Bug 183599 - ext3 slab corruption.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Assignee: Dave Jones
QA Contact: Brian Brock
Reported: 2006-03-02 07:57 UTC by Dax Kelson
Modified: 2015-01-04 22:25 UTC (History)
Last Closed: 2006-03-13 22:05:05 UTC
Description Dax Kelson 2006-03-02 07:57:17 UTC
Description of problem:
I have an AMD64 FX-55 CPU with a fresh March 1st 2006 install of rawhide.

I got a lockup part way through the boot while the init scripts were starting on
the first boot, but before I could get a console. There is another (new) bug
that prevents me from switching to the text VT so I couldn't see any kernel messages.

I hit the reset button and was able to use the box for about 50 minutes when the
X server and keyboard wedged tight. I was able to ssh into the box, and dmesg gave:

Slab corruption: (Not tainted) start=db669a68, len=128
Redzone: 0xdb669a64/0xdaf73069.
Last user: [<0000000b>](0xb)
 [<c0150c07>] check_poison_obj+0x6a/0x154     [<f88b12e4>] ext3fs_dirhash+0xef/0x1bb [ext3]
 [<c0150d10>] cache_alloc_debugcheck_after+0x1f/0xea     [<f88ad0a8>] htree_dirblock_to_tree+0x83/0xaa [ext3]
 [<c0151d8e>] __kmalloc_track_caller+0xa8/0xb2     [<f88ad0a8>] htree_dirblock_to_tree+0x83/0xaa [ext3]
 [<f88a653f>] ext3_htree_store_dirent+0x31/0x105 [ext3]     [<f88ad0a8>] htree_dirblock_to_tree+0x83/0xaa [ext3]
 [<f88ad127>] ext3_htree_fill_tree+0x58/0x1a0 [ext3]     [<f88a66a6>] ext3_readdir+0x93/0x551 [ext3]
 [<c0151e0a>] kmem_cache_alloc+0x72/0x7c     [<f88a67e6>] ext3_readdir+0x1d3/0x551 [ext3]
 [<c01637cc>] filldir64+0x0/0xc3     [<c016396e>] vfs_readdir+0x49/0x90
 [<c012d318>] debug_mutex_add_waiter+0x14/0x24     [<c016396e>] vfs_readdir+0x49/0x90
 [<c02de7b6>] __mutex_lock_slowpath+0x2c2/0x3a8     [<c016398b>] vfs_readdir+0x66/0x90
 [<c01637cc>] filldir64+0x0/0xc3     [<c0163a18>] sys_getdents64+0x63/0xa5
 [<c0102bc1>] syscall_call+0x7/0xb    <3>000: 64 9a 66 db 14 6b 66 db 14 6b 66 db 5a 5a 5a 5a
010: 00 00 00 00 54 34 44 f7 00 00 00 00 00 00 00 00
020: 00 00 00 00 00 00 00 00 31 33 39 32 2e 48 45 41
030: 44 45 52 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
040: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a a5 a5 c2 0f 17
050: 8b 7b 16 c0 a5 c2 0f 17 00 00 00 00 00 00 00 00
Prev obj: start=db669980, len=128
Redzone: 0x170fc2a5/0x5a5a5a5a.
Last user: [<5a5a5a5a>](0x5a5a5a5a)
000: 00 00 00 00 00 00 00 00 01 00 00 00 ad 4e ad de
010: ff ff ff ff ff ff ff ff 78 68 66 db 00 00 00 00
Next obj: start=db669a98, len=128
Redzone: 0x4145482e/0x0.
Last user: [<f7443454>](0xf7443454)
000: 44 45 52 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
010: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a a5 a5 c2 0f 17
slab error in cache_alloc_debugcheck_after(): cache `size-128': double free, or memory outside object was overwritten
 [<c0150d6c>] cache_alloc_debugcheck_after+0x7b/0xea
 [<f88ad0a8>] htree_dirblock_to_tree+0x83/0xaa [ext3]     [<c0151d8e>] __kmalloc_track_caller+0xa8/0xb2
 [<f88ad0a8>] htree_dirblock_to_tree+0x83/0xaa [ext3]     [<f88a653f>] ext3_htree_store_dirent+0x31/0x105 [ext3]
 [<f88ad0a8>] htree_dirblock_to_tree+0x83/0xaa [ext3]     [<f88ad127>] ext3_htree_fill_tree+0x58/0x1a0 [ext3]
 [<f88a66a6>] ext3_readdir+0x93/0x551 [ext3]     [<c0151e0a>] kmem_cache_alloc+0x72/0x7c
 [<f88a67e6>] ext3_readdir+0x1d3/0x551 [ext3]     [<c01637cc>] filldir64+0x0/0xc3
 [<c016396e>] vfs_readdir+0x49/0x90     [<c012d318>] debug_mutex_add_waiter+0x14/0x24
 [<c016396e>] vfs_readdir+0x49/0x90     [<c02de7b6>] __mutex_lock_slowpath+0x2c2/0x3a8
 [<c016398b>] vfs_readdir+0x66/0x90     [<c01637cc>] filldir64+0x0/0xc3
 [<c0163a18>] sys_getdents64+0x63/0xa5     [<c0102bc1>] syscall_call+0x7/0xb
db669a64: redzone 1: 0xdb669a64, redzone 2: 0xdaf73069.
slab error in cache_free_debugcheck(): cache `dentry_cache': double free, or memory outside object was overwritten
 [<c0150ac3>] cache_free_debugcheck+0xc5/0x198     [<f88a63f0>] free_rb_tree_fname+0x2b/0x73 [ext3]
 [<c0151161>] kfree+0x49/0x79     [<f88a63f0>] free_rb_tree_fname+0x2b/0x73 [ext3]
 [<f88a6440>] ext3_htree_free_dir_info+0x8/0x10 [ext3]     [<f88a6457>] ext3_release_dir+0xf/0x12 [ext3]
 [<c0155095>] __fput+0xae/0x14b     [<c0152bbf>] filp_close+0x4e/0x54
 [<c0102bc1>] syscall_call+0x7/0xb    <3>db669a64: redzone 1: 0x170fc2a5, redzone 2: 0xdb669b9c.
------------[ cut here ]------------
kernel BUG at mm/slab.c:2542!
invalid opcode: 0000 [#1]
last sysfs file: /block/dm-1/stat
Modules linked in: nls_utf8 ppdev autofs4 hidp rfcomm l2cap bluetooth sunrpc video button battery ac ipv6 lp parport_pc parport floppy nvram ohci1394 ehci_hcd ieee1394 ohci_hcd sg skge snd_intel8x0 snd_ac97_codec snd_ac97_bus snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm forcedeth snd_timer snd i2c_nforce2 i2c_core soundcore snd_page_alloc dm_snapshot dm_zero dm_mirror dm_mod ext3 jbd sata_nv libata sd_mod scsi_mod
CPU:    0
EIP:    0060:[<c0150b3f>]    Not tainted VLI
EFLAGS: 00210016   (2.6.15-1.1996_FC5 #1)
EIP is at cache_free_debugcheck+0x141/0x198
eax: db669a1c   ebx: db6690bc   ecx: 000000a0   edx: 00000048
esi: f7ff6b00   edi: db669a64   ebp: db669040   esp: d7eeff40
ds: 007b   es: 007b   ss: 0068
Process ldconfig (pid: 22124, threadinfo=d7eef000 task=d7ed5000)
Stack: <0>f88a63f0 f7ff6b00 f7ff75d4 db669a68 00200282 c0151161 00000000 ed2d785c
       db669a70 00000000 f88a63f0 cabd01f4 cabd01f4 00000000 ec5c2dec f7e1a8b8
       f88a6440 40000010 f88a6457 c0155095 f7e3c6c0 f7ff4cd0 ec5c2dec 00000000
Call Trace:
 [<f88a63f0>] free_rb_tree_fname+0x2b/0x73 [ext3]
 [<c0151161>] kfree+0x49/0x79     [<f88a63f0>] free_rb_tree_fname+0x2b/0x73 [ext3]
 [<f88a6440>] ext3_htree_free_dir_info+0x8/0x10 [ext3]     [<f88a6457>] ext3_release_dir+0xf/0x12 [ext3]
 [<c0155095>] __fput+0xae/0x14b     [<c0152bbf>] filp_close+0x4e/0x54
 [<c0102bc1>] syscall_call+0x7/0xb    <0>Code: ff 8b 14 24 89 10 8b 5d 0c 8b 4e 10 89 f8 29 d8 31 d2 f7 f1 3b 46 1c 72 08 0f 0b ed 09 42 ea 2f c0 0f af c1 8d 04 03 39 c7 74 08 <0f> 0b ee 09 42 ea 2f c0 f6 46 19 02 74 12 89 f8 03 86 94 00 00
Continuing in 1 seconds.
 <3>Debug: sleeping function called from invalid context at include/linux/rwsem.h:43
in_atomic():0, irqs_disabled():1
 [<c011b387>] profile_task_exit+0x13/0x3e
 [<c011cc05>] do_exit+0x1c/0x6cf     [<c0104022>] register_die_notifier+0x0/0x2f
 [<c010455d>] do_invalid_op+0x0/0x9d     [<c01045ee>] do_invalid_op+0x91/0x9d
 [<c0150b3f>] cache_free_debugcheck+0x141/0x198     [<c0102bc1>] syscall_call+0x7/0xb
 [<c010367b>] error_code+0x4f/0x54     [<c0150b3f>] cache_free_debugcheck+0x141/0x198
 [<f88a63f0>] free_rb_tree_fname+0x2b/0x73 [ext3]     [<c0151161>] kfree+0x49/0x79
 [<f88a63f0>] free_rb_tree_fname+0x2b/0x73 [ext3]     [<f88a6440>] ext3_htree_free_dir_info+0x8/0x10 [ext3]
 [<f88a6457>] ext3_release_dir+0xf/0x12 [ext3]     [<c0155095>] __fput+0xae/0x14b
 [<c0152bbf>] filp_close+0x4e/0x54     [<c0102bc1>] syscall_call+0x7/0xb
slab dentry_cache: redzone mismatch in slab db669040, obj db669a1c, bufctl 0xfffffffe
Redzone: 0x170fc2a5/0x5a5a5a5a.
Last user: [<5a5a5a5a>](0x5a5a5a5a)
000: 00 00 00 00 00 00 00 00 01 00 00 00 ad 4e ad de
010: ff ff ff ff ff ff ff ff fc 6a 66 db 00 00 00 00
slab dentry_cache: redzone mismatch in slab db669040, obj db669abc, bufctl 0xfffffffe
Redzone: 0x5a5a5a5a/0x170fc2a5.
Last user: [<c0167b8b>](d_alloc+0x1d/0x1c0)
000: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
010: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a

I hope this helps!

Comment 1 Dax Kelson 2006-03-13 22:05:05 UTC
This is probably the Maxtor SATA II and Nvidia nforce4 incompatibility problem.
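
Added example, not part of the original bug report: a Python triage helper that reads the `Redzone:` and hex-dump lines of a slab debug report like the one in the description and checks them against the Linux slab allocator's debug magic values (RED_ACTIVE 0x170FC2A5, RED_INACTIVE 0x5A2CF071, poison bytes 0x5a, 0x6b and 0xa5). The function names and the `SAMPLE` excerpt layout are chosen here for illustration.

```python
import re

# Magic values used by the Linux slab allocator's debug checks.
MAGIC = {0x170FC2A5: "RED_ACTIVE", 0x5A2CF071: "RED_INACTIVE"}
POISON = {0x5A: "POISON_INUSE", 0x6B: "POISON_FREE", 0xA5: "POISON_END"}

# Excerpt of the report above, with the 80-column wraps rejoined.
SAMPLE = """\
Slab corruption: (Not tainted) start=db669a68, len=128
Redzone: 0xdb669a64/0xdaf73069.
000: 64 9a 66 db 14 6b 66 db 14 6b 66 db 5a 5a 5a 5a
030: 44 45 52 00 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
Prev obj: start=db669980, len=128
Redzone: 0x170fc2a5/0x5a5a5a5a.
"""

def classify_redzone(word):
    """Name a 32-bit redzone word, or flag it as not a slab magic value."""
    if word in MAGIC:
        return MAGIC[word]
    byte = word & 0xFF
    if word == byte * 0x01010101 and byte in POISON:
        return POISON[byte] + " fill"
    return "unexpected"

def triage(report):
    """Map each object in a slab report to its redzone verdicts and the
    number of dumped bytes that are not free-object poison (0x6b/0xa5)."""
    objects, current = {}, None
    for line in report.splitlines():
        head = re.match(r"(Slab corruption|Prev obj|Next obj):", line)
        if head:
            current = objects.setdefault(head.group(1), {"redzone": [], "foreign": 0})
            continue
        if current is None:
            continue
        zone = re.match(r"Redzone: 0x([0-9a-f]+)/0x([0-9a-f]+)", line)
        if zone:
            current["redzone"] = [classify_redzone(int(w, 16)) for w in zone.groups()]
            continue
        dump = re.match(r"(?:<\d>)?[0-9a-f]{3}: ((?:[0-9a-f]{2} ?)+)$", line)
        if dump:
            data = bytes.fromhex(dump.group(1))
            current["foreign"] += sum(b not in (0x6B, 0xA5) for b in data)
    return objects

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(name, verdict)
```

On the excerpt, both redzone words of the reported object come back `unexpected`, and the previous object's second word reads as in-use poison fill rather than a magic value.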

