Re: Crash with kfree(null) on MacBook? kobject_set_name_vargs

From: Linus Torvalds
Date: Mon Apr 11 2011 - 13:42:11 EST

2011/4/10 Rafał Miłecki <zajec5@xxxxxxxxx>:
> I'm writing new axi bus driver and one of the early testers reported
> it crashing for him. Andy is using MacBook and backtrace+debugging
> pretty clearly point to kfree being called on null string.
> The most interesting part of code is:
> axi_info("[axi_register_cores][%d] current name: %s\n", i, core->;
> axi_info("[axi_register_cores][%d] calling dev_set_name with %d, %d
> for 0x%03X\n", i, 0/*bus->busnumber*/, dev_id, core->;
> err = dev_set_name(&core->dev, "axi%d:%d", 0/*bus->busnumber*/, dev_id);
> axi_info("[axi_register_cores][%d] dev_set_name result: %d\n", i, err);
> The result is:
> [axi_register_cores][1] current name: (null)
> [axi_register_cores][1] calling dev_set_name with 0, 0 for 0x812
> BUG: unable to handle kernel paging request at ffffeba400000000
> IP: [<ffffffff8108c4d4>] kfree+0x2a/0x8a
> Whole code:
> Whole result:
> Can you help me with this issue, please? On my machine everything goes fine:
> [axi_register_cores][1] current name: (null)
> [axi_register_cores][1] calling dev_set_name with 0, 0 for 0x812
> [axi_register_cores][1] dev_set_name result: 0
> [axi_register_cores][1] Register dev for core 0x812
> bcopeland on #linux-wireless suggested turning on SLAB or SLUB. Is
> this going to provide some interesting info?

The disassembly of the oopsing code (kfree()) is:

0: 41 54 push %r12
2: 48 83 ff 10 cmp $0x10,%rdi
6: 55 push %rbp
7: 53 push %rbx
8: 48 89 fb mov %rdi,%rbx
b: 76 78 jbe 0x85
d: 9c pushfq
e: 5d pop %rbp
f: fa cli
10: e8 85 21 f9 ff callq 0xfffffffffff9219a
15: 48 ba 00 00 00 00 00 movabs $0xffffea0000000000,%rdx
1c: ea ff ff
1f: 48 c1 e8 0c shr $0xc,%rax
23: 48 6b c0 38 imul $0x38,%rax,%rax
27: 48 01 d0 add %rdx,%rax
2a:* 48 8b 10 mov (%rax),%rdx <-- trapping instruction
2d: 66 85 d2 test %dx,%dx
30: 79 04 jns 0x36

and from that you can see that the parameter that was passed in to
kfree (which was originally in %rdi) is now in %rbx.

That, in turn, is 0x202.

So it's not NULL. The fact that

axi_info("[axi_register_cores][%d] current name: %s\n", i,

prints out NULL is because the string printout code does this:

if ((unsigned long)s < PAGE_SIZE)
s = "(null)";

which admittedly is not very helpful in this case (but it's usually
nicer than just oopsing).

So core-> is corrupt even before.

Where that corruption comes from, I have no idea, but there is no
point in blaming kfree() or dev_set_name().
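Worked example, added here and not part of the original thread: it replays the decoding above in user space, using only the constants visible in the disassembly (the `cmp $0x10` early-out, the vmemmap base from the movabs, the `shr $0xc` page shift and the 0x38 `struct page` stride) plus one assumption not on the page, the x86-64 direct-map base PAGE_OFFSET of that kernel generation, and shows that the saved %rbx value 0x202 lands exactly on the faulting address ffffeba400000000 while printk's `%s` turns the same pointer into "(null)".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants read directly off the kfree() disassembly in the oops. */
#define VMEMMAP_START 0xffffea0000000000ULL /* movabs $0xffffea0000000000,%rdx */
#define PAGE_SHIFT    12ULL                 /* shr $0xc,%rax                  */
#define PAGE_SIZE     (1ULL << PAGE_SHIFT)
#define PAGE_STRUCT   0x38ULL               /* imul $0x38,%rax,%rax           */
/* Assumption (not on the page): x86-64 direct-map base of 2.6.3x kernels. */
#define PAGE_OFFSET   0xffff880000000000ULL

/* The "cmp $0x10,%rdi ; jbe" at the top of kfree(): only pointers <= 16
 * (NULL and the ZERO_SIZE_PTR) are ignored; 0x202 sails straight past it. */
int kfree_ignores_pointer(uint64_t p)
{
    return p <= 0x10;
}

/* What the callq/shr/imul/add sequence computes: __pa(p) >> PAGE_SHIFT,
 * then vmemmap + pfn * sizeof(struct page). The "mov (%rax),%rdx" that
 * follows reads the struct page at this address, which is where it oopsed. */
uint64_t faulting_struct_page_addr(uint64_t p)
{
    uint64_t paddr = p - PAGE_OFFSET;   /* wraps modulo 2^64, like the kernel */
    uint64_t pfn   = paddr >> PAGE_SHIFT;
    return VMEMMAP_START + pfn * PAGE_STRUCT;
}

/* vsprintf's %s rule quoted above: anything below PAGE_SIZE is "(null)",
 * so a garbage pointer of 0x202 prints exactly like a real NULL. */
const char *printk_string_arg(const char *s)
{
    return ((uintptr_t)s < PAGE_SIZE) ? "(null)" : s;
}

int main(void)
{
    uint64_t rbx = 0x202; /* value recovered from the register dump */
    printf("kfree(0x%llx): skipped=%d, reads struct page at 0x%llx\n",
           (unsigned long long)rbx, kfree_ignores_pointer(rbx),
           (unsigned long long)faulting_struct_page_addr(rbx));
    printf("%%s of that pointer prints: %s\n",
           printk_string_arg((const char *)(uintptr_t)rbx));
    return 0;
}
```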

