Issue 718070 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug

(Use after free) - asix 5-1.3:1.0 eth0: asix_rx_fixup() Bad Header Length 0x6b6b6b6b, offset 4

Project Member Reported by briannorris@chromium.org, May 3 2017

Issue description

I'm testing with something like the following on Kevin (testing mwifiex Wifi reset + FW reload), over SSH + USB ethernet, with slub_debug enabled.

# Repeatedly reset the mwifiex PCIe device and check that the Wi-Fi interface comes back
while :; do
    echo 1 > /sys/bus/pci/devices/0000\:01\:00.0/reset || break
    [ "$(iw dev)" != "" ] || break   # stop if no wireless interface re-appeared
    echo $((i+=1))                   # print the iteration count
done

I manage to crash shill a lot (maybe relevant? but I'm running a somewhat old rootfs; I wouldn't worry about this too much), but I triggered a fairly obvious use-after-free in the asix USB ethernet driver, followed by a networking BUG -> panic:

[52734.379417] init: shill main process (8409) killed by ABRT signal
[52734.385656] init: shill main process ended, respawning
[52735.441163] asix 5-1.3:1.0 eth0: asix_rx_fixup() Bad Header Length 0x6b6b6b6b, offset 4
[52735.531006] ------------[ cut here ]------------
[52735.535645] kernel BUG at /mnt/host/source/src/third_party/kernel/v4.4/net/core/skbuff.c:1357!
[52735.544250] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[52735.549733] Modules linked in: rfcomm btusb btrtl btbcm btintel uinput uvcvideo videobuf2_vmalloc mwifiex_pcie mwifiex ipt_MASQUERADE nf_nat_masquerade_ipv4 bluetooth iptable_nat nf_nat_ipv4 nf_nat xt_mark bridge stp llc fuse zram cfg80211 ip6table_filter asix usbnet mii joydev
[52735.574692] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.52 #1070
[52735.580864] Hardware name: Google Kevin (DT)
[52735.585133] task: ffffffc0010999b0 ti: ffffffc001080000 task.ti: ffffffc001080000
[52735.592613] PC is at skb_put+0x3c/0x80
[52735.596357] LR is at usbnet_defer_kevent+0x664/0x804 [usbnet]
[52735.602098] pc : [<ffffffc000804e18>] lr : [<ffffffbffc01a700>] pstate: 800001c5
[52735.609483] sp : ffffffc001083a00
[52735.612795] x29: ffffffc001083a00 x28: 0000000000000004 
[52735.618134] x27: 0000000000000000 x26: 000000000000000d 
[52735.623464] x25: ffffffc0e9621400 x24: ffffffc0eade8000 
[52735.628797] x23: ffffffc0eade83a8 x22: ffffffc0ba114b40 
[52735.634126] x21: 0000000000000000 x20: ffffffc0e2fff700 
[52735.639458] x19: ffffffc0ba114b40 x18: 0000000000000000 
[52735.644788] x17: 0000000000000000 x16: 0000000000000000 
[52735.650125] x15: 0000000000000000 x14: 0000000000000000 
[52735.655460] x13: 0000000000000000 x12: 0000000034d5d91d 
[52735.660800] x11: 0000000000000000 x10: 0000000000001000 
[52735.666136] x9 : ffffffc000202800 x8 : ffffffc0bc8ea488 
[52735.671476] x7 : 0000000000000001 x6 : 5a5a5a5a5a5a5a5a 
[52735.676813] x5 : ffffffc0002146a8 x4 : 000000006b6b6b6b 
[52735.682153] x3 : 000000006b6b6b6b x2 : ffffffbffc01a700 
[52735.687488] x1 : 000000000000004e x0 : 6b6b6b6bd6d6d6d6 
[52736.551926] Process swapper/0 (pid: 0, stack limit = 0xffffffc001080040)
[52736.558622] Stack: (0xffffffc001083a00 to 0xffffffc001084000)
[52736.939776] Call trace:
[52736.942228] [<ffffffc000804e18>] skb_put+0x3c/0x80
[52736.947021] [<ffffffbffc01a700>] usbnet_defer_kevent+0x664/0x804 [usbnet]
[52736.953805] [<ffffffc00065e870>] __usb_hcd_giveback_urb+0xc0/0x120
[52736.959981] [<ffffffc00065e924>] usb_hcd_giveback_urb+0x54/0xf0
[52736.965897] [<ffffffc00069904c>] xhci_irq+0x1330/0x1364
[52736.971119] [<ffffffc00065dd2c>] usb_hcd_irq+0x40/0x50
[52736.976256] [<ffffffc00027ab70>] handle_irq_event_percpu+0xf0/0x258
[52736.982516] [<ffffffc00027ad24>] handle_irq_event+0x4c/0x7c
[52736.988085] [<ffffffc00027e748>] handle_fasteoi_irq+0xb4/0x124
[52736.993915] [<ffffffc00027a058>] generic_handle_irq+0x30/0x44
[52736.999655] [<ffffffc00027a3c4>] __handle_domain_irq+0x90/0xbc
[52737.005485] [<ffffffc0002006f4>] gic_handle_irq+0xcc/0x18c
[52737.010965] Exception stack(0xffffffc001083d20 to 0xffffffc001083e50)
[52737.092662] [<ffffffc000203700>] el1_irq+0x80/0xf8
[52737.097454] [<ffffffc0007460ec>] cpuidle_enter+0x34/0x40
[52737.102763] [<ffffffc000267b70>] cpu_startup_entry+0x378/0x3e0
[52737.108593] [<ffffffc000933c04>] rest_init+0x8c/0x94
[52737.113557] [<ffffffc000e00984>] start_kernel+0x3a8/0x400
[52737.118949] [<0000000000b3a000>] 0xb3a000
[52737.122958] Code: 8b234000 f94017a2 f94013a1 34000044 (d4210000) 
[52737.129115] ---[ end trace 9b884ac58ea54e3f ]---
[52737.149496] =============================================================================
[52737.158989] BUG skbuff_head_cache (Tainted: G      D        ): Poison overwritten
[52737.159035] Kernel panic - not syncing: Fatal exception in interrupt
[52737.159042] CPU1: stopping
[52737.159050] CPU: 1 PID: 1710 Comm: chrome Tainted: G      D         4.4.52 #1070
[52737.159051] Hardware name: Google Kevin (DT)
[52737.159054] Call trace:
[52737.159070] [<ffffffc00020883c>] dump_backtrace+0x0/0x160
[52737.159075] [<ffffffc000208acc>] show_stack+0x20/0x28
[52737.159082] [<ffffffc0004c622c>] dump_stack+0x90/0xb0
[52737.159087] [<ffffffc00020e34c>] handle_IPI+0x194/0x2d0
[52737.159091] [<ffffffc000200750>] gic_handle_irq+0x128/0x18c
[52737.159094] Exception stack(0xffffffc0ddb0be80 to 0xffffffc0ddb0bfb0)
[52737.159133] [<ffffffc000203c10>] el0_irq_naked+0x14/0x24
[52737.159135] CPU3: stopping
[52737.159140] CPU: 3 PID: 7440 Comm: sshd Tainted: G      D         4.4.52 #1070
[52737.159141] Hardware name: Google Kevin (DT)
[52737.159142] Call trace:
[52737.159147] [<ffffffc00020883c>] dump_backtrace+0x0/0x160
[52737.159150] [<ffffffc000208acc>] show_stack+0x20/0x28
[52737.159154] [<ffffffc0004c622c>] dump_stack+0x90/0xb0
[52737.159157] [<ffffffc00020e34c>] handle_IPI+0x194/0x2d0
[52737.159160] [<ffffffc000200750>] gic_handle_irq+0x128/0x18c
[52737.159162] Exception stack(0xffffffc0bc8c3a60 to 0xffffffc0bc8c3b90)
[52737.159206] [<ffffffc000203700>] el1_irq+0x80/0xf8
[52737.159212] [<ffffffc000887d04>] tcp_sendmsg+0x48/0x9fc
[52737.159218] [<ffffffc0008b027c>] inet_sendmsg+0x9c/0xcc
[52737.159225] [<ffffffc0007faa44>] sock_sendmsg+0x48/0x60
[52737.159228] [<ffffffc0007faaf8>] sock_write_iter+0x9c/0xdc
[52737.159235] [<ffffffc00035a84c>] __vfs_write+0xd4/0x11c
[52737.159238] [<ffffffc00035b1e8>] vfs_write+0xbc/0x154
[52737.159243] [<ffffffc00035bae4>] SyS_write+0x64/0xb4
[52737.159246] [<ffffffc000203e34>] el0_svc_naked+0x24/0x28
[52737.159250] CPU4: stopping
[52737.159255] CPU: 4 PID: 1742 Comm: mali-renderer Tainted: G      D         4.4.52 #1070
[52737.159257] Hardware name: Google Kevin (DT)
[52737.159258] Call trace:
[52737.159266] [<ffffffc00020883c>] dump_backtrace+0x0/0x160
[52737.159270] [<ffffffc000208acc>] show_stack+0x20/0x28
[52737.159273] [<ffffffc0004c622c>] dump_stack+0x90/0xb0
[52737.159276] [<ffffffc00020e34c>] handle_IPI+0x194/0x2d0
[52737.159279] [<ffffffc000200750>] gic_handle_irq+0x128/0x18c
[52737.159281] Exception stack(0xffffffc0ddbdf6a0 to 0xffffffc0ddbdf7d0)
[52737.159314] [<ffffffc000203700>] el1_irq+0x80/0xf8
[52737.159318] [<ffffffc0005edb38>] kbase_pm_clock_on+0x10c/0x13c
[52737.159320] [<ffffffc0005ec194>] kbase_pm_do_poweron+0x28/0x3c
[52737.159324] [<ffffffc0005ee94c>] kbase_pm_update_active+0xb4/0x158
[52737.159326] [<ffffffc0005ec4b4>] kbase_hwaccess_pm_gpu_active+0x20/0x2c
[52737.159332] [<ffffffc0005d3d04>] kbase_pm_context_active_handle_suspend+0x90/0xb4
[52737.159334] [<ffffffc0005d1f00>] kbase_js_sched+0x138/0x700
[52737.159337] [<ffffffc0005ceddc>] kbase_jd_submit+0x32c/0x364
[52737.159340] [<ffffffc0005de6cc>] kbase_ioctl+0x504/0xa94
[52737.159345] [<ffffffc0003acecc>] compat_SyS_ioctl+0x134/0x10ac
[52737.159348] [<ffffffc000203e90>] __sys_trace_return+0x0/0x4
[52737.159351] CPU2: stopping
[52737.159356] CPU: 2 PID: 2294 Comm: warn_collector Tainted: G      D         4.4.52 #1070
[52737.159357] Hardware name: Google Kevin (DT)
[52737.159358] Call trace:
[52737.159362] [<ffffffc00020883c>] dump_backtrace+0x0/0x160
[52737.159366] [<ffffffc000208acc>] show_stack+0x20/0x28
[52737.159369] [<ffffffc0004c622c>] dump_stack+0x90/0xb0
[52737.159372] [<ffffffc00020e34c>] handle_IPI+0x194/0x2d0
[52737.159375] [<ffffffc000200750>] gic_handle_irq+0x128/0x18c
[52737.159378] Exception stack(0xffffffc0cab0fcc0 to 0xffffffc0cab0fdf0)
[52737.159421] [<ffffffc000203700>] el1_irq+0x80/0xf8
[52737.159425] [<ffffffc00035ba30>] SyS_read+0x64/0xb4
[52737.159427] [<ffffffc000203e34>] el0_svc_naked+0x24/0x28
[52737.803930] -----------------------------------------------------------------------------
[52737.803930] 
[52737.813572] INFO: 0xffffffc0ba114b40-0xffffffc0ba114b4f. First byte 0x40 instead of 0x6b
[52737.821663] INFO: Allocated in __build_skb+0x44/0xac age=3122 cpu=0 pid=7376
[52737.828710] 	alloc_debug_processing+0x124/0x178
[52737.833238] 	___slab_alloc.constprop.69+0x528/0x608
[52737.838113] 	__slab_alloc.isra.65.constprop.68+0x44/0x54
[52737.843420] 	kmem_cache_alloc+0xc8/0x240
[52737.847339] 	__build_skb+0x44/0xac
[52737.850738] 	__netdev_alloc_skb+0xc0/0x120
[52737.854842] 	usbnet_defer_kevent+0x1fc/0x804 [usbnet]
[52737.859889] 	usbnet_defer_kevent+0x7d8/0x804 [usbnet]
[52737.864940] 	__usb_hcd_giveback_urb+0xc0/0x120
[52737.869381] 	usb_hcd_giveback_urb+0x54/0xf0
[52737.873569] 	xhci_irq+0x1330/0x1364
[52737.877059] 	usb_hcd_irq+0x40/0x50
[52737.880465] 	handle_irq_event_percpu+0xf0/0x258
[52737.884983] 	handle_irq_event+0x4c/0x7c
[52737.888820] 	handle_fasteoi_irq+0xb4/0x124
[52737.892915] 	generic_handle_irq+0x30/0x44
[52737.896926] INFO: Freed in __kfree_skb+0x98/0xa4 age=1700 cpu=0 pid=0
[52737.903361] 	free_debug_processing+0x264/0x370
[52737.907801] 	__slab_free+0x84/0x40c
[52737.911289] 	kmem_cache_free+0x1ac/0x284
[52737.915212] 	__kfree_skb+0x98/0xa4
[52737.918610] 	consume_skb+0xf0/0xfc
[52737.922015] 	usbnet_defer_kevent+0x534/0x804 [usbnet]
[52737.927065] 	tasklet_action+0x90/0xf4
[52737.930725] 	__do_softirq+0x1ac/0x338
[52737.934384] 	irq_exit+0x78/0xc0
[52737.937524] 	__handle_domain_irq+0x9c/0xbc
[52737.941617] 	gic_handle_irq+0xcc/0x18c
[52737.945363] 	el1_irq+0x80/0xf8
[52737.948421] 	cpuidle_enter+0x34/0x40
[52737.951997] 	cpu_startup_entry+0x378/0x3e0
[52737.956093] 	rest_init+0x8c/0x94
[52737.959324] 	start_kernel+0x3a8/0x400
[52737.962987] INFO: Slab 0xffffffbdc2e8c500 objects=28 used=25 fp=0xffffffc0ba115f80 flags=0x4080
[52737.971674] INFO: Object 0xffffffc0ba114b40 @offset=2880 fp=0xffffffc0ba114d80
[52737.971674] 
[52737.980365] Bytes b4 ffffffc0ba114b30: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[52737.989832] Object ffffffc0ba114b40: 40 4b 11 ba c0 ff ff ff 40 4b 11 ba c0 ff ff ff  @K......@K......
[52737.999127] Object ffffffc0ba114b50: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.008419] Object ffffffc0ba114b60: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.017715] Object ffffffc0ba114b70: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.027008] Object ffffffc0ba114b80: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.036300] Object ffffffc0ba114b90: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.045594] Object ffffffc0ba114ba0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.054892] Object ffffffc0ba114bb0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.064186] Object ffffffc0ba114bc0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.073478] Object ffffffc0ba114bd0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.082772] Object ffffffc0ba114be0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.092064] Object ffffffc0ba114bf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.101359] Object ffffffc0ba114c00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[52738.110652] Object ffffffc0ba114c10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  kkkkkkkkkkkkkkk.
[52738.119945] Redzone ffffffc0ba114c20: bb bb bb bb bb bb bb bb                          ........
[52738.128632] Padding ffffffc0ba114d60: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[52738.138012] Padding ffffffc0ba114d70: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[52738.147394] CPU: 5 PID: 1759 Comm: Chrome_ChildIOT Tainted: G    B D         4.4.52 #1070
[52738.155559] Hardware name: Google Kevin (DT)
[52738.159825] Call trace:
[52738.162272] [<ffffffc00020883c>] dump_backtrace+0x0/0x160
[52738.167667] [<ffffffc000208acc>] show_stack+0x20/0x28
[52738.172713] [<ffffffc0004c622c>] dump_stack+0x90/0xb0
[52738.177763] [<ffffffc000349888>] print_trailer+0x158/0x168
[52738.183243] [<ffffffc000349950>] check_bytes_and_report+0xb8/0x118
[52738.189416] [<ffffffc000349b40>] check_object+0x134/0x22c
[52738.194810] [<ffffffc00034aa8c>] alloc_debug_processing+0x104/0x178
[52738.201070] [<ffffffc00034b028>] ___slab_alloc.constprop.69+0x528/0x608
[52738.207677] [<ffffffc00034b14c>] __slab_alloc.isra.65.constprop.68+0x44/0x54
[52738.214717] [<ffffffc00034b224>] kmem_cache_alloc+0xc8/0x240
[52738.220372] [<ffffffc000807894>] __alloc_skb+0x68/0x1b4
[52738.225592] [<ffffffc000807a64>] alloc_skb_with_frags+0x84/0x1bc
[52738.231598] [<ffffffc0007ff154>] sock_alloc_send_pskb+0x19c/0x218
[52738.237690] [<ffffffc0008e6384>] unix_stream_sendmsg+0x19c/0x318
[52738.243682] [<ffffffc0007faa44>] sock_sendmsg+0x48/0x60
[52738.248901] [<ffffffc0007fce78>] SyS_sendto+0xe0/0x120
[52738.254035] [<ffffffc0007fcef8>] SyS_send+0x40/0x4c
[52738.258907] [<ffffffc000203e90>] __sys_trace_return+0x0/0x4
[52738.264474] FIX skbuff_head_cache: Restoring 0xffffffc0ba114b40-0xffffffc0ba114b4f=0x6b
[52738.264474] 
[52738.273942] FIX skbuff_head_cache: Marking all objects used
[52738.279555] CPU5: stopping
[52738.282273] CPU: 5 PID: 1759 Comm: Chrome_ChildIOT Tainted: G    B D         4.4.52 #1070
[52738.290439] Hardware name: Google Kevin (DT)
[52738.294704] Call trace:
[52738.297151] [<ffffffc00020883c>] dump_backtrace+0x0/0x160
[52738.302545] [<ffffffc000208acc>] show_stack+0x20/0x28
[52738.307591] [<ffffffc0004c622c>] dump_stack+0x90/0xb0
[52738.312639] [<ffffffc00020e34c>] handle_IPI+0x194/0x2d0
[52738.317858] [<ffffffc000200750>] gic_handle_irq+0x128/0x18c
[52738.323426] Exception stack(0xffffffc0ddd83670 to 0xffffffc0ddd837a0)
[52738.325709] SMP: failed to stop secondary CPUs
[52738.595245] [<ffffffc000203700>] el1_irq+0x80/0xf8
[52738.600030] [<ffffffc000224a60>] irq_exit+0x78/0xc0
[52738.604903] [<ffffffc00027a3d0>] __handle_domain_irq+0x9c/0xbc
[52738.610732] [<ffffffc0002006f4>] gic_handle_irq+0xcc/0x18c
[52738.616215] Exception stack(0xffffffc0ddd838e0 to 0xffffffc0ddd83a10)
[52738.697909] [<ffffffc000203700>] el1_irq+0x80/0xf8
[52738.702695] [<ffffffc00034b224>] kmem_cache_alloc+0xc8/0x240
[52738.708351] [<ffffffc000807894>] __alloc_skb+0x68/0x1b4
[52738.713574] [<ffffffc000807a64>] alloc_skb_with_frags+0x84/0x1bc
[52738.719578] [<ffffffc0007ff154>] sock_alloc_send_pskb+0x19c/0x218
[52738.725667] [<ffffffc0008e6384>] unix_stream_sendmsg+0x19c/0x318
[52738.731666] [<ffffffc0007faa44>] sock_sendmsg+0x48/0x60
[52738.736886] [<ffffffc0007fce78>] SyS_sendto+0xe0/0x120
[52738.742021] [<ffffffc0007fcef8>] SyS_send+0x40/0x4c
[52738.746895] [<ffffffc000203e90>] __sys_trace_return+0x0/0x4

Oh wow, I actually reproduced a similar crash shortly after:

[ 3127.619069] mwifiex_pcie 0000:01:00.0: PREP_CMD: card is removed
[ 3127.734555] init: shill main process (5171) killed by ABRT signal
[ 3127.740903] init: shill main process ended, respawning
[ 3127.845443] mwifiex_pcie 0000:01:00.0: info: dnld wifi firmware from 174948 bytes
[ 3128.598054] =============================================================================
[ 3128.605791] ------------[ cut here ]------------
[ 3128.605803] kernel BUG at /mnt/host/source/src/third_party/kernel/v4.4/net/core/skbuff.c:1357!
[ 3128.605810] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[ 3128.605866] Modules linked in: rfcomm btusb btrtl btbcm btintel uinput uvcvideo videobuf2_vmalloc mwifiex_pcie mwifiex ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat bluetooth xt_mark bridge stp llc fuse zram cfg80211 ip6table_filter joydev asix usbnet mii
[ 3128.605873] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.52 #1070
[ 3128.605875] Hardware name: Google Kevin (DT)
[ 3128.605880] task: ffffffc0010999b0 ti: ffffffc001080000 task.ti: ffffffc001080000
[ 3128.605892] PC is at skb_put+0x3c/0x80
[ 3128.605902] LR is at usbnet_defer_kevent+0x664/0x804 [usbnet]
[ 3128.605905] pc : [<ffffffc000804e18>] lr : [<ffffffbffc008700>] pstate: 800001c5
[ 3128.605907] sp : ffffffc001083a00
[ 3128.605911] x29: ffffffc001083a00 x28: 0000000000000004 
[ 3128.605915] x27: 0000000000000000 x26: 000000000000000d 
[ 3128.605919] x25: ffffffc0ea013e00 x24: ffffffc0eadc0000 
[ 3128.605923] x23: ffffffc0eadc03a8 x22: ffffffc0b9eb98c0 
[ 3128.605927] x21: 0000000000000000 x20: ffffffc0e2dade00 
[ 3128.605931] x19: ffffffc0b9eb98c0 x18: 0000000000000000 
[ 3128.605935] x17: 0000000000000000 x16: ffffffc00035b9cc 
[ 3128.605939] x15: 0000000000000000 x14: 0000000000000000 
[ 3128.605943] x13: 0000000000000002 x12: 0000000100000003 
[ 3128.605947] x11: 0000000000000003 x10: 00000000000008e0 
[ 3128.605951] x9 : 0000000000000000 x8 : ffffffc0d99c0a88 
[ 3128.605954] x7 : 0000000000000001 x6 : 5a5a5a5a5a5a5a5a 
[ 3128.605959] x5 : ffffffc0002146a8 x4 : 000000006b6b6b6b 
[ 3128.605962] x3 : 000000006b6b6b6b x2 : ffffffbffc008700 
[ 3128.605966] x1 : 0000000000000060 x0 : 6b6b6b6bd6d6d6d6 
...
[ 3128.607158] Call trace:
c001000838 0000000000000000 0000000000000000 0000000000000000
[ 3128.607166] [<ffffffc000
[ 3128.607173] [<ffffffbffc008700>] usbnet_defer_keven
[ 3128.607182] [<ffffffc00065e870>] __usb_hcd_giveback_urb+0xc0/0x120
sbnet]
[ 3128.607187] [<ffffffc00065e924>] usb_hcd_giveback_urb+0x54/0xf0
20
[ 3128.607194] [<ffffffc00069904c>] xhci_irq+0x1330/0x1364
54/0xf0
[ 3128.607199] [<ffffffc00065dd2c>] usb_hcd_irq+0x40/0x50
[ 3128.607208] [<ffffffc00027ab70>] handle_irq_event_percp
[ 3128.607212] [<ffffffc00027ad24>] handle_irq_event+0x4c/0x7c
0/0x258
[ 3128.607218] [<ffffffc00027e748>] handle_fasteoi_irq+0xb4/0x1
[ 3128.607223] [<ffffffc00027a058>] generic_handle_irq+0x30/0x44
[ 3128.607228] [<ffffffc00027a3c4>] __handle_domain_irq+0x90/0xbc
[ 3128.607234] [<ffffffc0002006f4>] gic_handle_irq+0xcc/0x18c
xbc

And if it helps, lsusb gives:

Bus 005 Device 003: ID 0b95:7720 ASIX Electronics Corp. AX88772
Status: Assigned (was: Untriaged)
Can you enable KASAN? That might help in tracking down the problem further.

Assigning to myself, though it might take a bit until I can look into it. Others feel free to chime in.
I'll try to keep kasan enabled.

Also, beware that there may be other memory bugs related to my issues, especially given that I'm stressing the mwifiex reset path. The mwifiex driver is still really crappy, and I just saw this one:

[ 1455.225563] Unable to handle kernel paging request at virtual address d6d6d696d6b6d6c0
[ 1455.233804] pgd = ffffffc0c0df4000
[ 1455.237435] [d6d6d696d6b6d6c0] *pgd=0000000000000000, *pud=0000000000000000
[ 1455.244475] Internal error: Oops: 96000144 [#1] PREEMPT SMP
[ 1455.250041] Modules linked in: rfcomm btusb btrtl btbcm btintel uinput uvcvideo videobuf2_vmalloc mwifiex_pcie mwifiex bluetooth ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat xt_mark bridge stp llc fuse zram cfg80211 ip6table_filter joydev asix usbnet mii
[ 1455.275116] CPU: 4 PID: 3570 Comm: bash Not tainted 4.4.52 #1070
[ 1455.281114] Hardware name: Google Kevin (DT)
[ 1455.285384] task: ffffffc0cb5faa00 ti: ffffffc0c0dac000 task.ti: ffffffc0c0dac000
[ 1455.292866] PC is at __dma_inv_range+0x20/0x50
[ 1455.297317] LR is at __swiotlb_unmap_page+0x68/0x90
[ 1455.302189] pc : [<ffffffc000216350>] lr : [<ffffffc000214710>] pstate: 00000145
[ 1455.309574] sp : ffffffc0c0dafa50
[ 1455.312886] x29: ffffffc0c0dafa50 x28: ffffffc0c0dac000 
[ 1455.318220] x27: ffffffc000a04000 x26: 0000000000000004 
[ 1455.323557] x25: ffffffc0c923bdc8 x24: ffffff8000142028 
[ 1455.328885] x23: ffffffc0bafab3c0 x22: ffffffc0dcef4300 
[ 1455.334219] x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b6b 
[ 1455.339558] x19: ffffffc0ed2f3998 x18: 0000000000000000 
[ 1455.344898] x17: 0000000000000000 x16: ffffffc0002a3e4c 
[ 1455.350237] x15: 0000000000000000 x14: 00000000f3556263 
[ 1455.355576] x13: 00000000f25fea70 x12: 00000000000000f0 
[ 1455.360912] x11: 0000000000000080 x10: 00000000000008e0 
[ 1455.366246] x9 : ffffffc0c0daf810 x8 : ffffffc0bafa8328 
[ 1455.371582] x7 : bbbbbbbbbbbbbbbb x6 : 5a5a5a5a5a5a5a5a 
[ 1455.376919] x5 : ffffffc0002146a8 x4 : 0000000000000000 
[ 1455.382257] x3 : 000000000000003f x2 : 0000000000000040 
[ 1455.387596] x1 : d6d6d696d6b6d6c0 x0 : 6b6b6b2b6b4b6b6b 
...
[ 1456.766291] Call trace:
[ 1456.768742] [<ffffffc000216350>] __dma_inv_range+0x20/0x50
[ 1456.774224] [<ffffffbffc1cefd8>] 0xffffffbffc1cefd8
[ 1456.779093] [<ffffffbffc1cf1fc>] 0xffffffbffc1cf1fc
[ 1456.783962] [<ffffffbffc1cf560>] 0xffffffbffc1cf560
[ 1456.788833] [<ffffffbffc1cf5c4>] 0xffffffbffc1cf5c4
[ 1456.793719] [<ffffffbffc18e0cc>] mwifiex_shutdown_sw+0x104/0x5e4 [mwifiex]
[ 1456.800584] [<ffffffbffc1ce474>] 0xffffffbffc1ce474
[ 1456.805462] [<ffffffc00050cfe4>] pci_reset_notify+0x40/0x4c
[ 1456.811026] [<ffffffc0005102f8>] pci_dev_save_and_disable+0x24/0x58
[ 1456.817287] [<ffffffc0005126c4>] pci_reset_function+0x30/0x7c
[ 1456.823025] [<ffffffc000515998>] reset_store+0x68/0x98
[ 1456.828164] [<ffffffc0005f1ddc>] dev_attr_store+0x48/0x54
[ 1456.833563] [<ffffffc0003cce20>] sysfs_kf_write+0x5c/0x68
[ 1456.838953] [<ffffffc0003cbee8>] kernfs_fop_write+0x118/0x170
[ 1456.844697] [<ffffffc00035a7d0>] __vfs_write+0x58/0x11c
[ 1456.849917] [<ffffffc00035b1e8>] vfs_write+0xbc/0x154
[ 1456.854961] [<ffffffc00035bae4>] SyS_write+0x64/0xb4
[ 1456.859924] [<ffffffc000203e34>] el0_svc_naked+0x24/0x28

Cc: dtor@chromium.org
Yep, I'm gonna say that probably wasn't a USB issue. I forgot, I've seen this one before but didn't track it down. Just saw it again, now that I re-enabled KASAN:

[   89.971753] mwifiex_pcie 0000:01:00.0: info: shutdown mwifiex...
[   89.982483] ==================================================================
[   89.989742] BUG: KASAN: use-after-free in mwifiex_wait_queue_complete+0xa0/0x168 [mwifiex] at addr ffffffc09c80b198
[   90.000162] Read of size 8 by task wpa_supplicant/887
[   90.005207] =============================================================================
[   90.013374] BUG kmalloc-8192 (Not tainted): kasan: bad access detected
[   90.019891] -----------------------------------------------------------------------------
[   90.019891] 
[   90.029530] Disabling lock debugging due to kernel taint
[   90.034841] INFO: Allocated in mwifiex_alloc_cmd_buffer+0x30/0xdc [mwifiex] age=245 cpu=4 pid=2250
[   90.043794] 	alloc_debug_processing+0x124/0x178
[   90.048322] 	___slab_alloc.constprop.61+0x528/0x608
[   90.053196] 	__slab_alloc.isra.57.constprop.60+0x44/0x54
[   90.058503] 	__kmalloc+0x11c/0x2b8
[   90.061912] 	mwifiex_alloc_cmd_buffer+0x30/0xdc [mwifiex]
[   90.067315] 	mwifiex_init_fw+0x40/0x6cc [mwifiex]
[   90.072025] 	mwifiex_shutdown_sw+0x468/0x830 [mwifiex]
[   90.077168] 	mwifiex_reinit_sw+0x2c4/0x3cc [mwifiex]
[   90.082127] 	0xffffffbffc3206f4
[   90.085268] 	pci_reset_notify+0x5c/0x6c
[   90.089100] 	pci_reset_function+0x6c/0x7c
[   90.093106] 	reset_store+0x68/0x98
[   90.096506] 	dev_attr_store+0x54/0x60
[   90.100165] 	sysfs_kf_write+0x9c/0xb0
[   90.103825] 	kernfs_fop_write+0x184/0x1f8
[   90.107831] 	__vfs_write+0x6c/0x17c
[   90.111329] INFO: Freed in mwifiex_free_cmd_buffer+0x130/0x158 [mwifiex] age=72 cpu=5 pid=2250
[   90.119930] 	free_debug_processing+0x264/0x370
[   90.124371] 	__slab_free+0x84/0x40c
[   90.127856] 	kfree+0x248/0x274
[   90.130919] 	mwifiex_free_cmd_buffer+0x130/0x158 [mwifiex]
[   90.136408] 	mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex]
[   90.141638] 	mwifiex_shutdown_sw+0x178/0x830 [mwifiex]
[   90.146773] 	0xffffffbffc3206b4
[   90.149915] 	pci_reset_notify+0x5c/0x6c
[   90.153747] 	pci_dev_save_and_disable+0x24/0x6c
[   90.158274] 	pci_reset_function+0x30/0x7c
[   90.162282] 	reset_store+0x68/0x98
[   90.165686] 	dev_attr_store+0x54/0x60
[   90.169347] 	sysfs_kf_write+0x9c/0xb0
[   90.173005] 	kernfs_fop_write+0x184/0x1f8
[   90.177011] 	__vfs_write+0x6c/0x17c
[   90.180496] 	vfs_write+0xf0/0x1c4
[   90.183808] INFO: Slab 0xffffffbdc2728200 objects=3 used=1 fp=0xffffffc09c80a180 flags=0x4080
[   90.192321] INFO: Object 0xffffffc09c80a180 @offset=8576 fp=0xffffffc09c808000
[   90.192321] 
[   90.201012] Bytes b4 ffffffc09c80a170: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   90.210479] Object ffffffc09c80a180: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   90.219771] Object ffffffc09c80a190: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
[   90.229065] Object ffffffc09c80a1a0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
...
[   92.580236] atmel_mxt_ts 3-004b: Status: 10 Config Checksum: 06cb89
[   92.587868] atmel_mxt_ts 3-004b: Status: 00 Config Checksum: 06cb89
[   92.601912] Redzone ffffffc09c80c180: bb bb bb bb bb bb bb bb                          ........
[   92.610598] Padding ffffffc09c80c2c0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   92.619978] Padding ffffffc09c80c2d0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   92.629356] Padding ffffffc09c80c2e0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   92.638736] Padding ffffffc09c80c2f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
[   92.648119] CPU: 4 PID: 887 Comm: wpa_supplicant Tainted: G    B           4.4.52 #1073
[   92.656112] Hardware name: Google Kevin (DT)
[   92.660377] Call trace:
[   92.662829] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190
[   92.668225] [<ffffffc00020a96c>] show_stack+0x20/0x28
[   92.673276] [<ffffffc0005ce10c>] dump_stack+0xa4/0xcc
[   92.678326] [<ffffffc0003be4a4>] print_trailer+0x158/0x168
[   92.683806] [<ffffffc0003be648>] object_err+0x4c/0x5c
[   92.688853] [<ffffffc0003c44f4>] kasan_report+0x334/0x500
[   92.694247] [<ffffffc0003c3734>] __asan_load8+0x78/0x80
[   92.699482] [<ffffffbffc2abbcc>] mwifiex_wait_queue_complete+0xa0/0x168 [mwifiex]
[   92.706967] [<ffffffbffc29772c>] mwifiex_send_cmd+0x474/0x490 [mwifiex]
[   92.713586] [<ffffffbffc2c06a4>] mwifiex_del_virtual_intf+0x43bc/0x67e8 [mwifiex]
[   92.721073] [<ffffffbffc0a4fc4>] cfg80211_cqm_beacon_loss_notify+0x23e4/0x4e30 [cfg80211]
[   92.729252] [<ffffffbffc0b4f60>] cfg80211_ch_switch_notify+0x4fc/0x3cd8 [cfg80211]
[   92.736815] [<ffffffc000ab368c>] genl_lock_dumpit+0x48/0x64
[   92.742382] [<ffffffc000ab06f0>] netlink_dump+0x178/0x398
[   92.747775] [<ffffffc000ab0f94>] __netlink_dump_start+0x1bc/0x260
[   92.753862] [<ffffffc000ab44e4>] genl_family_rcv_msg+0x200/0x478
[   92.759863] [<ffffffc000ab47c0>] genl_rcv_msg+0x64/0x98
[   92.765083] [<ffffffc000ab3220>] netlink_rcv_skb+0xa4/0x128
[   92.770651] [<ffffffc000ab42d0>] genl_rcv+0x3c/0x50
[   92.775525] [<ffffffc000ab2918>] netlink_unicast+0x200/0x2d8
[   92.781178] [<ffffffc000ab2f4c>] netlink_sendmsg+0x460/0x48c
[   92.786833] [<ffffffc000a449a4>] sock_sendmsg+0x70/0x8c
[   92.792053] [<ffffffc000a46674>] ___sys_sendmsg+0x2a0/0x364
[   92.797620] [<ffffffc000a47b1c>] __sys_sendmsg+0x60/0xa4
[   92.802928] [<ffffffc000a9eab0>] compat_SyS_sendmsg+0x34/0x40
[   92.808668] [<ffffffc000204634>] el0_svc_naked+0x24/0x28
[   92.813972] Memory state around the buggy address:
[   92.818759]  ffffffc09c80b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.825971]  ffffffc09c80b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.833184] >ffffffc09c80b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.840394]                             ^
[   92.844400]  ffffffc09c80b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.851613]  ffffffc09c80b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.858822] ==================================================================
[   92.867585] ==================================================================
[   92.874810] BUG: KASAN: wild-memory-access on address 6b6b6b6b6b6b6b6b
[   92.881330] Read of size 1 by task wpa_supplicant/887
[   92.886381] CPU: 4 PID: 887 Comm: wpa_supplicant Tainted: G    B           4.4.52 #1073
[   92.894372] Hardware name: Google Kevin (DT)
[   92.898635] Call trace:
[   92.901089] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190
[   92.906483] [<ffffffc00020a96c>] show_stack+0x20/0x28
[   92.911531] [<ffffffc0005ce10c>] dump_stack+0xa4/0xcc
[   92.916579] [<ffffffc0003c42e8>] kasan_report+0x128/0x500
[   92.921971] [<ffffffc0003c3460>] __asan_load1+0x44/0x4c
[   92.927212] [<ffffffbffc2abbd8>] mwifiex_wait_queue_complete+0xac/0x168 [mwifiex]
[   92.934696] [<ffffffbffc29772c>] mwifiex_send_cmd+0x474/0x490 [mwifiex]
[   92.941314] [<ffffffbffc2c06a4>] mwifiex_del_virtual_intf+0x43bc/0x67e8 [mwifiex]
[   92.948800] [<ffffffbffc0a4fc4>] cfg80211_cqm_beacon_loss_notify+0x23e4/0x4e30 [cfg80211]
[   92.956979] [<ffffffbffc0b4f60>] cfg80211_ch_switch_notify+0x4fc/0x3cd8 [cfg80211]
[   92.964542] [<ffffffc000ab368c>] genl_lock_dumpit+0x48/0x64
[   92.970109] [<ffffffc000ab06f0>] netlink_dump+0x178/0x398
[   92.975503] [<ffffffc000ab0f94>] __netlink_dump_start+0x1bc/0x260
[   92.981590] [<ffffffc000ab44e4>] genl_family_rcv_msg+0x200/0x478
[   92.987590] [<ffffffc000ab47c0>] genl_rcv_msg+0x64/0x98
[   92.992814] [<ffffffc000ab3220>] netlink_rcv_skb+0xa4/0x128
[   92.998381] [<ffffffc000ab42d0>] genl_rcv+0x3c/0x50
[   93.003257] [<ffffffc000ab2918>] netlink_unicast+0x200/0x2d8
[   93.008914] [<ffffffc000ab2f4c>] netlink_sendmsg+0x460/0x48c
[   93.014579] [<ffffffc000a449a4>] sock_sendmsg+0x70/0x8c
[   93.019806] [<ffffffc000a46674>] ___sys_sendmsg+0x2a0/0x364
[   93.025380] [<ffffffc000a47b1c>] __sys_sendmsg+0x60/0xa4
[   93.030693] [<ffffffc000a9eab0>] compat_SyS_sendmsg+0x34/0x40
[   93.036441] [<ffffffc000204634>] el0_svc_naked+0x24/0x28
[   93.041752] ==================================================================

Owner: groeck@chromium.org
Filed this, so Marvell can pay attention (ha! I kid myself):
https://issuetracker.google.com/issues/37946775

I'm not 100% sure if all symptoms are directly resulting from mwifiex bugs, but I'd bet pretty good money. Maybe it's best to just close this one.

--

Guenter, presumably you meant to assign to yourself. I'll assign you, but feel free to close if you agree.
Looking into the code, I think there is a race between mwifiex_wait_queue_complete() accessing a command structure which was freed in mwifiex_shutdown_drv(). The latter function triggers the waiter, but I don't see how it would make sure that the waiter doesn't access the freed memory.
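The race described in #6 (a waiter sleeping on a command structure that the shutdown path frees) can be modelled in userspace. The block below is an added illustration, not mwifiex or kernel code: a pthread model of a waiter and a shutdown path sharing one command node, with a reference count so that whichever side finishes last frees it. Every name in it (cmd_node, cmd_put, shutdown_fixed, wait_queue_complete, run_fixed_model, model_free_count) is invented for the model.

```c
/* Added userspace model (pthreads, not kernel or mwifiex code) of the race in
 * #6: a waiter sleeps on a command node while shutdown completes and frees it. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct cmd_node {
    pthread_mutex_t lock;
    pthread_cond_t  done;
    int             complete;   /* set once the command has been answered */
    int             result;     /* what the waiter reads after waking */
    atomic_int      refcnt;     /* the fix: one reference per user of the node */
};
static atomic_int frees;        /* how many times the node was freed */

static struct cmd_node *cmd_alloc(void) {
    struct cmd_node *c = calloc(1, sizeof *c);
    pthread_mutex_init(&c->lock, NULL);
    pthread_cond_init(&c->done, NULL);
    atomic_init(&c->refcnt, 1); /* the driver's own reference */
    return c;
}
static void cmd_put(struct cmd_node *c) {
    if (atomic_fetch_sub(&c->refcnt, 1) != 1)
        return;                 /* another party still uses the node */
    memset(c, 0x6b, sizeof *c); /* mimic SLUB poisoning: a stale read sees 0x6b */
    free(c);
    atomic_fetch_add(&frees, 1);
}

/* Shutdown path. The buggy shape is "complete, wake, free(c)": the waiter can
 * wake after the free and read c->result from poisoned memory, which is what
 * the 0x6b6b6b6b values above look like. The fix drops only its own reference. */
static void shutdown_fixed(struct cmd_node *c) {
    pthread_mutex_lock(&c->lock);
    c->complete = 1; c->result = 42;    /* constructed sample result */
    pthread_cond_broadcast(&c->done);
    pthread_mutex_unlock(&c->lock);
    cmd_put(c);
}

/* Waiter: sleeps until complete, reads, then drops the reference the submitter
 * took on its behalf. Whoever drops the last reference frees the node. */
static int wait_queue_complete(struct cmd_node *c) {
    pthread_mutex_lock(&c->lock);
    while (!c->complete) pthread_cond_wait(&c->done, &c->lock);
    int r = c->result;
    pthread_mutex_unlock(&c->lock);
    cmd_put(c);
    return r;
}
static void *waiter_thread(void *p) {
    return (void *)(intptr_t)wait_queue_complete(p);
}

/* Runs the fixed protocol once: the waiter runs in a second thread while this
 * thread performs the shutdown. Returns what the waiter read; one free results. */
int run_fixed_model(void) {
    struct cmd_node *c = cmd_alloc();
    pthread_t t; void *ret;
    atomic_store(&frees, 0);
    atomic_fetch_add(&c->refcnt, 1);    /* waiter's reference, before any race */
    pthread_create(&t, NULL, waiter_thread, c);
    shutdown_fixed(c);                  /* may run before or after the waiter sleeps */
    pthread_join(t, &ret);
    return (int)(intptr_t)ret;
}
int model_free_count(void) { return atomic_load(&frees); }
```

Whichever thread wins the race, the node is freed exactly once and only after the waiter has read its result; the poisoning in cmd_put makes any remaining stale read show up as 0x6b bytes, the same pattern as in the logs above.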

Status: WontFix (was: Assigned)
I agree with #6. There is a slight chance that there is a parallel USB problem, but that will be all but impossible to track down with the mwifiex use-after-free lurking in the background. Marking as WontFix.

Note: I tried to mark the bug as duplicate of https://issuetracker.google.com/issues/37946775, but the system doesn't let me do that.
