On Fri, Jun 24, 2016 at 3:33 PM, Takashi Iwai tiwai@suse.de wrote:
On Tue, 21 Jun 2016 19:41:28 +0200, Dmitry Vyukov wrote:
On Mon, Jun 6, 2016 at 6:39 PM, Takashi Iwai tiwai@suse.de wrote:
On Mon, 06 Jun 2016 18:29:25 +0200, Dmitry Vyukov wrote:
On Mon, Jun 6, 2016 at 4:11 PM, Takashi Iwai tiwai@suse.de wrote:
On Sat, 04 Jun 2016 20:27:50 +0200, Dmitry Vyukov wrote:
On Sat, Jun 4, 2016 at 8:00 PM, Dmitry Vyukov dvyukov@google.com wrote:
Hello,

The following program triggers use-after-free:
Forgot to mention that you need to run it in a tight parallel loop. It takes around 5 minutes to reproduce for me.
Hmm, this again is a bug that is difficult to trigger... At least, I couldn't reproduce it locally. How many processes are you running with the stress program?
I use a VM with 4 cores and use 20 parallel test processes.
It seems that there is nothing more than opening /dev/audio and doing some mmap in the job. Is there any other relevant thing there?
I think poll with timeout is related. It is poll that sets the hrtimer, right?
If it's about snd-dummy driver, hrtimer is created at open, and started/stopped at PCM trigger, and removed at close.
Is there any good way to decode which syscalls are executed in the test code?
What do you mean? Here are the syscalls in the program:
r[2] = syscall(SYS_open, "/dev/audio", 0xa40ul, 0, 0, 0); // r[2] is in the descriptor passed to SYS_poll
r[15] = syscall(SYS_poll, 0x2001dde8ul, 0x4ul, 0x8ul, 0, 0, 0);
r[18] = syscall(SYS_readv, r[2], 0x20dc13c0ul, 0x1ul, 0, 0, 0);
r[19] = syscall(SYS_read, r[2], 0x20dbefe0ul, 0x20ul, 0, 0, 0);
I meant some nice way to decode these magic numbers to be more understandable :)
Short term, run it under strace. It should show file names, decode most of flags and structs.
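As an added illustration, not part of the thread, here is the kind of decoding strace does for the reproducer's magic numbers, done by hand: the open(2) flags 0xa40 and a pollfd events mask are split into named bits, and any bits the table does not know are kept as a hex remainder instead of being silently dropped. The flag values are assumed to be the Linux generic ABI ones (asm-generic fcntl.h and poll.h, as used on x86-64); the pointer arguments are left as-is, since only the running process can see the memory behind them.

```python
# Linux generic ABI values (include/uapi/asm-generic/fcntl.h and poll.h),
# assumed here; architectures with their own headers (alpha, sparc) differ.
OPEN_FLAGS = {
    "O_CREAT": 0o100, "O_EXCL": 0o200, "O_NOCTTY": 0o400, "O_TRUNC": 0o1000,
    "O_APPEND": 0o2000, "O_NONBLOCK": 0o4000, "O_DSYNC": 0o10000,
    "O_DIRECT": 0o40000, "O_LARGEFILE": 0o100000, "O_DIRECTORY": 0o200000,
    "O_NOFOLLOW": 0o400000, "O_NOATIME": 0o1000000, "O_CLOEXEC": 0o2000000,
}
POLL_EVENTS = {
    "POLLIN": 0x001, "POLLPRI": 0x002, "POLLOUT": 0x004, "POLLERR": 0x008,
    "POLLHUP": 0x010, "POLLNVAL": 0x020, "POLLRDNORM": 0x040,
    "POLLRDBAND": 0x080, "POLLWRNORM": 0x100, "POLLWRBAND": 0x200,
}

def decode_bits(value, table):
    """Split a bitmask into known flag names plus any leftover bits
    (strace prints those as a trailing hex value rather than dropping them)."""
    names, rest = [], value
    for name, bit in table.items():
        if (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    return names, rest

def decode_open_flags(flags):
    """Render open(2) flags like strace: access mode first, then the flag bits."""
    mode = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}.get(flags & 0o3, "O_ACCMODE?")
    names, rest = decode_bits(flags & ~0o3, OPEN_FLAGS)
    return "|".join([mode] + names + ([hex(rest)] if rest else []))

def decode_poll_events(events):
    """Render a pollfd.events/revents mask; 0 means 'wait for nothing'."""
    names, rest = decode_bits(events, POLL_EVENTS)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def describe_reproducer():
    """The four calls from the reproducer above, rendered strace-style.
    Pointer arguments are kept verbatim; nfds and timeout come from the call."""
    return [
        "open(\"/dev/audio\", %s)" % decode_open_flags(0xa40),
        "poll(0x2001dde8, nfds=4, timeout=8ms)",
        "readv(r[2], 0x20dc13c0, iovcnt=1)",
        "read(r[2], 0x20dbefe0, 0x20)",
    ]

if __name__ == "__main__":
    print("\n".join(describe_reproducer()))
```

The same open(2) call under strace itself prints O_RDONLY|O_CREAT|O_TRUNC|O_NONBLOCK, which is what makes the hrtimer-at-open path in snd-dummy plausible as the thing the poll timeout is racing against.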