It seems like a double free is happening inside bluetoothd by looking at
the line that is referenced in the error above:
in the function kfree(*x):
    page = virt_to_head_page(x);
    if (unlikely(!PageSlab(page))) {
so a pointer was passed to the kfree function, and it expected a page
datatype and got something else?
I suppose it's only really helpful to know where this function was
called from; I've never really tried to read a stacktrace before, but
here goes nothing! I'm assuming that this kfree was initiated from
l2cap_chan_destroy() in bluetooth.
I found the function in net/bluetooth/l2cap_core.c and sure enough,
there is a kfree(chan) at the end of the function.
Now I don't know much about kernel programming, but since we are
apparently dealing with a double free, would it be wise to add an
'assert' here to make sure that chan is valid before we free it, similar
to how slub.c:2943 uses "BUG_ON()", so we can track down what's actually
happening?
Now I'd really like someone with some kernel expertise to guide me here
and tell me if I'm poking in the right direction. Thanks!
** Changed in: linux (Ubuntu)
Status: Confirmed => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/901770
Title:
Kernel Bug in bluetoothd?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/901770/+subscriptions