2016-11-09 22:04:16

by Shuah Khan

Subject: Linux 4.9-rc4 double free from pp_release()

Hi Sudip/Greg,

I am seeing the following double free from pp_release() in Linux 4.9-rc4.
Is this a known problem?

-- Shuah

[ 54.732175] device: 'ppdev0.0': device_add
[ 54.732220] bus: 'parport': add device ppdev0.0
[ 54.732388] PM: Adding info for parport:ppdev0.0
[ 54.732804] bus: 'parport': driver_probe_device: matched device ppdev0.0 with driver ppdev
[ 54.732810] bus: 'parport': really_probe: probing driver ppdev with device ppdev0.0
[ 54.732851] devices_kset: Moving ppdev0.0 to end of list
[ 54.732857] driver: 'ppdev': driver_bound: bound to device 'ppdev0.0'
[ 54.732872] bus: 'parport': really_probe: bound device ppdev0.0 to driver ppdev
[ 54.785001] device: 'ppdev0.0': device_unregister
[ 54.785133] bus: 'parport': remove device ppdev0.0
[ 54.785161] PM: Removing info for parport:ppdev0.0
[ 54.785315] ==================================================================
[ 54.785326] BUG: Double free or freeing an invalid pointer
[ 54.785332] Unexpected shadow byte: 0xFB
[ 54.785344] CPU: 1 PID: 973 Comm: colord-sane Tainted: G B W 4.9.0-rc4+ #1
[ 54.785348] Hardware name: Hewlett-Packard HP ProBook 6475b/180F, BIOS 68TTU Ver. F.04 08/03/2012
[ 54.785353] ffff8801f6197d20 ffffffff81b372e3 ffff8801fa403cc0 ffff8801b1f15048
[ 54.785367] ffff8801f6197d48 ffffffff8156bf71 00000000fffffffb ffff8801fa403cc0
[ 54.785378] ffff8801b1f15048 ffff8801f6197d78 ffffffff8156c8e9 0000000000000296
[ 54.785387] Call Trace:
[ 54.785402] [<ffffffff81b372e3>] dump_stack+0x67/0x94
[ 54.785411] [<ffffffff8156bf71>] kasan_object_err+0x21/0x70
[ 54.785417] [<ffffffff8156c8e9>] kasan_report_double_free+0x49/0x60
[ 54.785424] [<ffffffff8156bb6b>] kasan_slab_free+0x9b/0xb0
[ 54.785431] [<ffffffff81567999>] kfree+0xd9/0x280
[ 54.785443] [<ffffffffa029048b>] pp_release+0x1db/0xa00 [ppdev]
[ 54.785451] [<ffffffff815ab3db>] __fput+0x24b/0x690
[ 54.785459] [<ffffffff815ab88e>] ____fput+0xe/0x10
[ 54.785466] [<ffffffff8117df6e>] task_work_run+0xde/0x140
[ 54.785474] [<ffffffff810039d1>] exit_to_usermode_loop+0xf1/0x110
[ 54.785483] [<ffffffff81006450>] syscall_return_slowpath+0x150/0x190
[ 54.785491] [<ffffffff828fb3fd>] entry_SYSCALL_64_fastpath+0xab/0xad
[ 54.785497] Object at ffff8801b1f15048, in cache kmalloc-8 size: 8
[ 54.785503] Allocated:
[ 54.785510] PID = 973
[ 54.785517]
[ 54.785524] [<ffffffff8108088b>] save_stack_trace+0x1b/0x20
[ 54.785527]
[ 54.785533] [<ffffffff8156b2e6>] save_stack+0x46/0xd0
[ 54.785535]
[ 54.785541] [<ffffffff8156b55d>] kasan_kmalloc+0xad/0xe0
[ 54.785543]
[ 54.785549] [<ffffffff8156bac2>] kasan_slab_alloc+0x12/0x20
[ 54.785551]
[ 54.785558] [<ffffffff8156a565>] __kmalloc_track_caller+0xd5/0x290
[ 54.785560]
[ 54.785567] [<ffffffff814bf661>] kstrdup+0x31/0x60
[ 54.785569]
[ 54.785583] [<ffffffffa031c236>] parport_register_dev_model+0x226/0xe20 [parport]
[ 54.785585]
[ 54.785593] [<ffffffffa0291025>] register_device+0x115/0x210 [ppdev]
[ 54.785596]
[ 54.785604] [<ffffffffa0292181>] pp_ioctl+0xec1/0x20a0 [ppdev]
[ 54.785606]
[ 54.785612] [<ffffffff815e0074>] do_vfs_ioctl+0x184/0xf30
[ 54.785614]
[ 54.785620] [<ffffffff815e0e99>] SyS_ioctl+0x79/0x90
[ 54.785622]
[ 54.785628] [<ffffffff828fb36a>] entry_SYSCALL_64_fastpath+0x18/0xad
[ 54.785631] Freed:
[ 54.785636] PID = 973
[ 54.785641]
[ 54.785647] [<ffffffff8108088b>] save_stack_trace+0x1b/0x20
[ 54.785649]
[ 54.785655] [<ffffffff8156b2e6>] save_stack+0x46/0xd0
[ 54.785657]
[ 54.785664] [<ffffffff8156bb41>] kasan_slab_free+0x71/0xb0
[ 54.785667]
[ 54.785672] [<ffffffff81567999>] kfree+0xd9/0x280
[ 54.785676]
[ 54.785686] [<ffffffffa03189b4>] free_pardevice+0x34/0x50 [parport]
[ 54.785689]
[ 54.785696] [<ffffffff81f0e296>] device_release+0x76/0x1e0
[ 54.785698]
[ 54.785706] [<ffffffff81b3d947>] kobject_release+0x107/0x370
[ 54.785707]
[ 54.785714] [<ffffffff81b3d55e>] kobject_put+0x4e/0xa0
[ 54.785716]
[ 54.785722] [<ffffffff81f0fc16>] device_unregister+0x66/0xa0
[ 54.785725]
[ 54.785736] [<ffffffffa031b7d4>] parport_unregister_device+0x3d4/0x670 [parport]
[ 54.785738]
[ 54.785747] [<ffffffffa0290483>] pp_release+0x1d3/0xa00 [ppdev]
[ 54.785749]
[ 54.785755] [<ffffffff815ab3db>] __fput+0x24b/0x690
[ 54.785757]
[ 54.785763] [<ffffffff815ab88e>] ____fput+0xe/0x10
[ 54.785765]
[ 54.785771] [<ffffffff8117df6e>] task_work_run+0xde/0x140
[ 54.785773]
[ 54.785778] [<ffffffff810039d1>] exit_to_usermode_loop+0xf1/0x110
[ 54.785780]
[ 54.785786] [<ffffffff81006450>] syscall_return_slowpath+0x150/0x190
[ 54.785788]
[ 54.785795] [<ffffffff828fb3fd>] entry_SYSCALL_64_fastpath+0xab/0xad
[ 54.785798] ==================================================================
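As an added illustration (not code from this thread or from the kernel), the ownership mistake the KASAN trace points at, modelled in user-space C: the name is allocated when the device is registered (kstrdup() in parport_register_dev_model()), released by free_pardevice() during parport_unregister_device(), and then freed a second time on the pp_release() path. The tracker, the struct and every function name below are constructed stand-ins; the corrected variant simply leaves the name to the device that owns it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for KASAN's freed-object check: a pointer freed
 * twice is counted instead of being handed to free() a second time. */
#define MAX_TRACKED 16
static void *freed[MAX_TRACKED];
static int nfreed, double_frees;
static void tracked_free(void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_frees++; return; } /* KASAN reports here */
    if (nfreed < MAX_TRACKED)
        freed[nfreed++] = p;
    free(p);
}
/* Models struct pardevice: the name is strdup()ed at registration, as
 * parport_register_dev_model() does with kstrdup() in the trace. */
struct pardevice { char *name; };
static struct pardevice *register_dev(const char *name)
{
    struct pardevice *d = malloc(sizeof *d);
    d->name = strdup(name);
    return d;
}
/* Models parport_unregister_device() -> free_pardevice(): the device
 * owns its name and frees it together with itself. */
static void unregister_dev(struct pardevice *d)
{
    tracked_free(d->name);
    tracked_free(d);
}
/* The 4.9-rc4 pp_release() pattern: the saved name pointer is freed again
 * after unregister already released it. Returns double frees seen: 1. */
static int release_buggy(struct pardevice *d)
{
    char *name = d->name;
    nfreed = double_frees = 0;
    unregister_dev(d);
    tracked_free(name); /* second free of the same object */
    return double_frees;
}
/* Corrected pattern: ownership of the name stays with the device: 0. */
static int release_fixed(struct pardevice *d)
{
    nfreed = double_frees = 0;
    unregister_dev(d);
    return double_frees;
}
```

Replacing tracked_free() with plain free() and building with -fsanitize=address reproduces the same double-free report in user space, which is a quick way to confirm a suspected ownership bug before touching the driver.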


2016-11-09 23:00:07

by Sudip Mukherjee

Subject: Re: Linux 4.9-rc4 double free from pp_release()

Hi Shuah,

On Wednesday 09 November 2016 10:04 PM, Shuah Khan wrote:
> Hi Sudip/Greg,
>
> I am seeing the following double free from pp_release() in Linux 4.9-rc4
> Is this a known problem?

Can you please check if the patch at [1] fixes the problem?

[1] https://patchwork.kernel.org/patch/9404815/


Regards
Sudip


2016-11-14 16:46:20

by Shuah Khan

Subject: Re: Linux 4.9-rc4 double free from pp_release()

On 11/09/2016 03:59 PM, Sudip Mukherjee wrote:
> Hi Shuah
>
> On Wednesday 09 November 2016 10:04 PM, Shuah Khan wrote:
>> Hi Sudip/Greg,
>>
>> I am seeing the following double free from pp_release() in Linux 4.9-rc4
>> Is this a known problem?
>
> Can you please check if the patch at [1] fixes the problem.
>
> [1] https://patchwork.kernel.org/patch/9404815/
>
>
> Regards
> Sudip
>
>

Hi Sudip,

Yes, the above patch fixed the problem. I tested it on 4.9-rc5.

thanks,
-- Shuah