Re: 32-bit Amlogic (ARM) SoC: kernel BUG in kfree()

From: Matthew Wilcox
Date: Thu Mar 21 2019 - 17:44:08 EST


On Thu, Mar 21, 2019 at 09:17:34PM +0100, Martin Blumenstingl wrote:
> Hello,
>
> I am experiencing the following crash:
> ------------[ cut here ]------------
> kernel BUG at mm/slub.c:3950!

	if (unlikely(!PageSlab(page))) {
		BUG_ON(!PageCompound(page));

You called kfree() on the address of a page which wasn't allocated by slab.

> I have traced this crash to the kfree() in meson_nfc_read_buf().
> My observation is as follows:
> - meson_nfc_read_buf() is called 7 times without any crash, the
> kzalloc() call returns 0xe9e6c600 (virtual address) / 0x29e6c600
> (physical address)
> - the eighth time meson_nfc_read_buf() is called the kzalloc() call returns
> 0xee39a38b (virtual address) / 0x2e39a38b (physical address) and the
> final kfree() crashes
> - changing the size in the kzalloc() call from PER_INFO_BYTE (= 8) to
> PAGE_SIZE works around that crash

I suspect you're doing something which corrupts memory. Overrunning
the end of your allocation or something similar. Have you tried KASAN
or even the various slab debugging (eg redzones)?
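As an added illustration of the redzone-style slab debugging suggested above (example code written for this page, not from the thread or the meson_nfc driver): a small user-space model where an 8-byte PER_INFO_BYTE allocation is guarded on both sides and the free path counts overwritten guard bytes, so an overrun is caught at the free of the buggy buffer instead of silently corrupting a neighbour. The guard pattern 0xCC, the guard width and the fill value are assumptions.

```c
/* Added example: user-space model of slab redzone checking.
 * An allocation is surrounded by guard bytes; rz_free() verifies them. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REDZONE_BYTES 8
#define REDZONE_BYTE  0xCC   /* assumed guard pattern (not SLUB's real constant) */
#define PER_INFO_BYTE 8      /* allocation size from the crash report */

/* Allocate `size` zeroed bytes with a redzone before and after them. */
static void *rz_alloc(size_t size)
{
    uint8_t *raw = calloc(1, size + 2 * REDZONE_BYTES);
    if (!raw)
        return NULL;
    memset(raw, REDZONE_BYTE, REDZONE_BYTES);                  /* leading guard */
    memset(raw + REDZONE_BYTES + size, REDZONE_BYTE, REDZONE_BYTES); /* trailing guard */
    return raw + REDZONE_BYTES;
}

/* Free `p` and return the number of guard bytes that were overwritten
 * (0 means both redzones are intact; anything else is a detected overrun). */
static int rz_free(void *p, size_t size)
{
    uint8_t *raw = (uint8_t *)p - REDZONE_BYTES;
    int bad = 0;
    for (size_t i = 0; i < REDZONE_BYTES; i++) {
        bad += raw[i] != REDZONE_BYTE;
        bad += raw[REDZONE_BYTES + size + i] != REDZONE_BYTE;
    }
    free(raw);
    return bad;
}

/* Model a driver filling its 8-byte info buffer and writing `extra` bytes
 * past the end (extra == 0 is the correct behaviour). `extra` must not
 * exceed REDZONE_BYTES so the write stays inside the guarded region. */
static int fill_info_and_free(size_t extra)
{
    uint8_t *info = rz_alloc(PER_INFO_BYTE);
    if (!info || extra > REDZONE_BYTES)
        return -1;
    memset(info, 0xA5, PER_INFO_BYTE + extra);   /* the overrun, when extra > 0 */
    return rz_free(info, PER_INFO_BYTE);
}

int main(void)
{
    printf("correct fill:   %d corrupted guard bytes\n", fill_info_and_free(0));
    printf("4-byte overrun: %d corrupted guard bytes\n", fill_info_and_free(4));
    return 0;
}
```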