Re: Crash with kfree(null) on MacBook? kobject_set_name_vargs

From: Rafał Miłecki
Date: Mon Apr 11 2011 - 15:38:10 EST


On 11 April 2011 at 19:41, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> 2011/4/10 Rafał Miłecki <zajec5@xxxxxxxxx>:
>> I'm writing new axi bus driver and one of the early testers reported
>> it crashing for him. Andy is using MacBook and backtrace+debugging
>> pretty clearly point to kfree being called on null string.
>>
>> The most interesting part of code is:
>> axi_info("[axi_register_cores][%d] current name: %s\n", i, core->dev.kobj.name);
>> axi_info("[axi_register_cores][%d] calling dev_set_name with %d, %d
>> for 0x%03X\n", i, 0/*bus->busnumber*/, dev_id, core->id.id);
>> err = dev_set_name(&core->dev, "axi%d:%d", 0/*bus->busnumber*/, dev_id);
>> axi_info("[axi_register_cores][%d] dev_set_name result: %d\n", i, err);
>>
>> The result is:
>> [axi_register_cores][1] current name: (null)
>> [axi_register_cores][1] calling dev_set_name with 0, 0 for 0x812
>> BUG: unable to handle kernel paging request at ffffeba400000000
>> IP: [<ffffffff8108c4d4>] kfree+0x2a/0x8a
>>
>> Whole code: http://pastie.org/1779473
>> Whole result: http://pastie.org/1779416
>>
>> Can you help me with this issue, please? On my machine everything goes fine:
>> [axi_register_cores][1] current name: (null)
>> [axi_register_cores][1] calling dev_set_name with 0, 0 for 0x812
>> [axi_register_cores][1] dev_set_name result: 0
>> [axi_register_cores][1] Register dev for core 0x812
>>
>> bcopeland on #linux-wireless suggested turning on SLAB or SLUB. Is
>> this going to provide some interesting info?
>
> The disassembly of the oopsing code (kfree()) is:
>
>   0:   41 54                   push   %r12
>   2:   48 83 ff 10             cmp    $0x10,%rdi
>   6:   55                      push   %rbp
>   7:   53                      push   %rbx
>   8:   48 89 fb                mov    %rdi,%rbx
>   b:   76 78                   jbe    0x85
>   d:   9c                      pushfq
>   e:   5d                      pop    %rbp
>   f:   fa                      cli
>  10:   e8 85 21 f9 ff          callq  0xfffffffffff9219a
>  15:   48 ba 00 00 00 00 00    movabs $0xffffea0000000000,%rdx
>  1c:   ea ff ff
>  1f:   48 c1 e8 0c             shr    $0xc,%rax
>  23:   48 6b c0 38             imul   $0x38,%rax,%rax
>  27:   48 01 d0                add    %rdx,%rax
>  2a:*  48 8b 10                mov    (%rax),%rdx   <-- trapping instruction
>  2d:   66 85 d2                test   %dx,%dx
>  30:   79 04                   jns    0x36
>
> and from that you can see that the parameter that was passed in to
> kfree (which was originally in %rdi) is now in %rbx.
>
> That, in turn, is 0x202.
>
> So it's not NULL. The fact that
>
>  axi_info("[axi_register_cores][%d] current name: %s\n", i,
> core->dev.kobj.name);
>
> prints out NULL is because the string printout code does this:
>
>         if ((unsigned long)s < PAGE_SIZE)
>                 s = "(null)";
>
>
> which admittedly is not very helpful in this case (but it's usually
> nicer than just oopsing).
>
> So code->dev.kobj.name is corrupt even before.
>
> Where that corruption comes from, I have no idea, but there is no
> point in blaming kfree() or dev_set_name().

Thank you Linus, now that you made it clear to me that NULL ~!= NULL,
I realized I didn't zero the struct which contains struct dev.

struct axi_device core;
vs.
struct axi_device core = { };

--
Rafał
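The mechanism Linus describes, as an added example that is not code from this thread or from the kernel: a user-space model with assumed struct shapes (struct kobj, struct axi_dev) in which the same below-PAGE_SIZE check prints the stale pointer 0x202 as "(null)" even though it is not NULL, and only the zero-initialised struct makes the free safe. The stale value is constructed from the thread, not read from real uninitialised memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#define PAGE_SIZE 4096UL

/* Minimal stand-ins for the kernel structs (assumed shapes, not the real ones). */
struct kobj { const char *name; };
struct axi_dev { int id; struct kobj kobj; };

/* The check printk's %s applies: anything below PAGE_SIZE prints as "(null)". */
const char *fmt_string(const char *s)
{
    return ((unsigned long)s < PAGE_SIZE) ? "(null)" : s;
}

/* The 0x202 case: prints as "(null)" yet is not NULL, so kfree() would
 * compute a page-struct address from it and fault, as in the oops above. */
int name_is_bogus(const struct kobj *k)
{
    return k->name != NULL && (unsigned long)k->name < PAGE_SIZE;
}

/* Rough shape of kobject_set_name_vargs: build the new name, free the old one.
 * The bogus-pointer check is added so the demo reports instead of crashing. */
int set_name(struct kobj *k, const char *fmt, ...)
{
    if (name_is_bogus(k))
        return -1;                 /* in the kernel: oops inside kfree() */
    char *buf = malloc(64);
    if (!buf) return -12;          /* -ENOMEM */
    va_list ap; va_start(ap, fmt);
    vsnprintf(buf, 64, fmt, ap);
    va_end(ap);
    free((char *)k->name);         /* free(NULL) is fine, like kfree(NULL) */
    k->name = buf;
    return 0;
}

/* zero_init=1 models "struct axi_device core = { };", zero_init=0 the plain
 * declaration. The stale 0x202 is constructed from the thread, not read from
 * real uninitialised stack memory (which would be undefined behaviour). */
int register_core(int zero_init)
{
    struct axi_dev core;
    core.id = 0x812;
    core.kobj.name = zero_init ? NULL : (const char *)0x202;
    int err = set_name(&core.kobj, "axi%d:%d", 0, core.id);
    if (err == 0) free((char *)core.kobj.name);
    return err;
}
```

Both variants print "(null)" for the initial name, which is why the debug output in the thread looked identical on the working and the crashing machine.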