[Bug 106084] [CI] igt at .* - BUG kmalloc-2048 (Tainted: G U W ): Poison overwritten

bugzilla-daemon at freedesktop.org
Wed Apr 25 18:25:29 UTC 2018


https://bugs.freedesktop.org/show_bug.cgi?id=106084

--- Comment #5 from Guenter Roeck <linux at roeck-us.net> ---
Same problem seen with v4.17-rc2 when inserting a USB Type-C dongle.

[ 1657.051472] usb 2-2: new SuperSpeed USB device number 5 using xhci_hcd
[ 1657.084589] usb 2-2: device descriptor read/8, error -71
[ 1657.199254] usb 2-2: new SuperSpeed USB device number 5 using xhci_hcd
[ 1657.319426] usb 2-2: device descriptor read/8, error -71
[ 1657.453806] ==================================================================
[ 1657.462113] BUG: KASAN: use-after-free in xhci_free_virt_device+0x33b/0x38e
[ 1657.469911] Read of size 4 at addr ffff88040e82b550 by task kworker/3:3/2085

[ 1657.479477] CPU: 3 PID: 2085 Comm: kworker/3:3 Not tainted 4.17.0-rc2-00001-g41e284e58369-dirty #10
[ 1657.489598] Hardware name: Google Eve/Eve, BIOS Google_Eve.9584.95.0 09/27/2017
[ 1657.497782] Workqueue: usb_hub_wq hub_event
[ 1657.502469] Call Trace:
[ 1657.505212]  <IRQ>
[ 1657.507469]  dump_stack+0x7d/0xbd
[ 1657.511184]  print_address_description+0x80/0x2d2
[ 1657.516443]  ? xhci_free_virt_device+0x33b/0x38e
[ 1657.521619]  kasan_report+0x26a/0x2aa
[ 1657.525721]  xhci_free_virt_device+0x33b/0x38e
[ 1657.530695]  handle_cmd_completion+0x5e6/0x1f19
[ 1657.535768]  ? lock_acquire+0x1f5/0x22b
[ 1657.540071]  ? match_held_lock+0x1d/0xff
[ 1657.544466]  xhci_irq+0x20c7/0x2284
[ 1657.548371]  ? match_held_lock+0x1d/0xff
[ 1657.552766]  ? xhci_irq+0x2284/0x2284
[ 1657.556874]  __handle_irq_event_percpu+0x1da/0x424
[ 1657.562238]  handle_irq_event_percpu+0x34/0x8f
[ 1657.567212]  handle_irq_event+0x59/0x89
[ 1657.571514]  handle_edge_irq+0x13e/0x188
[ 1657.575921]  handle_irq+0x19f/0x1b0
[ 1657.579823]  do_IRQ+0x8b/0xfa
[ 1657.583144]  common_interrupt+0xf/0xf
[ 1657.587244]  </IRQ>
[ 1657.589600] RIP: 0010:__asan_load4+0x63/0x84
[ 1657.594379] RSP: 0018:ffff8804149af7d8 EFLAGS: 00000a06 ORIG_RAX: ffffffffffffffdc
[ 1657.602853] RAX: 1ffff10082935f1d RBX: ffff8804149af8e8 RCX: ffffffff9f2e52a7
[ 1657.610841] RDX: 0000000000000008 RSI: 0000000000000003 RDI: ffff8804149af8e8
[ 1657.618838] RBP: ffff8804149af7d8 R08: dffffc0000000000 R09: ffffed0081d055dd
[ 1657.626828] R10: fffffbfff4198620 R11: ffffffffa0cc30fd R12: 0000000000000008
[ 1657.634811] R13: ffff8804149afc98 R14: ffff8804149b0000 R15: ffff8804149a8000
[ 1657.642802]  ? on_stack+0x38/0x71
[ 1657.646514]  ? stack_access_ok+0x17/0x41
[ 1657.650903]  on_stack+0x38/0x71
[ 1657.654424]  ? device_release+0x9b/0xda
[ 1657.658719]  stack_access_ok+0x17/0x41
[ 1657.662915]  deref_stack_reg+0x1d/0x44
[ 1657.667127]  ? unwind_next_frame+0x65f/0x7a0
[ 1657.671913]  unwind_next_frame+0x674/0x7a0
[ 1657.676502]  ? kobject_put+0x9f/0xb9
[ 1657.680500]  ? kobject_put+0x9f/0xb9
[ 1657.684501]  __save_stack_trace+0xbf/0xe2
[ 1657.688992]  ? kobject_put+0x9f/0xb9
[ 1657.692998]  ? kfree+0x1d9/0x26f
[ 1657.696610]  save_stack+0x46/0xce
[ 1657.700319]  ? __kasan_slab_free+0x102/0x126
[ 1657.705105]  ? slab_free_freelist_hook+0x84/0xd1
[ 1657.710285]  ? kfree+0x1d9/0x26f
[ 1657.713898]  ? device_release+0x9b/0xda
[ 1657.718191]  ? look_up_lock_class+0x104/0x127
[ 1657.723073]  ? register_lock_class+0x4a2/0x507
[ 1657.728067]  ? hlock_class+0x67/0x85
[ 1657.732069]  ? mark_lock+0x3a/0x27a
[ 1657.735974]  ? lock_acquire+0x1f5/0x22b
[ 1657.740271]  ? lookup_chain_cache+0x4c/0x76
[ 1657.744956]  ? __lock_acquire+0x13d9/0x1522
[ 1657.749637]  ? match_held_lock+0x1d/0xff
[ 1657.754051]  ? hlock_class+0x67/0x85
[ 1657.758059]  ? mark_lock+0x3a/0x27a
[ 1657.761965]  ? mark_held_locks+0x30/0x87
[ 1657.766357]  __kasan_slab_free+0x102/0x126
[ 1657.770948]  slab_free_freelist_hook+0x84/0xd1
[ 1657.775926]  kfree+0x1d9/0x26f
[ 1657.779345]  ? device_release+0x9b/0xda
[ 1657.783637]  device_release+0x9b/0xda
[ 1657.787743]  kobject_put+0x9f/0xb9
[ 1657.791555]  hub_event+0x1058/0x1626
[ 1657.795558]  ? xhci_address_device+0x14/0x14
[ 1657.800336]  process_one_work+0x423/0x761
[ 1657.804830]  worker_thread+0x2ec/0x469
[ 1657.809046]  ? cancel_delayed_work+0xdd/0xdd
[ 1657.813827]  kthread+0x1d2/0x1e1
[ 1657.817439]  ? kthread_flush_work+0x118/0x118
[ 1657.822322]  ret_from_fork+0x3a/0x50

[ 1657.827994] Allocated by task 2085:
[ 1657.831897]  kasan_kmalloc+0x99/0xa8
[ 1657.835902]  kmem_cache_alloc_trace+0x10d/0x133
[ 1657.840978]  usb_alloc_dev+0x41/0x551
[ 1657.845070]  hub_event+0x9d2/0x1626
[ 1657.848995]  process_one_work+0x423/0x761
[ 1657.853487]  worker_thread+0x2ec/0x469
[ 1657.857683]  kthread+0x1d2/0x1e1
[ 1657.861295]  ret_from_fork+0x3a/0x50

[ 1657.866961] Freed by task 2085:
[ 1657.870482]  __kasan_slab_free+0x102/0x126
[ 1657.875071]  slab_free_freelist_hook+0x84/0xd1
[ 1657.880066]  kfree+0x1d9/0x26f
[ 1657.883484]  __kfree_skb+0x30/0x3a
[ 1657.887296]  unix_stream_read_generic+0xa61/0xb09
[ 1657.892563]  unix_stream_recvmsg+0x53/0x69
[ 1657.897146]  ___sys_recvmsg+0x167/0x289
[ 1657.901437]  __sys_recvmsg+0x63/0xa2
[ 1657.905444]  do_syscall_64+0x74/0x94
[ 1657.909449]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[ 1657.916786] The buggy address belongs to the object at ffff88040e82aee8
                which belongs to the cache kmalloc-2048 of size 2048
[ 1657.930989] The buggy address is located 1640 bytes inside of
                2048-byte region [ffff88040e82aee8, ffff88040e82b6e8)
[ 1657.944320] The buggy address belongs to the page:
[ 1657.949685] page:ffffea00103a0a00 count:1 mapcount:0 mapping:0000000000000000 index:0xffff88040e828008 compound_mapcount: 0
[ 1657.962146] flags: 0x8000000000008100(slab|head)
[ 1657.967317] raw: 8000000000008100 0000000000000000 ffff88040e828008 00000001000d000c
[ 1657.975986] raw: ffffea00108fe420 ffff88042d403200 ffff88042d40d0c0 0000000000000000
[ 1657.984650] page dumped because: kasan: bad access detected

[ 1657.992554] Memory state around the buggy address:
[ 1657.997915]  ffff88040e82b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.005999]  ffff88040e82b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.014096] >ffff88040e82b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.022174]                                                  ^
[ 1658.028705]  ffff88040e82b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.036792]  ffff88040e82b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1658.044873] ==================================================================

(gdb) l *xhci_free_virt_device+0x33b
0xffffffff8191b855 is in xhci_free_virt_device
(/mnt/host/source/src/third_party/kernel/v4.14/drivers/usb/host/xhci-mem.c:916).
911             if (dev->in_ctx)
912                     xhci_free_container_ctx(xhci, dev->in_ctx);
913             if (dev->out_ctx)
914                     xhci_free_container_ctx(xhci, dev->out_ctx);
915     
916             if (dev->udev && dev->udev->slot_id)
917                     dev->udev->slot_id = 0;
918             kfree(xhci->devs[slot_id]);
919             xhci->devs[slot_id] = NULL;
920     }


It appears that dev->udev has been freed.

Wonder why this is filed against drm?

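A triage helper for reports like the one quoted above, added here as an example and not code from the bug comment or from the kernel tree: it parses the KASAN header, the allocated-by/freed-by stacks and the object line, skips the allocator wrapper frames to find the real owner of the object, and recomputes the in-object offset (1640 bytes) that the report states. The excerpt it runs on is constructed from the comment's own values.

```python
import itertools
import re

# Constructed excerpt of the KASAN report quoted in the comment above (timestamps
# dropped, stacks shortened); every value in it is taken from that report.
REPORT = """\
BUG: KASAN: use-after-free in xhci_free_virt_device+0x33b/0x38e
Read of size 4 at addr ffff88040e82b550 by task kworker/3:3/2085
Allocated by task 2085:
 kasan_kmalloc+0x99/0xa8
 kmem_cache_alloc_trace+0x10d/0x133
 usb_alloc_dev+0x41/0x551
Freed by task 2085:
 __kasan_slab_free+0x102/0x126
 kfree+0x1d9/0x26f
 __kfree_skb+0x30/0x3a
The buggy address belongs to the object at ffff88040e82aee8
                which belongs to the cache kmalloc-2048 of size 2048
"""

HEAD = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x(?P<off>[0-9a-f]+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
OBJECT = re.compile(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+)")
NOISE = ("kasan_", "__kasan_", "kmem_cache_", "slab_free_")  # allocator/KASAN wrapper frames

def strip_ts(line):
    return re.sub(r"^\[\s*\d+\.\d+\] ?", "", line)  # drop a dmesg "[ 1657.462113] " prefix

def stack_after(lines, header):
    # Frame names (offsets removed) of the indented lines after an "Allocated by"/"Freed by" header.
    it = iter(lines)
    for line in it:
        if line.startswith(header):
            return [f.strip().split("+")[0] for f in itertools.takewhile(lambda f: f.startswith(" "), it)]
    return []

def first_caller(frames):
    # First frame that is not an allocator wrapper: the driver code that really owned the object.
    return next((f for f in frames if f != "kfree" and not f.startswith(NOISE)), None)

def parse_kasan(report):
    lines = [strip_ts(l) for l in report.splitlines()]
    text = "\n".join(lines)
    head, acc, obj = HEAD.search(text), ACCESS.search(text), OBJECT.search(text)
    if not (head and acc and obj):
        raise ValueError("not a complete KASAN report")
    addr, base = int(acc[3], 16), int(obj[1], 16)  # faulting address, start of the slab object
    return {"kind": head["kind"], "func": head["func"], "func_off": int(head["off"], 16),
            "access": acc[1].lower(), "bytes": int(acc[2]), "task": acc[4], "cache": obj[2],
            "obj_off": addr - base, "alloc_site": first_caller(stack_after(lines, "Allocated by task")),
            "free_site": first_caller(stack_after(lines, "Freed by task"))}
```

Run on the full dmesg text of the comment it returns the same values, since the timestamp prefix is stripped before parsing; `obj_off` matches the "located 1640 bytes inside" line, which is a quick check that the object line and the access line belong to the same report.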