From: bugzilla-daemon@kernel.org
To: linux-usb@vger.kernel.org
Subject: [Bug 220046] New: kmalloc Redzone overwritten in usbhid_parse and usb_get_status
Date: Wed, 23 Apr 2025 12:42:53 +0000
Message-ID: <bug-220046-208809@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=220046
Bug ID: 220046
Summary: kmalloc Redzone overwritten in usbhid_parse and usb_get_status
Product: Drivers
Version: 2.5
Hardware: ARM
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: USB
Assignee: drivers_usb@kernel-bugs.kernel.org
Reporter: m95d@psihoexpert.ro
Regression: No
Hi.
The system is Asus Tinkerboard S (RK3288, armv7).
I get this error a few seconds after boot if a USB keyboard is connected:
[ +0,007751] [ T265] [kmalloc Redzone overwritten] 0xc61ebec1-0xc61ebec3
@offset=7873. First byte 0x40 instead of 0xcc
[ +0,011900] [ T265]
=============================================================================
[ +0,009952] [ T265] BUG kmalloc-128 (Tainted: G B W ): Object
corrupt
[ +0,008575] [ T265]
-----------------------------------------------------------------------------
[ +0,012348] [ T265] Allocated in usbhid_parse+0x4c0/0x940 age=1812 cpu=0
pid=63
[ +0,008183] [ T265] usbhid_parse+0x4c0/0x940
[ +0,004880] [ T265] hid_add_device+0x1ac/0xaf8
[ +0,005076] [ T265] usbhid_probe+0xbdc/0x1208
[ +0,004973] [ T265] usb_probe_interface+0x3f8/0xa40
[ +0,005559] [ T265] really_probe+0x250/0x818
[ +0,004880] [ T265] __driver_probe_device+0x1c4/0x404
[ +0,005754] [ T265] driver_probe_device+0x58/0x154
[ +0,005459] [ T265] __device_attach_driver+0x278/0x33c
[ +0,005848] [ T265] bus_for_each_drv+0x14c/0x1b4
[ +0,005265] [ T265] __device_attach+0x1d0/0x394
[ +0,005167] [ T265] bus_probe_device+0x19c/0x1cc
[ +0,005264] [ T265] device_add+0xb78/0x11ac
[ +0,004778] [ T265] usb_set_configuration+0x11dc/0x1e54
[ +0,005946] [ T265] usb_generic_driver_probe+0x8c/0xd0
[ +0,005847] [ T265] usb_probe_device+0xc4/0x340
[ +0,005167] [ T265] really_probe+0x250/0x818
[ +0,004878] [ T265] Slab 0xeeed44e8 objects=21 used=15 fp=0xc61eb400
flags=0x240(workingset|head|zone=0)
[ +0,010611] [ T265] Object 0xc61ebe80 @offset=7808 fp=0x00000000
[ +0,009149] [ T265] Redzone c61ebe00: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010605] [ T265] Redzone c61ebe10: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010605] [ T265] Redzone c61ebe20: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010603] [ T265] Redzone c61ebe30: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010605] [ T265] Redzone c61ebe40: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Redzone c61ebe50: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010603] [ T265] Redzone c61ebe60: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Redzone c61ebe70: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Object c61ebe80: 05 01 09 06 a1 01 05 07 19 e0 29 e7
15 00 25 01 ..........)...%.
[ +0,010604] [ T265] Object c61ebe90: 75 01 95 08 81 02 95 01 75 08 81 01
95 03 75 01 u.......u.....u.
[ +0,010603] [ T265] Object c61ebea0: 05 08 19 01 29 03 91 02 95 05 75 01
91 01 95 06 ....).....u.....
[ +0,010604] [ T265] Object c61ebeb0: 75 08 05 07 19 00 2a ff 00 15 00 26
ff 00 81 00 u.....*....&....
[ +0,010603] [ T265] Object c61ebec0: c0 40 ef 00 cc cc cc cc cc cc cc cc
cc cc cc cc .@..............
[ +0,010604] [ T265] Object c61ebed0: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Object c61ebee0: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Object c61ebef0: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010602] [ T265] Redzone c61ebf00: cc cc cc cc
....
[ +0,009438] [ T265] Padding c61ebf64: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ +0,010604] [ T265] Padding c61ebf74: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
ZZZZZZZZZZZZ
[ +0,010213] [ T265] ------------[ cut here ]------------
[ +0,005938] [ T265] WARNING: CPU: 1 PID: 265 at mm/slub.c:1110
check_bytes_and_report+0xf4/0x118
[ +0,009839] [ T265] CPU: 1 UID: 0 PID: 265 Comm: mdev Tainted: G B W
6.15.0-rc3-M95D-00014-ge00e800e6d2a-dirty #1 NONE
[ +0,000019] [ T265] Tainted: [B]=BAD_PAGE, [W]=WARN
[ +0,000005] [ T265] Hardware name: Rockchip (Device Tree)
[ +0,000006] [ T265] Call trace:
[ +0,000005] [ T265] [<c0101c44>] (unwind_backtrace) from [<c01566c8>]
(show_stack+0x10/0x28)
[ +0,000024] [ T265] [<c01566c8>] (show_stack) from [<c0140ee8>]
(dump_stack_lvl+0x58/0x94)
[ +0,000023] [ T265] [<c0140ee8>] (dump_stack_lvl) from [<c0196828>]
(__warn+0x12c/0x1b0)
[ +0,000020] [ T265] [<c0196828>] (__warn) from [<c0196af0>]
(warn_slowpath_fmt+0x244/0x24c)
[ +0,000015] [ T265] [<c0196af0>] (warn_slowpath_fmt) from [<c0529ad8>]
(check_bytes_and_report+0xf4/0x118)
[ +0,000018] [ T265] [<c0529ad8>] (check_bytes_and_report) from [<c0529e9c>]
(check_object+0x3a0/0x408)
[ +0,000017] [ T265] [<c0529e9c>] (check_object) from [<c052aa18>]
(free_debug_processing+0x120/0x2e4)
[ +0,000017] [ T265] [<c052aa18>] (free_debug_processing) from [<c052e0b4>]
(free_to_partial_list+0x70/0x278)
[ +0,000018] [ T265] [<c052e0b4>] (free_to_partial_list) from [<c0530234>]
(___cache_free+0xcc/0x114)
[ +0,000019] [ T265] [<c0530234>] (___cache_free) from [<c055fd74>]
(qlist_free_all+0x6c/0x108)
[ +0,000022] [ T265] [<c055fd74>] (qlist_free_all) from [<c0560270>]
(kasan_quarantine_reduce+0x124/0x180)
[ +0,000021] [ T265] [<c0560270>] (kasan_quarantine_reduce) from [<c055d358>]
(__kasan_slab_alloc+0x5c/0x8c)
[ +0,000020] [ T265] [<c055d358>] (__kasan_slab_alloc) from [<c052c91c>]
(kmem_cache_alloc_noprof+0x160/0x254)
[ +0,000019] [ T265] [<c052c91c>] (kmem_cache_alloc_noprof) from [<c05cf06c>]
(getname_flags+0x94/0x720)
[ +0,000019] [ T265] [<c05cf06c>] (getname_flags) from [<c05a44bc>]
(sys_statx+0xb8/0xd4)
[ +0,000018] [ T265] [<c05a44bc>] (sys_statx) from [<c0100060>]
(ret_fast_syscall+0x0/0x54)
[ +0,000016] [ T265] Exception stack(0xc85cffa8 to 0xc85cfff0)
[ +0,000012] [ T265] ffa0: b6b2ab20 b6b2ac88 ffffff9c
00263048 00000800 000007ff
[ +0,000011] [ T265] ffc0: b6b2ab20 b6b2ac88 00263048 0000018d 002aa5d8
00263048 00000001 00000000
[ +0,000010] [ T265] ffe0: 00000000 b6b2ab00 ffffff9c 0017dc4c
[ +0,000006] [ T265] ---[ end trace 0000000000000000 ]---
[ +0,227892] [ T265] FIX kmalloc-128: Restoring kmalloc Redzone
0xc61ebec1-0xc61ebec3=0xcc
[ +0,009150] [ T265] FIX kmalloc-128: Object at 0xc61ebe80 not freed
There's also an almost identical error in usb_get_status:
[ +0,104795] [ T265] [kmalloc Redzone overwritten] 0xc3f0e342-0xc3f0e343
@offset=834. First byte 0xff instead of 0xcc
[ +0,011804] [ T265]
=============================================================================
[ +0,009926] [ T265] BUG kmalloc-64 (Tainted: G B W ): Object
corrupt
[ +0,008467] [ T265]
-----------------------------------------------------------------------------
[ +0,012347] [ T265] Allocated in usb_get_status+0x84/0x33c age=1977 cpu=2
pid=50
[ +0,008288] [ T265] usb_get_status+0x84/0x33c
[ +0,004972] [ T265] hub_configure+0x1164/0x1d34
[ +0,005171] [ T265] hub_probe+0xde4/0xe90
[ +0,004586] [ T265] usb_probe_interface+0x3f8/0xa40
[ +0,005557] [ T265] really_probe+0x250/0x818
[ +0,004880] [ T265] __driver_probe_device+0x1c4/0x404
[ +0,005751] [ T265] driver_probe_device+0x58/0x154
[ +0,005461] [ T265] __device_attach_driver+0x278/0x33c
[ +0,005847] [ T265] bus_for_each_drv+0x14c/0x1b4
[ +0,005265] [ T265] __device_attach+0x1d0/0x394
[ +0,005168] [ T265] bus_probe_device+0x19c/0x1cc
[ +0,005265] [ T265] device_add+0xb78/0x11ac
[ +0,004778] [ T265] usb_set_configuration+0x11dc/0x1e54
[ +0,005946] [ T265] usb_generic_driver_probe+0x8c/0xd0
[ +0,005848] [ T265] usb_probe_device+0xc4/0x340
[ +0,005168] [ T265] really_probe+0x250/0x818
[ +0,004877] [ T265] Slab 0xeee85df8 objects=16 used=9 fp=0xc3f0e440
flags=0x200(workingset|zone=0)
[ +0,010019] [ T265] Object 0xc3f0e340 @offset=832 fp=0xc3f0e440
[ +0,009052] [ T265] Redzone c3f0e300: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010605] [ T265] Redzone c3f0e310: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010605] [ T265] Redzone c3f0e320: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010603] [ T265] Redzone c3f0e330: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010605] [ T265] Object c3f0e340: 01 00 ff df cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Object c3f0e350: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010603] [ T265] Object c3f0e360: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010604] [ T265] Object c3f0e370: cc cc cc cc cc cc cc cc cc cc cc cc
cc cc cc cc ................
[ +0,010603] [ T265] Redzone c3f0e380: cc cc cc cc
....
[ +0,009438] [ T265] Padding c3f0e3e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ +0,010603] [ T265] Padding c3f0e3f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a
ZZZZZZZZZZZZ
[ +0,010214] [ T265] ------------[ cut here ]------------
[ +0,005938] [ T265] WARNING: CPU: 1 PID: 265 at mm/slub.c:1110
check_bytes_and_report+0xf4/0x118
[ +0,009839] [ T265] CPU: 1 UID: 0 PID: 265 Comm: mdev Tainted: G B W
6.15.0-rc3-M95D-00014-ge00e800e6d2a-dirty #1 NONE
[ +0,000018] [ T265] Tainted: [B]=BAD_PAGE, [W]=WARN
[ +0,000005] [ T265] Hardware name: Rockchip (Device Tree)
[ +0,000007] [ T265] Call trace:
[ +0,000004] [ T265] [<c0101c44>] (unwind_backtrace) from [<c01566c8>]
(show_stack+0x10/0x28)
[ +0,000025] [ T265] [<c01566c8>] (show_stack) from [<c0140ee8>]
(dump_stack_lvl+0x58/0x94)
[ +0,000022] [ T265] [<c0140ee8>] (dump_stack_lvl) from [<c0196828>]
(__warn+0x12c/0x1b0)
[ +0,000021] [ T265] [<c0196828>] (__warn) from [<c0196af0>]
(warn_slowpath_fmt+0x244/0x24c)
[ +0,000015] [ T265] [<c0196af0>] (warn_slowpath_fmt) from [<c0529ad8>]
(check_bytes_and_report+0xf4/0x118)
[ +0,000018] [ T265] [<c0529ad8>] (check_bytes_and_report) from [<c0529e9c>]
(check_object+0x3a0/0x408)
[ +0,000017] [ T265] [<c0529e9c>] (check_object) from [<c052aa18>]
(free_debug_processing+0x120/0x2e4)
[ +0,000017] [ T265] [<c052aa18>] (free_debug_processing) from [<c052e0b4>]
(free_to_partial_list+0x70/0x278)
[ +0,000018] [ T265] [<c052e0b4>] (free_to_partial_list) from [<c0530234>]
(___cache_free+0xcc/0x114)
[ +0,000019] [ T265] [<c0530234>] (___cache_free) from [<c055fd74>]
(qlist_free_all+0x6c/0x108)
[ +0,000020] [ T265] [<c055fd74>] (qlist_free_all) from [<c0560270>]
(kasan_quarantine_reduce+0x124/0x180)
[ +0,000022] [ T265] [<c0560270>] (kasan_quarantine_reduce) from [<c055d358>]
(__kasan_slab_alloc+0x5c/0x8c)
[ +0,000020] [ T265] [<c055d358>] (__kasan_slab_alloc) from [<c052d5e0>]
(__kvmalloc_node_noprof+0x1c4/0x3c4)
[ +0,000018] [ T265] [<c052d5e0>] (__kvmalloc_node_noprof) from [<c06307c8>]
(seq_buf_alloc+0x68/0x14c)
[ +0,000020] [ T265] [<c06307c8>] (seq_buf_alloc) from [<c0631cc4>]
(seq_read_iter+0x8c4/0x14a8)
[ +0,000018] [ T265] [<c0631cc4>] (seq_read_iter) from [<c058cc08>]
(vfs_read+0x760/0xae0)
[ +0,000021] [ T265] [<c058cc08>] (vfs_read) from [<c058f070>]
(ksys_read+0xf4/0x1bc)
[ +0,000020] [ T265] [<c058f070>] (ksys_read) from [<c0100060>]
(ret_fast_syscall+0x0/0x54)
[ +0,000018] [ T265] Exception stack(0xc85cffa8 to 0xc85cfff0)
[ +0,000011] [ T265] ffa0: 0000007f b6b2bc62 00000006
b6b2bc62 0000007f 00000001
[ +0,000012] [ T265] ffc0: 0000007f b6b2bc62 00000006 00000003 0023f53c
00000011 ffffffff b6b2bc62
[ +0,000009] [ T265] ffe0: 000001cc b6b29bd8 0006bcc8 0017f20c
[ +0,000006] [ T265] ---[ end trace 0000000000000000 ]---
[ +0,246152] [ T265] FIX kmalloc-64: Restoring kmalloc Redzone
0xc3f0e342-0xc3f0e343=0xcc
[ +0,009054] [ T265] FIX kmalloc-64: Object at 0xc3f0e340 not freed
I tried to do a git bisect, but I couldn't go back more than v6.8 because the
board won't boot.
Thanks.
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
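
A triage aid for the two reports above, added here and not part of the original bug report: it takes the corrupted range and the object address from each SLUB report and computes where the overrun sits inside the allocation. The input lines are copied from the report with the mail's line wraps rejoined; the function and field names are this example's own.

```python
import re

# Key lines copied from the two SLUB reports above, with the mail's
# line wraps rejoined. Nothing here is constructed.
REPORT = """\
[ +0,007751] [ T265] [kmalloc Redzone overwritten] 0xc61ebec1-0xc61ebec3 @offset=7873. First byte 0x40 instead of 0xcc
[ +0,009952] [ T265] BUG kmalloc-128 (Tainted: G B W ): Object corrupt
[ +0,010611] [ T265] Object 0xc61ebe80 @offset=7808 fp=0x00000000
[ +0,104795] [ T265] [kmalloc Redzone overwritten] 0xc3f0e342-0xc3f0e343 @offset=834. First byte 0xff instead of 0xcc
[ +0,009926] [ T265] BUG kmalloc-64 (Tainted: G B W ): Object corrupt
[ +0,010019] [ T265] Object 0xc3f0e340 @offset=832 fp=0xc3f0e440
"""

RANGE_RE = re.compile(r"\[kmalloc Redzone overwritten\] 0x([0-9a-f]+)-0x([0-9a-f]+)")
CACHE_RE = re.compile(r"BUG kmalloc-(\d+) ")
OBJECT_RE = re.compile(r"Object 0x([0-9a-f]+) @offset=")


def summarize(log):
    """Return one dict per report: where the overrun sits inside the object."""
    results, cur = [], None
    for line in log.splitlines():
        if m := RANGE_RE.search(line):
            # The reported range is inclusive: first and last corrupted byte.
            cur = {"first": int(m[1], 16), "last": int(m[2], 16)}
        elif cur is not None and (m := CACHE_RE.search(line)):
            cur["cache_size"] = int(m[1])
        elif cur is not None and (m := OBJECT_RE.search(line)):
            base = int(m[1], 16)
            # The kmalloc red zone starts right after the requested size,
            # so first_off is an upper bound on what the caller asked for.
            first_off = cur["first"] - base
            end_off = cur["last"] - base + 1  # one past the last bad byte
            results.append({
                "cache_size": cur.get("cache_size"),
                "first_bad_offset": first_off,
                "overrun_bytes": end_off - first_off,
                "end_offset": end_off,
                "ends_on_4_byte_boundary": end_off % 4 == 0,
            })
            cur = None
    return results


if __name__ == "__main__":
    for r in summarize(REPORT):
        print(r)
```

On these inputs the first corrupted byte is at offset 65 in the kmalloc-128 object and at offset 2 in the kmalloc-64 object, and both overruns end on a 4-byte boundary (offsets 68 and 4).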