https://bugzilla.kernel.org/show_bug.cgi?id=220046

Bug ID: 220046
Summary: kmalloc Redzone overwritten in usbhid_parse and usb_get_status
Product: Drivers
Version: 2.5
Hardware: ARM
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: USB
Assignee: drivers_usb@xxxxxxxxxxxxxxxxxxxxxx
Reporter: m95d@xxxxxxxxxxxxxx
Regression: No

Hi.

The system is Asus Tinkerboard S (RK3288, armv7).
I get this error a few seconds after boot if a USB keyboard is connected:

[ +0,007751] [ T265] [kmalloc Redzone overwritten] 0xc61ebec1-0xc61ebec3 @offset=7873. First byte 0x40 instead of 0xcc
[ +0,011900] [ T265] =============================================================================
[ +0,009952] [ T265] BUG kmalloc-128 (Tainted: G B W ): Object corrupt
[ +0,008575] [ T265] -----------------------------------------------------------------------------
[ +0,012348] [ T265] Allocated in usbhid_parse+0x4c0/0x940 age=1812 cpu=0 pid=63
[ +0,008183] [ T265] usbhid_parse+0x4c0/0x940
[ +0,004880] [ T265] hid_add_device+0x1ac/0xaf8
[ +0,005076] [ T265] usbhid_probe+0xbdc/0x1208
[ +0,004973] [ T265] usb_probe_interface+0x3f8/0xa40
[ +0,005559] [ T265] really_probe+0x250/0x818
[ +0,004880] [ T265] __driver_probe_device+0x1c4/0x404
[ +0,005754] [ T265] driver_probe_device+0x58/0x154
[ +0,005459] [ T265] __device_attach_driver+0x278/0x33c
[ +0,005848] [ T265] bus_for_each_drv+0x14c/0x1b4
[ +0,005265] [ T265] __device_attach+0x1d0/0x394
[ +0,005167] [ T265] bus_probe_device+0x19c/0x1cc
[ +0,005264] [ T265] device_add+0xb78/0x11ac
[ +0,004778] [ T265] usb_set_configuration+0x11dc/0x1e54
[ +0,005946] [ T265] usb_generic_driver_probe+0x8c/0xd0
[ +0,005847] [ T265] usb_probe_device+0xc4/0x340
[ +0,005167] [ T265] really_probe+0x250/0x818
[ +0,004878] [ T265] Slab 0xeeed44e8 objects=21 used=15 fp=0xc61eb400 flags=0x240(workingset|head|zone=0)
[ +0,010611] [ T265] Object 0xc61ebe80 @offset=7808 fp=0x00000000
[ +0,009149] [ T265] Redzone c61ebe00: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010605] [ T265] Redzone c61ebe10: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010605] [ T265] Redzone c61ebe20: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010603] [ T265] Redzone c61ebe30: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010605] [ T265] Redzone c61ebe40: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Redzone c61ebe50: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010603] [ T265] Redzone c61ebe60: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Redzone c61ebe70: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Object c61ebe80: 05 01 09 06 a1 01 05 07 19 e0 29 e7 15 00 25 01 ..........)...%.
[ +0,010604] [ T265] Object c61ebe90: 75 01 95 08 81 02 95 01 75 08 81 01 95 03 75 01 u.......u.....u.
[ +0,010603] [ T265] Object c61ebea0: 05 08 19 01 29 03 91 02 95 05 75 01 91 01 95 06 ....).....u.....
[ +0,010604] [ T265] Object c61ebeb0: 75 08 05 07 19 00 2a ff 00 15 00 26 ff 00 81 00 u.....*....&....
[ +0,010603] [ T265] Object c61ebec0: c0 40 ef 00 cc cc cc cc cc cc cc cc cc cc cc cc .@..............
[ +0,010604] [ T265] Object c61ebed0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Object c61ebee0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Object c61ebef0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010602] [ T265] Redzone c61ebf00: cc cc cc cc ....
[ +0,009438] [ T265] Padding c61ebf64: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ +0,010604] [ T265] Padding c61ebf74: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
[ +0,010213] [ T265] ------------[ cut here ]------------
[ +0,005938] [ T265] WARNING: CPU: 1 PID: 265 at mm/slub.c:1110 check_bytes_and_report+0xf4/0x118
[ +0,009839] [ T265] CPU: 1 UID: 0 PID: 265 Comm: mdev Tainted: G B W 6.15.0-rc3-M95D-00014-ge00e800e6d2a-dirty #1 NONE
[ +0,000019] [ T265] Tainted: [B]=BAD_PAGE, [W]=WARN
[ +0,000005] [ T265] Hardware name: Rockchip (Device Tree)
[ +0,000006] [ T265] Call trace:
[ +0,000005] [ T265] [<c0101c44>] (unwind_backtrace) from [<c01566c8>] (show_stack+0x10/0x28)
[ +0,000024] [ T265] [<c01566c8>] (show_stack) from [<c0140ee8>] (dump_stack_lvl+0x58/0x94)
[ +0,000023] [ T265] [<c0140ee8>] (dump_stack_lvl) from [<c0196828>] (__warn+0x12c/0x1b0)
[ +0,000020] [ T265] [<c0196828>] (__warn) from [<c0196af0>] (warn_slowpath_fmt+0x244/0x24c)
[ +0,000015] [ T265] [<c0196af0>] (warn_slowpath_fmt) from [<c0529ad8>] (check_bytes_and_report+0xf4/0x118)
[ +0,000018] [ T265] [<c0529ad8>] (check_bytes_and_report) from [<c0529e9c>] (check_object+0x3a0/0x408)
[ +0,000017] [ T265] [<c0529e9c>] (check_object) from [<c052aa18>] (free_debug_processing+0x120/0x2e4)
[ +0,000017] [ T265] [<c052aa18>] (free_debug_processing) from [<c052e0b4>] (free_to_partial_list+0x70/0x278)
[ +0,000018] [ T265] [<c052e0b4>] (free_to_partial_list) from [<c0530234>] (___cache_free+0xcc/0x114)
[ +0,000019] [ T265] [<c0530234>] (___cache_free) from [<c055fd74>] (qlist_free_all+0x6c/0x108)
[ +0,000022] [ T265] [<c055fd74>] (qlist_free_all) from [<c0560270>] (kasan_quarantine_reduce+0x124/0x180)
[ +0,000021] [ T265] [<c0560270>] (kasan_quarantine_reduce) from [<c055d358>] (__kasan_slab_alloc+0x5c/0x8c)
[ +0,000020] [ T265] [<c055d358>] (__kasan_slab_alloc) from [<c052c91c>] (kmem_cache_alloc_noprof+0x160/0x254)
[ +0,000019] [ T265] [<c052c91c>] (kmem_cache_alloc_noprof) from [<c05cf06c>] (getname_flags+0x94/0x720)
[ +0,000019] [ T265] [<c05cf06c>] (getname_flags) from [<c05a44bc>] (sys_statx+0xb8/0xd4)
[ +0,000018] [ T265] [<c05a44bc>] (sys_statx) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
[ +0,000016] [ T265] Exception stack(0xc85cffa8 to 0xc85cfff0)
[ +0,000012] [ T265] ffa0: b6b2ab20 b6b2ac88 ffffff9c 00263048 00000800 000007ff
[ +0,000011] [ T265] ffc0: b6b2ab20 b6b2ac88 00263048 0000018d 002aa5d8 00263048 00000001 00000000
[ +0,000010] [ T265] ffe0: 00000000 b6b2ab00 ffffff9c 0017dc4c
[ +0,000006] [ T265] ---[ end trace 0000000000000000 ]---
[ +0,227892] [ T265] FIX kmalloc-128: Restoring kmalloc Redzone 0xc61ebec1-0xc61ebec3=0xcc
[ +0,009150] [ T265] FIX kmalloc-128: Object at 0xc61ebe80 not freed

There's also an almost identical error in usb_get_status:

[ +0,104795] [ T265] [kmalloc Redzone overwritten] 0xc3f0e342-0xc3f0e343 @offset=834. First byte 0xff instead of 0xcc
[ +0,011804] [ T265] =============================================================================
[ +0,009926] [ T265] BUG kmalloc-64 (Tainted: G B W ): Object corrupt
[ +0,008467] [ T265] -----------------------------------------------------------------------------
[ +0,012347] [ T265] Allocated in usb_get_status+0x84/0x33c age=1977 cpu=2 pid=50
[ +0,008288] [ T265] usb_get_status+0x84/0x33c
[ +0,004972] [ T265] hub_configure+0x1164/0x1d34
[ +0,005171] [ T265] hub_probe+0xde4/0xe90
[ +0,004586] [ T265] usb_probe_interface+0x3f8/0xa40
[ +0,005557] [ T265] really_probe+0x250/0x818
[ +0,004880] [ T265] __driver_probe_device+0x1c4/0x404
[ +0,005751] [ T265] driver_probe_device+0x58/0x154
[ +0,005461] [ T265] __device_attach_driver+0x278/0x33c
[ +0,005847] [ T265] bus_for_each_drv+0x14c/0x1b4
[ +0,005265] [ T265] __device_attach+0x1d0/0x394
[ +0,005168] [ T265] bus_probe_device+0x19c/0x1cc
[ +0,005265] [ T265] device_add+0xb78/0x11ac
[ +0,004778] [ T265] usb_set_configuration+0x11dc/0x1e54
[ +0,005946] [ T265] usb_generic_driver_probe+0x8c/0xd0
[ +0,005848] [ T265] usb_probe_device+0xc4/0x340
[ +0,005168] [ T265] really_probe+0x250/0x818
[ +0,004877] [ T265] Slab 0xeee85df8 objects=16 used=9 fp=0xc3f0e440 flags=0x200(workingset|zone=0)
[ +0,010019] [ T265] Object 0xc3f0e340 @offset=832 fp=0xc3f0e440
[ +0,009052] [ T265] Redzone c3f0e300: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010605] [ T265] Redzone c3f0e310: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010605] [ T265] Redzone c3f0e320: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010603] [ T265] Redzone c3f0e330: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010605] [ T265] Object c3f0e340: 01 00 ff df cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Object c3f0e350: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010603] [ T265] Object c3f0e360: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010604] [ T265] Object c3f0e370: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ +0,010603] [ T265] Redzone c3f0e380: cc cc cc cc ....
[ +0,009438] [ T265] Padding c3f0e3e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ +0,010603] [ T265] Padding c3f0e3f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
[ +0,010214] [ T265] ------------[ cut here ]------------
[ +0,005938] [ T265] WARNING: CPU: 1 PID: 265 at mm/slub.c:1110 check_bytes_and_report+0xf4/0x118
[ +0,009839] [ T265] CPU: 1 UID: 0 PID: 265 Comm: mdev Tainted: G B W 6.15.0-rc3-M95D-00014-ge00e800e6d2a-dirty #1 NONE
[ +0,000018] [ T265] Tainted: [B]=BAD_PAGE, [W]=WARN
[ +0,000005] [ T265] Hardware name: Rockchip (Device Tree)
[ +0,000007] [ T265] Call trace:
[ +0,000004] [ T265] [<c0101c44>] (unwind_backtrace) from [<c01566c8>] (show_stack+0x10/0x28)
[ +0,000025] [ T265] [<c01566c8>] (show_stack) from [<c0140ee8>] (dump_stack_lvl+0x58/0x94)
[ +0,000022] [ T265] [<c0140ee8>] (dump_stack_lvl) from [<c0196828>] (__warn+0x12c/0x1b0)
[ +0,000021] [ T265] [<c0196828>] (__warn) from [<c0196af0>] (warn_slowpath_fmt+0x244/0x24c)
[ +0,000015] [ T265] [<c0196af0>] (warn_slowpath_fmt) from [<c0529ad8>] (check_bytes_and_report+0xf4/0x118)
[ +0,000018] [ T265] [<c0529ad8>] (check_bytes_and_report) from [<c0529e9c>] (check_object+0x3a0/0x408)
[ +0,000017] [ T265] [<c0529e9c>] (check_object) from [<c052aa18>] (free_debug_processing+0x120/0x2e4)
[ +0,000017] [ T265] [<c052aa18>] (free_debug_processing) from [<c052e0b4>] (free_to_partial_list+0x70/0x278)
[ +0,000018] [ T265] [<c052e0b4>] (free_to_partial_list) from [<c0530234>] (___cache_free+0xcc/0x114)
[ +0,000019] [ T265] [<c0530234>] (___cache_free) from [<c055fd74>] (qlist_free_all+0x6c/0x108)
[ +0,000020] [ T265] [<c055fd74>] (qlist_free_all) from [<c0560270>] (kasan_quarantine_reduce+0x124/0x180)
[ +0,000022] [ T265] [<c0560270>] (kasan_quarantine_reduce) from [<c055d358>] (__kasan_slab_alloc+0x5c/0x8c)
[ +0,000020] [ T265] [<c055d358>] (__kasan_slab_alloc) from [<c052d5e0>] (__kvmalloc_node_noprof+0x1c4/0x3c4)
[ +0,000018] [ T265] [<c052d5e0>] (__kvmalloc_node_noprof) from [<c06307c8>] (seq_buf_alloc+0x68/0x14c)
[ +0,000020] [ T265] [<c06307c8>] (seq_buf_alloc) from [<c0631cc4>] (seq_read_iter+0x8c4/0x14a8)
[ +0,000018] [ T265] [<c0631cc4>] (seq_read_iter) from [<c058cc08>] (vfs_read+0x760/0xae0)
[ +0,000021] [ T265] [<c058cc08>] (vfs_read) from [<c058f070>] (ksys_read+0xf4/0x1bc)
[ +0,000020] [ T265] [<c058f070>] (ksys_read) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
[ +0,000018] [ T265] Exception stack(0xc85cffa8 to 0xc85cfff0)
[ +0,000011] [ T265] ffa0: 0000007f b6b2bc62 00000006 b6b2bc62 0000007f 00000001
[ +0,000012] [ T265] ffc0: 0000007f b6b2bc62 00000006 00000003 0023f53c 00000011 ffffffff b6b2bc62
[ +0,000009] [ T265] ffe0: 000001cc b6b29bd8 0006bcc8 0017f20c
[ +0,000006] [ T265] ---[ end trace 0000000000000000 ]---
[ +0,246152] [ T265] FIX kmalloc-64: Restoring kmalloc Redzone 0xc3f0e342-0xc3f0e343=0xcc
[ +0,009054] [ T265] FIX kmalloc-64: Object at 0xc3f0e340 not freed

I tried to do a git bisect, but I couldn't go back more than v6.8 because the board won't boot.

Thanks.
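
The address arithmetic a triager would do on the two reports above, as an added example that is not part of the original report: it reads the fault range and the object address from each SLUB report and computes where in the object the overwrite starts and how many bytes it covers. The function and field names are this example's own; the sample lines are copied from the log above with the timestamp and task-id columns dropped.

```python
import re

# Lines copied from the two SLUB reports above (timestamps and task ids dropped).
SAMPLE = """\
[kmalloc Redzone overwritten] 0xc61ebec1-0xc61ebec3 @offset=7873. First byte 0x40 instead of 0xcc
BUG kmalloc-128 (Tainted: G B W ): Object corrupt
Allocated in usbhid_parse+0x4c0/0x940 age=1812 cpu=0 pid=63
Object 0xc61ebe80 @offset=7808 fp=0x00000000
[kmalloc Redzone overwritten] 0xc3f0e342-0xc3f0e343 @offset=834. First byte 0xff instead of 0xcc
BUG kmalloc-64 (Tainted: G B W ): Object corrupt
Allocated in usb_get_status+0x84/0x33c age=1977 cpu=2 pid=50
Object 0xc3f0e340 @offset=832 fp=0xc3f0e440
"""

FAULT = re.compile(r"\[[\w ]+ overwritten\] 0x([0-9a-f]+)-0x([0-9a-f]+) @offset=(\d+)")
CACHE = re.compile(r"BUG (\S+) \(")
ALLOC = re.compile(r"Allocated in (\w+)\+")
OBJECT = re.compile(r"Object 0x([0-9a-f]+) @offset=(\d+)")  # header line, not the hex dump


def summarize(log):
    """Return one dict per '... overwritten' report found in a SLUB debug log."""
    reports, cur = [], None
    for line in log.splitlines():
        if m := FAULT.search(line):
            # The printed range is inclusive: first and last corrupted byte.
            cur = {"lo": int(m[1], 16), "hi": int(m[2], 16), "fault_off": int(m[3])}
            reports.append(cur)
        elif cur is None:
            continue
        elif m := CACHE.search(line):
            cur["cache"] = m[1]
        elif m := ALLOC.search(line):
            cur["allocated_in"] = m[1]
        elif (m := OBJECT.search(line)) and "first_bad_offset" not in cur:
            obj, obj_off = int(m[1], 16), int(m[2])
            cur["first_bad_offset"] = cur["lo"] - obj  # bytes into the object
            cur["overrun_len"] = cur["hi"] - cur["lo"] + 1
            cur["write_end"] = cur["first_bad_offset"] + cur["overrun_len"]
            # Cross-check: the two @offset values must agree with the addresses.
            cur["consistent"] = cur["fault_off"] - obj_off == cur["first_bad_offset"]
    return reports


if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(f'{r["cache"]:12} {r["allocated_in"]:16} overwrite starts at byte '
              f'{r["first_bad_offset"]}, {r["overrun_len"]} byte(s), ends at {r["write_end"]}')
```

For these two reports the overwrite starts at byte 65 and covers 3 bytes in the usbhid_parse buffer, and starts at byte 2 and covers 2 bytes in the usb_get_status buffer, so both writes end on a 4-byte boundary (68 and 4).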