radeon on drm-tip: null-ptr deref in radeon_ttm_bo_destroy()

Christian König ckoenig.leichtzumerken at gmail.com
Tue Jun 22 12:16:56 UTC 2021


Hi Thomas,

yeah that's a known issue. A patch to fix that is already under review.

Christian.

On 22.06.21 at 14:03, Thomas Zimmermann wrote:
> Hi,
>
> on drm-tip, I see a null-ptr deref in radeon_ttm_bo_destroy(). Happens 
> when I try to start weston or X. Full error is below. Let me know if 
> you need more info.
>
> Best regards
> Thomas
>
>> [ 1849.999218] 
>> ==================================================================
>
>> [ 1850.006544] BUG: KASAN: null-ptr-deref in 
>> radeon_ttm_bo_destroy+0x39/0x1d0 [radeon]
>
>> [ 1850.014312] Read of size 4 at addr 0000000000000010 by task 
>> weston/1434
>
>> [ 1850.020938] 
>
>> [ 1850.022434] CPU: 7 PID: 1434 Comm: weston Tainted: G            
>> E     5.13.0-rc7-1-default+ #972
>
>> [ 1850.031233] Hardware name: Dell Inc. OptiPlex 9020/0N4YC8, BIOS 
>> A24 10/24/2018
>
>> [ 1850.038466] Call Trace:
>
>> [ 1850.040920]  dump_stack+0xa5/0xdc
>
>> [ 1850.044249]  ? radeon_ttm_bo_destroy+0x39/0x1d0 [radeon]
>
>> [ 1850.049639] kasan_report.cold+0x5f/0xd8
>
>> [ 1850.053575]  ? radeon_ttm_bo_destroy+0x39/0x1d0 [radeon]
>
>> [ 1850.058967] radeon_ttm_bo_destroy+0x39/0x1d0 [radeon]
>
>> [ 1850.064189]  radeon_bo_unref+0x1f/0x30 [radeon]
>
>> [ 1850.068798] radeon_gem_object_free+0x5f/0x80 [radeon]
>
>> [ 1850.074016]  ? radeon_gem_object_mmap+0x70/0x70 [radeon]
>
>> [ 1850.079404]  ? drm_gem_object_handle_put_unlocked+0xd0/0x160 [drm]
>
>> [ 1850.085673]  ? drm_gem_object_free+0x25/0x40 [drm]
>
>> [ 1850.090524] drm_gem_object_release_handle+0x8e/0xa0 [drm]
>
>> [ 1850.096070] drm_gem_handle_delete+0x5b/0xa0 [drm]
>
>> [ 1850.100922]  ? drm_gem_handle_create+0x50/0x50 [drm]
>
>> [ 1850.105947] drm_ioctl_kernel+0x131/0x180 [drm]
>
>> [ 1850.110538]  ? drm_setversion+0x340/0x340 [drm]
>
>> [ 1850.115135]  ? drm_gem_handle_create+0x50/0x50 [drm]
>
>> [ 1850.120157]  drm_ioctl+0x309/0x540 [drm]
>
>> [ 1850.124143]  ? drm_version+0x150/0x150 [drm]
>
>> [ 1850.128470]  ? __lock_release+0x12f/0x4e0
>
>> [ 1850.132496]  ? lock_downgrade+0xa0/0xa0
>
>> [ 1850.136342]  ? rpm_callback+0xe0/0xe0
>
>> [ 1850.140015]  ? mark_held_locks+0x23/0x90
>
>> [ 1850.143951]  ? lockdep_hardirqs_on_prepare.part.0+0x128/0x1d0
>
>> [ 1850.149708]  ? _raw_spin_unlock_irqrestore+0x37/0x40
>
>> [ 1850.154684]  ? lockdep_hardirqs_on+0x77/0xf0
>
>> [ 1850.158967]  ? _raw_spin_unlock_irqrestore+0x37/0x40
>
>> [ 1850.163947]  radeon_drm_ioctl+0x75/0xd0 [radeon]
>
>> [ 1850.168644]  __x64_sys_ioctl+0xb9/0xf0
>
>> [ 1850.172406]  do_syscall_64+0x40/0xb0
>
>> [ 1850.175992] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
>> [ 1850.181053] RIP: 0033:0x7f7d5fd0c0bb
>
>> [ 1850.184636] Code: ff ff ff 85 c0 79 8b 49 c7 c4 ff ff ff ff 5b 5d 
>> 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 
>> 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 bd 0c 00 f7 d8 64 
>> 89 01 48
>
>> [ 1850.203436] RSP: 002b:00007ffc3fb35778 EFLAGS: 00000246 ORIG_RAX: 
>> 0000000000000010
>
>> [ 1850.211020] RAX: ffffffffffffffda RBX: 00007ffc3fb357c8 RCX: 
>> 00007f7d5fd0c0bb
>
>> [ 1850.218171] RDX: 00007ffc3fb357c8 RSI: 0000000040086409 RDI: 
>> 0000000000000010
>
>> [ 1850.225330] RBP: 0000000040086409 R08: 0000000000000000 R09: 
>> ffffffffffffffff
>
>> [ 1850.232489] R10: 00007ffc3fbf4080 R11: 0000000000000246 R12: 
>> 00005561d758e130
>
>> [ 1850.239647] R13: 0000000000000010 R14: 00005561d7bda6f0 R15: 
>> 00005561d7bcb250
>
>> [ 1850.246863] 
>> ==================================================================
>
>> [ 1850.254107] Disabling lock debugging due to kernel taint
>
>> [ 1850.259487] BUG: kernel NULL pointer dereference, address: 
>> 0000000000000010
>
>> [ 1850.266458] #PF: supervisor read access in kernel mode
>
>> [ 1850.271602] #PF: error_code(0x0000) - not-present page
>
>> [ 1850.276746] PGD 0 P4D 0 
>
>> [ 1850.279283] Oops: 0000 [#1] SMP KASAN PTI
>
>> [ 1850.283296] CPU: 7 PID: 1434 Comm: weston Tainted: G    B       
>> E     5.13.0-rc7-1-default+ #972
>
>> [ 1850.292092] Hardware name: Dell Inc. OptiPlex 9020/0N4YC8, BIOS 
>> A24 10/24/2018
>
>> [ 1850.299324] RIP: 0010:radeon_ttm_bo_destroy+0x40/0x1d0 [radeon]
>
>> [ 1850.305323] Code: 81 c7 68 02 00 00 53 4c 8d ad 08 03 00 00 e8 47 
>> 0f d6 ce 48 8b 9d 68 02 00 00 48 8d 7b 10 e8 37 0e d6 ce 48 8d bd 18 
>> 01 00 00 <44> 8b 7b 10 e8 27 0f d6 ce 4c 8b b5 18 01 00 00 4c 89 ef 
>> e8 18 0f
>
>> [ 1850.324124] RSP: 0018:ffffc9000367fbf8 EFLAGS: 00010282
>
>> [ 1850.329356] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 
>> dffffc0000000000
>
>> [ 1850.336499] RDX: 0000000000000007 RSI: 0000000000000004 RDI: 
>> ffff88818b2fd190
>
>> [ 1850.343643] RBP: ffff88818b2fd078 R08: 0000000000000000 R09: 
>> ffffffff9154f743
>
>> [ 1850.350787] R10: fffffbfff22a9ee8 R11: 0000000000000001 R12: 
>> ffff88818b2fd000
>
>> [ 1850.357933] R13: ffff88818b2fd380 R14: ffff8881ecf87098 R15: 
>> ffff8881ecf87038
>
>> [ 1850.365076] FS:  00007f7d5f6618c0(0000) GS:ffff8887b7e00000(0000) 
>> knlGS:0000000000000000
>
>> [ 1850.373176] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>
>> [ 1850.378927] CR2: 0000000000000010 CR3: 000000024b49a002 CR4: 
>> 00000000001706e0
>
>> [ 1850.386070] Call Trace:
>
>> [ 1850.388519]  radeon_bo_unref+0x1f/0x30 [radeon]
>
>> [ 1850.393125] radeon_gem_object_free+0x5f/0x80 [radeon]
>
>> [ 1850.398338]  ? radeon_gem_object_mmap+0x70/0x70 [radeon]
>
>> [ 1850.403724]  ? drm_gem_object_handle_put_unlocked+0xd0/0x160 [drm]
>
>> [ 1850.409960]  ? drm_gem_object_free+0x25/0x40 [drm]
>
>> [ 1850.414806] drm_gem_object_release_handle+0x8e/0xa0 [drm]
>
>> [ 1850.420346] drm_gem_handle_delete+0x5b/0xa0 [drm]
>
>> [ 1850.425194]  ? drm_gem_handle_create+0x50/0x50 [drm]
>
>> [ 1850.430215] drm_ioctl_kernel+0x131/0x180 [drm]
>
>> [ 1850.434803]  ? drm_setversion+0x340/0x340 [drm]
>
>> [ 1850.439386]  ? drm_gem_handle_create+0x50/0x50 [drm]
>
>> [ 1850.444407]  drm_ioctl+0x309/0x540 [drm]
>
>> [ 1850.448384]  ? drm_version+0x150/0x150 [drm]
>
>> [ 1850.452708]  ? __lock_release+0x12f/0x4e0
>
>> [ 1850.456722]  ? lock_downgrade+0xa0/0xa0
>
>> [ 1850.460562]  ? rpm_callback+0xe0/0xe0
>
>> [ 1850.464230]  ? mark_held_locks+0x23/0x90
>
>> [ 1850.468155]  ? lockdep_hardirqs_on_prepare.part.0+0x128/0x1d0
>
>> [ 1850.473910]  ? _raw_spin_unlock_irqrestore+0x37/0x40
>
>> [ 1850.478880]  ? lockdep_hardirqs_on+0x77/0xf0
>
>> [ 1850.483156]  ? _raw_spin_unlock_irqrestore+0x37/0x40
>
>> [ 1850.488128]  radeon_drm_ioctl+0x75/0xd0 [radeon]
>
>> [ 1850.492817]  __x64_sys_ioctl+0xb9/0xf0
>
>> [ 1850.496570]  do_syscall_64+0x40/0xb0
>
>> [ 1850.500150] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
>> [ 1850.505209] RIP: 0033:0x7f7d5fd0c0bb
>
>> [ 1850.508787] Code: ff ff ff 85 c0 79 8b 49 c7 c4 ff ff ff ff 5b 5d 
>> 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 
>> 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 bd 0c 00 f7 d8 64 
>> 89 01 48
>
>> [ 1850.527580] RSP: 002b:00007ffc3fb35778 EFLAGS: 00000246 ORIG_RAX: 
>> 0000000000000010
>
>> [ 1850.535157] RAX: ffffffffffffffda RBX: 00007ffc3fb357c8 RCX: 
>> 00007f7d5fd0c0bb
>
>> [ 1850.542299] RDX: 00007ffc3fb357c8 RSI: 0000000040086409 RDI: 
>> 0000000000000010
>
>> [ 1850.549443] RBP: 0000000040086409 R08: 0000000000000000 R09: 
>> ffffffffffffffff
>
>> [ 1850.556587] R10: 00007ffc3fbf4080 R11: 0000000000000246 R12: 
>> 00005561d758e130
>
>> [ 1850.563733] R13: 0000000000000010 R14: 00005561d7bda6f0 R15: 
>> 00005561d7bcb250
>
>> [ 1850.570878] Modules linked in: af_packet(E) rfkill(E) dmi_sysfs(E) 
>> intel_rapl_msr(E) snd_hda_codec_realtek(E) snd_hda_codec_generic(E) 
>> intel_rapl_common(E) ledtrig_audio(E) snd_hda_codec_hdmi(E) 
>> x86_pkg_temp_thermal(E) snd_hda_intel(E)
>
>> [ 1850.570970]  blake2b_generic(E) libcrc32c(E) crc32c_intel(E) 
>> xor(E) raid6_pq(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) 
>> scsi_dh_emc(E) scsi_dh_alua(E) msr(E) efivarfs(E)
>
>> [ 1850.673011] CR2: 0000000000000010
>
>> [ 1850.676355] ---[ end trace 7f92395c6274c049 ]---
>
>> [ 1850.703761] RIP: 0010:radeon_ttm_bo_destroy+0x40/0x1d0 [radeon]
>
>> [ 1850.709761] Code: 81 c7 68 02 00 00 53 4c 8d ad 08 03 00 00 e8 47 
>> 0f d6 ce 48 8b 9d 68 02 00 00 48 8d 7b 10 e8 37 0e d6 ce 48 8d bd 18 
>> 01 00 00 <44> 8b 7b 10 e8 27 0f d6 ce 4c 8b b5 18 01 00 00 4c 89 ef 
>> e8 18 0f
>
>> [ 1850.728562] RSP: 0018:ffffc9000367fbf8 EFLAGS: 00010282
>
>> [ 1850.733800] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 
>> dffffc0000000000
>
>> [ 1850.740949] RDX: 0000000000000007 RSI: 0000000000000004 RDI: 
>> ffff88818b2fd190
>
>> [ 1850.748095] RBP: ffff88818b2fd078 R08: 0000000000000000 R09: 
>> ffffffff9154f743
>
>> [ 1850.755242] R10: fffffbfff22a9ee8 R11: 0000000000000001 R12: 
>> ffff88818b2fd000
>
>> [ 1850.762388] R13: ffff88818b2fd380 R14: ffff8881ecf87098 R15: 
>> ffff8881ecf87038
>
>> [ 1850.769533] FS:  00007f7d5f6618c0(0000) GS:ffff8887b7e00000(0000) 
>> knlGS:0000000000000000
>
>> [ 1850.777634] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>
>> [ 1850.783391] CR2: 0000000000000010 CR3: 000000024b49a002 CR4: 
>> 00000000001706e0
>