On Sat, 2007-02-17 at 23:27 +0900, Tejun Heo wrote:
> probe_ent is allocated using devm_kzalloc() and thus should be freed
> using devm_kfree(). ata_sas_port_alloc() freed its probe_ent using
> kfree() thus causing double free later.
>
> Signed-off-by: Tejun Heo <htejun@xxxxxxxxx>
> ---
> James, does this fix the bug you mentioned on IRC?
Yes and no. I actually have two devices in this sas setup: a SATA disk
and a SATAPI DVD burner. Originally, I got the bug I reported here
Subject:
BUG in libata from
ata_sas_port_alloc
On my SATA disk. However, the DVD was fine. Now the disk shows up
fine, but I get this from the DVD:
BUG: at drivers/base/devres.c:642 devm_kfree()
[<c0103c0a>] show_trace_log_lvl+0x1a/0x30
[<c0104282>] show_trace+0x12/0x20
[<c0104336>] dump_stack+0x16/0x20
[<c023f09a>] devm_kfree+0x4a/0x50
[<f892eea2>] ata_sas_port_alloc+0x62/0x80 [libata]
[<f897869e>] sas_ata_init_host_and_port+0x5e/0xa0 [libsas]
[<f897832d>] sas_target_alloc+0x4d/0x60 [libsas]
[...]
This time, it's the opposite problem: the SATAPI DVD was kmalloc
allocated. The fault all seems to be in this code:
struct ata_probe_ent *
ata_probe_ent_alloc(struct device *dev, const struct ata_port_info *port)
{
struct ata_probe_ent *probe_ent;
/* XXX - the following if can go away once all LLDs are managed */
if (!list_empty(&dev->devres_head))
probe_ent = devm_kzalloc(dev, sizeof(*probe_ent), GFP_KERNEL);
else
probe_ent = kzalloc(sizeof(*probe_ent), GFP_KERNEL);
So we can't tell how the memory was obtained.
To fix it, it looks like we might have to mark it in some way and then
call a freeing function (ata_probe_ent_free?) to release it via the
correct method.
James
-
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
