Date:	Mon, 11 Apr 2011 10:41:44 -0700
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Rafał Miłecki <zajec5@...il.com>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Andy Botting <andy@...ybotting.com>
Subject: Re: Crash with kfree(null) on MacBook? kobject_set_name_vargs

2011/4/10 Rafał Miłecki <zajec5@...il.com>:
> I'm writing a new axi bus driver and one of the early testers reported
> it crashing for him. Andy is using a MacBook and backtrace+debugging
> pretty clearly point to kfree being called on a null string.
>
> The most interesting part of code is:
> axi_info("[axi_register_cores][%d] current name: %s\n", i, core->dev.kobj.name);
> axi_info("[axi_register_cores][%d] calling dev_set_name with %d, %d for 0x%03X\n", i, 0/*bus->busnumber*/, dev_id, core->id.id);
> err = dev_set_name(&core->dev, "axi%d:%d", 0/*bus->busnumber*/, dev_id);
> axi_info("[axi_register_cores][%d] dev_set_name result: %d\n", i, err);
>
> The result is:
> [axi_register_cores][1] current name: (null)
> [axi_register_cores][1] calling dev_set_name with 0, 0 for 0x812
> BUG: unable to handle kernel paging request at ffffeba400000000
> IP: [<ffffffff8108c4d4>] kfree+0x2a/0x8a
>
> Whole code: http://pastie.org/1779473
> Whole result: http://pastie.org/1779416
>
> Can you help me with this issue, please? On my machine everything goes fine:
> [axi_register_cores][1] current name: (null)
> [axi_register_cores][1] calling dev_set_name with 0, 0 for 0x812
> [axi_register_cores][1] dev_set_name result: 0
> [axi_register_cores][1] Register dev for core 0x812
>
> bcopeland on #linux-wireless suggested turning on SLAB or SLUB. Is
> this going to provide some interesting info?

The disassembly of the oopsing code (kfree()) is:

   0:	41 54                	push   %r12
   2:	48 83 ff 10          	cmp    $0x10,%rdi
   6:	55                   	push   %rbp
   7:	53                   	push   %rbx
   8:	48 89 fb             	mov    %rdi,%rbx
   b:	76 78                	jbe    0x85
   d:	9c                   	pushfq
   e:	5d                   	pop    %rbp
   f:	fa                   	cli
  10:	e8 85 21 f9 ff       	callq  0xfffffffffff9219a
  15:	48 ba 00 00 00 00 00 	movabs $0xffffea0000000000,%rdx
  1c:	ea ff ff
  1f:	48 c1 e8 0c          	shr    $0xc,%rax
  23:	48 6b c0 38          	imul   $0x38,%rax,%rax
  27:	48 01 d0             	add    %rdx,%rax
  2a:*	48 8b 10             	mov    (%rax),%rdx     <-- trapping instruction
  2d:	66 85 d2             	test   %dx,%dx
  30:	79 04                	jns    0x36

and from that you can see that the parameter that was passed in to
kfree (which was originally in %rdi) is now in %rbx.

That, in turn, is 0x202.

So it's not NULL. The fact that

  axi_info("[axi_register_cores][%d] current name: %s\n", i, core->dev.kobj.name);

prints out NULL is because the string printout code does this:

        if ((unsigned long)s < PAGE_SIZE)
                s = "(null)";


which admittedly is not very helpful in this case (but it's usually
nicer than just oopsing).

So core->dev.kobj.name is corrupt even before.

Where that corruption comes from, I have no idea, but there is no
point in blaming kfree() or dev_set_name().

                           Linus
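Linus's reading of the oops can be checked arithmetically. The following C is an added example, not part of the mail: it mirrors the steps visible in the kfree() disassembly (vmemmap base from the movabs, the 0x38 struct page stride from the imul, PAGE_SHIFT from the shr) and the "(null)" check quoted above. PAGE_OFFSET and __START_KERNEL_map are assumed x86-64 values of that era, as used by __phys_addr(), which is taken to be the callq before the movabs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the disassembly in the mail: vmemmap base (movabs), sizeof(struct page)
 * (imul $0x38) and PAGE_SHIFT (shr $0xc). */
#define VMEMMAP_START    0xffffea0000000000ULL
#define STRUCT_PAGE_SIZE 0x38ULL
#define PAGE_SHIFT       12
#define PAGE_SIZE        (1ULL << PAGE_SHIFT)

/* Assumed (not in the mail): x86-64 direct-map and kernel-text bases of that
 * era, as used by __phys_addr(). */
#define PAGE_OFFSET      0xffff880000000000ULL
#define START_KERNEL_MAP 0xffffffff80000000ULL

/* Mirror of __phys_addr() without CONFIG_DEBUG_VIRTUAL: no range checks, so a
 * garbage pointer such as 0x202 simply wraps to a huge "physical" address. */
uint64_t phys_addr(uint64_t va)
{
    if (va >= START_KERNEL_MAP)
        return va - START_KERNEL_MAP;
    return va - PAGE_OFFSET;
}

/* The address kfree() dereferences: vmemmap + pfn * sizeof(struct page).
 * The trapping mov (%rax),%rdx loads page->flags from here. */
uint64_t kfree_page_struct_addr(uint64_t ptr)
{
    uint64_t pfn = phys_addr(ptr) >> PAGE_SHIFT;
    return VMEMMAP_START + pfn * STRUCT_PAGE_SIZE;
}

/* Mirror of the %s check in the kernel's vsnprintf(): every pointer below
 * PAGE_SIZE prints as "(null)", so the log cannot tell NULL from 0x202. */
const char *printk_string(const char *s)
{
    if ((uintptr_t)s < PAGE_SIZE)
        return "(null)";
    return s;
}

int main(void)
{
    uint64_t rbx = 0x202;  /* the kfree() argument Linus read out of %rbx */
    /* prints 0xffffeba400000000, the address in the oops */
    printf("virt_to_page(0x%llx) is at 0x%llx\n", (unsigned long long)rbx,
           (unsigned long long)kfree_page_struct_addr(rbx));
    printf("%%s of that pointer prints as: %s\n",
           printk_string((const char *)(uintptr_t)rbx));
    return 0;
}
```

Any pointer from 0x11 (just above the ZERO_OR_NULL_PTR cut-off seen as cmp $0x10) up to 0xfff lands on the same page struct, so the fault address confirms a small garbage pointer rather than pinning 0x202 exactly; the exact value comes from %rbx.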