KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

Michel Dänzer michel at daenzer.net
Fri Jun 8 14:07:13 UTC 2018 

KASAN picked up something during today's piglit run on
amd-staging-drm-next, see attached. I've never seen this one before.


-- 
Earthling Michel Dänzer               |               http://www.amd.com
Libre software enthusiast             |             Mesa and X developer
-------------- next part --------------
[  386.246490] ==================================================================
[  386.246604] BUG: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[  386.246610] Read of size 4 at addr ffff8803dd6871f0 by task amdgpu_cs:0/2132

[  386.246621] CPU: 0 PID: 2132 Comm: amdgpu_cs:0 Tainted: G    B D W  OE    4.16.0-rc7+ #104
[  386.246626] Hardware name: Micro-Star International Co., Ltd. MS-7A34/B350 TOMAHAWK (MS-7A34), BIOS 1.80 09/13/2017
[  386.246631] Call Trace:
[  386.246640]  dump_stack+0x85/0xc1
[  386.246649]  print_address_description+0x6a/0x270
[  386.246657]  kasan_report+0x258/0x380
[  386.246762]  ? amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[  386.246862]  amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[  386.246971]  amdgpu_vm_bo_update+0x11a3/0x1cb0 [amdgpu]
[  386.246983]  ? lock_downgrade+0x5e0/0x5e0
[  386.247092]  ? amdgpu_vm_handle_moved+0x92/0x5c0 [amdgpu]
[  386.247202]  amdgpu_vm_handle_moved+0x239/0x5c0 [amdgpu]
[  386.247291]  ? amdgpu_vm_clear_freed+0x450/0x450 [amdgpu]
[  386.247380]  ? amdgpu_sync_fence+0x145/0x560 [amdgpu]
[  386.247468]  amdgpu_cs_ioctl+0x3e8c/0x4d80 [amdgpu]
[  386.247552]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[  386.247638]  ? amdgpu_bo_list_ioctl+0x2aa/0x650 [amdgpu]
[  386.247643]  ? save_stack+0x89/0xb0
[  386.247649]  ? __kasan_slab_free+0x136/0x180
[  386.247654]  ? kfree+0xf9/0x2f0
[  386.247740]  ? amdgpu_bo_list_ioctl+0x2aa/0x650 [amdgpu]
[  386.247764]  ? drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.247786]  ? drm_ioctl+0x67a/0x980 [drm]
[  386.247867]  ? amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.247872]  ? do_vfs_ioctl+0x192/0xee0
[  386.247876]  ? SyS_ioctl+0x74/0x80
[  386.247881]  ? do_syscall_64+0x198/0x5c0
[  386.247886]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  386.247894]  ? idr_get_free+0x4b3/0x980
[  386.247904]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[  386.247925]  ? get_futex_key+0xc20/0xc20
[  386.248011]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[  386.248035]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.248061]  drm_ioctl+0x67a/0x980 [drm]
[  386.248148]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[  386.248172]  ? drm_getstats+0x20/0x20 [drm]
[  386.248179]  ? lock_downgrade+0x5e0/0x5e0
[  386.248184]  ? __pm_runtime_resume+0x68/0xf0
[  386.248190]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[  386.248276]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.248283]  do_vfs_ioctl+0x192/0xee0
[  386.248290]  ? ioctl_preallocate+0x1b0/0x1b0
[  386.248296]  ? __fget+0x1bc/0x300
[  386.248302]  ? lock_downgrade+0x5e0/0x5e0
[  386.248306]  ? __fget+0x49/0x300
[  386.248312]  ? SyS_futex+0x197/0x200
[  386.248319]  ? __fget+0x1db/0x300
[  386.248328]  SyS_ioctl+0x74/0x80
[  386.248333]  ? do_vfs_ioctl+0xee0/0xee0
[  386.248338]  do_syscall_64+0x198/0x5c0
[  386.248346]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  386.248351] RIP: 0033:0x7f98ef330f07
[  386.248355] RSP: 002b:00007f98e4cb4ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  386.248361] RAX: ffffffffffffffda RBX: 00007f98e4cb4bd8 RCX: 00007f98ef330f07
[  386.248365] RDX: 00007f98e4cb4b50 RSI: 00000000c0186444 RDI: 000000000000000e
[  386.248369] RBP: 00007f98e4cb4b10 R08: 00007f98e4cb4c00 R09: 00007f98e4cb4bd8
[  386.248373] R10: 00007f98e4cb4c00 R11: 0000000000000246 R12: 00007f98e4cb4b50
[  386.248376] R13: 00000000c0186444 R14: 000000000000000e R15: 0000000000000000

[  386.248390] Allocated by task 17099:
[  386.248395]  kasan_kmalloc+0xa0/0xd0
[  386.248399]  kmem_cache_alloc_trace+0x12f/0x310
[  386.248482]  amdgpu_ttm_tt_create+0x47/0xc0 [amdgpu]
[  386.248492]  ttm_tt_create+0x171/0x2d0 [ttm]
[  386.248502]  ttm_bo_handle_move_mem+0x1441/0x2270 [ttm]
[  386.248511]  ttm_bo_evict+0x35a/0x960 [ttm]
[  386.248521]  ttm_mem_evict_first+0x349/0x550 [ttm]
[  386.248531]  ttm_bo_mem_space+0x78a/0xe10 [ttm]
[  386.248541]  ttm_bo_validate+0x293/0x4a0 [ttm]
[  386.248625]  amdgpu_cs_bo_validate+0x34c/0x860 [amdgpu]
[  386.248709]  amdgpu_cs_validate+0x94/0xb40 [amdgpu]
[  386.248793]  amdgpu_cs_list_validate+0x197/0x3e0 [amdgpu]
[  386.248877]  amdgpu_cs_ioctl+0x3310/0x4d80 [amdgpu]
[  386.248899]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.248921]  drm_ioctl+0x67a/0x980 [drm]
[  386.249002]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.249006]  do_vfs_ioctl+0x192/0xee0
[  386.249010]  SyS_ioctl+0x74/0x80
[  386.249014]  do_syscall_64+0x198/0x5c0
[  386.249019]  entry_SYSCALL_64_after_hwframe+0x42/0xb7

[  386.249024] Freed by task 17598:
[  386.249029]  __kasan_slab_free+0x136/0x180
[  386.249033]  kfree+0xf9/0x2f0
[  386.249043]  ttm_bo_pipeline_move+0x870/0xa50 [ttm]
[  386.249126]  amdgpu_move_blit.constprop.16+0x1f1/0x240 [amdgpu]
[  386.249209]  amdgpu_move_ram_vram.constprop.14+0x1df/0x270 [amdgpu]
[  386.249293]  amdgpu_bo_move+0x511/0x640 [amdgpu]
[  386.249303]  ttm_bo_handle_move_mem+0x8b3/0x2270 [ttm]
[  386.249312]  ttm_bo_validate+0x3b1/0x4a0 [ttm]
[  386.249396]  amdgpu_cs_bo_validate+0x34c/0x860 [amdgpu]
[  386.249481]  amdgpu_cs_validate+0x94/0xb40 [amdgpu]
[  386.249565]  amdgpu_cs_list_validate+0x197/0x3e0 [amdgpu]
[  386.249649]  amdgpu_cs_ioctl+0x3310/0x4d80 [amdgpu]
[  386.249671]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.249694]  drm_ioctl+0x67a/0x980 [drm]
[  386.249779]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.249783]  do_vfs_ioctl+0x192/0xee0
[  386.249787]  SyS_ioctl+0x74/0x80
[  386.249792]  do_syscall_64+0x198/0x5c0
[  386.249797]  entry_SYSCALL_64_after_hwframe+0x42/0xb7

[  386.249804] The buggy address belongs to the object at ffff8803dd687180
                which belongs to the cache kmalloc-256 of size 256
[  386.249810] The buggy address is located 112 bytes inside of
                256-byte region [ffff8803dd687180, ffff8803dd687280)
[  386.249814] The buggy address belongs to the page:
[  386.249819] page:ffffea000f75a180 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[  386.249826] flags: 0x17fffc000008100(slab|head)
[  386.249832] raw: 017fffc000008100 0000000000000000 0000000000000000 0000000180190019
[  386.249838] raw: dead000000000100 dead000000000200 ffff8803ed80ee00 0000000000000000
[  386.249841] page dumped because: kasan: bad access detected

[  386.249847] Memory state around the buggy address:
[  386.249851]  ffff8803dd687080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  386.249856]  ffff8803dd687100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  386.249860] >ffff8803dd687180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  386.249864]                                                              ^
[  386.249868]  ffff8803dd687200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  386.249872]  ffff8803dd687280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[  386.249875] ==================================================================
[  692.664488] amdgpu 0000:23:00.0: Disabling VM faults because of PRT request!

More information about the amd-gfx mailing list