BUG kmalloc-16: Object already free - Kernel



Thread: BUG kmalloc-16: Object already free

  1. BUG kmalloc-16: Object already free

    After frying my system, I'm finally up and
    running. Not sure if this was due to a git pull
    (it's only been a few days since the last pull), or what:
    when waking from suspend I see this
    (I know it says tainted in it, so this will be the only noise you'll
    hear from me on this):

    [ 274.327003] =============================================================================
    [ 274.327528] BUG kmalloc-16: Object already free
    [ 274.327877] -----------------------------------------------------------------------------
    [ 274.327879]
    [ 274.327890] INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    [ 274.327899] INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    [ 274.327905] INFO: Slab 0xc139a100 objects=64 used=62 fp=0xdcd08100 flags=0x400000c3
    [ 274.327909] INFO: Object 0xdcd08100 @offset=256 fp=0xdcd08140
    [ 274.327912]
    [ 274.327914] Bytes b4 0xdcd080f0: 32 0d 00 00 c8 ba ff ff 5a 5a 5a 5a 5a 5a 5a 5a 2...ÈºÿÿZZZZZZZZ
    [ 274.327928] Object 0xdcd08100: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk¥
    [ 274.327940] Redzone 0xdcd08110: bb bb bb bb »»»»
    [ 274.327952] Padding 0xdcd08138: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
    [ 274.327966] Pid: 3763, comm: hcid Tainted: P 2.6.27-rc7-00106-g6ef190c #34
    [ 274.327973] [] print_trailer+0xc8/0xd0
    [ 274.327982] [] object_err+0x25/0x30
    [ 274.327989] [] __slab_free+0x1be/0x271
    [ 274.327995] [] ? __slab_free+0x239/0x271
    [ 274.328001] [] kfree+0x9c/0xb2
    [ 274.328006] [] ? urb_destroy+0x14/0x1e
    [ 274.328013] [] ? urb_destroy+0x14/0x1e
    [ 274.328018] [] ? urb_destroy+0x0/0x1e
    [ 274.328024] [] urb_destroy+0x14/0x1e
    [ 274.328028] [] kref_put+0x39/0x44
    [ 274.328035] [] usb_free_urb+0x11/0x13
    [ 274.328040] [] btusb_open+0x147/0x16f [btusb]
    [ 274.328049] [] hci_dev_open+0x50/0x168 [bluetooth]
    [ 274.328077] [] hci_sock_ioctl+0xd4/0x20e [bluetooth]
    [ 274.328094] [] sock_ioctl+0x1b4/0x1d8
    [ 274.328101] [] ? sock_ioctl+0x0/0x1d8
    [ 274.328107] [] vfs_ioctl+0x22/0x67
    [ 274.328113] [] do_vfs_ioctl+0x245/0x253
    [ 274.328118] [] ? selinux_file_ioctl+0x37/0x3a
    [ 274.328125] [] sys_ioctl+0x40/0x5a
    [ 274.328130] [] sysenter_do_call+0x12/0x2f
    [ 274.328137] =======================
    [ 274.328141] FIX kmalloc-16: Object at 0xdcd08100 not freed


    If anybody needs the full dmesg, let me know.
    Regards,
    --
    Justin P. Mattock
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  2. Re: BUG kmalloc-16: Object already free

    On Sun, Sep 28, 2008 at 03:54:23PM -0700, Justin Mattock wrote:
    > After frying my system, I'm finally up and
    > running. Not sure if this was due to a git pull
    > (it's only been a few days since the last pull), or what:
    > when waking from suspend I see this
    > (I know it says tainted in it, so this will be the only noise you'll
    > hear from me on this):
    >
    > [ 274.327003] =============================================================================
    > [ 274.327528] BUG kmalloc-16: Object already free
    > [ 274.327877] -----------------------------------------------------------------------------
    > [ 274.327879]
    > [ 274.327890] INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    > [ 274.327899] INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    > [ 274.327905] INFO: Slab 0xc139a100 objects=64 used=62 fp=0xdcd08100 flags=0x400000c3


    There's a commit in the latest git which looks like it will solve the
    btusb suspend/resume issues: 5fbcd260.. ("[Bluetooth] Fix USB disconnect
    handling of btusb driver").

    Marcel / linux-bluetooth, I think this double free is a separate issue
    with the error handling, and the following patch should fix it.

    ---
    From: Rabin Vincent
    Subject: [PATCH] btusb, bpa10x: fix double frees on error paths

    Justin Mattock reported this double free in btusb:

    BUG kmalloc-16: Object already free
    -----------------------------------------------------------------------------

    INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763

    This occurs because the urb's transfer buffer is being freed separately
    in the error path even though the URB_FREE_BUFFER transfer_flag is set
    on the urb.

    There are similar cases elsewhere in btusb and in bpa10x. Fix all of
    them by removing the additional kfree()'s.

    Reported-by: Justin Mattock
    Signed-off-by: Rabin Vincent
    ---
    drivers/bluetooth/bpa10x.c | 2 --
    drivers/bluetooth/btusb.c | 3 ---
    2 files changed, 0 insertions(+), 5 deletions(-)

    diff --git a/drivers/bluetooth/bpa10x.c b/drivers/bluetooth/bpa10x.c
    index 1e55a65..32f3a8e 100644
    --- a/drivers/bluetooth/bpa10x.c
    +++ b/drivers/bluetooth/bpa10x.c
    @@ -256,7 +256,6 @@ static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev)
    BT_ERR("%s urb %p submission failed (%d)",
    hdev->name, urb, -err);
    usb_unanchor_urb(urb);
    - kfree(buf);
    }

    usb_free_urb(urb);
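    Review bot: dropping `kfree(buf)` here is only correct if URB_FREE_BUFFER is set on this urb before usb_submit_urb() is called, and the context lines of this hunk do not show where that happens in bpa10x_submit_intr_urb; please confirm the flag is set unconditionally on this path, since the `usb_free_urb(urb);` that follows is now the sole release of `buf` for both the success and the failure case. Any earlier failure (before the flag is set) that still needs an explicit kfree(buf) is untouched by this hunk and should be checked on its own.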
    @@ -298,7 +297,6 @@ static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev)
    BT_ERR("%s urb %p submission failed (%d)",
    hdev->name, urb, -err);
    usb_unanchor_urb(urb);
    - kfree(buf);
    }

    usb_free_urb(urb);
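    Review bot: after this hunk the failure branch of bpa10x_submit_bulk_urb only logs and unanchors, and the single `usb_free_urb(urb);` below it carries the whole responsibility of freeing `buf` through URB_FREE_BUFFER; a one-line comment at that call (for example `/* also frees buf: URB_FREE_BUFFER is set */`) would keep the next reader from re-adding the kfree() that caused this double free, since nothing in the visible code says that ownership of the buffer moved to the urb.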
    diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
    index 29ae998..262e9be 100644
    --- a/drivers/bluetooth/btusb.c
    +++ b/drivers/bluetooth/btusb.c
    @@ -271,7 +271,6 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev)
    BT_ERR("%s urb %p submission failed (%d)",
    hdev->name, urb, -err);
    usb_unanchor_urb(urb);
    - kfree(buf);
    }

    usb_free_urb(urb);
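    Review bot: this is the hunk the report actually exercised: the SLUB record shows the first free at btusb_open+0x13d and the second arriving via usb_free_urb -> kref_put -> urb_destroy -> kfree at btusb_open+0x147, which is consistent with btusb_submit_intr_urb being inlined into btusb_open and the removed `kfree(buf);` being that first free. Stating that mapping in the commit message would tie the "Allocated in" / "Freed in" lines to this exact line for anyone bisecting later.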
    @@ -354,7 +353,6 @@ static int btusb_submit_bulk_urb(struct hci_dev *hdev)
    BT_ERR("%s urb %p submission failed (%d)",
    hdev->name, urb, -err);
    usb_unanchor_urb(urb);
    - kfree(buf);
    }

    usb_free_urb(urb);
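    Review bot: the bulk path is not in the reported trace, so this change is by analogy with the interrupt case rather than by reproduction; it is only right if btusb_submit_bulk_urb sets URB_FREE_BUFFER on its urb in the same way, which the context above this hunk does not show. Please confirm that, and if possible exercise the bulk submission failure under a SLUB-debug kernel so the "similar cases" claim in the commit message is backed by a test rather than by inspection.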
    @@ -475,7 +473,6 @@ static int btusb_submit_isoc_urb(struct hci_dev *hdev)
    BT_ERR("%s urb %p submission failed (%d)",
    hdev->name, urb, -err);
    usb_unanchor_urb(urb);
    - kfree(buf);
    }

    usb_free_urb(urb);
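    Review bot: the context does not show how the isochronous buffer is allocated or assigned, so please confirm that `buf` in btusb_submit_isoc_urb is exactly the pointer stored in urb->transfer_buffer with URB_FREE_BUFFER set; if the isoc urb's buffer were set up differently from the interrupt and bulk ones, removing this kfree() would trade the double free for a leak on the error path rather than fix it.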
    --
    1.5.6.5

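Added example, not part of the thread and not kernel or driver code: a userspace model in C of the ownership rule the patch relies on. `struct urb`, usb_free_urb() and the kmalloc-16 slab are replaced by small stand-ins (every name prefixed `model_`, the `last_buf` bookkeeping and the slab constants are assumptions; the constants only reuse the numbers from the report); the one real value carried over is URB_FREE_BUFFER. Running the pre-patch error path reproduces the second free and the "Object already free" check; running the patched path shows a single free, no leak, and the freed buffer carrying the 0x6b/0xa5 poison seen in the dump.

```c
/* Added example (not kernel code and not part of the patch): a userspace model of
 * the URB buffer ownership rule, with a SLUB-style kmalloc-16 slab that reports
 * the second free the way the dump above did. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URB_FREE_BUFFER 0x0100 /* value of the real flag in <linux/usb.h> */
#define POISON_FREE 0x6b       /* SLUB poison for a freed object (the 6b bytes in the dump) */
#define POISON_END 0xa5        /* last byte of the poisoned object (the a5 byte) */
#define OBJ_SIZE 16            /* kmalloc-16 with objects=64, as in the slab info line */
#define NOBJ 64

static uint8_t slab[NOBJ][OBJ_SIZE]; /* one slab; allocation state kept outside the objects */
static int obj_in_use[NOBJ], bug_count;
static void *last_buf;               /* buffer handed to the urb in the latest run (assumed bookkeeping) */

static int obj_index(const void *p)  /* slab slot of p, or -1 if p is not a slab object */
{
	long off = p ? (const uint8_t *)p - &slab[0][0] : -1;
	return (off < 0 || off >= (long)sizeof slab || off % OBJ_SIZE) ? -1 : (int)(off / OBJ_SIZE);
}

static void *model_kmalloc(void)
{
	for (int i = 0; i < NOBJ; i++)
		if (!obj_in_use[i]) { obj_in_use[i] = 1; memset(slab[i], 0, OBJ_SIZE); return slab[i]; }
	return NULL;
}

/* kfree() with the check SLUB's debug free path makes: an object already on the
 * free list is reported ("Object already free") and left alone ("not freed"). */
static void model_kfree(void *p)
{
	int i = obj_index(p);
	if (i < 0) return; /* kfree(NULL) is a no-op */
	if (!obj_in_use[i]) { fprintf(stderr, "BUG kmalloc-16: Object already free %p\n", p); bug_count++; return; }
	memset(slab[i], POISON_FREE, OBJ_SIZE - 1);
	slab[i][OBJ_SIZE - 1] = POISON_END;
	obj_in_use[i] = 0;
}

/* True when p carries the free-object poison the dump shows (6b x 15, then a5). */
int is_freed_poison(const void *p)
{
	const uint8_t *b = p;
	if (obj_index(p) < 0) return 0;
	for (int k = 0; k < OBJ_SIZE - 1; k++) if (b[k] != POISON_FREE) return 0;
	return b[OBJ_SIZE - 1] == POISON_END;
}

struct urb { int refcount; unsigned int transfer_flags; void *transfer_buffer; }; /* only the fields the patch depends on */

static struct urb *model_usb_alloc_urb(void) { struct urb *u = calloc(1, sizeof *u); if (u) u->refcount = 1; return u; }

/* usb_free_urb() -> kref_put() -> urb_destroy(): dropping the last reference
 * frees transfer_buffer if and only if URB_FREE_BUFFER is set. */
static void model_usb_free_urb(struct urb *u)
{
	if (!u || --u->refcount > 0) return;
	if (u->transfer_flags & URB_FREE_BUFFER) model_kfree(u->transfer_buffer);
	free(u);
}

static int model_usb_submit_urb(struct urb *u) { (void)u; return -ENODEV; } /* always fails, like the reported path */

/* The driver's submit helper; explicit_kfree=1 is the pre-patch error path. */
static int submit_intr_urb(int explicit_kfree)
{
	struct urb *urb = model_usb_alloc_urb();
	unsigned char *buf = model_kmalloc();
	int err;

	if (!urb || !buf) { model_kfree(buf); free(urb); return -ENOMEM; } /* flag not set yet: buf is still ours */
	last_buf = buf;
	urb->transfer_buffer = buf;
	urb->transfer_flags |= URB_FREE_BUFFER;          /* from here on the urb owns buf */
	err = model_usb_submit_urb(urb);
	if (err < 0 && explicit_kfree) model_kfree(buf); /* the kfree(buf) the patch removes */
	model_usb_free_urb(urb);                         /* frees buf via URB_FREE_BUFFER */
	return err;
}

/* Run one error path; returns how many "Object already free" reports it caused. */
int run_error_path(int explicit_kfree) { bug_count = 0; submit_intr_urb(explicit_kfree); return bug_count; }

/* Objects still allocated after a run; 0 means the run did not leak. */
int live_objects(void) { int n = 0; for (int i = 0; i < NOBJ; i++) n += obj_in_use[i]; return n; }

int main(void)
{
	int bugs = run_error_path(1), live = live_objects();
	printf("pre-patch error path: %d double free(s), %d live object(s)\n", bugs, live);
	bugs = run_error_path(0); live = live_objects();
	printf("patched error path: %d double free(s), %d live, poisoned=%d\n", bugs, live, is_freed_poison(last_buf));
	return 0;
}
```

The model keeps the allocation state outside the objects so the second free is caught before the poison is overwritten, which is also why the real report could still print the intact 6b...a5 pattern and the 0xbb inactive redzone: SLUB refused the second free and printed "Object ... not freed" instead of corrupting the free list.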

  3. Re: BUG kmalloc-16: Object already free

    On Mon, Sep 29, 2008 at 11:17 AM, Rabin Vincent wrote:
    > On Sun, Sep 28, 2008 at 03:54:23PM -0700, Justin Mattock wrote:
    >> After frying my system, I'm finally up and
    >> running. Not sure if this was due to a git pull
    >> (it's only been a few days since the last pull), or what:
    >> when waking from suspend I see this
    >> (I know it says tainted in it, so this will be the only noise you'll
    >> hear from me on this):
    >>
    >> [ 274.327003] =============================================================================
    >> [ 274.327528] BUG kmalloc-16: Object already free
    >> [ 274.327877] -----------------------------------------------------------------------------
    >> [ 274.327879]
    >> [ 274.327890] INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    >> [ 274.327899] INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    >> [ 274.327905] INFO: Slab 0xc139a100 objects=64 used=62 fp=0xdcd08100 flags=0x400000c3

    >
    > There's a commit in the latest git which looks like it will solve the
    > btusb suspend/resume issues: 5fbcd260.. ("[Bluetooth] Fix USB disconnect
    > handling of btusb driver").
    >
    > Marcel / linux-bluetooth, I think this double free is a separate issue
    > with the error handling, and the following patch should fix it.
    >
    > ---
    > From: Rabin Vincent
    > Subject: [PATCH] btusb, bpa10x: fix double frees on error paths
    >
    > Justin Mattock reported this double free in btusb:
    >
    > BUG kmalloc-16: Object already free
    > -----------------------------------------------------------------------------
    >
    > INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    > INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    >
    > This occurs because the urb's transfer buffer is being freed separately
    > in the error path even though the URB_FREE_BUFFER transfer_flag is set
    > on the urb.
    >
    > There are similar cases elsewhere in btusb and in bpa10x. Fix all of
    > them by removing the additional kfree()'s.
    >
    > Reported-by: Justin Mattock
    > Signed-off-by: Rabin Vincent
    > ---
    > drivers/bluetooth/bpa10x.c | 2 --
    > drivers/bluetooth/btusb.c | 3 ---
    > 2 files changed, 0 insertions(+), 5 deletions(-)
    >
    > diff --git a/drivers/bluetooth/bpa10x.c b/drivers/bluetooth/bpa10x.c
    > index 1e55a65..32f3a8e 100644
    > --- a/drivers/bluetooth/bpa10x.c
    > +++ b/drivers/bluetooth/bpa10x.c
    > @@ -256,7 +256,6 @@ static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev)
    > BT_ERR("%s urb %p submission failed (%d)",
    > hdev->name, urb, -err);
    > usb_unanchor_urb(urb);
    > - kfree(buf);
    > }
    >
    > usb_free_urb(urb);
    > @@ -298,7 +297,6 @@ static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev)
    > BT_ERR("%s urb %p submission failed (%d)",
    > hdev->name, urb, -err);
    > usb_unanchor_urb(urb);
    > - kfree(buf);
    > }
    >
    > usb_free_urb(urb);
    > diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
    > index 29ae998..262e9be 100644
    > --- a/drivers/bluetooth/btusb.c
    > +++ b/drivers/bluetooth/btusb.c
    > @@ -271,7 +271,6 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev)
    > BT_ERR("%s urb %p submission failed (%d)",
    > hdev->name, urb, -err);
    > usb_unanchor_urb(urb);
    > - kfree(buf);
    > }
    >
    > usb_free_urb(urb);
    > @@ -354,7 +353,6 @@ static int btusb_submit_bulk_urb(struct hci_dev *hdev)
    > BT_ERR("%s urb %p submission failed (%d)",
    > hdev->name, urb, -err);
    > usb_unanchor_urb(urb);
    > - kfree(buf);
    > }
    >
    > usb_free_urb(urb);
    > @@ -475,7 +473,6 @@ static int btusb_submit_isoc_urb(struct hci_dev *hdev)
    > BT_ERR("%s urb %p submission failed (%d)",
    > hdev->name, urb, -err);
    > usb_unanchor_urb(urb);
    > - kfree(buf);
    > }
    >
    > usb_free_urb(urb);
    > --
    > 1.5.6.5
    >
    >


    Cool, depending on the status of
    this patch, either I'll apply this one, or just wait
    until it gets committed, and then just do a git pull.

    --
    Justin P. Mattock

  4. Re: BUG kmalloc-16: Object already free

    Hi Rabin,

    > > After frying my system, I'm finally up and
    > > running. Not sure if this was due to a git pull
    > > (it's only been a few days since the last pull), or what:
    > > when waking from suspend I see this
    > > (I know it says tainted in it, so this will be the only noise you'll
    > > hear from me on this):
    > >
    > > [ 274.327003] =============================================================================
    > > [ 274.327528] BUG kmalloc-16: Object already free
    > > [ 274.327877] -----------------------------------------------------------------------------
    > > [ 274.327879]
    > > [ 274.327890] INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    > > [ 274.327899] INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    > > [ 274.327905] INFO: Slab 0xc139a100 objects=64 used=62 fp=0xdcd08100 flags=0x400000c3

    >
    > There's a commit in the latest git which looks like it will solve the
    > btusb suspend/resume issues: 5fbcd260.. ("[Bluetooth] Fix USB disconnect
    > handling of btusb driver").
    >
    > Marcel / linux-bluetooth, I think this double free is a separate issue
    > with the error handling, and the following patch should fix it.
    >
    > ---
    > From: Rabin Vincent
    > Subject: [PATCH] btusb, bpa10x: fix double frees on error paths
    >
    > Justin Mattock reported this double free in btusb:
    >
    > BUG kmalloc-16: Object already free
    > -----------------------------------------------------------------------------
    >
    > INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    > INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    >
    > This occurs because the urb's transfer buffer is being freed separately
    > in the error path even though the URB_FREE_BUFFER transfer_flag is set
    > on the urb.
    >
    > There are similar cases elsewhere in btusb and in bpa10x. Fix all of
    > them by removing the additional kfree()'s.


    I haven't verified it yet, but it looks like a good catch. Let me double
    check this on my test machine. Weird that we never noticed this before
    since I have been using the btusb driver for a very long time now.

    Regards

    Marcel



  5. Re: BUG kmalloc-16: Object already free

    On Mon, Sep 29, 2008 at 4:47 PM, Marcel Holtmann wrote:
    > Hi Rabin,
    >
    >> > After frying my system, I'm finally up and
    >> > running. Not sure if this was due to a git pull
    >> > (it's only been a few days since the last pull), or what:
    >> > when waking from suspend I see this
    >> > (I know it says tainted in it, so this will be the only noise you'll
    >> > hear from me on this):
    >> >
    >> > [ 274.327003] =============================================================================
    >> > [ 274.327528] BUG kmalloc-16: Object already free
    >> > [ 274.327877] -----------------------------------------------------------------------------
    >> > [ 274.327879]
    >> > [ 274.327890] INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    >> > [ 274.327899] INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    >> > [ 274.327905] INFO: Slab 0xc139a100 objects=64 used=62 fp=0xdcd08100 flags=0x400000c3

    >>
    >> There's a commit in the latest git which looks like it will solve the
    >> btusb suspend/resume issues: 5fbcd260.. ("[Bluetooth] Fix USB disconnect
    >> handling of btusb driver").
    >>
    >> Marcel / linux-bluetooth, I think this double free is a separate issue
    >> with the error handling, and the following patch should fix it.
    >>
    >> ---
    >> From: Rabin Vincent
    >> Subject: [PATCH] btusb, bpa10x: fix double frees on error paths
    >>
    >> Justin Mattock reported this double free in btusb:
    >>
    >> BUG kmalloc-16: Object already free
    >> -----------------------------------------------------------------------------
    >>
    >> INFO: Allocated in btusb_open+0x82/0x16f [btusb] age=0 cpu=1 pid=3763
    >> INFO: Freed in btusb_open+0x13d/0x16f [btusb] age=0 cpu=1 pid=3763
    >>
    >> This occurs because the urb's transfer buffer is being freed separately
    >> in the error path even though the URB_FREE_BUFFER transfer_flag is set
    >> on the urb.
    >>
    >> There are similar cases elsewhere in btusb and in bpa10x. Fix all of
    >> them by removing the additional kfree()'s.

    >
    > I haven't verified it yet, but it looks like a good catch. Let me double
    > check this on my test machine. Weird that we never noticed this before
    > since I have been using the btusb driver for a very long time now.
    >
    > Regards
    >
    > Marcel
    >
    >
    >


    This was the first time I've seen this.
    I can apply the patch myself, but first
    I need to figure out why dbus can be such a bitch : )
    Need to figure out how to write dbus rules (if this is the case);
    keep getting the permission denied crap.

    --
    Justin P. Mattock
