RE: [PATCH v7 00/16] Intel IPU3 ImgU patchset

Hi Laurent et al,

> Subject: RE: [PATCH v7 00/16] Intel IPU3 ImgU patchset
> 
> Hi Jacopo,
> 
> > Subject: Re: [PATCH v7 00/16] Intel IPU3 ImgU patchset
> >
> > Hi Raj,
> >
> > On Wed, Jan 09, 2019 at 06:01:39PM +0000, Mani, Rajmohan wrote:
> > > Hi Jacopo,
> > >
> > > > Subject: Re: [PATCH v7 00/16] Intel IPU3 ImgU patchset
> > > >
> > > > Hello Raj,
> > > >
> > > > On Wed, Jan 09, 2019 at 05:00:21PM +0000, Mani, Rajmohan wrote:
> > > > > Hi Laurent, Tomasz, Jacopo,
> > > > >
> > > > > > Subject: Re: [PATCH v7 00/16] Intel IPU3 ImgU patchset
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > On Tue, Jan 08, 2019 at 03:54:34PM +0900, Tomasz Figa wrote:
> > > > > > > Hi Raj, Yong, Bingbu, Tianshu,
> > > > > > >
> > > > > > > > On Fri, Dec 21, 2018 at 12:04 PM Tomasz Figa <tfiga@xxxxxxxxxxxx> wrote:
> > > > > > > > >
> > > > > > > > > On Fri, Dec 21, 2018 at 7:24 AM Laurent Pinchart
> > > > > > > > > <laurent.pinchart@xxxxxxxxxxxxxxxx> wrote:
> > > > > > > > > >
> > > > > > > > > > Hello
> > > > > > > > > >
> > > > > > > > > > On Sunday, 16 December 2018 09:26:18 EET Laurent Pinchart wrote:
> > > > > > > > > > Hello Yong,
> > > > > > > > > >
> > > > > > > > > > Could you please have a look at the crash reported below ?
> > > > > > > > >
> > > > > > > > > > A bit more information to help you debug this. I've
> > > > > > > > > > enabled KASAN in the kernel configuration, and get the
> > > > > > > > > > following use-after-free reports.
> > > > > >
> > > > > > > I tested as well using the ipu-process.sh script shared by
> > > > > > > Laurent, with the following command line:
> > > > > > > ./ipu3-process.sh --out 2560x1920 --vf 1920x1080 frame-2592x1944.cio2
> > > > > > >
> > > > > > > and I got a very similar trace available at:
> > > > > > > https://paste.debian.net/hidden/5855e15a/
> > > > > > >
> > > > > > > Please note I have been able to process a set of images (with
> > > > > > > KASAN enabled the machine does not freeze) but the kernel log
> > > > > > > gets flooded and it is not possible to process any other frame
> > > > > > > after this.
> > > > > > >
> > > > > > > The issue is currently quite annoying and it's a blocker for
> > > > > > > libcamera development on IPU3. Please let me know if I can
> > > > > > > support with more testing.
> > > > > >
> > > > > > Thanks
> > > > > >    j
> > > > > >
> > > > > > > > >
> > > > > > > > > [  166.332920]
> > > > > > > > >
> > > > > >
> > > >
> >
> ================================================================
> > > > > > ==
> > > > > > > > > [  166.332937] BUG: KASAN: use-after-free in
> > > > > > > > > __cached_rbnode_delete_update+0x36/0x202
> > > > > > > > > [  166.332944] Read of size 8 at addr ffff888133823718
> > > > > > > > > by task
> > > > > > > > > yavta/1305
> > > > > > > > >
> > > > > > > > > [  166.332955] CPU: 3 PID: 1305 Comm: yavta Tainted: G         C
> > > > 4.20.0-
> > > > > > rc6+ #3
> > > > > > > > > [  166.332958] Hardware name: HP Soraka/Soraka, BIOS
> > > > > > > > > 08/30/2018 [ 166.332959] Call Trace:
> > > > > > > > > [  166.332967]  dump_stack+0x5b/0x81 [  166.332974]
> > > > > > > > > print_address_description+0x65/0x227
> > > > > > > > > [  166.332979]  ?
> > > > > > > > > __cached_rbnode_delete_update+0x36/0x202
> > > > > > > > > [  166.332983]  kasan_report+0x247/0x285 [  166.332989]
> > > > > > > > > __cached_rbnode_delete_update+0x36/0x202
> > > > > > > > > [  166.332995]  private_free_iova+0x57/0x6d [
> > > > > > > > > 166.332999]
> > > > > > > > > __free_iova+0x23/0x31 [  166.333011]
> > > > > > > > > ipu3_dmamap_free+0x118/0x1d6 [ipu3_imgu]
> > > > > > > >
> > > > > > > > > Thanks Laurent, I think this is a very good hint. It looks
> > > > > > > > > like we're basically freeing an already freed IOVA and
> > > > > > > > > corrupting some allocator state?
> > > > > > > >
> > > > > > > > Did you have any luck in reproducing and fixing this double
> > > > > > > > free issue?
> > > > > > >
> > > > >
> > > > > This issue is either hard to reproduce or comes with different
> > > > > signatures with the updated yavta (that now supports meta
> > > > > output) with the 4.4 kernel that I have been using.
> > > > > I am switching to 4.20-rc6 for better reproducibility.
> > > > > > Enabling KASAN also results in storage space issues on my Chrome
> > > > > > device.
> > > > > > Will enable this just for ImgU to get ahead and get back with
> > > > > > more updates.
> > > > >
> > > >
> > > > Thanks for testing this.
> > > >
> > > > > For your information I'm using the following branch, from
> > > > > Sakari's tree: git://linuxtv.org/sailus/media_tree.git ipu3
> > > > >
> > > > > Although it appears that the media tree master branch has
> > > > > everything that is there, with a few additional patches on top. I
> > > > > should move to use media tree master as well...
> > > > >
> > > > > I have here attached 2 configuration files for v4.20-rc5 I am
> > > > > using on Soraka, in case they might help you. One has KASAN
> > > > > enabled with an increased kernel log size, the other one is the
> > > > > one we use for daily development.
> > >
> > > I think I am missing a trick here to override the default chrome os
> > > kernel config with the one that you supplied.
> > >
> > > > In particular I am looking for steps to build the upstream kernel
> > > > within chrome os build environment using your config, so I can
> > > > update my Soraka device.
> > >
> > > I'm sorry I can not help much building 'within chrome os build
> > > environment'.
> > > Care to explain what you mean?
> >
> 
> This is part of the Chromium OS build environment and development
> workflow.
> https://chromium.googlesource.com/chromiumos/docs/+/master/kernel_faq.md
> 
> No worries.
> I will sync up with Tomasz, as he managed to get this working with 4.20 kernel.
> 

I finally managed to reproduce the issue with 4.20-rc6, with KASAN enabled and
with CONFIG_SLUB_DEBUG_ON with SLAB_STORE_USER.

The following line indicates the crash happens when yavta PID 10289 tries to free the memory.

[  452.437844] BUG: KASAN: use-after-free in ipu3_dmamap_free+0x50/0x9c [ipu3_imgu]
[  452.446123] Read of size 8 at addr ffff8881503481a0 by task yavta/10289

The above looks to be normal, since it's the same task that allocated this memory.
[  452.685731] Allocated by task 10289:

Before the above happened, yavta/10187 came in and freed this memory per KASAN.
[  452.787656] Freed by task 10187:

Is this (one instance of yavta freeing the memory allocated by another instance of yavta) expected?
Or does it indicate that mmap is giving the same address across these 2 instances of yavta?
I need to debug / confirm the latter case.

With the help of a local application that operates these pipes in a serial fashion, I do not see
this issue.

I have pasted the relevant parts of the dmesg.

[  452.038082] WARNING: CPU: 1 PID: 10289 at /mnt/host/source/src/third_party/kernel/v4.4/drivers/staging/media/ipu3/ipu3-dmamap.c:172 ipu3_dmamap_unmap+0xf6/0x107 [ipu3_imgu]
[  452.055293] Modules linked in: cmac rfcomm uinput snd_soc_kbl_rt5663_max98927 snd_soc_skl_ssp_clk snd_soc_hdac_hdmi snd_soc_dmic btusb btrtl btbcm asix usbnet btintel bluetooth snd_soc_skl snd_soc_skl_ipc ecdh_generic snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core ipu3_imgu(C) ipu3_cio2 iova videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videobuf2_common snd_soc_rt5663 snd_soc_max98927 at24 snd_soc_rl6231 ov13858 ov5670 v4l2_fwnode dw9714 bridge stp llc acpi_als kfifo_buf industrialio ipt_MASQUERADE lzo lzo_compress zram xt_mark fuse snd_seq_dummy snd_seq snd_seq_device cfg80211 ip6table_filter r8152 mii joydev
[  452.117513] CPU: 1 PID: 10289 Comm: yavta Tainted: G        WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  452.128705] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  452.137476] RIP: 0010:ipu3_dmamap_unmap+0xf6/0x107 [ipu3_imgu]
[  452.144007] Code: e1 48 d3 e2 48 8b 7d c8 48 89 de e8 7b f5 ff ff 48 8b 7d d0 4c 89 fe 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d e9 b2 f5 ee ff <0f> 0b 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 1f 44 00 00
[  452.165007] RSP: 0018:ffff88814ef67a20 EFLAGS: 00010246
[  452.170857] RAX: 0000000000000000 RBX: 00000000000e527e RCX: 0000000000000001
[  452.178842] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff8881179076b8
[  452.186828] RBP: ffff88814ef67a68 R08: 0000000000000000 R09: ffffed1022f20ed8
[  452.194812] R10: ffff8881179076bb R11: dffffc0000000000 R12: ffff8881179076e8
[  452.202799] R13: ffff888117900028 R14: ffff8881179076b8 R15: 0000000000000000
[  452.210784] FS:  00007a5d6524a700(0000) GS:ffff88815b680000(0000) knlGS:0000000000000000
[  452.219837] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  452.226271] CR2: 00005ba49b474078 CR3: 0000000129e1e002 CR4: 00000000003606e0
[  452.234251] Call Trace:
[  452.237003]  ipu3_dmamap_free+0x41/0x9c [ipu3_imgu]
[  452.242473]  ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu]
[  452.248431]  ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu]
[  452.254772]  ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu]
[  452.261119]  imgu_s_stream+0x94/0x443 [ipu3_imgu]
[  452.266392]  ? ipu3_vb2_buf_queue+0x280/0x280 [ipu3_imgu]
[  452.272438]  ? vb2_dma_sg_unmap_dmabuf+0x16/0x6f [videobuf2_dma_sg]
[  452.279456]  ? vb2_buffer_in_use+0x36/0x58 [videobuf2_common]
[  452.285894]  ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu]
[  452.292137]  __vb2_queue_cancel+0x35/0x215 [videobuf2_common]
[  452.298576]  vb2_core_streamoff+0x19/0x73 [videobuf2_common]
[  452.304920]  __video_do_ioctl+0x34e/0x450
[  452.309414]  video_usercopy+0x25e/0x597
[  452.313718]  ? video_ioctl2+0x16/0x16
[  452.317823]  ? __switch_to_asm+0x34/0x70
[  452.322215]  v4l2_ioctl+0x45/0x49
[  452.325932]  vfs_ioctl+0x1b/0x30
[  452.329551]  do_vfs_ioctl+0x479/0x6d0
[  452.333660]  ksys_ioctl+0x53/0x79
[  452.337375]  __se_sys_ioctl+0xe/0x12
[  452.341379]  do_syscall_64+0x52/0x60
[  452.345384]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  452.351035] RIP: 0033:0x7a5d64b73967
[  452.355042] Code: 8a 66 90 48 8b 05 29 55 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 54 2b 00 f7 d8 64 89 01 48
[  452.376041] RSP: 002b:00007fff3483aca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  452.384515] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007a5d64b73967
[  452.392501] RDX: 00007fff3483acb4 RSI: 0000000040045613 RDI: 0000000000000003
[  452.400484] RBP: 0000000000404c48 R08: fffffffffed7c030 R09: fffffffffed7c020
[  452.408467] R10: fffffffffed7c010 R11: 0000000000000246 R12: 0000000000404c56
[  452.416450] R13: 0000000000000001 R14: 00007fff3483c75c R15: 000000000062b800
[  452.424432] ---[ end trace ed0895d0744ba932 ]---
[  452.429752] ==================================================================
[  452.437844] BUG: KASAN: use-after-free in ipu3_dmamap_free+0x50/0x9c [ipu3_imgu]
[  452.446123] Read of size 8 at addr ffff8881503481a0 by task yavta/10289

[  452.455191] CPU: 1 PID: 10289 Comm: yavta Tainted: G        WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  452.466380] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  452.475133] Call Trace:
[  452.477880]  dump_stack+0x6a/0xb1
[  452.481600]  print_address_description+0x8e/0x279
[  452.486873]  ? ipu3_dmamap_free+0x50/0x9c [ipu3_imgu]
[  452.492530]  kasan_report+0x260/0x28a
[  452.496637]  ipu3_dmamap_free+0x50/0x9c [ipu3_imgu]
[  452.502103]  ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu]
[  452.508056]  ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu]
[  452.514395]  ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu]
[  452.520737]  imgu_s_stream+0x94/0x443 [ipu3_imgu]
[  452.526010]  ? ipu3_vb2_buf_queue+0x280/0x280 [ipu3_imgu]
[  452.532058]  ? vb2_dma_sg_unmap_dmabuf+0x16/0x6f [videobuf2_dma_sg]
[  452.539076]  ? vb2_buffer_in_use+0x36/0x58 [videobuf2_common]
[  452.545513]  ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu]
[  452.551762]  __vb2_queue_cancel+0x35/0x215 [videobuf2_common]
[  452.558203]  vb2_core_streamoff+0x19/0x73 [videobuf2_common]
[  452.564542]  __video_do_ioctl+0x34e/0x450
[  452.569039]  video_usercopy+0x25e/0x597
[  452.573341]  ? video_ioctl2+0x16/0x16
[  452.577443]  ? __switch_to_asm+0x34/0x70
[  452.581838]  v4l2_ioctl+0x45/0x49
[  452.585559]  vfs_ioctl+0x1b/0x30
[  452.589178]  do_vfs_ioctl+0x479/0x6d0
[  452.593277]  ksys_ioctl+0x53/0x79
[  452.596991]  __se_sys_ioctl+0xe/0x12
[  452.601000]  do_syscall_64+0x52/0x60
[  452.605010]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  452.610668] RIP: 0033:0x7a5d64b73967
[  452.614677] Code: 8a 66 90 48 8b 05 29 55 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 54 2b 00 f7 d8 64 89 01 48
[  452.635676] RSP: 002b:00007fff3483aca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  452.644149] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007a5d64b73967
[  452.652125] RDX: 00007fff3483acb4 RSI: 0000000040045613 RDI: 0000000000000003
[  452.660109] RBP: 0000000000404c48 R08: fffffffffed7c030 R09: fffffffffed7c020
[  452.668092] R10: fffffffffed7c010 R11: 0000000000000246 R12: 0000000000404c56
[  452.676076] R13: 0000000000000001 R14: 00007fff3483c75c R15: 000000000062b800

[  452.685731] Allocated by task 10289:
[  452.689736]  set_track+0x64/0xfb
[  452.693354]  __kmalloc+0x94/0x1af
[  452.697066]  __get_vm_area_node+0x9e/0x103
[  452.701654]  __get_vm_area+0x26/0x29
[  452.705653]  ipu3_dmamap_alloc+0x333/0x503 [ipu3_imgu]
[  452.711408]  ipu3_css_pool_init+0x43/0x99 [ipu3_imgu]
[  452.717070]  ipu3_css_start_streaming+0x25cf/0x29a7 [ipu3_imgu]
[  452.723697]  imgu_s_stream+0x133/0x443 [ipu3_imgu]
[  452.729055]  ipu3_vb2_start_streaming+0x1a3/0x1f1 [ipu3_imgu]
[  452.735492]  vb2_start_streaming+0x71/0x11c [videobuf2_common]
[  452.742027]  vb2_core_streamon+0xf8/0x118 [videobuf2_common]
[  452.748371]  __video_do_ioctl+0x34e/0x450
[  452.752857]  video_usercopy+0x25e/0x597
[  452.757155]  v4l2_ioctl+0x45/0x49
[  452.760869]  vfs_ioctl+0x1b/0x30
[  452.764497]  do_vfs_ioctl+0x479/0x6d0
[  452.768602]  ksys_ioctl+0x53/0x79
[  452.772318]  __se_sys_ioctl+0xe/0x12
[  452.776322]  do_syscall_64+0x52/0x60
[  452.780330]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  452.787656] Freed by task 10187:
[  452.791274]  set_track+0x64/0xfb
[  452.794897]  __kasan_slab_free+0xde/0x101
[  452.799393]  slab_free_freelist_hook+0x4d/0x9e
[  452.804373]  kfree+0x8b/0x4d7
[  452.807703]  ipu3_dmamap_free+0x7e/0x9c [ipu3_imgu]
[  452.813167]  ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu]
[  452.819117]  ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu]
[  452.825454]  ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu]
[  452.831796]  imgu_s_stream+0x94/0x443 [ipu3_imgu]
[  452.837066]  ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu]
[  452.843308]  __vb2_queue_cancel+0x35/0x215 [videobuf2_common]
[  452.849747]  vb2_core_streamoff+0x19/0x73 [videobuf2_common]
[  452.856086]  __video_do_ioctl+0x34e/0x450
[  452.860610]  video_usercopy+0x25e/0x597
[  452.864913]  v4l2_ioctl+0x45/0x49
[  452.868630]  vfs_ioctl+0x1b/0x30
[  452.872245]  do_vfs_ioctl+0x479/0x6d0
[  452.876349]  ksys_ioctl+0x53/0x79
[  452.880059]  __se_sys_ioctl+0xe/0x12
[  452.884068]  do_syscall_64+0x52/0x60
[  452.888075]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  452.895396] The buggy address belongs to the object at ffff888150348180
                which belongs to the cache kmalloc-64 of size 64
[  452.909203] The buggy address is located 32 bytes inside of
                64-byte region [ffff888150348180, ffff8881503481c0)
[  452.922142] The buggy address belongs to the page:
[  452.927506] page:ffffea000540d200 count:1 mapcount:0 mapping:ffff88815ac0f840 index:0x0 compound_mapcount: 0
[  452.938503] flags: 0x8000000000010200(slab|head)
[  452.943675] raw: 8000000000010200 ffffea00055d1d08 ffffea0005345e08 ffff88815ac0f840
[  452.952342] raw: 0000000000000000 0000000000150015 00000001ffffffff 0000000000000000
[  452.961008] page dumped because: kasan: bad access detected

[  452.968915] Memory state around the buggy address:
[  452.974277]  ffff888150348080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  452.982361]  ffff888150348100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  452.990435] >ffff888150348180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  452.998518]                                ^
[  453.003291]  ffff888150348200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  453.011376]  ffff888150348280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  453.019457] ==================================================================
[  453.027537] Disabling lock debugging due to kernel taint
[  453.034645] ==================================================================
[  453.042736] BUG: KASAN: double-free or invalid-free in kfree+0x8b/0x4d7

[  453.051817] CPU: 1 PID: 10289 Comm: yavta Tainted: G    B   WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  453.063006] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  453.071767] Call Trace:
[  453.074513]  dump_stack+0x6a/0xb1
[  453.078233]  ? kfree+0x8b/0x4d7
[  453.081757]  ? kfree+0x8b/0x4d7
[  453.085284]  print_address_description+0x8e/0x279
[  453.090556]  ? kfree+0x8b/0x4d7
[  453.094082]  ? kfree+0x8b/0x4d7
[  453.097608]  kasan_report_invalid_free+0x58/0x95
[  453.102787]  __kasan_slab_free+0x9f/0x101
[  453.107286]  slab_free_freelist_hook+0x4d/0x9e
[  453.112266]  ? ipu3_dmamap_free+0x6d/0x9c [ipu3_imgu]
[  453.117930]  kfree+0x8b/0x4d7
[  453.121262]  ? __free_pages+0x2f/0x71
[  453.125368]  ipu3_dmamap_free+0x6d/0x9c [ipu3_imgu]
[  453.130833]  ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu]
[  453.136786]  ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu]
[  453.143131]  ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu]
[  453.149476]  imgu_s_stream+0x94/0x443 [ipu3_imgu]
[  453.154750]  ? ipu3_vb2_buf_queue+0x280/0x280 [ipu3_imgu]
[  453.160798]  ? vb2_dma_sg_unmap_dmabuf+0x16/0x6f [videobuf2_dma_sg]
[  453.167821]  ? vb2_buffer_in_use+0x36/0x58 [videobuf2_common]
[  453.174263]  ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu]
[  453.180500]  __vb2_queue_cancel+0x35/0x215 [videobuf2_common]
[  453.186938]  vb2_core_streamoff+0x19/0x73 [videobuf2_common]
[  453.193276]  __video_do_ioctl+0x34e/0x450
[  453.197789]  video_usercopy+0x25e/0x597
[  453.202088]  ? video_ioctl2+0x16/0x16
[  453.206193]  ? __switch_to_asm+0x34/0x70
[  453.210587]  v4l2_ioctl+0x45/0x49
[  453.214302]  vfs_ioctl+0x1b/0x30
[  453.217923]  do_vfs_ioctl+0x479/0x6d0
[  453.222033]  ksys_ioctl+0x53/0x79
[  453.225750]  __se_sys_ioctl+0xe/0x12
[  453.229757]  do_syscall_64+0x52/0x60
[  453.233765]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  453.239423] RIP: 0033:0x7a5d64b73967
[  453.243429] Code: 8a 66 90 48 8b 05 29 55 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 54 2b 00 f7 d8 64 89 01 48
[  453.264428] RSP: 002b:00007fff3483aca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  453.272904] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007a5d64b73967
[  453.280892] RDX: 00007fff3483acb4 RSI: 0000000040045613 RDI: 0000000000000003
[  453.288877] RBP: 0000000000404c48 R08: fffffffffed7c030 R09: fffffffffed7c020
[  453.296861] R10: fffffffffed7c010 R11: 0000000000000246 R12: 0000000000404c56
[  453.304842] R13: 0000000000000001 R14: 00007fff3483c75c R15: 000000000062b800

[  453.314500] Allocated by task 10289:
[  453.318507]  set_track+0x64/0xfb
[  453.322120]  __kmalloc+0x94/0x1af
[  453.325832]  kvmalloc_node+0x4e/0x84
[  453.329839]  ipu3_dmamap_alloc+0xec/0x503 [ipu3_imgu]
[  453.335488]  ipu3_css_pool_init+0x43/0x99 [ipu3_imgu]
[  453.341144]  ipu3_css_start_streaming+0x25cf/0x29a7 [ipu3_imgu]
[  453.347775]  imgu_s_stream+0x133/0x443 [ipu3_imgu]
[  453.353144]  ipu3_vb2_start_streaming+0x1a3/0x1f1 [ipu3_imgu]
[  453.359579]  vb2_start_streaming+0x71/0x11c [videobuf2_common]
[  453.366111]  vb2_core_streamon+0xf8/0x118 [videobuf2_common]
[  453.372449]  __video_do_ioctl+0x34e/0x450
[  453.376935]  video_usercopy+0x25e/0x597
[  453.381230]  v4l2_ioctl+0x45/0x49
[  453.384945]  vfs_ioctl+0x1b/0x30
[  453.388568]  do_vfs_ioctl+0x479/0x6d0
[  453.392672]  ksys_ioctl+0x53/0x79
[  453.396387]  __se_sys_ioctl+0xe/0x12
[  453.400393]  do_syscall_64+0x52/0x60
[  453.404395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  453.411716] Freed by task 10187:
[  453.415340]  set_track+0x64/0xfb
[  453.418960]  __kasan_slab_free+0xde/0x101
[  453.423452]  slab_free_freelist_hook+0x4d/0x9e
[  453.428430]  kfree+0x8b/0x4d7
[  453.431766]  ipu3_dmamap_free+0x6d/0x9c [ipu3_imgu]
[  453.437231]  ipu3_css_pool_cleanup+0x24/0x37 [ipu3_imgu]
[  453.443183]  ipu3_css_pipeline_cleanup+0x61/0xb9 [ipu3_imgu]
[  453.449522]  ipu3_css_stop_streaming+0x1f2/0x321 [ipu3_imgu]
[  453.455864]  imgu_s_stream+0x94/0x443 [ipu3_imgu]
[  453.461133]  ipu3_vb2_stop_streaming+0xf9/0x135 [ipu3_imgu]
[  453.467375]  __vb2_queue_cancel+0x35/0x215 [videobuf2_common]
[  453.473810]  vb2_core_streamoff+0x19/0x73 [videobuf2_common]
[  453.480154]  __video_do_ioctl+0x34e/0x450
[  453.484650]  video_usercopy+0x25e/0x597
[  453.488946]  v4l2_ioctl+0x45/0x49
[  453.492652]  vfs_ioctl+0x1b/0x30
[  453.496271]  do_vfs_ioctl+0x479/0x6d0
[  453.500376]  ksys_ioctl+0x53/0x79
[  453.504091]  __se_sys_ioctl+0xe/0x12
[  453.508094]  do_syscall_64+0x52/0x60
[  453.512099]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[  453.519424] The buggy address belongs to the object at ffff888153eaf380
                which belongs to the cache kmalloc-1k of size 1024
[  453.533431] The buggy address is located 0 bytes inside of
                1024-byte region [ffff888153eaf380, ffff888153eaf780)
[  453.546466] The buggy address belongs to the page:
[  453.551828] page:ffffea00054faa00 count:1 mapcount:0 mapping:ffff88815ac0f180 index:0x0 compound_mapcount: 0
[  453.562829] flags: 0x8000000000010200(slab|head)
[  453.568002] raw: 8000000000010200 ffffea0004b88a08 ffffea000565e808 ffff88815ac0f180
[  453.576670] raw: 0000000000000000 0000000000180018 00000001ffffffff 0000000000000000
[  453.585337] page dumped because: kasan: bad access detected

[  453.593239] Memory state around the buggy address:
[  453.598596]  ffff888153eaf280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  453.606680]  ffff888153eaf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  453.614765] >ffff888153eaf380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  453.622846]                    ^
[  453.626467]  ffff888153eaf400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  453.634550]  ffff888153eaf480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  453.642624] ==================================================================
[  453.653315] ------------[ cut here ]------------
[  453.658485] kernel BUG at /mnt/host/source/src/third_party/kernel/v4.4/mm/slub.c:3940!
[  453.667369] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
[  453.673604] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G    B   WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  453.684990] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  453.693762] RIP: 0010:kfree+0x4d3/0x4d7
[  453.698049] Code: 7d b0 48 8b 75 a0 e8 38 e6 6e 00 4c 89 ff 4c 89 f6 e8 3f a9 ff ff e9 22 fc ff ff 4c 89 ff 4c 89 f6 e8 1d b6 ff ff eb d6 0f 0b <0f> 0b 0f 0b 0f 1f 44 00 00 55 48 89 e5 48 8b 07 48 8b 4f 08 48 89
[  453.719051] RSP: 0018:ffff88815af17d20 EFLAGS: 00010246
[  453.724904] RAX: ffffea0001d9a288 RBX: ffff88807644d860 RCX: ffffea0001d91300
[  453.732891] RDX: ffffea0001d91340 RSI: 0000000000000004 RDI: 0000000001d91361
[  453.740866] RBP: ffff88815af17da8 R08: 0000000000000000 R09: fffffbfff6521ca7
[  453.748852] R10: ffffffffb290e533 R11: dffffc0000000000 R12: ffffffffb16dec02
[  453.751044] ipu3-imgu 0000:00:05.0: wait cio gate idle timeout
[  453.756835] R13: ffff88815b62ab70 R14: ffffea0001d91300 R15: ffff88815af08000
[  453.756839] FS:  0000000000000000(0000) GS:ffff88815b600000(0000) knlGS:0000000000000000
[  453.756841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  453.756843] CR2: 00007a8ac018f000 CR3: 00000000744ba006 CR4: 00000000003606f0
[  453.756845] Call Trace:
[  453.756855]  rcu_process_callbacks+0x20a/0x437
[  453.769422] BUG: Bad page state in process yavta  pfn:74756
[  453.771362]  __do_softirq+0x16c/0x33e
[  453.780406] page:ffffea0001d1d580 count:0 mapcount:0 mapping:ffff88815ae4c6c0 index:0x0
[  453.786839]  run_ksoftirqd+0x1d/0x34
[  453.794809] flags: 0x4000000000000000()
[  453.797551]  smpboot_thread_fn+0x1bb/0x291
[  453.802503] raw: 4000000000000000 dead000000000100 dead000000000200 ffff88815ae4c6c0
[  453.808736]  ? cpu_report_death+0x84/0x84
[  453.812829] raw: 0000000000000000 0000000000100010 00000000ffffffff 0000000000000000
[  453.821781]  kthread+0xfd/0x10d
[  453.825773] page dumped because: non-NULL mapping
[  453.830072]  ? cpu_report_death+0x84/0x84
[  453.834649] Modules linked in: cmac rfcomm uinput snd_soc_kbl_rt5663_max98927 snd_soc_skl_ssp_clk snd_soc_hdac_hdmi snd_soc_dmic btusb btrtl btbcm asix usbnet btintel bluetooth snd_soc_skl snd_soc_skl_ipc ecdh_generic snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core ipu3_imgu(C) ipu3_cio2 iova videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videobuf2_common snd_soc_rt5663 snd_soc_max98927 at24 snd_soc_rl6231 ov13858 ov5670 v4l2_fwnode dw9714 bridge stp llc acpi_als kfifo_buf industrialio ipt_MASQUERADE lzo lzo_compress zram xt_mark fuse snd_seq_dummy snd_seq snd_seq_device cfg80211 ip6table_filter r8152 mii joydev
[  453.843306]  ? kthread_destroy_worker+0x49/0x49
[  453.847795] CPU: 1 PID: 10289 Comm: yavta Tainted: G    B   WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  453.856449]  ret_from_fork+0x35/0x40
[  453.859956] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  453.865208] Modules linked in: cmac rfcomm uinput snd_soc_kbl_rt5663_max98927 snd_soc_skl_ssp_clk snd_soc_hdac_hdmi snd_soc_dmic btusb btrtl btbcm asix usbnet btintel bluetooth snd_soc_skl snd_soc_skl_ipc ecdh_generic snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core ipu3_imgu(C) ipu3_cio2 iova videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videobuf2_common snd_soc_rt5663 snd_soc_max98927 at24 snd_soc_rl6231 ov13858 ov5670 v4l2_fwnode dw9714 bridge stp llc acpi_als kfifo_buf industrialio ipt_MASQUERADE lzo lzo_compress zram xt_mark fuse snd_seq_dummy snd_seq snd_seq_device cfg80211 ip6table_filter r8152 mii joydev
[  453.869692] Call Trace:
[  453.933872] gsmi: Log Shutdown Reason 0x03
[  453.938939]  dump_stack+0x6a/0xb1
[  453.950359] ---[ end trace ed0895d0744ba933 ]---
[  453.954123]  bad_page+0x140/0x14a
[  453.954128]  free_pages_check+0x87/0x95
[  453.954132]  free_pcppages_bulk+0xbd/0x218
[  453.954137]  free_unref_page+0x49/0x6e
[  453.954142]  __free_pages+0x4a/0x71
[  453.962932] RIP: 0010:kfree+0x4d3/0x4d7
[  454.025068]  vb2_dma_sg_put+0x8f/0xec [videobuf2_dma_sg]
[  454.025074]  __vb2_buf_mem_free+0x39/0x75 [videobuf2_common]
[  454.025079]  __vb2_queue_free+0xb3/0x19f [videobuf2_common]
[  454.025084]  vb2_core_reqbufs+0x12a/0x312 [videobuf2_common]
[  454.025090]  vb2_ioctl_reqbufs+0x81/0xa8 [videobuf2_v4l2]
[  454.025098]  __video_do_ioctl+0x34e/0x450
[  454.025105]  video_usercopy+0x25e/0x597
[  454.025109]  ? video_ioctl2+0x16/0x16
[  454.025116]  v4l2_ioctl+0x45/0x49
[  454.025121]  vfs_ioctl+0x1b/0x30
[  454.025125]  do_vfs_ioctl+0x479/0x6d0
[  454.025131]  ksys_ioctl+0x53/0x79
[  454.025136]  __se_sys_ioctl+0xe/0x12
[  454.027896] Code: 7d b0 48 8b 75 a0 e8 38 e6 6e 00 4c 89 ff 4c 89 f6 e8 3f a9 ff ff e9 22 fc ff ff 4c 89 ff 4c 89 f6 e8 1d b6 ff ff eb d6 0f 0b <0f> 0b 0f 0b 0f 1f 44 00 00 55 48 89 e5 48 8b 07 48 8b 4f 08 48 89
[  454.032459]  do_syscall_64+0x52/0x60
[  454.032465]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  454.032469] RIP: 0033:0x7a5d64b73967
[  454.032473] Code: 8a 66 90 48 8b 05 29 55 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 54 2b 00 f7 d8 64 89 01 48
[  454.032475] RSP: 002b:00007fff3483acd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  454.032479] RAX: ffffffffffffffda RBX: 00000000023d97a0 RCX: 00007a5d64b73967
[  454.036194] RSP: 0018:ffff88815af17d20 EFLAGS: 00010246
[  454.041352] RDX: 00007fff3483ade0 RSI: 00000000c0145608 RDI: 0000000000000003
[  454.041355] RBP: 0000000000000007 R08: 00007a5d64e287c0 R09: 0000000000000045
[  454.041356] R10: fffffffffffff88f R11: 0000000000000246 R12: 0000000000000001
[  454.041358] R13: 00000000023d9778 R14: 00000000023d9750 R15: 000000000062b800
[  454.041364] BUG: Bad page state in process yavta  pfn:7671e
[  454.041368] page:ffffea0001d9c780 count:0 mapcount:0 mapping:ffff88815ae4c6c0 index:0x0
[  454.041370] flags: 0x4000000000000000()
[  454.041375] raw: 4000000000000000 dead000000000100 dead000000000200 ffff88815ae4c6c0
[  454.041378] raw: 0000000000000000 0000000000100010 00000000ffffffff 0000000000000000
[  454.041379] page dumped because: non-NULL mapping
[  454.041380] Modules linked in: cmac rfcomm uinput snd_soc_kbl_rt5663_max98927 snd_soc_skl_ssp_clk snd_soc_hdac_hdmi snd_soc_dmic btusb btrtl btbcm asix usbnet btintel bluetooth snd_soc_skl snd_soc_skl_ipc ecdh_generic snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core ipu3_imgu(C) ipu3_cio2 iova videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videobuf2_common snd_soc_rt5663 snd_soc_max98927 at24 snd_soc_rl6231 ov13858 ov5670 v4l2_fwnode dw9714 bridge stp llc acpi_als kfifo_buf industrialio ipt_MASQUERADE lzo lzo_compress zram xt_mark fuse snd_seq_dummy snd_seq snd_seq_device cfg80211 ip6table_filter r8152 mii joydev
[  454.045094] RAX: ffffea0001d9a288 RBX: ffff88807644d860 RCX: ffffea0001d91300
[  454.049378] CPU: 1 PID: 10289 Comm: yavta Tainted: G    B D WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  454.049380] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  454.049381] Call Trace:
[  454.049389]  dump_stack+0x6a/0xb1
[  454.049395]  bad_page+0x140/0x14a
[  454.049399]  free_pages_check+0x87/0x95
[  454.049403]  free_pcppages_bulk+0xbd/0x218
[  454.049408]  free_unref_page+0x49/0x6e
[  454.049412]  __free_pages+0x4a/0x71
[  454.049420]  vb2_dma_sg_put+0x8f/0xec [videobuf2_dma_sg]
[  454.049433]  __vb2_buf_mem_free+0x39/0x75 [videobuf2_common]
[  454.049438]  __vb2_queue_free+0xb3/0x19f [videobuf2_common]
[  454.049444]  vb2_core_reqbufs+0x12a/0x312 [videobuf2_common]
[  454.049450]  vb2_ioctl_reqbufs+0x81/0xa8 [videobuf2_v4l2]
[  454.049455]  __video_do_ioctl+0x34e/0x450
[  454.054060] RDX: ffffea0001d91340 RSI: 0000000000000004 RDI: 0000000001d91361
[  454.058234]  video_usercopy+0x25e/0x597
[  454.058238]  ? video_ioctl2+0x16/0x16
[  454.058243]  v4l2_ioctl+0x45/0x49
[  454.062148] RBP: ffff88815af17da8 R08: 0000000000000000 R09: fffffbfff6521ca7
[  454.066440]  vfs_ioctl+0x1b/0x30
[  454.066444]  do_vfs_ioctl+0x479/0x6d0
[  454.066448]  ksys_ioctl+0x53/0x79
[  454.066452]  __se_sys_ioctl+0xe/0x12
[  454.066456]  do_syscall_64+0x52/0x60
[  454.066461]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  454.066464] RIP: 0033:0x7a5d64b73967
[  454.066468] Code: 8a 66 90 48 8b 05 29 55 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 54 2b 00 f7 d8 64 89 01 48
[  454.066469] RSP: 002b:00007fff3483acd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  454.066476] RAX: ffffffffffffffda RBX: 00000000023d97a0 RCX: 00007a5d64b73967
[  454.072423] R10: ffffffffb290e533 R11: dffffc0000000000 R12: ffffffffb16dec02
[  454.078745] RDX: 00007fff3483ade0 RSI: 00000000c0145608 RDI: 0000000000000003
[  454.078747] RBP: 0000000000000007 R08: 00007a5d64e287c0 R09: 0000000000000045
[  454.078749] R10: fffffffffffff88f R11: 0000000000000246 R12: 0000000000000001
[  454.078750] R13: 00000000023d9778 R14: 00000000023d9750 R15: 000000000062b800
[  454.078758] BUG: Bad page state in process yavta  pfn:746a6
[  454.085002] R13: ffff88815b62ab70 R14: ffffea0001d91300 R15: ffff88815af08000
[  454.091322] page:ffffea0001d1a980 count:0 mapcount:0 mapping:ffff88815ae4c6c0 index:0x0
[  454.091325] flags: 0x4000000000000000()
[  454.091329] raw: 4000000000000000 dead000000000100 dead000000000200 ffff88815ae4c6c0
[  454.091331] raw: 0000000000000000 0000000000100010 00000000ffffffff 0000000000000000
[  454.097378] FS:  0000000000000000(0000) GS:ffff88815b600000(0000) knlGS:0000000000000000
[  454.101841] page dumped because: non-NULL mapping
[  454.101843] Modules linked in: cmac rfcomm uinput snd_soc_kbl_rt5663_max98927 snd_soc_skl_ssp_clk snd_soc_hdac_hdmi snd_soc_dmic btusb btrtl btbcm asix usbnet btintel bluetooth snd_soc_skl snd_soc_skl_ipc ecdh_generic snd_soc_sst_ipc snd_soc_sst_dsp snd_hda_ext_core snd_hda_core ipu3_imgu(C) ipu3_cio2 iova videobuf2_dma_sg videobuf2_memops videobuf2_v4l2 videobuf2_common snd_soc_rt5663 snd_soc_max98927 at24 snd_soc_rl6231 ov13858 ov5670 v4l2_fwnode dw9714 bridge stp llc acpi_als kfifo_buf industrialio ipt_MASQUERADE lzo lzo_compress zram xt_mark fuse snd_seq_dummy snd_seq snd_seq_device cfg80211 ip6table_filter r8152 mii joydev
[  454.106153] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  454.110240] CPU: 1 PID: 10289 Comm: yavta Tainted: G    B D WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  454.110242] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.17.0 03/22/2018
[  454.110243] Call Trace:
[  454.110250]  dump_stack+0x6a/0xb1
[  454.110265]  bad_page+0x140/0x14a
[  454.113968] CR2: 00007a8ac018f000 CR3: 00000000744ba006 CR4: 00000000003606f0
[  454.117574]  free_pages_check+0x87/0x95
[  454.117579]  free_pcppages_bulk+0xbd/0x218
[  454.117583]  free_unref_page+0x49/0x6e
[  454.121691] Kernel panic - not syncing: Fatal exception in interrupt
[  454.125400]  __free_pages+0x4a/0x71

[snip]
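
Added example, not part of the original message: a Python triage script that pulls each KASAN report out of a dmesg capture and compares the faulting pid with the "Allocated by task" and "Freed by task" pids, which is the comparison made by hand in the message above. The function names are assumptions of this example, and the sample input is abridged from the log in the message.

```python
import re

# Abridged from the dmesg in the message above; most stack frames are trimmed.
SAMPLE_DMESG = """\
[  452.429752] ==================================================================
[  452.437844] BUG: KASAN: use-after-free in ipu3_dmamap_free+0x50/0x9c [ipu3_imgu]
[  452.446123] Read of size 8 at addr ffff8881503481a0 by task yavta/10289
[  452.455191] CPU: 1 PID: 10289 Comm: yavta Tainted: G        WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  452.496637]  ipu3_dmamap_free+0x50/0x9c [ipu3_imgu]
[  452.685731] Allocated by task 10289:
[  452.693354]  __kmalloc+0x94/0x1af
[  452.705653]  ipu3_dmamap_alloc+0x333/0x503 [ipu3_imgu]
[  452.787656] Freed by task 10187:
[  452.804373]  kfree+0x8b/0x4d7
[  452.807703]  ipu3_dmamap_free+0x7e/0x9c [ipu3_imgu]
[  452.895396] The buggy address belongs to the object at ffff888150348180
                which belongs to the cache kmalloc-64 of size 64
[  453.019457] ==================================================================
[  453.034645] ==================================================================
[  453.042736] BUG: KASAN: double-free or invalid-free in kfree+0x8b/0x4d7
[  453.051817] CPU: 1 PID: 10289 Comm: yavta Tainted: G    B   WC        4.20.0-rc6-00031-g3b32400169db-dirty #37
[  453.117930]  kfree+0x8b/0x4d7
[  453.125368]  ipu3_dmamap_free+0x6d/0x9c [ipu3_imgu]
[  453.314500] Allocated by task 10289:
[  453.325832]  kvmalloc_node+0x4e/0x84
[  453.329839]  ipu3_dmamap_alloc+0xec/0x503 [ipu3_imgu]
[  453.411716] Freed by task 10187:
[  453.428430]  kfree+0x8b/0x4d7
[  453.431766]  ipu3_dmamap_free+0x6d/0x9c [ipu3_imgu]
[  453.519424] The buggy address belongs to the object at ffff888153eaf380
                which belongs to the cache kmalloc-1k of size 1024
[  453.642624] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>.+?) in (?P<where>\S+)")
BY_TASK = re.compile(r"by task \S+/(?P<pid>\d+)$")
CPU_PID = re.compile(r"CPU: \d+ PID: (?P<pid>\d+) Comm: \S+")
SECTION = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):$")
FRAME = re.compile(r"^\s*(?:\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")
CACHE = re.compile(r"belongs to the cache (?P<name>\S+) of size (?P<size>\d+)")


def parse_kasan_reports(dmesg):
    """Return one dict per KASAN report found in a dmesg capture."""
    reports, cur, section = [], None, None
    for raw in dmesg.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := BUG.search(line):
            cur = {"kind": m["kind"], "where": m["where"], "task_pid": None,
                   "alloc_pid": None, "free_pid": None,
                   "alloc_frame": None, "free_frame": None, "cache": None}
            reports.append(cur)
            section = None
        elif line.startswith("====") or cur is None:
            cur = None  # report delimiter, or text outside any report
        elif m := SECTION.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            cur[section + "_pid"] = int(m["pid"])
        elif m := CACHE.search(line):
            cur["cache"] = (m["name"], int(m["size"]))
        elif line.startswith("The buggy address"):
            section = None  # alloc/free stacks are over
        elif (m := FRAME.match(line)) and section:
            # Keep the first frame that lives in a module: the driver call
            # that requested the allocation or the free.
            if m["mod"] and cur[section + "_frame"] is None:
                cur[section + "_frame"] = m["sym"]
        elif cur["task_pid"] is None:
            # Use-after-free reports name the task on the "Read of size" line;
            # double-free reports only carry it on the "CPU: ... PID:" line.
            if m := (BY_TASK.search(line) or CPU_PID.search(line)):
                cur["task_pid"] = int(m["pid"])
    return reports


def freed_by_other_task(report):
    """True when the pid that freed the object differs from the faulting pid."""
    pids = (report["free_pid"], report["task_pid"])
    return None not in pids and pids[0] != pids[1]


def summarize(report):
    who = "another task" if freed_by_other_task(report) else "the same task"
    return (f"{report['kind']} at {report['where']}: pid {report['task_pid']} "
            f"touched a {report['cache'][0]} object allocated by pid "
            f"{report['alloc_pid']} via {report['alloc_frame']}, already freed "
            f"by {who} (pid {report['free_pid']}) via {report['free_frame']}")


if __name__ == "__main__":
    for r in parse_kasan_reports(SAMPLE_DMESG):
        print(summarize(r))
```

The parser assumes each report's lines arrive contiguously; where output from two CPUs is interleaved, as in the later part of the log above, the lines need to be separated per CPU first.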



