-cpu-slab.patch
> Blind bisecting pointed to it and reverting the patch from full -mm makes
> the problem go away

Hmmm.. This means likely that the c->node is used somewhere for 
indexing.... Ahhh... If we count objects for sysfs output then c->node may 
be used to index into the statistics array. The offset from the poison 
also makes sense now since we increment values there.

Does this patch fix the issue?



SLUB: Fix slab object counting.

We can only use the node value of the per cpu structure for counting if it 
is positive. A negative value indicates that the slab is not valid.

Signed-off-by: Christoph Lameter <clameter@xxxxxxx>

---
 mm/slub.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Index: linux-2.6.23-rc6-mm1/mm/slub.c
===================================================================
--- linux-2.6.23-rc6-mm1.orig/mm/slub.c	2007-09-20 10:31:04.000000000 -0700
+++ linux-2.6.23-rc6-mm1/mm/slub.c	2007-09-20 10:32:19.000000000 -0700
@@ -3412,12 +3412,16 @@ static unsigned long slab_objects(struct
 
 	for_each_possible_cpu(cpu) {
 		struct page *page;
+		int node;
 		struct kmem_cache_cpu *c = get_cpu_slab(s, cpu);
 
 		if (!c)
 			continue;
 
 		page = c->page;
+		node = c->node;
+		if (node < 0)
+			continue;
 		if (page) {
 			if (flags & SO_CPU) {
 				int x = 0;
@@ -3427,9 +3431,9 @@ static unsigned long slab_objects(struct
 				else
 					x = 1;
 				total += x;
-				nodes[c->node] += x;
+				nodes[node] += x;
 			}
-			per_cpu[c->node]++;
+			per_cpu[node]++;
 		}
 	}
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/