Created attachment 26596
dmesg portion with the call stack of the bug

Slackware 13.1 64bits
2.6.25-rc1 vanilla
Athlon 64 3000
Acer Aspire 1511Lmi laptop

Since 2.6.35-rc1 64bits compiled with kmemcheck, I get this one
(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface).

On Tue, 1 Jun 2010 18:08:59 GMT bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=16092
>
> Summary: Caught 64-bit read from uninitialized memory in
> memtype_rb_augment_cb
> Product: Memory Management
> Version: 2.5
> Kernel Version: 2.6.35-rc1
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: normal
> Priority: P1
> Component: Other
> AssignedTo: akpm@linux-foundation.org
> ReportedBy: casteyde.christian@free.fr
> Regression: Yes
>
>
> Created an attachment (id=26596)
> --> (https://bugzilla.kernel.org/attachment.cgi?id=26596)
> dmesg portion with the call stack of the bug
>
> Slackware 13.1 64bits
> 2.6.25-rc1 vanilla
> Athlon 64 3000
> Acer Aspire 1511Lmi laptop
>
> Since 2.6.35-rc1 64bits compiled with kmemcheck, I get this one
>

At a guess I'd say it's a bug in arch/x86/mm/pat_rbtree.c:update_path_max_end().

Possibly related to the rbtree changes.

> ... event mask: 000000000000000f
> CPU: AMD Athlon 64 Processor 3000+ stepping 0a
> ACPI: Core revision 20100428
> WARNING: kmemcheck: Caught 64-bit read from uninitialized memory
> (ffff88004f832110)
> 0090f74f0000000000f0f74f0000000000000000000000001000000000000000
> i i i i i i i i i i i i i i i i u u u u u u u u i i i i i i i i
>                                 ^
>
> Pid: 0, comm: swapper Not tainted 2.6.35-rc1 #1 Aspire 1510/Aspire 1510
> RIP: 0010:[<ffffffff81026328>] [<ffffffff81026328>]
> memtype_rb_augment_cb+0x18/0x60
> RSP: 0000:ffffffff81a01d68 EFLAGS: 00010282
> RAX: ffffffff81026310 RBX: 000000004ff79000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffff88004f832100 RDI: ffff88004f832120
> RBP: ffffffff81a01d68 R08: 0000000000000f00 R09: 00000000000000e0
> R10: ffffffff81a13640 R11: 0000000000000f00 R12: 000000004ff7f000
> R13: 00000000fffffff4 R14: ffff88004f832120 R15: ffffffff81a01eb0
> FS: 0000000000000000(0000) GS:ffffffff81a1c000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: ffff88004f802a00 CR3: 0000000001a0b000 CR4: 00000000000006f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
> [<ffffffff8124c963>] rb_insert_color+0x23/0x160
> [<ffffffff810266bd>] rbt_memtype_check_insert+0x15d/0x200
> [<ffffffff810250d4>] reserve_memtype+0x294/0x380
> [<ffffffff81022472>] __ioremap_caller+0x1a2/0x380
> [<ffffffff81022712>] ioremap_nocache+0x12/0x20
> [<ffffffff8159eafe>] acpi_os_map_memory+0x12/0x24
> [<ffffffff81292aef>] acpi_tb_verify_table+0x29/0x57
> [<ffffffff8129231d>] acpi_load_tables+0x39/0x16d
> [<ffffffff81ab7e3d>] acpi_early_init+0x6c/0xf7
> [<ffffffff81aa0b56>] start_kernel+0x32a/0x33c
> [<ffffffff81aa0288>] x86_64_start_reservations+0x98/0x9c
> [<ffffffff81aa0385>] x86_64_start_kernel+0xf9/0x100
> [<ffffffffffffffff>] 0xffffffffffffffff
> kmemcheck: Initialized
> Setting APIC routing to flat
> ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
> NET: Registered protocol family 16
>
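The kmemcheck shadow line in the report quoted above can be decoded mechanically; the following is an added example, not part of the thread or of the kernel source. It assumes kmemcheck's report layout of a 32-byte, 32-byte-aligned window with one state letter per byte; `decode_shadow`, `struct shadow_hit` and `WINDOW` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#define WINDOW 32 /* assumption: kmemcheck dumps a 32-byte, 32-byte-aligned window */
/* Constructed sample: address and shadow line copied from the report above. */
static const uint64_t sample_addr = 0xffff88004f832110ULL;
static const char sample_shadow[] =
    "> i i i i i i i i i i i i i i i i u u u u u u u u i i i i i i i i";

struct shadow_hit {
    uint64_t window_base; /* address of the first dumped byte */
    unsigned access_off;  /* offset of the access inside the window */
    unsigned bad_bytes;   /* accessed bytes whose state is not 'i' */
    uint64_t first_bad;   /* address of the first such byte, 0 if none */
};

/* Legend: i initialized, u uninitialized, a unallocated, f freed. Returns 0,
 * or -1 for a malformed line or an access running past the dumped window. */
static int decode_shadow(uint64_t addr, unsigned size, const char *shadow,
                         struct shadow_hit *out)
{
    char state[WINDOW];
    unsigned n = 0;
    for (const char *p = shadow; *p; p++) {
        if (*p == ' ' || *p == '>')
            continue; /* column spacing and mail quoting */
        if (n == WINDOW || (*p != 'i' && *p != 'u' && *p != 'a' && *p != 'f'))
            return -1;
        state[n++] = *p;
    }
    out->window_base = addr & ~(uint64_t)(WINDOW - 1);
    out->access_off = (unsigned)(addr - out->window_base);
    out->bad_bytes = 0;
    out->first_bad = 0;
    if (n != WINDOW || size == 0 || size > WINDOW - out->access_off)
        return -1;
    for (unsigned i = out->access_off; i < out->access_off + size; i++)
        if (state[i] != 'i' && out->bad_bytes++ == 0)
            out->first_bad = out->window_base + i;
    return 0;
}

int main(void)
{
    struct shadow_hit h;
    if (decode_shadow(sample_addr, 8, sample_shadow, &h) == 0)
        printf("%u bad byte(s) at window offset %u, first at %#llx\n",
               h.bad_bytes, h.access_off, (unsigned long long)h.first_bad);
    return 0;
}
```

For the report above this yields 8 flagged bytes at window offset 16, so the entire 64-bit read landed on bytes marked uninitialized.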
Reply-To: venki@google.com Does this change help? Thanks, Venki --- arch/x86/mm/pat.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c index acc15b2..64121a1 100644 --- a/arch/x86/mm/pat.c +++ b/arch/x86/mm/pat.c @@ -302,7 +302,7 @@ int reserve_memtype(u64 start, u64 end, unsigned long req_type, return -EINVAL; } - new = kmalloc(sizeof(struct memtype), GFP_KERNEL); + new = kzalloc(sizeof(struct memtype), GFP_KERNEL); if (!new) return -ENOMEM;
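Review bot: the switch to kzalloc() for new in reserve_memtype() silences the kmemcheck warning by zeroing all of struct memtype, but the patch carries no changelog saying which member was read before being set. The trace in this report puts the read in memtype_rb_augment_cb() under rb_insert_color(), reached from rbt_memtype_check_insert(), so the changelog should name that member and state that zero is the correct initial value for it; if it is the only such member, an explicit assignment before the rbtree insert would document the dependency better than zeroing the whole allocation. Please also add a Signed-off-by line and a reference to bug 16092 before this is applied.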
Yes, I do not get the warning anymore on 2.6.35-rc1 with this patch.
Handled-By : Venki <venki@google.com>
Patch : https://bugzilla.kernel.org/show_bug.cgi?id=16092#c2
On Wednesday 09 June 2010, Christian Casteyde wrote:
> Still present in -rc2.
Fixed in 2.6.35-rc4.
Fixed by commit 6a4f3b523779b67e7d560ed42652f8a59f2f9782.