[haiku-bugs] Re: [Haiku] #9528: stop_watching() KDLs on page fault, monitoring a CDDA

  • From: "ttcoder" <trac@xxxxxxxxxxxx>
  • Date: Tue, 20 May 2014 10:18:32 -0000

#9528: stop_watching() KDLs on page fault, monitoring a CDDA
-----------------------------+----------------------------
   Reporter:  ttcoder        |      Owner:  axeld
       Type:  bug            |     Status:  new
   Priority:  normal         |  Milestone:  R1
  Component:  System/Kernel  |    Version:  R1/Development
 Resolution:                 |   Keywords:
 Blocked By:                 |   Blocking:
Has a Patch:  0              |   Platform:  All
-----------------------------+----------------------------

Comment (by ttcoder):

 Significant milestone reached -- I now know for sure who the "ascii"
 buffer belongs to, it is actually the `Volume::fName` const char*.

 Details:

 I've modified the `Volume` dtor to fill out its fName buffer before
 `free`ing it, here's the diff:

 {{{
 Volume::~Volume()
 {
   ...

 + memset(fName, 'z', strlen(fName));
   free(fName);
 }
 }}}
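 Review bot: `strlen(fName)` on the added line runs with no NULL check, so if a `Volume` can be destroyed before `fName` is set, the debug `memset` itself page-faults where the original `free(NULL)` would have been harmless; guard it with `if (fName != NULL)`. Also, `memset` stops at the terminating NUL, so only `strlen(fName)` bytes are poisoned: the NUL byte and any slack in the allocation keep their old contents, and a later stale read that lands on those bytes will not show the 0x7a pattern.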

 (the letter z is 0x7a in hex).

 And sure enough, '''the KDL page fault I get from now on is on indirection
 `0x7a7a7a7a` ''' !

 I've tried to invoke `syslog` in KDL to see if something comes up, since my
 modified driver has some tracing like dprintf("%p\n", fName) etc. in
 places, but nothing was immediately apparent.

 I was hoping to see a clear "use after free" symptom, like somebody
 calling the deleted Volume, making it write to its (long-since free()d)
 fName buffer, for example... I have a feeling it's something like that
 because '''whenever I mount an audio CD it gets a sequential number, like
 Audio CD1, Audio CD2 etc. (or Jogeir Liljedahl1, Jogeir Liljedahl2
 etc.), as if somebody is still keeping a handle on the mounted CD''' even
 after I eject it and cdda_unmount() is called, which in turn calls 'delete
 volume'... but I didn't find anything.

 I'm now going to comment out the free() (i.e. leak the memory) and see if it
 "fixes" the driver. Failing that, I'll try to outright comment out the
 'delete volume', though that would represent a bigger memory leak.

--
Ticket URL: <https://dev.haiku-os.org/ticket/9528#comment:9>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
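The debugging trick in the comment above (fill a buffer with a recognisable byte before freeing it, so a stale dereference faults on a recognisable address such as 0x7a7a7a7a) is worth having in a reusable form. The following is an added example and is not code from the Haiku tree or from the ticket reporter; `dbg_malloc`, `dbg_free_poison`, the `volume` struct and the `registry` array are hypothetical stand-ins for the driver's `Volume` and whatever is suspected to keep a handle on it. It generalises the ticket's one-liner in two ways: the whole allocation is poisoned (a size header is kept in front of it), and the memory is quarantined rather than returned to the heap, so a later read through a dangling handle is well defined and shows the pattern instead of faulting at random.

```c
/* Poison-and-quarantine allocator to make use-after-free visible.
 * Added example, not Haiku code; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_BYTE 0x7a   /* 'z', the value used in the ticket */

/* Size header kept in front of every allocation so the whole block can be
 * poisoned at "free" time, not just up to a terminating NUL. */
struct alloc_hdr { size_t size; };

static void *dbg_malloc(size_t size)
{
    struct alloc_hdr *h = malloc(sizeof *h + size);
    if (h == NULL)
        return NULL;
    h->size = size;
    return h + 1;
}

/* "Free": fill the allocation with POISON_BYTE and keep it mapped. The memory
 * is deliberately leaked (quarantined) so that reads through stale pointers
 * are defined and return the pattern. */
static void dbg_free_poison(void *p)
{
    if (p == NULL)
        return;
    struct alloc_hdr *h = (struct alloc_hdr *)p - 1;
    memset(p, POISON_BYTE, h->size);
}

/* Returns 1 if the first len bytes at p are entirely the poison pattern. */
static int dbg_is_poisoned(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != POISON_BYTE)
            return 0;
    return 1;
}

/* Stand-in for the driver's Volume: the name lives in its own heap buffer. */
struct volume { char *name; };

/* Stand-in for the suspected long-lived holder of mounted volumes: a registry
 * that is never cleared on unmount, which leaves dangling entries behind. */
#define MAX_VOLUMES 8
static struct volume *registry[MAX_VOLUMES];
static int registry_count;

static struct volume *volume_mount(const char *name)
{
    if (registry_count >= MAX_VOLUMES)
        return NULL;
    struct volume *v = dbg_malloc(sizeof *v);
    size_t n = strlen(name) + 1;
    if (v == NULL || (v->name = dbg_malloc(n)) == NULL)
        return NULL;
    memcpy(v->name, name, n);
    registry[registry_count++] = v;   /* registry keeps the handle */
    return v;
}

static void volume_unmount(struct volume *v)
{
    dbg_free_poison(v->name);   /* what the patched dtor does to fName */
    dbg_free_poison(v);
    /* bug under investigation: the registry entry is left dangling */
}

/* Counts registry entries whose object is poisoned, i.e. handles still held
 * after unmount. This is the check a "who still references it" sweep needs. */
static int registry_stale_count(void)
{
    int stale = 0;
    for (int i = 0; i < registry_count; i++)
        if (dbg_is_poisoned(registry[i], sizeof *registry[i]))
            stale++;
    return stale;
}

/* Raw bits of registry[index]->name, read with memcpy so no invalid pointer is
 * ever loaded. After unmount this is the 0x7a7a... value a KDL backtrace shows
 * when the dangling object's pointer field gets dereferenced. */
static uintptr_t stale_name_pointer(int index)
{
    uintptr_t raw = 0;
    if (index < 0 || index >= registry_count)
        return 0;
    memcpy(&raw, &registry[index]->name, sizeof raw);
    return raw;
}

int main(void)
{
    struct volume *cd = volume_mount("Audio CD");
    printf("stale before unmount: %d\n", registry_stale_count());
    volume_unmount(cd);
    printf("stale after unmount: %d, name ptr bits: 0x%llx\n",
           registry_stale_count(),
           (unsigned long long)stale_name_pointer(0));
    return 0;
}
```

Running this stand-alone prints zero stale entries before the unmount and one after, with the dangling entry's name pointer reading back as all 0x7a bytes. In a real driver the same poison check can be run from a debugger command over whatever list or cache is suspected of holding the handle, which is faster than waiting for the next page fault.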
