Re: [Xen-devel] bug: slab corruption (net backend?)
Hi, seems the copy code in netback may triggers this: [ ... ] kfree: dc81a000 kmem_cache_alloc: dc81a000 netif_be_start_xmit: copy skb dc927238/db78a022 -> nskb dc83cb30/dc81a010 kmem_cache_alloc: dcf5f000 kfree: db78a000 kfree: dc81a000 Slab corruption: start=dc81a000, i=0, len=4096 Slab name: xen-skb 000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 With the debug patch below Gerd
Index: linux-2.6.11/mm/slab.c
===================================================================
--- linux-2.6.11.orig/mm/slab.c 2005-03-02 08:38:38.000000000 +0100
+++ linux-2.6.11/mm/slab.c 2005-07-07 14:11:17.000000000 +0200
@@ -1007,6 +1007,9 @@ static void print_objinfo(kmem_cache_t *
 int i, size;
 char *realobj;
+ if (cachep->name) {
+ printk(KERN_ERR "Slab name: %s\n", cachep->name);
+ }
 if (cachep->flags & SLAB_RED_ZONE) {
 printk(KERN_ERR "Redzone: 0x%lx/0x%lx.\n",
 *dbg_redzone1(cachep, objp),
@@ -1049,8 +1052,8 @@ static void check_poison_obj(kmem_cache_
 /* Mismatch ! */
 /* Print header */
 if (lines == 0) {
- printk(KERN_ERR "Slab corruption: start=%p, len=%d\n",
- realobj, size);
+ printk(KERN_ERR "Slab corruption: start=%p, i=%d, len=%d\n",
+ realobj, i, size);
 print_objinfo(cachep, objp, 0);
 }
 /* Hexdump the affected line */
@@ -2294,9 +2297,17 @@ static inline void __cache_free (kmem_ca
 * Allocate an object from this cache. The flags are only relevant
 * if the cache has no available objects.
 */
+
+extern kmem_cache_t *skbuff_cachep; /* in arch/xen/kernel/skbuff.c */
+
 void * kmem_cache_alloc (kmem_cache_t *cachep, int flags)
 {
- return __cache_alloc(cachep, flags);
+ void *rc = __cache_alloc(cachep, flags);
+
+ if (skbuff_cachep == cachep) {
+ printk("%s: %p\n", __FUNCTION__, rc);
+ }
+ return rc;
 }
 EXPORT_SYMBOL(kmem_cache_alloc);
@@ -2530,6 +2541,9 @@ void kmem_cache_free (kmem_cache_t *cach
 {
 unsigned long flags;
+ if (skbuff_cachep == cachep) {
+ printk("%s: %p\n", __FUNCTION__, objp);
+ }
 local_irq_save(flags);
 __cache_free(cachep, objp);
 local_irq_restore(flags);
@@ -2575,6 +2589,9 @@ void kfree (const void *objp)
 local_irq_save(flags);
 kfree_debugcheck(objp);
 c = GET_PAGE_CACHE(virt_to_page(objp));
+ if (skbuff_cachep == c) {
+ printk("%s: %p\n", __FUNCTION__, objp);
+ }
 __cache_free(c, (void*)objp);
 local_irq_restore(flags);
 }
Index: linux-2.6.11/arch/xen/kernel/skbuff.c
===================================================================
--- linux-2.6.11.orig/arch/xen/kernel/skbuff.c 2005-07-07 11:04:31.000000000 +0200
+++ linux-2.6.11/arch/xen/kernel/skbuff.c 2005-07-07 14:09:37.000000000 +0200
@@ -27,6 +27,8 @@ EXPORT_SYMBOL(__dev_alloc_skb);
 struct sk_buff *__dev_alloc_skb(unsigned int length, int gfp_mask)
 {
 struct sk_buff *skb;
+
+ BUG_ON(length+16 > PAGE_SIZE);
 skb = alloc_skb_from_cache(skbuff_cachep, length + 16, gfp_mask);
 if ( likely(skb != NULL) )
 skb_reserve(skb, 16);
Index: linux-2.6.11/drivers/xen/netback/netback.c
===================================================================
--- linux-2.6.11.orig/drivers/xen/netback/netback.c 2005-07-07 11:04:31.000000000 +0200
+++ linux-2.6.11/drivers/xen/netback/netback.c 2005-07-07 14:12:51.000000000 +0200
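Review bot: The `printk("%s: %p\n", ...)` calls added to kmem_cache_alloc(), and likewise in the kmem_cache_free() and kfree() hunks, carry no log level and write a raw object address for every allocation and free in the skb cache, so they go out at the default level, can flood the console and expose kernel heap addresses; `printk(KERN_DEBUG "%s: %p\n", __FUNCTION__, rc);` keeps the trace while staying below the usual console threshold. The `extern kmem_cache_t *skbuff_cachep;` placed in mm/slab.c ties the generic allocator to a symbol that, per its own comment, is defined in arch/xen/kernel/skbuff.c, so the declaration and the three comparisons should sit under a Xen-only guard such as `#ifdef CONFIG_XEN` if this is kept beyond a debugging session. In kfree() the print runs between local_irq_save() and local_irq_restore(), which lengthens the interrupts-off window on a hot path. The kmem_cache_free() and kfree() bodies begin outside their hunks.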
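Review bot: `BUG_ON(length+16 > PAGE_SIZE)` in __dev_alloc_skb() does the addition in `unsigned int`, so a `length` within 16 of UINT_MAX wraps to a small value and passes the check even though the request is far larger than a page; `BUG_ON(length > PAGE_SIZE - 16);` tests the same bound without the wraparound. The netback hunk in this patch calls `dev_alloc_skb(hlen + skb->len)`, which presumably reaches this function, so the length may be derived from packet data; outside a debugging build, returning NULL for an oversized request would be safer than halting the kernel. The function body continues past the end of the hunk.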
@@ -151,6 +151,8 @@ int netif_be_start_xmit(struct sk_buff *
 struct sk_buff *nskb = dev_alloc_skb(hlen + skb->len);
 if ( unlikely(nskb == NULL) )
 goto drop;
+ printk("%s: copy skb %p/%p -> nskb %p/%p\n", __FUNCTION__,
+ skb, skb->data, nskb, nskb->data);
 skb_reserve(nskb, hlen);
 __skb_put(nskb, skb->len);
 if (skb_copy_bits(skb, -hlen, nskb->data - hlen, skb->len + hlen))
_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
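Review bot: The trace added after the `nskb == NULL` check prints the four pointers but not `hlen` or `skb->len`, which are the values needed to tell whether the following `skb_copy_bits(skb, -hlen, nskb->data - hlen, skb->len + hlen)` stays inside the object that was allocated; the sample log in the message shows nskb data at dc81a010 inside a 4096-byte xen-skb object, so the copy length decides whether it overruns. Appending them, e.g. a format ending `-> nskb %p/%p, hlen %d, len %u\n` with `(int)hlen, skb->len` as extra arguments, makes each line self-sufficient. The call also lacks a log level and runs for every copied packet, so `KERN_DEBUG` is worth adding. netif_be_start_xmit() starts and continues outside the hunk, and the declared type of `hlen` is not visible here, hence the cast.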