Kernel crash/Null pointer dereference on vblank

Johannes Hirte johannes.hirte at datenkhaos.de
Wed Nov 22 22:31:26 UTC 2017


Ok, now I have another use-after-free report, this time without dc. I
don't know if this is related, but I haven't had runtime errors without
dc so far.

kasan report:

[22697.845475] ==================================================================
[22697.845495] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x140/0x150
[22697.845500] Read of size 8 at addr ffff8801c02e91c8 by task kworker/0:2/22547

[22697.845509] CPU: 0 PID: 22547 Comm: kworker/0:2 Not tainted 4.14.0-11095-g0c86a6bd85ff #404
[22697.845513] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.09 06/09/2017
[22697.845520] Workqueue: events amd_sched_job_finish
[22697.845525] Call Trace:
[22697.845534]  dump_stack+0x99/0x11e
[22697.845541]  ? _atomic_dec_and_lock+0x152/0x152
[22697.845548]  print_address_description+0x65/0x270
[22697.845553]  kasan_report+0x272/0x360
[22697.845557]  ? amdgpu_job_free_cb+0x140/0x150
[22697.845562]  amdgpu_job_free_cb+0x140/0x150
[22697.845566]  amd_sched_job_finish+0x288/0x560
[22697.845571]  ? amd_sched_process_job+0x220/0x220
[22697.845576]  ? amdgpu_unpin_work_func+0x266/0x460
[22697.845582]  ? _raw_spin_unlock_irq+0xbe/0x120
[22697.845587]  ? _raw_spin_unlock+0x120/0x120
[22697.845593]  process_one_work+0x84b/0x1600
[22697.845599]  ? tick_nohz_dep_clear_signal+0x20/0x20
[22697.845603]  ? _raw_spin_unlock_irq+0xbe/0x120
[22697.845607]  ? _raw_spin_unlock+0x120/0x120
[22697.845611]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[22697.845617]  ? release_thread+0xa0/0xe0
[22697.845621]  ? cyc2ns_read_end+0x20/0x20
[22697.845626]  ? finish_task_switch+0x27d/0x7f0
[22697.845630]  ? wq_worker_waking_up+0xc0/0xc0
[22697.845640]  ? pci_mmcfg_check_reserved+0x100/0x100
[22697.845644]  ? pci_mmcfg_check_reserved+0x100/0x100
[22697.845648]  ? preempt_schedule_irq+0x4e/0xb0
[22697.845653]  ? retint_kernel+0x1b/0x1d
[22697.845659]  ? schedule+0xfb/0x3b0
[22697.845663]  ? __schedule+0x19b0/0x19b0
[22697.845669]  ? _raw_spin_unlock_irq+0xb9/0x120
[22697.845674]  ? _raw_spin_unlock_irq+0xbe/0x120
[22697.845678]  ? _raw_spin_unlock+0x120/0x120
[22697.845683]  worker_thread+0x211/0x1790
[22697.845692]  ? pick_next_task_fair+0x97d/0x10f0
[22697.845697]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[22697.845703]  ? tick_nohz_dep_clear_signal+0x20/0x20
[22697.845708]  ? _raw_spin_unlock_irq+0xbe/0x120
[22697.845713]  ? _raw_spin_unlock+0x120/0x120
[22697.845718]  ? compat_start_thread+0x70/0x70
[22697.845722]  ? finish_task_switch+0x27d/0x7f0
[22697.845727]  ? sched_clock_cpu+0x18/0x1e0
[22697.845733]  ? ret_from_fork+0x1f/0x30
[22697.845739]  ? pci_mmcfg_check_reserved+0x100/0x100
[22697.845744]  ? unix_write_space+0x410/0x410
[22697.845749]  ? cyc2ns_read_end+0x20/0x20
[22697.845755]  ? schedule+0xfb/0x3b0
[22697.845759]  ? __schedule+0x19b0/0x19b0
[22697.845765]  ? remove_wait_queue+0x2b0/0x2b0
[22697.845770]  ? arch_vtime_task_switch+0xee/0x190
[22697.845774]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[22697.845778]  ? _raw_spin_unlock_irq+0x120/0x120
[22697.845783]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[22697.845788]  kthread+0x2d4/0x390
[22697.845793]  ? kthread_create_worker+0xd0/0xd0
[22697.845797]  ret_from_fork+0x1f/0x30

[22697.845809] Allocated by task 2378:
[22697.845817]  kasan_kmalloc+0xa0/0xd0
[22697.845822]  kmem_cache_alloc_trace+0xd1/0x1e0
[22697.845829]  amdgpu_driver_open_kms+0x12b/0x4d0
[22697.845839]  drm_open+0x7c3/0x1100
[22697.845843]  drm_stub_open+0x2a8/0x400
[22697.845851]  chrdev_open+0x1eb/0x5a0
[22697.845857]  do_dentry_open+0x5a1/0xc50
[22697.845865]  path_openat+0x11d3/0x4e90
[22697.845868]  do_filp_open+0x239/0x3c0
[22697.845872]  do_sys_open+0x402/0x630
[22697.845878]  do_syscall_64+0x220/0x670
[22697.845881]  return_from_SYSCALL_64+0x0/0x65

[22697.845887] Freed by task 24090:
[22697.845892]  kasan_slab_free+0x71/0xc0
[22697.845895]  kfree+0x88/0x1b0
[22697.845900]  amdgpu_driver_postclose_kms+0x469/0x860
[22697.845904]  drm_release+0x8a8/0x1180
[22697.845909]  __fput+0x2ab/0x730
[22697.845913]  task_work_run+0x14b/0x200
[22697.845919]  do_exit+0x7c6/0x13a0
[22697.845922]  do_group_exit+0x121/0x340
[22697.845926]  SyS_exit_group+0x14/0x20
[22697.845929]  do_syscall_64+0x220/0x670
[22697.845932]  return_from_SYSCALL_64+0x0/0x65

[22697.845940] The buggy address belongs to the object at ffff8801c02e9100
[22697.845946] The buggy address is located 200 bytes inside of
[22697.845949] The buggy address belongs to the page:
[22697.845958] page:ffffea000700ba00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[22697.845967] flags: 0x2000000000008100(slab|head)
[22697.845977] raw: 2000000000008100 0000000000000000 0000000000000000 00000001000f000f
[22697.845982] raw: dead000000000100 dead000000000200 ffff8803f3402a80 0000000000000000
[22697.845985] page dumped because: kasan: bad access detected

[22697.845990] Memory state around the buggy address:
[22697.845995]  ffff8801c02e9080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[22697.845999]  ffff8801c02e9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[22697.846003] >ffff8801c02e9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[22697.846005]                                               ^
[22697.846009]  ffff8801c02e9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[22697.846012]  ffff8801c02e9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[22697.846015] ==================================================================
[22697.846018] Disabling lock debugging due to kernel taint

-- 
Regards,
  Johannes
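The report above, broken into the pieces an analyst actually works with, as an added example that is not code from this thread or from the amdgpu driver: a small parser for the KASAN report format that recovers the bug type, faulting function, access kind and size, the allocating and freeing tasks and their stacks, computes the offset of the faulting address inside the slab object, and decodes the shadow byte under the `^` marker. The sample input is a trimmed copy of the report in the post; the shadow-byte encodings (`fb` freed slab object, `fc` slab redzone, `00` accessible) are KASAN's standard ones; the list of allocator-internal frame prefixes skipped to find the owning driver frame is an assumption of this example, not something the report states.

```python
"""Parse a KASAN use-after-free report like the one in this thread.

Added example; not code from the amd-gfx thread or the amdgpu driver.
SAMPLE_REPORT is a trimmed copy of the report in the post (only the
lines the parser needs).  Shadow-byte meanings follow KASAN's standard
encoding; ALLOCATOR_PREFIXES is this example's own heuristic.
"""
import re

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

SHADOW_MEANING = {
    0x00: "accessible",
    0xfa: "free-range (left) redzone",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
}

# Frames to skip when looking for the driver function that owns an
# allocation or free.  Heuristic chosen for this example.
ALLOCATOR_PREFIXES = ("kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc")

SAMPLE_REPORT = """\
[22697.845495] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x140/0x150
[22697.845500] Read of size 8 at addr ffff8801c02e91c8 by task kworker/0:2/22547
[22697.845809] Allocated by task 2378:
[22697.845817]  kasan_kmalloc+0xa0/0xd0
[22697.845822]  kmem_cache_alloc_trace+0xd1/0x1e0
[22697.845829]  amdgpu_driver_open_kms+0x12b/0x4d0
[22697.845839]  drm_open+0x7c3/0x1100
[22697.845887] Freed by task 24090:
[22697.845892]  kasan_slab_free+0x71/0xc0
[22697.845895]  kfree+0x88/0x1b0
[22697.845900]  amdgpu_driver_postclose_kms+0x469/0x860
[22697.845904]  drm_release+0x8a8/0x1180
[22697.845940] The buggy address belongs to the object at ffff8801c02e9100
[22697.846003] >ffff8801c02e9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def strip_timestamp(line):
    """Drop the leading '[seconds.micros] ' dmesg prefix, if present."""
    return re.sub(r"^\[\s*\d+\.\d+\]\s?", "", line)


def parse_kasan_report(text):
    """Extract the fields of a KASAN report into a dict."""
    info = {"alloc_stack": [], "free_stack": []}
    current = None  # which stack (if any) the following frames belong to
    for raw in text.splitlines():
        line = strip_timestamp(raw)
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)", line)
        if m:
            info["bug_type"], info["where"] = m.group(1), m.group(2)
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line)
        if m:
            info["access"] = m.group(1).lower()
            info["size"] = int(m.group(2))
            info["addr"] = int(m.group(3), 16)
            info["task"] = m.group(4)
            continue
        m = re.match(r"Allocated by task (\d+):", line)
        if m:
            info["alloc_task"] = int(m.group(1))
            current = "alloc_stack"
            continue
        m = re.match(r"Freed by task (\d+):", line)
        if m:
            info["free_task"] = int(m.group(1))
            current = "free_stack"
            continue
        m = re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line)
        if m:
            info["object"] = int(m.group(1), 16)
            current = None
            continue
        # The '>' line is the shadow row that contains the faulting address.
        m = re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", line)
        if m:
            info["shadow_base"] = int(m.group(1), 16)
            info["shadow"] = [int(b, 16) for b in m.group(2).split()]
            current = None
            continue
        # Stack frame: 'symbol+0xoff/0xsize', optionally marked '? ' as unreliable.
        m = re.match(r"\s(?:\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$", line)
        if m and current:
            info[current].append(m.group(1))
            continue
        if current and not line.strip():
            current = None
    return info


def owning_frame(stack):
    """First frame that is not allocator/KASAN plumbing, without its offset."""
    for frame in stack:
        if not frame.startswith(ALLOCATOR_PREFIXES):
            return frame.split("+")[0]
    return None


def analyze(info):
    """Derive what the report implies: offset in object, shadow state, sites."""
    offset = info["addr"] - info["object"]
    idx = (info["addr"] - info["shadow_base"]) // SHADOW_SCALE
    shadow = info["shadow"][idx] if 0 <= idx < len(info["shadow"]) else None
    return {
        "bug_type": info["bug_type"],
        "faulting_function": info["where"].split("+")[0],
        "access": f"{info['access']} of {info['size']} bytes",
        "offset_in_object": offset,
        "shadow_byte": shadow,
        "shadow_meaning": SHADOW_MEANING.get(shadow, "unknown/partial"),
        "allocated_in": owning_frame(info["alloc_stack"]),
        "freed_in": owning_frame(info["free_stack"]),
        "same_task": info["alloc_task"] == info["free_task"],
    }


if __name__ == "__main__":
    for k, v in analyze(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{k:>18}: {v}")
```

On the report in this post the computed offset is 200, matching the truncated "200 bytes inside of" line, and the shadow byte under the marker is `fb`, i.e. the slab object was already freed when the 8-byte read happened. The allocation site is `amdgpu_driver_open_kms` (per-open private data) and the free site is `amdgpu_driver_postclose_kms` reached from `exit_group`, while the read runs from a kworker in `amdgpu_job_free_cb`: three different contexts touching one object, which is the shape the three stacks describe.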