On Sat, 5 Apr 2014, Sasha Levin wrote: > [ 1035.193166] Call Trace: > [ 1035.193166] ? init_object (mm/slub.c:679) > [ 1035.193166] setup_object.isra.34 (mm/slub.c:1071 mm/slub.c:1399) > [ 1035.193166] new_slab (mm/slub.c:286 mm/slub.c:1439) > [ 1035.193166] __slab_alloc (mm/slub.c:2203 mm/slub.c:2363) > [ 1035.193166] ? kmem_cache_alloc (mm/slub.c:2469 mm/slub.c:2480 > mm/slub.c:2485)
Ok so the story here is that slub decided it needed a new slab and requested memory from the page allocator. setup_object() tries to write to the page which fails. Could the page allocator have delivered a reference to a page struct that creates an invalid address? The code that fails is: page = allocate_slab(s, flags & (GFP_RECLAIM_MASK | GFP_CONSTRAINT_MASK), node); if (!page) goto out; --- So we got a page from teh page allocator order = compound_order(page); inc_slabs_node(s, page_to_nid(page), page->objects); memcg_bind_pages(s, order); page->slab_cache = s; __SetPageSlab(page); -- Writing to the page struct works. if (page->pfmemalloc) SetPageSlabPfmemalloc(page); start = page_address(page); if (unlikely(s->flags & SLAB_POISON)) memset(start, POISON_INUSE, PAGE_SIZE << order); --- This should have triggered since we write to the page but maybe this slab has a ctor set and therefore no poisining is possible. last = start; for_each_object(p, s, start, page->objects) { setup_object(s, page, last); *** This is where the write access to the page fails. set_freepointer(s, last, p); last = p; } setup_object(s, page, last); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/