Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754566AbcKIWEQ (ORCPT <rfc822;w@1wt.eu>);
        Wed, 9 Nov 2016 17:04:16 -0500
Received: from mail-it0-f42.google.com ([209.85.214.42]:37110 "EHLO
        mail-it0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752621AbcKIWEO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 9 Nov 2016 17:04:14 -0500
MIME-Version: 1.0
From: Shuah Khan <shuahkhan@gmail.com>
Date: Wed, 9 Nov 2016 15:04:13 -0700
Message-ID: <CAKocOOMf9mo7ZLtvBUZW_mjOC06i0G6peAbZi-CB9YKD76Kt+g@mail.gmail.com>
Subject: Linux 4.9-rc4 double free from pp_release()
To: sudipm.mukherjee@gmail.com, Greg KH <gregkh@linuxfoundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>, shuahkh@osg.samsung.com
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4807
Lines: 113

Hi Sudip/Greg,

I am seeing the following double free from pp_release() in Linux 4.9-rc4
Is this a known problem?

-- Shuah

[   54.732175] device: 'ppdev0.0': device_add
[   54.732220] bus: 'parport': add device ppdev0.0
[   54.732388] PM: Adding info for parport:ppdev0.0
[   54.732804] bus: 'parport': driver_probe_device: matched device
ppdev0.0 with driver ppdev
[   54.732810] bus: 'parport': really_probe: probing driver ppdev with
device ppdev0.0
[   54.732851] devices_kset: Moving ppdev0.0 to end of list
[   54.732857] driver: 'ppdev': driver_bound: bound to device 'ppdev0.0'
[   54.732872] bus: 'parport': really_probe: bound device ppdev0.0 to
driver ppdev
[   54.785001] device: 'ppdev0.0': device_unregister
[   54.785133] bus: 'parport': remove device ppdev0.0
[   54.785161] PM: Removing info for parport:ppdev0.0
[   54.785315] ==================================================================
[   54.785326] BUG: Double free or freeing an invalid pointer
[   54.785332] Unexpected shadow byte: 0xFB
[   54.785344] CPU: 1 PID: 973 Comm: colord-sane Tainted: G    B   W
    4.9.0-rc4+ #1
[   54.785348] Hardware name: Hewlett-Packard HP ProBook 6475b/180F,
BIOS 68TTU Ver. F.04 08/03/2012
[   54.785353]  ffff8801f6197d20 ffffffff81b372e3 ffff8801fa403cc0
ffff8801b1f15048
[   54.785367]  ffff8801f6197d48 ffffffff8156bf71 00000000fffffffb
ffff8801fa403cc0
[   54.785378]  ffff8801b1f15048 ffff8801f6197d78 ffffffff8156c8e9
0000000000000296
[   54.785387] Call Trace:
[   54.785402]  [<ffffffff81b372e3>] dump_stack+0x67/0x94
[   54.785411]  [<ffffffff8156bf71>] kasan_object_err+0x21/0x70
[   54.785417]  [<ffffffff8156c8e9>] kasan_report_double_free+0x49/0x60
[   54.785424]  [<ffffffff8156bb6b>] kasan_slab_free+0x9b/0xb0
[   54.785431]  [<ffffffff81567999>] kfree+0xd9/0x280
[   54.785443]  [<ffffffffa029048b>] pp_release+0x1db/0xa00 [ppdev]
[   54.785451]  [<ffffffff815ab3db>] __fput+0x24b/0x690
[   54.785459]  [<ffffffff815ab88e>] ____fput+0xe/0x10
[   54.785466]  [<ffffffff8117df6e>] task_work_run+0xde/0x140
[   54.785474]  [<ffffffff810039d1>] exit_to_usermode_loop+0xf1/0x110
[   54.785483]  [<ffffffff81006450>] syscall_return_slowpath+0x150/0x190
[   54.785491]  [<ffffffff828fb3fd>] entry_SYSCALL_64_fastpath+0xab/0xad
[   54.785497] Object at ffff8801b1f15048, in cache kmalloc-8 size: 8
[   54.785503] Allocated:
[   54.785510] PID = 973
[   54.785517]
[   54.785524] [<ffffffff8108088b>] save_stack_trace+0x1b/0x20
[   54.785527]
[   54.785533] [<ffffffff8156b2e6>] save_stack+0x46/0xd0
[   54.785535]
[   54.785541] [<ffffffff8156b55d>] kasan_kmalloc+0xad/0xe0
[   54.785543]
[   54.785549] [<ffffffff8156bac2>] kasan_slab_alloc+0x12/0x20
[   54.785551]
[   54.785558] [<ffffffff8156a565>] __kmalloc_track_caller+0xd5/0x290
[   54.785560]
[   54.785567] [<ffffffff814bf661>] kstrdup+0x31/0x60
[   54.785569]
[   54.785583] [<ffffffffa031c236>]
parport_register_dev_model+0x226/0xe20 [parport]
[   54.785585]
[   54.785593] [<ffffffffa0291025>] register_device+0x115/0x210 [ppdev]
[   54.785596]
[   54.785604] [<ffffffffa0292181>] pp_ioctl+0xec1/0x20a0 [ppdev]
[   54.785606]
[   54.785612] [<ffffffff815e0074>] do_vfs_ioctl+0x184/0xf30
[   54.785614]
[   54.785620] [<ffffffff815e0e99>] SyS_ioctl+0x79/0x90
[   54.785622]
[   54.785628] [<ffffffff828fb36a>] entry_SYSCALL_64_fastpath+0x18/0xad
[   54.785631] Freed:
[   54.785636] PID = 973
[   54.785641]
[   54.785647] [<ffffffff8108088b>] save_stack_trace+0x1b/0x20
[   54.785649]
[   54.785655] [<ffffffff8156b2e6>] save_stack+0x46/0xd0
[   54.785657]
[   54.785664] [<ffffffff8156bb41>] kasan_slab_free+0x71/0xb0
[   54.785667]
[   54.785672] [<ffffffff81567999>] kfree+0xd9/0x280
[   54.785676]
[   54.785686] [<ffffffffa03189b4>] free_pardevice+0x34/0x50 [parport]
[   54.785689]
[   54.785696] [<ffffffff81f0e296>] device_release+0x76/0x1e0
[   54.785698]
[   54.785706] [<ffffffff81b3d947>] kobject_release+0x107/0x370
[   54.785707]
[   54.785714] [<ffffffff81b3d55e>] kobject_put+0x4e/0xa0
[   54.785716]
[   54.785722] [<ffffffff81f0fc16>] device_unregister+0x66/0xa0
[   54.785725]
[   54.785736] [<ffffffffa031b7d4>]
parport_unregister_device+0x3d4/0x670 [parport]
[   54.785738]
[   54.785747] [<ffffffffa0290483>] pp_release+0x1d3/0xa00 [ppdev]
[   54.785749]
[   54.785755] [<ffffffff815ab3db>] __fput+0x24b/0x690
[   54.785757]
[   54.785763] [<ffffffff815ab88e>] ____fput+0xe/0x10
[   54.785765]
[   54.785771] [<ffffffff8117df6e>] task_work_run+0xde/0x140
[   54.785773]
[   54.785778] [<ffffffff810039d1>] exit_to_usermode_loop+0xf1/0x110
[   54.785780]
[   54.785786] [<ffffffff81006450>] syscall_return_slowpath+0x150/0x190
[   54.785788]
[   54.785795] [<ffffffff828fb3fd>] entry_SYSCALL_64_fastpath+0xab/0xad
[   54.785798] ==================================================================