
Issue 791773


Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




chromeos-4.14: KASAN: slab-out-of-bounds in iwl_mvm_sar_init

Project Member Reported by groeck@chromium.org, Dec 4 2017

Issue description

Seen when running 'suspend_stress_test -c 5000 --suspend_min=3 --suspend_max=10 --wake_min=3 --wake_max=10 --memory_check --noerrors_fatal --nocrc_fatal -i "rtc_cmos"' with chromeos-4.14 on eve:

[  556.026136] ==================================================================
[  556.026201] BUG: KASAN: slab-out-of-bounds in iwl_mvm_sar_init+0x3f8/0x4e2 [iwlmvm]
[  556.026204] Read of size 4 at addr ffff8803d34ad408 by task kworker/u8:13/6044

[  556.026210] CPU: 3 PID: 6044 Comm: kworker/u8:13 Tainted: G        W       4.14.3 #3
[  556.026212] Hardware name: Google Eve/Eve, BIOS Google_Eve.9584.95.0 09/27/2017
[  556.026217] Workqueue: events_unbound async_run_entry_fn
[  556.026220] Call Trace:
[  556.026226]  dump_stack+0x67/0x90
[  556.026230]  print_address_description+0x80/0x2d6
[  556.026263]  ? iwl_mvm_sar_init+0x3f8/0x4e2 [iwlmvm]
[  556.026266]  kasan_report+0x255/0x295
[  556.026269]  __asan_load4+0x81/0x83
[  556.026302]  iwl_mvm_sar_init+0x3f8/0x4e2 [iwlmvm]
[  556.026332]  iwl_mvm_up+0x6a0/0x734 [iwlmvm]
[  556.026365]  __iwl_mvm_mac_start+0x3d9/0x421 [iwlmvm]
[  556.026395]  iwl_mvm_mac_start+0x106/0x137 [iwlmvm]
[  556.026500]  drv_start+0x1d4/0x203 [mac80211]
[  556.026598]  ieee80211_reconfig+0x2db/0x1c33 [mac80211]
[  556.026603]  ? mark_held_locks+0x30/0x87
[  556.026607]  ? rtnl_lock+0x17/0x19
[  556.026611]  ? trace_hardirqs_on_caller+0x262/0x271
[  556.026614]  ? match_held_lock+0x1d/0x108
[  556.026695]  ieee80211_resume+0xaa/0xb1 [mac80211]
[  556.026766]  wiphy_resume+0x1fd/0x21b [cfg80211]
[  556.026837]  ? addresses_show+0xbc/0xbc [cfg80211]
[  556.026841]  dpm_run_callback+0x6c/0xf2
[  556.026844]  device_resume+0x264/0x2bd
[  556.026848]  ? async_run_entry_fn+0x6f/0x194
[  556.026851]  ? device_resume+0x2bd/0x2bd
[  556.026854]  async_resume+0x1d/0x43
[  556.026857]  async_run_entry_fn+0x79/0x194
[  556.026862]  process_one_work+0x427/0x798
[  556.026866]  worker_thread+0x31c/0x483
[  556.026870]  ? flush_delayed_work+0x65/0x65
[  556.026874]  kthread+0x1e5/0x1f5
[  556.026878]  ? kthread_create_on_node+0x62/0x62
[  556.026882]  ret_from_fork+0x27/0x40

[  556.026886] Allocated by task 6044:
[  556.026891]  save_stack_trace+0x1b/0x1d
[  556.026895]  save_stack+0x46/0xce
[  556.026898]  kasan_kmalloc+0x99/0xa8
[  556.026901]  __kmalloc+0x14c/0x172
[  556.026905]  acpi_os_allocate+0x22/0x24
[  556.026908]  acpi_ut_initialize_buffer+0x4d/0xb7
[  556.026911]  acpi_evaluate_object+0x363/0x3f0
[  556.026964]  iwl_mvm_sar_init+0x2d6/0x4e2 [iwlmvm]
[  556.026994]  iwl_mvm_up+0x6a0/0x734 [iwlmvm]
[  556.027024]  __iwl_mvm_mac_start+0x3d9/0x421 [iwlmvm]
[  556.027054]  iwl_mvm_mac_start+0x106/0x137 [iwlmvm]
[  556.027132]  drv_start+0x1d4/0x203 [mac80211]
[  556.027213]  ieee80211_reconfig+0x2db/0x1c33 [mac80211]
[  556.027293]  ieee80211_resume+0xaa/0xb1 [mac80211]
[  556.027359]  wiphy_resume+0x1fd/0x21b [cfg80211]
[  556.027362]  dpm_run_callback+0x6c/0xf2
[  556.027364]  device_resume+0x264/0x2bd
[  556.027367]  async_resume+0x1d/0x43
[  556.027370]  async_run_entry_fn+0x79/0x194
[  556.027373]  process_one_work+0x427/0x798
[  556.027376]  worker_thread+0x31c/0x483
[  556.027379]  kthread+0x1e5/0x1f5
[  556.027382]  ret_from_fork+0x27/0x40

[  556.027384] Freed by task 5178:
[  556.027388]  save_stack_trace+0x1b/0x1d
[  556.027391]  save_stack+0x46/0xce
[  556.027394]  kasan_slab_free+0x8a/0xac
[  556.027396]  slab_free_hook+0x52/0x5c
[  556.027399]  kfree+0x19d/0x218
[  556.027418]  acpi_ds_delete_walk_state+0x14b/0x154
[  556.027421]  acpi_ps_parse_aml+0x414/0x457
[  556.027423]  acpi_ps_execute_method+0x29b/0x31c
[  556.027429]  acpi_ns_evaluate+0x370/0x45b
[  556.027432]  acpi_evaluate_object+0x242/0x3f0
[  556.027436]  keyboard_led_set_brightness+0x52/0x94
[  556.027439]  led_set_brightness_nopm+0x2c/0x6a
[  556.027442]  led_set_brightness_nosleep+0x4c/0x51
[  556.027445]  led_set_brightness+0x78/0x7d
[  556.027448]  brightness_store+0xa2/0xce
[  556.027452]  dev_attr_store+0x49/0x50
[  556.027455]  sysfs_kf_write+0x8b/0x96
[  556.027458]  kernfs_fop_write+0x185/0x1eb
[  556.027462]  __vfs_write+0x6a/0x153
[  556.027465]  vfs_write+0xd2/0x130
[  556.027468]  SyS_write+0x72/0xc0
[  556.027471]  entry_SYSCALL_64_fastpath+0x2c/0xc1

[  556.027475] The buggy address belongs to the object at ffff8803d34ad0a8
                which belongs to the cache kmalloc-1024 of size 1024
[  556.027478] The buggy address is located 864 bytes inside of
                1024-byte region [ffff8803d34ad0a8, ffff8803d34ad4a8)
[  556.027479] The buggy address belongs to the page:
[  556.027483] page:ffffea000f4d2a00 count:1 mapcount:0 mapping:          (null) index:0xffff8803d34ab5c8 compound_mapcount: 0
[  556.027501] flags: 0x8000000000008100(slab|head)
[  556.027509] raw: 8000000000008100 0000000000000000 ffff8803d34ab5c8 000000010017000b
[  556.027513] raw: ffffea000f522e20 ffff8803ed000e00 ffff8803ed00ef00 0000000000000000
[  556.027515] page dumped because: kasan: bad access detected

[  556.027517] Memory state around the buggy address:
[  556.027520]  ffff8803d34ad300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  556.027523]  ffff8803d34ad380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  556.027526] >ffff8803d34ad400: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  556.027528]                       ^
[  556.027530]  ffff8803d34ad480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  556.027533]  ffff8803d34ad500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  556.027535] ==================================================================

 
Labels: Kernel-4.14
Components: OS>Kernel
