[Bug 106084] [CI] igt at .* - BUG kmalloc-2048 (Tainted: G U W ): Poison overwritten
bugzilla-daemon at freedesktop.org
Fri Apr 20 09:13:36 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=106084
--- Comment #4 from Chris Wilson <chris at chris-wilson.co.uk> ---
<3>[ 56.014815]
==================================================================
<3>[ 56.014947] BUG: KASAN: use-after-free in xhci_free_virt_device.part.18+0x5e4/0x650
<3>[ 56.014959] Read of size 4 at addr ffff8800aaffd178 by task systemd-udevd/1516
<4>[ 56.014981] CPU: 0 PID: 1516 Comm: systemd-udevd Tainted: G U W 4.17.0-rc1-g47f407780a2b-kasan_27+ #1
<4>[ 56.014985] Hardware name: LENOVO 2356GCG/2356GCG, BIOS G7ET31WW (1.13 ) 07/02/2012
<4>[ 56.014990] Call Trace:
<4>[ 56.014995] <IRQ>
<4>[ 56.015004] dump_stack+0x7c/0xbb
<4>[ 56.015012] ? xhci_free_virt_device.part.18+0x5e4/0x650
<4>[ 56.015019] print_address_description+0x65/0x270
<4>[ 56.015027] ? xhci_free_virt_device.part.18+0x5e4/0x650
<4>[ 56.015035] kasan_report+0x23e/0x360
<4>[ 56.015047] xhci_free_virt_device.part.18+0x5e4/0x650
<4>[ 56.015065] handle_cmd_completion+0x1791/0x41a0
<4>[ 56.015092] ? lock_acquire+0x138/0x3c0
<4>[ 56.015098] ? lock_acquire+0x138/0x3c0
<4>[ 56.015106] ? xhci_queue_new_dequeue_state+0x860/0x860
<4>[ 56.015125] xhci_irq+0x1c89/0x64e0
<4>[ 56.015160] ? debug_check_no_locks_freed+0x2a0/0x2a0
<4>[ 56.015168] ? finish_td+0x350/0x350
<4>[ 56.015186] ? xhci_irq+0x64e0/0x64e0
<4>[ 56.015195] __handle_irq_event_percpu+0xe5/0x6e0
<4>[ 56.015212] handle_irq_event_percpu+0x65/0x120
<4>[ 56.015221] ? __handle_irq_event_percpu+0x6e0/0x6e0
<4>[ 56.015227] ? lock_acquire+0x138/0x3c0
<4>[ 56.015233] ? handle_edge_irq+0x24/0x750
<4>[ 56.015243] ? do_raw_spin_unlock+0x4f/0x240
<4>[ 56.015254] handle_irq_event+0x9c/0x130
<4>[ 56.015263] handle_edge_irq+0x2ba/0x750
<4>[ 56.015278] handle_irq+0x39/0x50
<4>[ 56.015285] do_IRQ+0x7d/0x1a0
<4>[ 56.015296] common_interrupt+0xf/0xf
<4>[ 56.015301] </IRQ>
<4>[ 56.015308] RIP: 0010:unwind_get_return_address+0x72/0x90
<4>[ 56.015313] RSP: 0018:ffff8800b17ef330 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd6
<4>[ 56.015322] RAX: ffffffffa65a68a2 RBX: ffff8800b17ef3c8 RCX: 0000000000000000
<4>[ 56.015328] RDX: 1ffff100162fde70 RSI: ffff8800b17ef200 RDI: ffffffffa65a68a2
<4>[ 56.015332] RBP: ffff8800b17ef3b0 R08: 0000000000000001 R09: 0000000000000001
<4>[ 56.015337] R10: ffff8800b17efc90 R11: 000000000001e033 R12: 0000000000000000
<4>[ 56.015342] R13: 0000000000000000 R14: ffff88010d7e4ec0 R15: ffff88011a18de80
<4>[ 56.015358] ? filename_lookup+0x172/0x2e0
<4>[ 56.015366] ? filename_lookup+0x172/0x2e0
<4>[ 56.015378] __save_stack_trace+0x7e/0xd0
<4>[ 56.015392] ? filename_lookup+0x172/0x2e0
<4>[ 56.015404] kasan_kmalloc+0xe4/0x170
<4>[ 56.015414] ? kmem_cache_alloc+0xdf/0x2e0
<4>[ 56.015420] ? __d_alloc+0x25/0x900
<4>[ 56.015425] ? d_alloc+0x3f/0x240
<4>[ 56.015430] ? d_alloc_parallel+0xdf/0x13e0
<4>[ 56.015436] ? __lookup_slow+0x167/0x390
<4>[ 56.015442] ? lookup_slow+0x4b/0x70
<4>[ 56.015447] ? walk_component+0x67e/0xcc0
<4>[ 56.015453] ? path_lookupat+0x1a1/0x880
<4>[ 56.015466] ? __d_alloc+0x25/0x900
<4>[ 56.015472] ? __d_alloc+0x25/0x900
<4>[ 56.015479] ? set_track+0x86/0x100
<4>[ 56.015485] ? init_object+0x66/0x80
<4>[ 56.015498] ? ___slab_alloc.constprop.35+0x232/0x3e0
<4>[ 56.015505] ? ___slab_alloc.constprop.35+0x232/0x3e0
<4>[ 56.015510] ? __d_alloc+0x25/0x900
<4>[ 56.015532] ? mark_held_locks+0xa8/0xf0
<4>[ 56.015542] ? __d_alloc+0x25/0x900
<4>[ 56.015548] ? trace_hardirqs_on_caller+0x33f/0x590
<4>[ 56.015560] ? __d_alloc+0x25/0x900
<4>[ 56.015565] kmem_cache_alloc+0xdf/0x2e0
<4>[ 56.015576] __d_alloc+0x25/0x900
<4>[ 56.015590] d_alloc+0x3f/0x240
<4>[ 56.015603] d_alloc_parallel+0xdf/0x13e0
<4>[ 56.015613] ? debug_check_no_locks_freed+0x2a0/0x2a0
<4>[ 56.015629] ? __lock_acquire+0x8a4/0x4f30
<4>[ 56.015638] ? __mutex_unlock_slowpath+0xd3/0x670
<4>[ 56.015645] ? __d_lookup_rcu+0x720/0x720
<4>[ 56.015657] ? mark_held_locks+0xa8/0xf0
<4>[ 56.015670] ? trace_hardirqs_on_caller+0x33f/0x590
<4>[ 56.015680] ? __lockdep_init_map+0xdf/0x580
<4>[ 56.015688] ? __lockdep_init_map+0xdf/0x580
<4>[ 56.015704] __lookup_slow+0x167/0x390
<4>[ 56.015724] ? follow_dotdot+0x1f0/0x1f0
<4>[ 56.015752] lookup_slow+0x4b/0x70
<4>[ 56.015761] walk_component+0x67e/0xcc0
<4>[ 56.015769] ? inode_permission+0x2c7/0x380
<4>[ 56.015777] ? lookup_fast+0x10b0/0x10b0
<4>[ 56.015785] ? link_path_walk+0x6cc/0x1240
<4>[ 56.015801] ? walk_component+0xcc0/0xcc0
<4>[ 56.015821] path_lookupat+0x1a1/0x880
<4>[ 56.015826] ? getname_flags+0x4a/0x3e0
<4>[ 56.015832] ? user_path_at_empty+0x18/0x30
<4>[ 56.015841] ? path_mountpoint+0x900/0x900
<4>[ 56.015855] ? getname_flags+0x4a/0x3e0
<4>[ 56.015862] ? getname_flags+0x4a/0x3e0
<4>[ 56.015869] ? set_track+0x86/0x100
<4>[ 56.015875] ? init_object+0x66/0x80
<4>[ 56.015888] ? ___slab_alloc.constprop.35+0x232/0x3e0
<4>[ 56.015900] filename_lookup+0x172/0x2e0
<4>[ 56.015912] ? filename_parentat+0x380/0x380
<4>[ 56.015934] ? strncpy_from_user+0x75/0x280
<4>[ 56.015941] ? getname_flags+0x4a/0x3e0
<4>[ 56.015947] ? rcu_read_lock_sched_held+0x10f/0x130
<4>[ 56.015954] ? kmem_cache_alloc+0x278/0x2e0
<4>[ 56.015965] ? getname_flags+0x88/0x3e0
<4>[ 56.015981] ? do_readlinkat+0xad/0x240
<4>[ 56.015986] do_readlinkat+0xad/0x240
<4>[ 56.015997] ? __x32_compat_sys_newfstat+0x70/0x70
<4>[ 56.016007] ? syscall_trace_enter+0x27e/0x880
<4>[ 56.016013] ? do_faccessat+0x36d/0x570
<4>[ 56.016021] ? syscall_slow_exit_work+0x400/0x400
<4>[ 56.016040] __x64_sys_readlinkat+0x8e/0xf0
<4>[ 56.016049] do_syscall_64+0x97/0x400
<4>[ 56.016060] entry_SYSCALL_64_after_hwframe+0x49/0xbe
<4>[ 56.016065] RIP: 0033:0x7f869cfbcd1a
<4>[ 56.016070] RSP: 002b:00007ffe3fe72f08 EFLAGS: 00000202 ORIG_RAX: 000000000000010b
<4>[ 56.016079] RAX: ffffffffffffffda RBX: 000056128e58ec10 RCX: 00007f869cfbcd1a
<4>[ 56.016083] RDX: 000056128e58ec10 RSI: 00007ffe3fe72f90 RDI: 00000000ffffff9c
<4>[ 56.016088] RBP: 0000000000000064 R08: 000000000000fefe R09: 0000000000000018
<4>[ 56.016092] R10: 0000000000000063 R11: 0000000000000202 R12: 00007ffe3fe72f90
<4>[ 56.016097] R13: 00000000ffffff9c R14: 00007ffe3fe72f60 R15: 0000000000000063
<3>[ 56.016130] Allocated by task 153:
<4>[ 56.016140] kmem_cache_alloc_trace+0x125/0x300
<4>[ 56.016147] usb_alloc_dev+0x50/0xc70
<4>[ 56.016153] hub_event+0x10b9/0x3370
<4>[ 56.016159] process_one_work+0x6f8/0x1600
<4>[ 56.016164] worker_thread+0xc9/0xc20
<4>[ 56.016170] kthread+0x30c/0x3d0
<4>[ 56.016175] ret_from_fork+0x3a/0x50
<3>[ 56.016187] Freed by task 153:
<4>[ 56.016196] kfree+0xe9/0x310
<4>[ 56.016202] device_release+0x6e/0x1d0
<4>[ 56.016208] kobject_put+0x14b/0x400
<4>[ 56.016213] hub_event+0xfc9/0x3370
<4>[ 56.016218] process_one_work+0x6f8/0x1600
<4>[ 56.016223] worker_thread+0x5dd/0xc20
<4>[ 56.016229] kthread+0x30c/0x3d0
<4>[ 56.016234] ret_from_fork+0x3a/0x50
<3>[ 56.016247] The buggy address belongs to the object at ffff8800aaffcb08 which belongs to the cache kmalloc-2048 of size 2048
<3>[ 56.016257] The buggy address is located 1648 bytes inside of 2048-byte region [ffff8800aaffcb08, ffff8800aaffd308)
<3>[ 56.016266] The buggy address belongs to the page:
<0>[ 56.016276] page:ffffea0002abfe00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
<0>[ 56.016293] flags: 0x4000000000008100(slab|head)
<1>[ 56.016303] raw: 4000000000008100 0000000000000000 0000000000000000 00000001000d000d
<1>[ 56.016314] raw: ffffea0002ab6a20 ffffea0002a45e20 ffff88011a0113c0 0000000000000000
<1>[ 56.016322] page dumped because: kasan: bad access detected
<3>[ 56.016338] Memory state around the buggy address:
<3>[ 56.016347]  ffff8800aaffd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 56.016356]  ffff8800aaffd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 56.016365] >ffff8800aaffd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 56.016373]                                                                 ^
<3>[ 56.016382]  ffff8800aaffd180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 56.016391]  ffff8800aaffd200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 56.016399]
==================================================================
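Added example, not part of the bug report above and not code from the kernel or the i915/xhci drivers: a small Python triage script for the KASAN report in this comment. It strips the printk prefixes, pulls out the faulting frame and access, notes whether that frame sat between the `<IRQ>`/`</IRQ>` markers, collects the allocation and free stacks with the task that ran each, and reads the object range, then checks that the reported 1648-byte offset is consistent with the addresses and decodes the `fb` shadow bytes (0xfb is the mark for a freed slab object in this kernel generation's mm/kasan). The sample input is a constructed, abridged copy of the report above; the regular expressions target the v4.17 KASAN output format and the legend subset is my own, not a kernel API.

```python
"""Pull the lifetime facts a triager needs out of a Linux KASAN report."""
import re

# Constructed input: abridged copy of the report in the comment above (registers and most '? ' lines cut).
SAMPLE_REPORT = """\
<3>[   56.014947] BUG: KASAN: use-after-free in xhci_free_virt_device.part.18+0x5e4/0x650
<3>[   56.014959] Read of size 4 at addr ffff8800aaffd178 by task systemd-udevd/1516
<4>[   56.014990] Call Trace:
<4>[   56.014995]  <IRQ>
<4>[   56.015012]  ? xhci_free_virt_device.part.18+0x5e4/0x650
<4>[   56.015047]  xhci_free_virt_device.part.18+0x5e4/0x650
<4>[   56.015065]  handle_cmd_completion+0x1791/0x41a0
<4>[   56.015125]  xhci_irq+0x1c89/0x64e0
<4>[   56.015301]  </IRQ>
<4>[   56.015308] RIP: 0010:unwind_get_return_address+0x72/0x90
<3>[   56.016130] Allocated by task 153:
<4>[   56.016147]  usb_alloc_dev+0x50/0xc70
<4>[   56.016153]  hub_event+0x10b9/0x3370
<3>[   56.016187] Freed by task 153:
<4>[   56.016196]  kfree+0xe9/0x310
<4>[   56.016202]  device_release+0x6e/0x1d0
<4>[   56.016208]  kobject_put+0x14b/0x400
<4>[   56.016213]  hub_event+0xfc9/0x3370
<3>[   56.016247] The buggy address belongs to the object at ffff8800aaffcb08 which belongs to the cache kmalloc-2048 of size 2048
<3>[   56.016257] The buggy address is located 1648 bytes inside of 2048-byte region [ffff8800aaffcb08, ffff8800aaffd308)
<3>[   56.016365] >ffff8800aaffd100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Slab-relevant part of the shadow-byte legend for this kernel generation (mm/kasan/kasan.h, v4.17).
SHADOW_LEGEND = {0x00: "accessible", 0xFA: "global redzone", 0xFB: "freed slab object",
                 0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "freed page"}

PREFIX = re.compile(r"^(?:<\d>)?\[\s*[\d.]+\]\s?")  # printk level and timestamp
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
STACK_RE = re.compile(r"(Allocated|Freed) by task (\d+):")
OBJECT_RE = re.compile(r"object at ([0-9a-f]+) which belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"located (\d+) bytes inside of \d+-byte region")
SHADOW_RE = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2}\s?)+)")  # the '>' row holds the address
FRAME_RE = re.compile(r"^\s*(\? )?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)")
REG_RE = re.compile(r"^R[A-Z0-9]{2}:")  # RIP:/RSP:/RAX: lines of the interrupted context


def parse_kasan_report(text: str) -> dict:
    r = {"stacks": {"call": [], "alloc": [], "free": []}, "task_of": {}, "in_irq": False, "addr": 0,
         "object_base": 0, "object_size": 0, "reported_offset": None, "shadow_base": 0, "shadow_bytes": []}
    section, irq_depth = None, 0
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if m := BUG_RE.search(line):
            r["bug_type"], r["site"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.search(line):
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["task"], r["pid"] = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif line.startswith("Call Trace:"):
            section = "call"
        elif m := STACK_RE.search(line):
            section = {"Allocated": "alloc", "Freed": "free"}[m.group(1)]
            r["task_of"][section] = int(m.group(2))
        elif m := OBJECT_RE.search(line):
            r["object_base"], r["cache"], r["object_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
        elif m := OFFSET_RE.search(line):
            r["reported_offset"] = int(m.group(1))
        elif m := SHADOW_RE.match(line):
            r["shadow_base"] = int(m.group(1), 16)
            r["shadow_bytes"] = [int(b, 16) for b in m.group(2).split()]
        elif section == "call" and (line.strip() in ("<IRQ>", "</IRQ>") or REG_RE.match(line)):
            irq_depth += {"<IRQ>": 1, "</IRQ>": -1}.get(line.strip(), 0)  # register lines: no change
        elif section and (m := FRAME_RE.match(line)):
            if not m.group(1):  # '? ' frames are stale stack slots, not real callers
                r["stacks"][section].append(m.group(2))
                if section == "call" and m.group(2) == r.get("site") and irq_depth > 0:
                    r["in_irq"] = True  # the bad access ran in interrupt context
        else:
            section = None  # any other line ends the current frame list
    return r


def shadow_state_at_addr(r: dict) -> str:
    idx = (r["addr"] - r["shadow_base"]) // 8  # one shadow byte covers 8 bytes of memory
    if not 0 <= idx < len(r["shadow_bytes"]):
        return "not in dumped shadow row"
    b = r["shadow_bytes"][idx]
    name = f"partially accessible, {b} bytes" if 1 <= b <= 7 else SHADOW_LEGEND.get(b, "unknown")
    return f"{name} (0x{b:02x})"


def triage(r: dict) -> dict:
    """What to establish first for a KASAN use-after-free, from the report alone."""
    off = r["addr"] - r["object_base"]
    return {
        "offset": off,
        "offset_consistent": r["reported_offset"] in (None, off),
        "shadow_marks_freed": shadow_state_at_addr(r).startswith("freed slab object"),
        "access_in_irq": r["in_irq"],
        "freed_by_other_task": r["task_of"].get("free") not in (None, r["pid"]),
        "free_path": " <- ".join(r["stacks"]["free"]),
    }
```

Run it with `triage(parse_kasan_report(SAMPLE_REPORT))`. For this report it confirms that the 4-byte read lands 1648 bytes into the freed kmalloc-2048 object (0xffff8800aaffd178 - 0xffff8800aaffcb08 = 0x670), that the shadow byte under the caret is 0xfb (freed slab object), and that the access came from handle_cmd_completion in interrupt context on CPU 0 while the object had already been released by task 153 through kobject_put -> device_release -> kfree. The stacks therefore point at a usb_device whose last reference was dropped by hub_event while the xHCI command-completion path still held a raw pointer to it; that lifetime gap is the thing to look for in the driver source before anything else.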