Bug 10202 - KMalloc redzone overwritten at very old battery insertion - Acer 1511 LMi laptop
Summary: KMalloc redzone overwritten at very old battery insertion - Acer 1511 LMi laptop
Status: CLOSED DUPLICATE of bug 8573
Alias: None
Product: ACPI
Classification: Unclassified
Component: Power-Battery (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Alexey Starikovskiy
URL:
Keywords:
Depends on:
Blocks: 9243
  Show dependency tree
 
Reported: 2008-03-09 00:48 UTC by Christian Casteyde
Modified: 2008-06-13 22:16 UTC (History)
2 users (show)

See Also:
Kernel Version: 2.6.25-rc4
Tree: Mainline
Regression: Yes


Attachments
DSDT file for this laptop (22.76 KB, application/octet-stream)
2008-03-14 23:44 UTC, Christian Casteyde
Details
Don't fail on broken package (1.00 KB, patch)
2008-03-15 05:53 UTC, Alexey Starikovskiy
Details | Diff

Description Christian Casteyde 2008-03-09 00:48:37 UTC
Latest working kernel version:Unknown <2.6.24
Earliest failing kernel version: 2.6.24
Distribution: Bluewhite64
Hardware Environment: Acer 1511 LMi laptop + very old battery (new battery doesn't crash!)
Software Environment: /proc, cat
Problem Description:
When I plug a battery that has nearly no lifetime anymore, the kernel crashes at any filesystem access (tested under 2.6.24), even if the cord is plugged.
With 2.6.25-rc4+debug options (especially kmalloc), it doesn't crash anymore, but I got a very bad bug report:

=============================================================================
BUG kmalloc-96: Redzone overwritten
-----------------------------------------------------------------------------

INFO: 0xffff81004d9c8840-0xffff81004d9c8847. First byte 0x1 instead of 0xcc
INFO: Freed in scsi_execute_req+0xa1/0xf0 age=510 cpu=0 pid=3261
INFO: Slab 0xffffe200010fa3c0 used=5 fp=0xffff81004d9c8bd0 flags=0x4a0000000000c3
INFO: Object 0xffff81004d9c87e0 @offset=2016 fp=0x0000000000000002

Bytes b4 0xffff81004d9c87d0:  5d bb fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ]»þÿ....ZZZZZZZZ
  Object 0xffff81004d9c87e0:  04 00 00 00 04 00 00 00 f8 87 9c 4d 00 81 ff ff ........ø..M..ÿÿ
  Object 0xffff81004d9c87f0:  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
  Object 0xffff81004d9c8800:  02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  Object 0xffff81004d9c8810:  01 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ........ÿÿÿÿ....
  Object 0xffff81004d9c8820:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  Object 0xffff81004d9c8830:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 Redzone 0xffff81004d9c8840:  01 00 00 00 00 00 00 00                         ........
 Padding 0xffff81004d9c8880:  5a 5a 5a 5a 5a 5a 5a 5a                         ZZZZZZZZ
Pid: 3458, comm: cat Not tainted 2.6.25-rc4 #1

Call Trace:
 [<ffffffff802889c7>] print_trailer+0xe7/0x170
 [<ffffffff80288af5>] check_bytes_and_report+0xa5/0xd0
 [<ffffffff8039f47a>] ? acpi_battery_get_state+0xe7/0xf8
 [<ffffffff80288d85>] check_object+0x65/0x250
 [<ffffffff8028a4a3>] __slab_free+0x263/0x370
 [<ffffffff8028a738>] kfree+0xb8/0x130
 [<ffffffff8039f47a>] ? acpi_battery_get_state+0xe7/0xf8
 [<ffffffff8039f47a>] acpi_battery_get_state+0xe7/0xf8
 [<ffffffff8039f67b>] acpi_battery_update+0x1f0/0x217
 [<ffffffff802541b5>] ? trace_hardirqs_on+0xd5/0x160
 [<ffffffff8039f6e6>] acpi_battery_read+0x1b/0x2c
 [<ffffffff8039f71b>] acpi_battery_read_state+0x11/0x13
 [<ffffffff802ab6bc>] seq_read+0x8c/0x2e0
 [<ffffffff802ab630>] ? seq_read+0x0/0x2e0
 [<ffffffff802ab630>] ? seq_read+0x0/0x2e0
 [<ffffffff802d046f>] proc_reg_read+0x7f/0xc0
 [<ffffffff8028ead4>] vfs_read+0xc4/0x160
 [<ffffffff8028ef70>] sys_read+0x50/0x90
 [<ffffffff8020b50b>] system_call_after_swapgs+0x7b/0x80

FIX kmalloc-96: Restoring 0xffff81004d9c8840-0xffff81004d9c8847=0xcc


Steps to reproduce:
I've never seen this one until this battery got dead (less than 4s of power). I bought a new battery and it is OK, so I suspect battery power calculation to do something wrong. At first, I thought the battery was demanding too much power on the power supply, but since I've seen the kmalloc crash I reported this bug.
Comment 1 Christian Casteyde 2008-03-09 01:01:32 UTC
I also can reproduce it each time i do:

cat /proc/acpi/battery/BAT1/state

with this battery.
Comment 2 ykzhao 2008-03-09 18:56:34 UTC
Will you please attach the output of acpidump?
Thanks.
Comment 3 Christian Casteyde 2008-03-14 23:44:52 UTC
Created attachment 15272 [details]
DSDT file for this laptop

Here is the dsdt.
Please note that this bug is **not** a regression, the crash also occurred with 2.6.24 (and maybe previous kernels, but at that time the battery was OK).
Comment 4 Alexey Starikovskiy 2008-03-15 00:49:53 UTC
Please check the patch attached to original bug report.

*** This bug has been marked as a duplicate of bug 8573 ***
Comment 5 Christian Casteyde 2008-03-15 04:46:25 UTC
The computer does not crash anymore with 8573 patch.
However, I get "bad address" errors:

christian@athor:~$ cat /proc/acpi/battery/BAT1/state
cat: /proc/acpi/battery/BAT1/state: Bad address

That may be the right behaviour, the most important is that now it doesn't crash.
Comment 6 Alexey Starikovskiy 2008-03-15 05:31:43 UTC
Ok, this is -EFAULT returned.
Comment 7 Alexey Starikovskiy 2008-03-15 05:53:43 UTC
Created attachment 15274 [details]
Don't fail on broken package

Please check if adding this patch to the mix helps :)
Comment 8 Christian Casteyde 2008-03-15 07:26:46 UTC
It works now:
christian@athor:~$ cat /proc/acpi/battery/BAT1/state
present:                 yes
capacity state:          ok
charging state:          charged
present rate:            unknown
remaining capacity:      unknown
present voltage:         0 mV
christian@athor:~$ cat /proc/acpi/battery/BAT1/info
present:                 yes
design capacity:         4400 mAh
last full capacity:      65524 mAh
battery technology:      rechargeable
design voltage:          14800 mV
design capacity warning: 300 mAh
design capacity low:     132 mAh
capacity granularity 1:  32 mAh
capacity granularity 2:  32 mAh
model number:            ZP02
serial number:           1
battery type:            LION
OEM info:                SIMPLO

The last small detail ;-) is the "last full capacity > design capacity"... but the battery is simply dead so I consider this as normal. However, I would have expected 65536, no -32... funny.

Thanks a lot.
Comment 9 Alexey Starikovskiy 2008-03-15 08:37:10 UTC
Thanks for report and testing :)
Comment 10 Len Brown 2008-03-17 15:02:56 UTC
This seems like a case of BIOS bug triggering a Linux bug.

    External (Z005)

            Name (PBST, Package (0x04)
            {
                0x00,
                Z005,
                Z005,
                0x2710
            })

Z005 is undefined.

In the case of a functional battery, the Z005 references in PBST
(referenced by _BST) are over-written with the run-time present-rate
and remaining-capacity.  But in the case of a failing battery,
these entries are not over-written, but instead the bogus
reference to Z005 is attempted, which confuses Linux.

Note You need to log in before you can comment on or make changes to this bug.