kmemcheck caught read from freed memory (cfq_free_io_context)

Hi, This appeared in my logs: kmemcheck: Caught 32-bit read from freed memory (f7042348) Pid: 1374, comm: bash Not tainted (2.6.25-rc7 #92) EIP: 0060:[<c0502f0d>] EFLAGS: 00210202 CPU: 0 EIP is at call_for_each_cic+0x2d/0x44 EAX: 00200286 EBX: 00000001 ECX: c200e908 EDX: f7042348 ESI: f6c26c60 EDI: c0503310 EBP: f70fff38 ESP: c082ec88 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 CR0: 8005003b CR2: f7826904 CR3: 36cd7000 CR4: 000006c0 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff4ff0 DR7: 00000400 [<c041cff8>] kmemcheck_read+0xa8/0xe0 [<c041d1d5>] kmemcheck_access+0x1a5/0x244 [<c0668252>] do_page_fault+0x622/0x6fc [<c06666aa>] error_code+0x72/0x78 [<c050323f>] cfq_free_io_context+0xf/0x70 [<c04fc4d7>] put_io_context+0x4f/0x58 [<c04fc568>] exit_io_context+0x60/0x6c [<c042f871>] do_exit+0x4d9/0x6f0 [<c042fab1>] do_group_exit+0x29/0x88 [<c042fb1f>] sys_exit_group+0xf/0x14 [<c0406105>] sysenter_past_esp+0x6d/0xa4 [<ffffffff>] 0xffffffff The error occurs in cfq_free_io_context()'s call to call_for_each_cic() which looks like this: rcu_read_lock(); hlist_for_each_entry_rcu(cic, n, &ioc->cic_list, cic_list) { func(ioc, cic); called++; } rcu_read_unlock(); The function that is called is cic_free_func(). It is postulated that hlist_for_each_entry_rcu() will dereference the previously freed list element to get the ->next pointer. After a short discussion with Pekka Enberg and Peter Zijlstra, it seemed evident that this list traversal should use hlist_for_each_entry_safe_rcu() instead, which would buffer the next pointer before the object is freed. Does this report seem to be valid? The kernel is 2.6.25-rc7. Kind regards, Vegard Nossum --

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Alan Cox	[PATCH 00/76] Queued TTY Patches
Linus Torvalds	Linux 2.6.27
Eric W. Biederman	[PATCH] nfsd/nfs4state: Remove unnecessary daemonize call.
Artem Bityutskiy	[PATCH 10/44 take 2] [UBI] debug unit implementation
git:
Daniel Barkalow	Re: I don't want the .git directory next to my code.
Johannes Schindelin	Re: [PATCH] RFC: git lazy clone proof-of-concept
Johannes Schindelin	Re: [ANNOUNCE] GIT 1.5.4
Johannes Schindelin	Re: git-diff on touched files: bug or feature?
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Juan Miscaro	When will OpenBSD support UTF8?
Stefan Beke	mail dovecot: pipe() failed: Too many open files
L. V. Lammert	Re: About Xen: maybe a reiterative question but ..
linux-netdev:
Michael Buesch	Re: Mark IPW2100 as BROKEN: Fatal interrupt. Scheduling firmware restart.
Johannes Berg	Re: mac80211 truesize bugs
Vitaliy Gusev	[TCP]: TCP_DEFER_ACCEPT causes leak sockets
Alexey Dobriyan	[PATCH 10/33] netns ct: per-netns /proc/net/nf_conntrack_expect


Shared swap partition	37 minutes ago	Linux general
high memory	1 day ago	Linux kernel
semaphore access speed	1 day ago	Applications and Utilities
the kernel how to power off the machine	2 days ago	Linux kernel
Easter Eggs in windows XP	2 days ago	Windows
Root password	2 days ago	Linux general
Where/when DNOTIFY is used?	2 days ago	Linux kernel
How to convert Linux Kernel built-in module into a loadable module	2 days ago	Linux kernel
Linux 2.6.24 and I/O schedulers	2 days ago	Linux kernel
USB Driver -- Interrupt Polling -- A Little Help Please	2 days ago	Linux general

kmemcheck caught read from freed memory (cfq_free_io_context)

Online users