[Bug 99952] New: Use after free in intel_audo_lpe_teardown
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Fri Feb 24 22:52:59 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=99952
Bug ID: 99952
Summary: Use after free in intel_audo_lpe_teardown
Product: DRI
Version: XOrg git
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: DRM/Intel
Assignee: intel-gfx-bugs at lists.freedesktop.org
Reporter: chris at chris-wilson.co.uk
QA Contact: intel-gfx-bugs at lists.freedesktop.org
CC: intel-gfx-bugs at lists.freedesktop.org
[ 26.691040] BUG: KASAN: use-after-free in intel_lpe_audio_teardown+0x78/0xb0
[i915] at addr ffff880235a50fa0
[ 26.691228] Read of size 8 by task drv_selftest/396
[ 26.691390] CPU: 0 PID: 396 Comm: drv_selftest Not tainted 4.10.0+ #442
[ 26.691547] Hardware name: / , BIOS
PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
[ 26.691704] Call Trace:
[ 26.691872] dump_stack+0x4d/0x63
[ 26.692037] kasan_object_err+0x1c/0x70
[ 26.692222] kasan_report_error+0x1f1/0x4f0
[ 26.692406] ? kfree+0x7e/0x130
[ 26.692570] ? kfree_const+0x1c/0x20
[ 26.692758] kasan_report+0x34/0x40
[ 26.692940] ? online_show+0x30/0x60
[ 26.693762] ? intel_lpe_audio_teardown+0x78/0xb0 [i915]
[ 26.693947] __asan_load8+0x5e/0x70
[ 26.694770] intel_lpe_audio_teardown+0x78/0xb0 [i915]
[ 26.695569] intel_audio_deinit+0x28/0x80 [i915]
[ 26.696311] i915_driver_unload+0xe1/0x340 [i915]
[ 26.697146] ? i915_driver_load+0x1cb0/0x1cb0 [i915]
[ 26.697442] ? kernfs_find_ns+0x96/0x130
[ 26.698278] i915_pci_remove+0x23/0x30 [i915]
[ 26.698579] pci_device_remove+0x5c/0x100
[ 26.698877] device_release_driver_internal+0x1d3/0x2e0
[ 26.699177] driver_detach+0x6e/0xd0
[ 26.699481] bus_remove_driver+0x88/0x150
[ 26.699775] driver_unregister+0x3e/0x60
[ 26.700072] pci_unregister_driver+0x2b/0x100
[ 26.701008] i915_exit+0x1a/0x71 [i915]
[ 26.701306] SyS_delete_module+0x262/0x2b0
[ 26.701609] ? free_module+0x3d0/0x3d0
[ 26.701900] ? mem_cgroup_handle_over_high+0x1c/0xd0
[ 26.702203] ? exit_to_usermode_loop+0x3a/0xa0
[ 26.702496] entry_SYSCALL_64_fastpath+0x17/0x98
[ 26.702781] RIP: 0033:0x7ff9007a5ec7
[ 26.703033] RSP: 002b:00007ffd5a3fbc38 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[ 26.703414] RAX: ffffffffffffffda RBX: 000055c01afcb0c0 RCX:
00007ff9007a5ec7
[ 26.703688] RDX: 0000000000000000 RSI: 0000000000000800 RDI:
000055c01afca6b8
[ 26.703953] RBP: 00007ff900a52440 R08: 0000000000000000 R09:
00007ffd5a3fbc68
[ 26.704212] R10: 0000000000000062 R11: 0000000000000206 R12:
0000000000000000
[ 26.704476] R13: 000055c01afc9440 R14: 0000000000000033 R15:
00007ffd5a3fac10
[ 26.704750] Object at ffff880235a50d80, in cache kmalloc-1024 size: 1024
[ 26.705016] Allocated:
[ 26.705251] PID = 214
[ 26.705505] save_stack_trace+0x16/0x20
[ 26.705767] save_stack+0x46/0xd0
[ 26.706050] kasan_kmalloc+0xad/0xe0
[ 26.706328] __kmalloc+0x101/0x190
[ 26.706612] platform_device_alloc+0x27/0x90
[ 26.706908] platform_device_register_full+0x36/0x220
[ 26.707848] intel_lpe_audio_init+0x444/0x5b0 [i915]
[ 26.708746] intel_audio_init+0xd/0x40 [i915]
[ 26.709573] i915_driver_load+0x1352/0x1cb0 [i915]
[ 26.710407] i915_pci_probe+0x65/0xe0 [i915]
[ 26.710718] pci_device_probe+0xda/0x140
[ 26.711003] driver_probe_device+0x400/0x660
[ 26.711292] __driver_attach+0x115/0x120
[ 26.711576] bus_for_each_dev+0xe3/0x140
[ 26.711862] driver_attach+0x26/0x30
[ 26.712147] bus_add_driver+0x268/0x3b0
[ 26.712435] driver_register+0xce/0x190
[ 26.712730] __pci_register_driver+0xab/0xc0
[ 26.713008] 0xffffffffa02a8063
[ 26.713288] do_one_initcall+0x8b/0x1e0
[ 26.713579] do_init_module+0x102/0x2ec
[ 26.713860] load_module+0x39a4/0x4430
[ 26.714166] SYSC_finit_module+0x169/0x1a0
[ 26.714456] SyS_finit_module+0x9/0x10
[ 26.714738] entry_SYSCALL_64_fastpath+0x17/0x98
[ 26.715005] Freed:
[ 26.715231] PID = 396
[ 26.715486] save_stack_trace+0x16/0x20
[ 26.715746] save_stack+0x46/0xd0
[ 26.716045] kasan_slab_free+0x73/0xc0
[ 26.716327] kfree+0x7e/0x130
[ 26.716602] platform_device_release+0x76/0x80
[ 26.716887] device_release+0x45/0xe0
[ 26.717173] kobject_release+0x99/0x1e0
[ 26.717481] kobject_put+0x30/0x60
[ 26.717759] put_device+0x12/0x20
[ 26.718041] platform_device_unregister+0x1b/0x20
[ 26.718975] intel_lpe_audio_teardown+0x5c/0xb0 [i915]
[ 26.719875] intel_audio_deinit+0x28/0x80 [i915]
[ 26.720698] i915_driver_unload+0xe1/0x340 [i915]
[ 26.721528] i915_pci_remove+0x23/0x30 [i915]
[ 26.721832] pci_device_remove+0x5c/0x100
[ 26.722121] device_release_driver_internal+0x1d3/0x2e0
[ 26.722412] driver_detach+0x6e/0xd0
[ 26.722694] bus_remove_driver+0x88/0x150
[ 26.722984] driver_unregister+0x3e/0x60
[ 26.723287] pci_unregister_driver+0x2b/0x100
[ 26.724219] i915_exit+0x1a/0x71 [i915]
[ 26.724507] SyS_delete_module+0x262/0x2b0
[ 26.724787] entry_SYSCALL_64_fastpath+0x17/0x98
[ 26.725051] Memory state around the buggy address:
[ 26.725310] ffff880235a50e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 26.725687] ffff880235a50f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 26.726092] >ffff880235a50f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 26.726457] ^
[ 26.726705] ffff880235a51000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 26.727102] ffff880235a51080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are on the CC list for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-gfx-bugs/attachments/20170224/3e29cbc6/attachment.html>
More information about the intel-gfx-bugs
mailing list