[Bug 106084] [CI] igt at .* - BUG kmalloc-2048 (Tainted: G U W ): Poison overwritten
bugzilla-daemon at freedesktop.org
Wed Apr 25 18:25:29 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=106084
--- Comment #5 from Guenter Roeck <linux at roeck-us.net> ---
Same problem seen with v4.17-rc2 when inserting a USB Type-C dongle.
[ 1657.051472] usb 2-2: new SuperSpeed USB device number 5 using xhci_hcd
[ 1657.084589] usb 2-2: device descriptor read/8, error -71
[ 1657.199254] usb 2-2: new SuperSpeed USB device number 5 using xhci_hcd
[ 1657.319426] usb 2-2: device descriptor read/8, error -71
[ 1657.453806] ==================================================================
[ 1657.462113] BUG: KASAN: use-after-free in xhci_free_virt_device+0x33b/0x38e
[ 1657.469911] Read of size 4 at addr ffff88040e82b550 by task kworker/3:3/2085
[ 1657.479477] CPU: 3 PID: 2085 Comm: kworker/3:3 Not tainted 4.17.0-rc2-00001-g41e284e58369-dirty #10
[ 1657.489598] Hardware name: Google Eve/Eve, BIOS Google_Eve.9584.95.0 09/27/2017
[ 1657.497782] Workqueue: usb_hub_wq hub_event
[ 1657.502469] Call Trace:
[ 1657.505212] <IRQ>
[ 1657.507469] dump_stack+0x7d/0xbd
[ 1657.511184] print_address_description+0x80/0x2d2
[ 1657.516443] ? xhci_free_virt_device+0x33b/0x38e
[ 1657.521619] kasan_report+0x26a/0x2aa
[ 1657.525721] xhci_free_virt_device+0x33b/0x38e
[ 1657.530695] handle_cmd_completion+0x5e6/0x1f19
[ 1657.535768] ? lock_acquire+0x1f5/0x22b
[ 1657.540071] ? match_held_lock+0x1d/0xff
[ 1657.544466] xhci_irq+0x20c7/0x2284
[ 1657.548371] ? match_held_lock+0x1d/0xff
[ 1657.552766] ? xhci_irq+0x2284/0x2284
[ 1657.556874] __handle_irq_event_percpu+0x1da/0x424
[ 1657.562238] handle_irq_event_percpu+0x34/0x8f
[ 1657.567212] handle_irq_event+0x59/0x89
[ 1657.571514] handle_edge_irq+0x13e/0x188
[ 1657.575921] handle_irq+0x19f/0x1b0
[ 1657.579823] do_IRQ+0x8b/0xfa
[ 1657.583144] common_interrupt+0xf/0xf
[ 1657.587244] </IRQ>
[ 1657.589600] RIP: 0010:__asan_load4+0x63/0x84
[ 1657.594379] RSP: 0018:ffff8804149af7d8 EFLAGS: 00000a06 ORIG_RAX: ffffffffffffffdc
[ 1657.602853] RAX: 1ffff10082935f1d RBX: ffff8804149af8e8 RCX: ffffffff9f2e52a7
[ 1657.610841] RDX: 0000000000000008 RSI: 0000000000000003 RDI: ffff8804149af8e8
[ 1657.618838] RBP: ffff8804149af7d8 R08: dffffc0000000000 R09: ffffed0081d055dd
[ 1657.626828] R10: fffffbfff4198620 R11: ffffffffa0cc30fd R12: 0000000000000008
[ 1657.634811] R13: ffff8804149afc98 R14: ffff8804149b0000 R15: ffff8804149a8000
[ 1657.642802] ? on_stack+0x38/0x71
[ 1657.646514] ? stack_access_ok+0x17/0x41
[ 1657.650903] on_stack+0x38/0x71
[ 1657.654424] ? device_release+0x9b/0xda
[ 1657.658719] stack_access_ok+0x17/0x41
[ 1657.662915] deref_stack_reg+0x1d/0x44
[ 1657.667127] ? unwind_next_frame+0x65f/0x7a0
[ 1657.671913] unwind_next_frame+0x674/0x7a0
[ 1657.676502] ? kobject_put+0x9f/0xb9
[ 1657.680500] ? kobject_put+0x9f/0xb9
[ 1657.684501] __save_stack_trace+0xbf/0xe2
[ 1657.688992] ? kobject_put+0x9f/0xb9
[ 1657.692998] ? kfree+0x1d9/0x26f
[ 1657.696610] save_stack+0x46/0xce
[ 1657.700319] ? __kasan_slab_free+0x102/0x126
[ 1657.705105] ? slab_free_freelist_hook+0x84/0xd1
[ 1657.710285] ? kfree+0x1d9/0x26f
[ 1657.713898] ? device_release+0x9b/0xda
[ 1657.718191] ? look_up_lock_class+0x104/0x127
[ 1657.723073] ? register_lock_class+0x4a2/0x507
[ 1657.728067] ? hlock_class+0x67/0x85
[ 1657.732069] ? mark_lock+0x3a/0x27a
[ 1657.735974] ? lock_acquire+0x1f5/0x22b
[ 1657.740271] ? lookup_chain_cache+0x4c/0x76
[ 1657.744956] ? __lock_acquire+0x13d9/0x1522
[ 1657.749637] ? match_held_lock+0x1d/0xff
[ 1657.754051] ? hlock_class+0x67/0x85
[ 1657.758059] ? mark_lock+0x3a/0x27a
[ 1657.761965] ? mark_held_locks+0x30/0x87
[ 1657.766357] __kasan_slab_free+0x102/0x126
[ 1657.770948] slab_free_freelist_hook+0x84/0xd1
[ 1657.775926] kfree+0x1d9/0x26f
[ 1657.779345] ? device_release+0x9b/0xda
[ 1657.783637] device_release+0x9b/0xda
[ 1657.787743] kobject_put+0x9f/0xb9
[ 1657.791555] hub_event+0x1058/0x1626
[ 1657.795558] ? xhci_address_device+0x14/0x14
[ 1657.800336] process_one_work+0x423/0x761
[ 1657.804830] worker_thread+0x2ec/0x469
[ 1657.809046] ? cancel_delayed_work+0xdd/0xdd
[ 1657.813827] kthread+0x1d2/0x1e1
[ 1657.817439] ? kthread_flush_work+0x118/0x118
[ 1657.822322] ret_from_fork+0x3a/0x50
[ 1657.827994] Allocated by task 2085:
[ 1657.831897] kasan_kmalloc+0x99/0xa8
[ 1657.835902] kmem_cache_alloc_trace+0x10d/0x133
[ 1657.840978] usb_alloc_dev+0x41/0x551
[ 1657.845070] hub_event+0x9d2/0x1626
[ 1657.848995] process_one_work+0x423/0x761
[ 1657.853487] worker_thread+0x2ec/0x469
[ 1657.857683] kthread+0x1d2/0x1e1
[ 1657.861295] ret_from_fork+0x3a/0x50
[ 1657.866961] Freed by task 2085:
[ 1657.870482] __kasan_slab_free+0x102/0x126
[ 1657.875071] slab_free_freelist_hook+0x84/0xd1
[ 1657.880066] kfree+0x1d9/0x26f
[ 1657.883484] __kfree_skb+0x30/0x3a
[ 1657.887296] unix_stream_read_generic+0xa61/0xb09
[ 1657.892563] unix_stream_recvmsg+0x53/0x69
[ 1657.897146] ___sys_recvmsg+0x167/0x289
[ 1657.901437] __sys_recvmsg+0x63/0xa2
[ 1657.905444] do_syscall_64+0x74/0x94
[ 1657.909449] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1657.916786] The buggy address belongs to the object at ffff88040e82aee8 which belongs to the cache kmalloc-2048 of size 2048
[ 1657.930989] The buggy address is located 1640 bytes inside of 2048-byte region [ffff88040e82aee8, ffff88040e82b6e8)
[ 1657.944320] The buggy address belongs to the page:
[ 1657.949685] page:ffffea00103a0a00 count:1 mapcount:0 mapping:0000000000000000 index:0xffff88040e828008 compound_mapcount: 0
[ 1657.962146] flags: 0x8000000000008100(slab|head)
[ 1657.967317] raw: 8000000000008100 0000000000000000 ffff88040e828008 00000001000d000c
[ 1657.975986] raw: ffffea00108fe420 ffff88042d403200 ffff88042d40d0c0 0000000000000000
[ 1657.984650] page dumped because: kasan: bad access detected
[ 1657.992554] Memory state around the buggy address:
[ 1657.997915] ffff88040e82b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.005999] ffff88040e82b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.014096] >ffff88040e82b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.022174] ^
[ 1658.028705] ffff88040e82b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.036792] ffff88040e82b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.044873] ==================================================================
(gdb) l *xhci_free_virt_device+0x33b
0xffffffff8191b855 is in xhci_free_virt_device
(/mnt/host/source/src/third_party/kernel/v4.14/drivers/usb/host/xhci-mem.c:916).
911 if (dev->in_ctx)
912 xhci_free_container_ctx(xhci, dev->in_ctx);
913 if (dev->out_ctx)
914 xhci_free_container_ctx(xhci, dev->out_ctx);
915
916 if (dev->udev && dev->udev->slot_id)
917 dev->udev->slot_id = 0;
918 kfree(xhci->devs[slot_id]);
919 xhci->devs[slot_id] = NULL;
920 }
It appears that dev->udev has been freed.
Wonder why this is filed against drm?
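The arithmetic in a KASAN slab report (where the faulting address sits inside the object, and what the shadow bytes say about that memory) is worth cross-checking rather than taken on trust. The script below is an added triage helper, not part of the bug report or of the kernel; REPORT is an excerpt of the KASAN output above with the line-wrapped entries rejoined, and the shadow-byte meanings follow the KASAN encoding of v4.17-era kernels (mm/kasan/kasan.h), where one shadow byte describes 8 bytes of memory.

```python
"""Triage helper for a KASAN slab report.

Added example, not part of the bug report or of the kernel.  REPORT is an
excerpt of the KASAN output in the bug comment with wrapped entries rejoined.
"""
import re

SHADOW_GRANULE = 8  # bytes of memory described by one shadow byte
SHADOW_MEANING = {
    0x00: "addressable",
    0xfb: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xfc: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
}
# Allocator-internal frames to skip when naming the alloc/free call site.
ALLOCATOR_PREFIXES = ("kasan_", "__kasan_", "kmem_cache_", "slab_free_",
                      "kfree", "__kmalloc", "kmalloc")

# Constructed excerpt: the report lines that matter for triage, rejoined.
REPORT = """\
[ 1657.462113] BUG: KASAN: use-after-free in xhci_free_virt_device+0x33b/0x38e
[ 1657.469911] Read of size 4 at addr ffff88040e82b550 by task kworker/3:3/2085
[ 1657.827994] Allocated by task 2085:
[ 1657.831897] kasan_kmalloc+0x99/0xa8
[ 1657.835902] kmem_cache_alloc_trace+0x10d/0x133
[ 1657.840978] usb_alloc_dev+0x41/0x551
[ 1657.845070] hub_event+0x9d2/0x1626
[ 1657.866961] Freed by task 2085:
[ 1657.870482] __kasan_slab_free+0x102/0x126
[ 1657.875071] slab_free_freelist_hook+0x84/0xd1
[ 1657.880066] kfree+0x1d9/0x26f
[ 1657.883484] __kfree_skb+0x30/0x3a
[ 1657.916786] The buggy address belongs to the object at ffff88040e82aee8 which belongs to the cache kmalloc-2048 of size 2048
[ 1657.930989] The buggy address is located 1640 bytes inside of 2048-byte region [ffff88040e82aee8, ffff88040e82b6e8)
[ 1658.014096] >ffff88040e82b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
FRAME = re.compile(r"^(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def parse_kasan_report(text):
    """Pull the header, object description, shadow row and stacks out of a report."""
    info = {"stacks": {}}
    section = None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            info["bug_type"], info["in_func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            info.update(access=m.group(1).lower(), size=int(m.group(2)),
                        addr=int(m.group(3), 16), task=m.group(4))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = m.group(1).lower()          # "allocated" / "freed"
            info["stacks"][section] = []
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+) "
                           r"which belongs to the cache (\S+) of size (\d+)", line):
            info.update(obj_start=int(m.group(1), 16), cache=m.group(2),
                        obj_size=int(m.group(3)))
            section = None
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", line):
            # The '>' row holds the 16 shadow bytes (128 bytes of memory) around the access.
            info["shadow_row"] = int(m.group(1), 16)
            info["shadow"] = [int(b, 16) for b in m.group(2).split()]
            section = None
        elif section and (m := FRAME.match(line)):
            info["stacks"][section].append(m.group(1))
    return info


def call_site(frames):
    """First frame that is not allocator plumbing, i.e. the driver-level caller."""
    return next((f for f in frames if not f.startswith(ALLOCATOR_PREFIXES)), None)


def triage_report(text):
    """Recompute the report's own claims and name what was accessed, allocated and freed."""
    info = parse_kasan_report(text)
    offset = info["addr"] - info["obj_start"]
    inside = 0 <= offset and offset + info["size"] <= info["obj_size"]
    # Index of the shadow byte covering the faulting address within the '>' row.
    idx = (info["addr"] - info["shadow_row"]) // SHADOW_GRANULE
    shadow = info["shadow"][idx] if 0 <= idx < len(info["shadow"]) else None
    return {
        "bug_type": info["bug_type"],
        "where": f"{info['in_func']}: {info['access']} of {info['size']} bytes",
        "offset": offset,
        "inside_object": inside,
        "cache": info["cache"],
        "shadow_byte": shadow,
        "shadow_meaning": SHADOW_MEANING.get(shadow, "other/unknown"),
        "alloc_site": call_site(info["stacks"].get("allocated", [])),
        "free_site": call_site(info["stacks"].get("freed", [])),
    }


if __name__ == "__main__":
    for key, value in triage_report(REPORT).items():
        print(f"{key:15} {value}")
```

For this report the recomputed offset is 1640 bytes, matching the kernel's own line, the 4-byte read fits inside the 2048-byte object, and the shadow byte under the caret is 0xfb, i.e. a kmalloc object that has already been freed, which is what makes this a use-after-free rather than an out-of-bounds access. The "Allocated by" stack names usb_alloc_dev, consistent with dev->udev being the freed object. The "Freed by" stack is the last free KASAN recorded for that slab slot; here it points at __kfree_skb, which is consistent with the interrupt having landed while the worker was still inside __kasan_slab_free (visible in the call trace) before the new free stack was written, so the live call trace (kfree via device_release from hub_event) is the better guide to which free released the object.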