lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <dd18b0c30809301124o3ddc6001t4fe55c23a02f3895@mail.gmail.com>
Date:	Tue, 30 Sep 2008 11:24:58 -0700
From:	"Justin Mattock" <justinmattock@...il.com>
To:	"Marcel Holtmann" <marcel@...tmann.org>
Cc:	"Rabin Vincent" <rabin@....in>,
	"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>,
	linux-bluetooth@...r.kernel.org
Subject: Re: BUG kmalloc-16: Object already free

On Mon, Sep 29, 2008 at 10:21 PM, Justin Mattock
<justinmattock@...il.com> wrote:
> On Mon, Sep 29, 2008 at 4:47 PM, Marcel Holtmann <marcel@...tmann.org> wrote:
>> Hi Rabin,
>>
>>> > After frying my system, I'm finally up and
>>> > running. Not sure if this was due to a git-pull
>>> > (only be a few days since the last pull), or what:
>>> > when waking from suspend I see this
>>> > (I know it says tainted in it, so this will be the only noise you'll
>>> > here from me on this);
>>> >
>>> > [  274.327003] =============================================================================
>>> > [  274.327528] BUG kmalloc-16: Object already free
>>> > [  274.327877] -----------------------------------------------------------------------------
>>> > [  274.327879]
>>> > [  274.327890] INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0
>>> > cpu=1 pid=3763
>>> > [  274.327899] INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0
>>> > cpu=1 pid=3763
>>> > [  274.327905] INFO: Slab 0xc139a100 objects=64 used=62 fp=0xdcd08100
>>> > flags=0x400000c3
>>>
>>> There's a commit in the latest git which looks like it will solve the
>>> btusb suspend/resume issues: 5fbcd260.. ("[Bluetooth] Fix USB disconnect
>>> handling of btusb driver").
>>>
>>> Marcel / linux-bluetooth, I think this double free is a separate issue
>>> with the error handling, and the following patch should fix it.
>>>
>>> ---
>>> From: Rabin Vincent <rabin@....in>
>>> Subject: [PATCH] btusb, bpa10x: fix double frees on error paths
>>>
>>> Justin Mattock reported this double free in btusb:
>>>
>>>   BUG kmalloc-16: Object already free
>>>   -----------------------------------------------------------------------------
>>>
>>>   INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=3D0 cpu=3D1 pid=3D3763
>>>   INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=3D0 cpu=3D1 pid=3D3763
>>>
>>> This occurs because the urb's transfer buffer is being freed separately
>>> in the error path even though the URB_FREE_BUFFER transfer_flag is set
>>> on the urb.
>>>
>>> There are similar cases elsewhere in btusb and in bpa10x.  Fix all of
>>> them by removing the additional kfree()'s.
>>
>> I haven't verified it yet, but it looks like a good catch. Let me double
>> check this on my test machine. Weird that we never noticed this before
>> since I have been using the btusb driver for a very long time now.
>>
>> Regards
>>
>> Marcel
>>
>>
>>
>
> This was the first time I've seen this,
> I can apply the patch myself, but first
> I need to figure why dbus can be such a bitch : )
> Need to figure out how to write dbus rules(if this is the case)
> keep getting the permissions denied crap.
>
> --
> Justin P. Mattock
>

O.k. after messing around with /etc/dbus
I've applied the patch that was supplied.
Looks good!! attached is a before the patch was
applied and after the patch was applied.

-- 
Justin P. Mattock

Download attachment "after" of type "application/octet-stream" (57079 bytes)

Download attachment "before" of type "application/octet-stream" (63691 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ