[Crash-utility] [PATCH]: double free in trace extension
Per Fransson
per.xx.fransson at stericsson.com
Wed May 9 09:07:54 UTC 2012
Hi Dave and other list readers,
First, just like some other contributors, I've come across an issue
triggered by a dump being corrupt. In my case it's this code in
kernel.c:cpu_maps_init():
if (*maskptr & (0x1UL << c)) {
    cpu = (i * BITS_PER_LONG) + c;
    kt->cpu_flags[cpu] |= mapinfo[m].cpu_flag;
}
The mask is corrupt, making Crash believe there are more CPUs than the
four we have allocated space for in kernel.c:kernel_init. How do you
think this should be handled?
Second, I believe there is a double free in the trace extension. When
ftrace_init_pages() fails it will free
cpu_buffer->pages
and
cpu_buffer->linear_pages
But when ftrace_init_pages() fails, ftrace_init_buffers() will call
ftrace_destroy_buffers(), which also frees this space. For me this
resulted in a segfault in a malloc() a little later.
Regards,
Per
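For the first issue, the following is an added example written for this discussion; it is not code from crash, from kernel.c, or from Per's patch. It reproduces the shape of the cpu_maps_init() loop quoted above with the missing bounds check added, so that a set bit whose CPU number is outside the cpu_flags array is counted and skipped instead of being used as an index. NR_CPUS, MASK_WORDS, CPU_FLAG, the struct kernel_table stand-in and the corrupt mask are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))
#define NR_CPUS     4      /* assumed: the four CPUs kernel_init sized cpu_flags for */
#define MASK_WORDS  2      /* assumed: width of the cpumask read from the dump */
#define CPU_FLAG    0x1UL  /* assumed stand-in for mapinfo[m].cpu_flag */

/* Stand-in for the relevant part of crash's kt (kernel_table). */
struct kernel_table {
    unsigned long cpu_flags[NR_CPUS];
};

/*
 * Apply one cpumask from the dump to kt->cpu_flags.  Unlike the loop in
 * cpu_maps_init(), a set bit whose CPU number is >= NR_CPUS is counted and
 * skipped instead of being used as an index.  The return value is the number
 * of such bits, so the caller can warn that the mask is inconsistent with
 * the CPU count rather than silently writing past the array.
 */
static int cpu_maps_apply(struct kernel_table *kt, const unsigned long *mask,
                          size_t words, unsigned long flag)
{
    int skipped = 0;

    for (size_t i = 0; i < words; i++) {
        for (size_t c = 0; c < BITS_PER_LONG; c++) {
            if (!(mask[i] & (0x1UL << c)))
                continue;
            size_t cpu = (i * BITS_PER_LONG) + c;
            if (cpu >= NR_CPUS) {   /* the bounds check the original loop lacks */
                skipped++;
                continue;
            }
            kt->cpu_flags[cpu] |= flag;
        }
    }
    return skipped;
}

/*
 * Constructed corrupt mask: bits 0-3 of word 0 name the real CPUs; bit 7 of
 * word 0 and bit 0 of word 1 are garbage that the unchecked loop would turn
 * into writes to cpu_flags[7] and cpu_flags[BITS_PER_LONG].  Returns the
 * number of garbage bits that were ignored.
 */
int apply_corrupt_mask(struct kernel_table *kt)
{
    static const unsigned long corrupt_mask[MASK_WORDS] = {
        0xfUL | (0x1UL << 7),
        0x1UL,
    };

    memset(kt, 0, sizeof(*kt));
    return cpu_maps_apply(kt, corrupt_mask, MASK_WORDS, CPU_FLAG);
}

int main(void)
{
    struct kernel_table kt;
    int skipped = apply_corrupt_mask(&kt);

    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        printf("cpu %d flags 0x%lx\n", cpu, kt.cpu_flags[cpu]);
    printf("%d set bits beyond NR_CPUS ignored\n", skipped);
    return 0;
}
```

Whether crash should warn, abort, or grow the array on a non-zero skip count is the open question in the message; the point of the check is only that a corrupt dump must not be able to choose the index of a write.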
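For the second issue, here is an added example, again not the trace extension's own code nor the attached patch. It models the init_pages / init_buffers / destroy_buffers call chain described above and shows one ownership convention that rules out the double free: whichever path frees a field also resets it to NULL, so the teardown that init_buffers() runs after a failure is a no-op for fields the failing initializer already released. The struct layout, the failure injection via fail_cpu, and the alloc/free counters are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CPUS      8    /* assumed upper bound for this example */
#define PAGES_PER_CPU 16   /* assumed; only the allocation pattern matters */

/* Stand-in for the trace extension's per-CPU ring buffer bookkeeping. */
struct cpu_buffer {
    void *pages;
    void *linear_pages;
};

/* Counters so the example can prove every allocation is released exactly once. */
static int n_alloc, n_free;

static void *counted_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        n_alloc++;
    return p;
}

/*
 * Free and clear in one step.  Because the field is reset to NULL, a second
 * pass over the same buffer (as from a destroy routine) does nothing instead
 * of handing the same pointer to free() twice.
 */
static void release(void **pp)
{
    if (*pp) {
        free(*pp);
        *pp = NULL;
        n_free++;
    }
}

/*
 * Per-CPU setup.  'fail_cpu' simulates the error that makes the real
 * ftrace_init_pages() bail out.  On failure this call releases what it
 * allocated but leaves the fields NULL, so the caller's destroy path is safe.
 */
static int init_pages(struct cpu_buffer *cb, int cpu, int fail_cpu)
{
    cb->pages = counted_alloc(PAGES_PER_CPU * sizeof(void *));
    cb->linear_pages = counted_alloc(PAGES_PER_CPU * sizeof(void *));
    if (!cb->pages || !cb->linear_pages || cpu == fail_cpu) {
        release(&cb->pages);
        release(&cb->linear_pages);
        return -1;
    }
    return 0;
}

/* Single owner of teardown; safe on a partially initialised array. */
static void destroy_buffers(struct cpu_buffer *bufs, int ncpus)
{
    for (int i = 0; i < ncpus; i++) {
        release(&bufs[i].pages);
        release(&bufs[i].linear_pages);
    }
}

static int init_buffers(struct cpu_buffer *bufs, int ncpus, int fail_cpu)
{
    for (int i = 0; i < ncpus; i++) {
        if (init_pages(&bufs[i], i, fail_cpu) < 0) {
            /* Frees CPUs before i; CPU i's fields are already NULL, so no double free. */
            destroy_buffers(bufs, ncpus);
            return -1;
        }
    }
    return 0;
}

/*
 * Run init with a failure injected at 'fail_cpu' (-1 for none) and return
 * n_free - n_alloc: 0 means every allocation was released exactly once,
 * negative means something leaked.
 */
int free_balance(int ncpus, int fail_cpu)
{
    struct cpu_buffer bufs[MAX_CPUS] = { { NULL, NULL } };

    if (ncpus > MAX_CPUS)
        ncpus = MAX_CPUS;
    n_alloc = n_free = 0;
    if (init_buffers(bufs, ncpus, fail_cpu) == 0)
        destroy_buffers(bufs, ncpus);   /* normal teardown on the success path */
    return n_free - n_alloc;
}

int main(void)
{
    printf("failure at cpu 2: balance %d\n", free_balance(4, 2));
    printf("no failure:       balance %d\n", free_balance(4, -1));
    return 0;
}
```

The alternative convention, equally valid, is for init_pages() to free nothing on failure and leave all cleanup to destroy_buffers(); what matters is that exactly one of the two paths owns each free, and that a freed field cannot be freed again because it no longer holds the pointer.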
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trace.patch
Type: text/x-diff
Size: 263 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/crash-utility/attachments/20120509/20265c65/attachment.bin>