This article introduces slab memory error types (part 2), in the hope that it offers some reference for solving related programming problems.
/******************************************************************/
1] Use the object after free:
/* After kmem_cache_free the object is inactive: it is handed out again on the next allocation,
 * and may be reclaimed some time later.
 * Without slab_debug enabled there is no visible problem, only the contents get changed; with it enabled, the kernel crashes.
 */
[ 13.072735:0] Slab corruption (Tainted: G W ): my_cache start=ee14f478, len=32
[ 13.081033:0] Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
[ 13.087072:0] Last user: [<c02a3ec4>](slab_test+0x78/0xcc)
[ 13.101280:0] 000: dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd ................
[ 13.109835:0] 010: dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd ................
[ 13.128925:0] Prev obj: start=ee14f440, len=32
[ 13.146059:0] Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
[ 13.152306:0] Last user: [< (null)>](0x0)
[ 13.156688:0] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 13.165924:0] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 13.175003:0] Next obj: start=ee14f4b0, len=32
[ 13.180320:0] Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
[ 13.187112:0] Last user: [< (null)>](0x0)
[ 13.191314:0] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 13.203392:0] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk.
[ 13.212974:0] ------------[ cut here ]------------
[ 13.217779:0] kernel BUG at mm/slab.c:2037!
[ 13.221967:0] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
[ 13.227966:0] Modules linked in: memalloc
[ 13.232018:0] CPU: 0 Tainted: G W (3.4.0-gc093057-dirty #596)
[ 13.238986:0] PC is at check_poison_obj+0x194/0x1b4
[ 13.243868:0] LR is at console_unlock+0x1c8/0x1d8
[ 14.198441:0] Backtrace:
[ 14.201081:0] [<c00d59fc>] (check_poison_obj+0x0/0x1b4) from [<c00d6938>] (slab_destroy+0x50/0x148)
[ 14.210096:0] [<c00d68e8>] (slab_destroy+0x0/0x148) from [<c00d6d9c>] (drain_freelist+0xa0/0xc8)
[ 14.218845:0] r8:ee14c1f0 r7:ee14c204 r6:00000001 r5:ee14ea00 r4:ee14c1e0
[ 14.225564:0] r3:00000000
[ 14.228377:0] [<c00d6cfc>] (drain_freelist+0x0/0xc8) from [<c00d6ea4>] (cache_reap+0xe0/0x140)
[ 14.236963:0] [<c00d6dc4>] (cache_reap+0x0/0x140) from [<c004240c>] (process_one_work+0x274/0x420)
[ 14.245883:0] r7:00000000 r6:c1130100 r5:c112b620 r4:ed8f5f20
[ 14.251752:0] [<c0042198>] (process_one_work+0x0/0x420) from [<c0042954>] (worker_thread+0x1c4/0x2c4)
[ 14.260940:0] [<c0042790>] (worker_thread+0x0/0x2c4) from [<c0048ad8>] (kthread+0x98/0xa4)
[ 14.269177:0] [<c0048a40>] (kthread+0x0/0xa4) from [<c002e0d0>] (do_exit+0x0/0x758)
2] Writing beyond the allocated object size:
#include <linux/slab.h>
#include <linux/printk.h>

/* cache created with a 32-byte object size elsewhere in the module (kmem_cache_create) */
extern struct kmem_cache *my_cachep;

int slab_test(void)
{
	void *object;

	pr_err("slab_test: Cache name is %s\n", my_cachep->name);
	pr_err("slab_test: Cache object size is %d\n", kmem_cache_size(my_cachep));
	object = kmem_cache_alloc(my_cachep, GFP_KERNEL);
	if (object) {
		pr_err("slab_test: get an object size 32 but used as 64 %p\n", object);
		/* deliberate overflow: the object holds 32 bytes, 64 are written (case 2) */
		memset(object, 0xDD, 64);
	}
	if (0) {	/* change to 1 to reproduce case 1: write after free */
		kmem_cache_free(my_cachep, object);
		memset(object, 0xee, 64);
	}
	trace_printk("slab_test: trace printk %p\n", object);
	pr_err("slab_test: after free but write still %p\n", object);
	return 0;
}
<3>[ 4.509251:1] slabtest_driver_init
<3>[ 4.513412:1] slab_test: Cache name is my_cache
<3>[ 4.517997:1] slab_test: Cache object size is 32
<3>[ 4.522887:1] slab_test: get an object size 32 but used as 64 ee296478
<3>[ 4.529506:1] slab_test: after free but write still ee296478
ee296478 and ee2c0470
A question may arise here: the printed address is ee2c0478, yet the kmem command shows ee2c0470.
Don't forget that when the slab_debug switch is on, a red zone and the user caller, among other things, are added to each object.
crash> kmem -S my_cache
CACHE NAME OBJSIZE ALLOCATED TOTAL SLABS SSIZE
ee17fa00 my_cache 56 1 67 1 4k
SLAB MEMORY TOTAL ALLOCATED FREE
ee2c0000 ee2c0128 67 1 66
FREE / [ALLOCATED]
crash> rd FREE: ee2c0ef0 /* a normal object that has not been used yet */
ee2c0ef0: 9d74e35b 09f91102 6b6b6b6b 6b6b6b6b [.t.....kkkkkkkk
ee2c0f00: 6b6b6b6b 6b6b6b6b 6b6b6b6b 6b6b6b6b kkkkkkkkkkkkkkkk
ee2c0f10: 6b6b6b6b a56b6b6b 9d74e35b 09f91102 kkkkkkk.[.t.....
[3 lines * 4 words * 4 bytes + 2 words * 4 bytes = 48 + 8 = 56]
/* If more data is written than the object's bound, i.e. the write runs past the end, the data that follows is overwritten */
crash> rd [ALLOCATED] ee2c0470
ee2c0470: 635688c0 d84156c5 dddddddd dddddddd ..Vc.VA.........
ee2c0480: dddddddd dddddddd dddddddd dddddddd ................
ee2c0490: dddddddd dddddddd dddddddd dddddddd ................
ee2c04a0: dddddddd dddddddd dddddddd dddddddd ................
ee2c04b0: dddddddd dddddddd
An object with 32 usable bytes was written with 64 bytes; the result is that the memory after it is overwritten.
/* Note: the kmalloc caches (size-xxx) looked at here do not include the red zone and the user caller,
 * yet the poison element is in effect. Why?
 */
crash> kmem -S size-32
CACHE NAME OBJSIZE ALLOCATED TOTAL SLABS SSIZE
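To make the two checks that fire in the logs above concrete, here is an added userspace model of the slab_debug object layout (example code written for this page, not kernel code and not the author's module). It assumes the layout visible in the crash dumps: an 8-byte red zone on each side of a 32-byte payload, free objects filled with 0x6b and terminated by 0xa5, and the same red-zone pattern the oops prints. The slot count NR_OBJS, the function names and the numeric error codes are assumptions of the model; case 1 (write after free) trips the poison check and case 2 (64 bytes into a 32-byte object) trips the red-zone check.

```c
/* Userspace model of the SLAB debug layout: [redzone][32-byte payload][redzone].
 * Added example, not kernel code; names and NR_OBJS are assumed for the model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE    32   /* usable object size, as in my_cache */
#define RED_BYTES   8    /* redzone on each side: the 8-byte offset seen in crash */
#define NR_OBJS     4    /* assumed number of slots in the model slab */
#define SLOT_SIZE   (RED_BYTES + OBJ_SIZE + RED_BYTES)
#define POISON_FREE 0x6b /* the 'k' bytes in the dumps */
#define POISON_END  0xa5 /* last byte of a poisoned free object */
/* pattern printed on the "Redzone:" lines of the oops (stored little-endian) */
static const uint64_t RED_ACTIVE = 0x09f911029d74e35bULL;

enum slab_err { SLAB_OK = 0, SLAB_REDZONE = 1, SLAB_POISON = 2 };

static unsigned char slab[NR_OBJS * SLOT_SIZE];
static int in_use[NR_OBJS];

static unsigned char *slot(int i)    { return slab + i * SLOT_SIZE; }
static unsigned char *payload(int i) { return slot(i) + RED_BYTES; }

/* fill a free object exactly as the dumps show: 31 x 0x6b then 0xa5 */
static void poison_obj(int i)
{
    memset(payload(i), POISON_FREE, OBJ_SIZE - 1);
    payload(i)[OBJ_SIZE - 1] = POISON_END;
}

void slab_init(void)
{
    for (int i = 0; i < NR_OBJS; i++) {
        in_use[i] = 0;
        memcpy(slot(i), &RED_ACTIVE, RED_BYTES);
        memcpy(payload(i) + OBJ_SIZE, &RED_ACTIVE, RED_BYTES);
        poison_obj(i);
    }
}

/* first free slot; the caller receives the payload pointer, as kmem_cache_alloc would */
unsigned char *cache_alloc(int *idx)
{
    for (int i = 0; i < NR_OBJS; i++)
        if (!in_use[i]) { in_use[i] = 1; *idx = i; return payload(i); }
    return NULL;
}

/* like kmem_cache_free with slab_debug on: the payload is poisoned on free */
void cache_free(int i) { in_use[i] = 0; poison_obj(i); }

/* both guard words must still hold RED_ACTIVE */
enum slab_err check_redzone(int i)
{
    uint64_t lo, hi;
    memcpy(&lo, slot(i), RED_BYTES);
    memcpy(&hi, payload(i) + OBJ_SIZE, RED_BYTES);
    return (lo == RED_ACTIVE && hi == RED_ACTIVE) ? SLAB_OK : SLAB_REDZONE;
}

/* a free object must be all 0x6b ending in 0xa5; this is the check named
 * as check_poison_obj in the backtrace above */
enum slab_err check_poison_obj(int i)
{
    const unsigned char *p = payload(i);
    for (int k = 0; k < OBJ_SIZE - 1; k++)
        if (p[k] != POISON_FREE) return SLAB_POISON;
    return p[OBJ_SIZE - 1] == POISON_END ? SLAB_OK : SLAB_POISON;
}

/* walk every slot, as the reaper does before destroying a slab; report the first damaged one */
enum slab_err check_slab(int *bad_idx)
{
    for (int i = 0; i < NR_OBJS; i++) {
        enum slab_err e = in_use[i] ? SLAB_OK : check_poison_obj(i);
        if (e == SLAB_OK) e = check_redzone(i);
        if (e != SLAB_OK) { if (bad_idx) *bad_idx = i; return e; }
    }
    return SLAB_OK;
}

/* case 1 of the page: write into the object after freeing it */
enum slab_err demo_write_after_free(void)
{
    int i; slab_init();
    unsigned char *obj = cache_alloc(&i);
    cache_free(i);
    memset(obj, 0xee, OBJ_SIZE);
    return check_slab(NULL);
}

/* case 2 of the page: 32-byte object, 64 bytes written (runs into the next slot) */
enum slab_err demo_overflow(void)
{
    int i; slab_init();
    unsigned char *obj = cache_alloc(&i);
    memset(obj, 0xdd, 64);
    return check_slab(NULL);
}

/* well-behaved use: stays inside the object and is freed once */
enum slab_err demo_clean(void)
{
    int i; slab_init();
    unsigned char *obj = cache_alloc(&i);
    memset(obj, 0xdd, OBJ_SIZE);
    cache_free(i);
    return check_slab(NULL);
}

int main(void)
{
    printf("write after free -> %d (2 = poison damaged)\n", demo_write_after_free());
    printf("overflow         -> %d (1 = redzone damaged)\n", demo_overflow());
    printf("clean            -> %d (0 = ok)\n", demo_clean());
    return 0;
}
```

The model also shows why the address printed by the module and the one listed by kmem differ by 8: the caller only ever sees the payload pointer, which sits one red zone past the start of the slot. In the overflow case the damage is reported on the object that was written to, because its trailing red zone is the first guard word the walk reaches, even though the next slot's leading red zone and poison are clobbered as well.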
ee000080 size-32 32 13959 16498 146 4k
crash> rd e82176c0 0x30
e82176c0: 6b6b6b6b 6b6b6b6b 6b6b6b6b 6b6b6b6b kkkkkkkkkkkkkkkk
e82176d0: 6b6b6b6b 6b6b6b6b 6b6b6b6b a56b6b6b kkkkkkkkkkkkkkk.