Bug 36512

Summary: Caught 64-bit read from uninitialized memory in getname_flags
Product: File System
Reporter: Christian Casteyde (casteyde.christian)
Component: VFS
Assignee: fs_vfs
Status: RESOLVED UNREPRODUCIBLE
Severity: normal
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.0-rc1
Regression: No

Description Christian Casteyde 2011-06-02 13:36:28 UTC
Acer Aspire 7750G
Core i7 in 64bits mode
Slackware64 13.37

With 3.0-rc1 at least (not tested with 2.6.39; previous kernels do not work well on this machine), I get the following:
WARNING: kmemcheck: Caught 64-bit read from uninitialized memory (ffff8801c3b2d000)
0080b2c30188ffff72652f69636f6e732f6869636f6c6f722f36347836342f61
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2184, comm: gtk-update-icon Not tainted 3.0.0-rc1 #6 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff8111e071>]  [<ffffffff8111e071>] kmem_cache_alloc+0x71/0x150
RSP: 0018:ffff8801c15d1d58  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000010 RCX: 00000000000d9d00
RDX: 00000000000d9cf8 RSI: 00000000001d3f20 RDI: ffffffff81c92bc9
RBP: ffff8801c15d1d88 R08: 00676e702e726f74 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8801c3b2d000
R13: ffff8801c7404d00 R14: 00000000000000d0 R15: ffffffff81131bdf
FS:  00007fe0775bc720(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c38e1680 CR3: 00000001c1644000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff81131bdf>] getname_flags+0x2f/0x200
 [<ffffffff811335fe>] user_path_at+0x2e/0xa0
 [<ffffffff811299c4>] vfs_fstatat+0x44/0x80
 [<ffffffff81129a19>] vfs_lstat+0x19/0x20
 [<ffffffff81129e1f>] sys_newlstat+0x1f/0x40
 [<ffffffff817fcbfb>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff

Comment 1 Christian Casteyde 2011-06-02 13:40:33 UTC
I forgot to say this is with kmemcheck activated.

Comment 2 Christian Casteyde 2011-06-11 15:36:01 UTC
Update:
This is still present in -rc2.
With the following:
WARNING: kmemcheck: Caught 64-bit read from uninitialized memory (ffff8801c3b4f000)
00b0b4c30188ffff72652f6c6f63616c652f66722f4c435f534352495054532f
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2521, comm: plasma-desktop Not tainted 3.0.0-rc2 #8 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff8111e071>]  [<ffffffff8111e071>] kmem_cache_alloc+0x71/0x150
RSP: 0018:ffff8801a9df7dc8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000010 RCX: 000000000024fee0
RDX: 000000000024fed8 RSI: 00000000001d3f20 RDI: ffffffff81a80611
RBP: ffff8801a9df7df8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8801c3b4f000
R13: ffff8801c7404d00 R14: 00000000000000d0 R15: ffffffff81131bdf
FS:  00007f1326225780(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c673fd08 CR3: 00000001aa421000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff81131bdf>] getname_flags+0x2f/0x200
 [<ffffffff811335fe>] user_path_at+0x2e/0xa0
 [<ffffffff8112352c>] sys_faccessat+0xcc/0x1e0
 [<ffffffff81123653>] sys_access+0x13/0x20
 [<ffffffff817b2e7b>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff

I get in gdb:
(gdb) l *0xffffffff8111e071
0xffffffff8111e071 is in kmem_cache_alloc (mm/slub.c:1947).
1942                     * 3. If they were not changed replace tid and freelist
1943                     *
1944                     * Since this is without lock semantics the protection is only against
1945                     * code executing on this cpu *not* from access by other cpus.
1946                     */
1947                    if (unlikely(!irqsafe_cpu_cmpxchg_double(
1948                                    s->cpu_slab->freelist, s->cpu_slab->tid,
1949                                    object, tid,
1950                                    get_freepointer_safe(s, object), next_tid(tid)))) {
1951

Comment 3 Christian Casteyde 2011-06-11 15:51:14 UTC
Please note I also get the same in a more severe case (read from FREED memory), such as:

WARNING: kmemcheck: Caught 64-bit read from freed memory (ffff8801c1c88000)
2f6574632f6d6f6470726f62652e642f697361706e702e636f6e66006e660074
 f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f
 ^

Pid: 1688, comm: udevd Not tainted 3.0.0-rc2 #8 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff8111e071>]  [<ffffffff8111e071>] kmem_cache_alloc+0x71/0x150
RSP: 0018:ffff8801c1d2fdc8  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000010 RCX: 00000000000210c0
RDX: 00000000000210b8 RSI: 00000000001d3f20 RDI: ffffffff81a80611
RBP: ffff8801c1d2fdf8 R08: 30303a4430433050 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8801c1c88000
R13: ffff8801c7404d00 R14: 00000000000000d0 R15: ffffffff81131bdf
FS:  00007f5fac84a720(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c7452f88 CR3: 00000001c237e000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff81131bdf>] getname_flags+0x2f/0x200
 [<ffffffff81131dbb>] getname+0xb/0x10
 [<ffffffff81133699>] user_path_parent+0x29/0x80
 [<ffffffff8113371e>] do_unlinkat+0x2e/0x1c0
 [<ffffffff81134bc1>] sys_unlink+0x11/0x20
 [<ffffffff817b2e7b>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff

Another example:

WARNING: kmemcheck: Caught 64-bit read from uninitialized memory (ffff8801c34b4000)
00004bc30188ffff696365732f4c4e58535953544d3a30302f6465766963653a
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2271, comm: udevadm Not tainted 3.0.0-rc2 #8 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff8111e071>]  [<ffffffff8111e071>] kmem_cache_alloc+0x71/0x150
RSP: 0018:ffff8801c2373e88  EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000010 RCX: 00000000000f60f8
RDX: 00000000000f60f0 RSI: 00000000001d3f20 RDI: ffffffff81a80611
RBP: ffff8801c2373eb8 R08: 000000000041b570 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8801c34b4000
R13: ffff8801c7404d00 R14: 00000000000000d0 R15: ffffffff81131bdf
FS:  00007fef56386720(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c673fd08 CR3: 00000001c1c66000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff81131bdf>] getname_flags+0x2f/0x200
 [<ffffffff81131dbb>] getname+0xb/0x10
 [<ffffffff81123dc8>] do_sys_open+0xc8/0x1e0
 [<ffffffff81123efb>] sys_open+0x1b/0x20
 [<ffffffff817b2e7b>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff

Comment 4 Christian Casteyde 2011-07-13 18:45:10 UTC
Update: Still present in 3.0-rc7

Comment 5 Christian Casteyde 2011-09-01 16:50:26 UTC
Update: Still present in 3.1-rc4

Comment 6 Christian Casteyde 2012-04-22 15:36:02 UTC
Not reproduced in 3.4-rc4, at least not at the same source code place.
So closing.

Comment 7 Christian Casteyde 2012-04-22 15:36:55 UTC
*** Bug 42202 has been marked as a duplicate of this bug. ***