Query: Regarding object poison overwritten in binder_transaction

From: Kohli, Gaurav
Date: Sat Mar 03 2018 - 09:52:52 EST


Hi,

Is there any known issue of slab poisoning in the binder_transaction variable on kernel 4.9? It seems the owner variable of the spinlock is getting corrupted (which is the 8th byte from the end of the binder_transaction struct).

368.423462: <2> [<ffffff918ec3177c>] print_trailer+0x13c/0x214
368.428998: <2> [<ffffff918ec3193c>] check_bytes_and_report+0xe8/0xfc
368.435144: <2> [<ffffff918ec31d8c>] check_object+0x248/0x280
368.440592: <2> [<ffffff918ec31f0c>] alloc_debug_processing+0x148/0x1a0
368.446913: <2> [<ffffff918ec333d0>] ___slab_alloc.constprop.72+0x654/0x690
368.453586: <2> [<ffffff918ec33464>] __slab_alloc.isra.68.constprop.71+0x58/0x98
368.460693: <2> [<ffffff918ec338fc>] kmem_cache_alloc_trace+0x198/0x2c4
368.467011: <2> [<ffffff918f7ae24c>] binder_transaction+0xcb8/0x244c
368.473065: <2> [<ffffff918f7b03b8>] binder_thread_write+0x9d8/0x1410
368.479206: <2> [<ffffff918f7b0f20>] binder_ioctl_write_read+0x130/0x370
368.485615: <2> [<ffffff918f7b16b0>] binder_ioctl+0x550/0x7dc
368.491065: <2> [<ffffff918ec5ac0c>] do_vfs_ioctl+0xcc/0x888
368.496424: <2> [<ffffff918ec5b458>] SyS_ioctl+0x90/0xa4
368.501430: <2> [<ffffff918ea83770>] el0_svc_naked+0x24/0x28
368.506798: <6> Kernel panic - not syncing: object poison overwritten

368.287743: <6> Object ffffffc5a0692e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
368.297117: <6> Object ffffffc5a0692e30: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
368.306487: <6> Object ffffffc5a0692e40: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
368.315866: <6> Object ffffffc5a0692e50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
368.325241: <6> Object ffffffc5a0692e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
368.334618: <6> Object ffffffc5a0692e70: 6b 6b 6b 6b 6b 6b 6b 6b 67 6b 6b 6b 6b 6b 6b a5  kkkkkkkkgkkkkkk.   <-- here it is corrupted (seems a write-after-free case)
368.343997: <6> Redzone ffffffc5a0692e80: bb bb bb bb bb bb bb bb                          ........
368.352755: <6> Padding ffffffc5a0692fc0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
368.362215: <6> Padding ffffffc5a0692fd0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
368.371681: <6> Padding ffffffc5a0692fe0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
368.381146: <6> Padding ffffffc5a0692ff0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ

Regards
Gaurav

--
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.
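An added example, not part of Gaurav's message and not kernel code: a small C program that decodes a SLUB "object poison overwritten" dump of the kind quoted above and reports every byte that breaks the free-object poison pattern, giving its address and its distance from the end of the object. The poison constants are the real values from include/linux/poison.h (POISON_FREE 0x6b fills a freed object, POISON_END 0xa5 marks its final byte, SLUB_RED_INACTIVE 0xbb is the redzone of a free object); the dump lines are copied from the report as constructed input. The one assumption is the layout print_trailer() shows, namely that the right redzone starts immediately after the object, so the Redzone address is taken as the object end. On the report's dump it finds exactly one bad byte, 0x67 at ...e78, 8 bytes before the object end, and treats the trailing 0xa5 as the normal POISON_END marker rather than corruption.

```c
/*
 * slub_poison_check.c: locate the corrupted byte(s) in a SLUB "object
 * poison overwritten" dump (the print_trailer() output in mm/slub.c).
 * Added example, not code from the report or from the kernel.  Poison
 * values are the real ones from include/linux/poison.h; the dump lines
 * are copied from the report (constructed input) so this runs offline.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE       0x6b  /* body of a freed object ('k') */
#define POISON_END        0xa5  /* final byte of a freed object */
#define SLUB_RED_INACTIVE 0xbb  /* redzone following a free object */

struct corruption {
	uint64_t addr;            /* address of the unexpected byte */
	uint64_t offset_from_end; /* 1 == final byte of the object */
	unsigned char expected, actual;
};

/* Dump lines copied from the report (identical middle rows omitted). */
static const char *const report_lines[] = {
	"368.287743: <6> Object ffffffc5a0692e20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk",
	"368.325241: <6> Object ffffffc5a0692e60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk",
	"368.334618: <6> Object ffffffc5a0692e70: 6b 6b 6b 6b 6b 6b 6b 6b 67 6b 6b 6b 6b 6b 6b a5  kkkkkkkkgkkkkkk.",
	"368.343997: <6> Redzone ffffffc5a0692e80: bb bb bb bb bb bb bb bb                          ........",
};
#define REPORT_NLINES (sizeof report_lines / sizeof *report_lines)

static int hexval(char c)	/* the kernel prints lowercase hex */
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	return -1;
}

/* Parse "<label> <addr>: b0 b1 ...  <ascii>"; returns the byte count or -1.
 * Hex parsing stops at the ASCII column (not a hex pair followed by ' '). */
static int parse_dump_line(const char *line, const char *label,
			   uint64_t *addr, unsigned char *bytes, size_t max)
{
	const char *p = strstr(line, label);
	char *end;
	size_t n = 0;

	if (!p || p[strlen(label)] != ' ')
		return -1;
	*addr = strtoull(p + strlen(label) + 1, &end, 16);
	if (*end != ':')
		return -1;
	for (p = end + 1; n < max; p += 2) {
		while (*p == ' ')
			p++;
		if (hexval(p[0]) < 0 || hexval(p[1]) < 0 ||
		    (p[2] != ' ' && p[2] != '\0'))
			break;
		bytes[n++] = (unsigned char)(hexval(p[0]) << 4 | hexval(p[1]));
	}
	return (int)n;
}

/* Compare every "Object" byte with the free-object layout init_object()
 * writes: POISON_FREE throughout, POISON_END in the final byte.  The object
 * end is the address of the first "Redzone" line (assumption: the right
 * redzone starts right after the object, as print_trailer() lays it out).
 * Returns the mismatch count, or -1 when no Redzone line is present. */
int find_poison_corruptions(const char *const *lines, size_t nlines,
			    struct corruption *out, size_t max_out)
{
	uint64_t obj_end = 0, addr;
	unsigned char buf[16];
	size_t i, found = 0;

	for (i = 0; i < nlines && !obj_end; i++)
		if (parse_dump_line(lines[i], "Redzone", &addr, buf, 16) > 0)
			obj_end = addr;
	if (!obj_end)
		return -1;
	for (i = 0; i < nlines; i++) {
		int n = parse_dump_line(lines[i], "Object", &addr, buf, 16);

		for (int j = 0; j < n && addr + j < obj_end; j++) {
			uint64_t from_end = obj_end - (addr + j);
			unsigned char want = from_end == 1 ? POISON_END : POISON_FREE;

			if (buf[j] == want)
				continue;
			if (found < max_out)
				out[found] = (struct corruption){ addr + j, from_end, want, buf[j] };
			found++;
		}
	}
	return (int)found;
}

int main(void)
{
	struct corruption c[8];
	int n = find_poison_corruptions(report_lines, REPORT_NLINES, c, 8);

	for (int i = 0; i < n && i < 8; i++)
		printf("%#llx: %llu bytes before object end, expected %#04x, got %#04x\n",
		       (unsigned long long)c[i].addr, (unsigned long long)c[i].offset_from_end,
		       c[i].expected, c[i].actual);
	return n != 0;	/* nonzero exit: corruption found, or no Redzone line */
}
```

Build with `cc -std=c99 -Wall slub_poison_check.c` and run it; the offset it prints is relative to the object end, which is how a dump like this is mapped back to a field of the freed struct (the report reads it as the spinlock owner at the tail of binder_transaction). Note what the dump cannot tell you: it shows where the stray store landed, not who made it; finding the writer needs KASAN, a hardware watchpoint on the address, or a walk through the free paths of the struct in question.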