[Bug 199425] New: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
bugzilla-daemon at bugzilla.kernel.org
Tue Apr 17 08:01:51 UTC 2018
https://bugzilla.kernel.org/show_bug.cgi?id=199425
Bug ID: 199425
Summary: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
Product: Drivers
Version: 2.5
Kernel Version: 4.17-rc1
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Video(DRI - non Intel)
Assignee: drivers_video-dri at kernel-bugs.osdl.org
Reporter: johannes.hirte at datenkhaos.de
Regression: No
With dc enabled, I get the following use-after-free on my Carrizo:
[53213.875800]
==================================================================
[53213.875826] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875835] Read of size 8 at addr ffff8801063aaa88 by task kworker/u8:3/9911
[53213.875848] CPU: 3 PID: 9911 Comm: kworker/u8:3 Not tainted 4.17.0-rc1-00001-g9e7729e9a66c #566
[53213.875855] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.12 12/19/2017
[53213.875864] Workqueue: events_unbound commit_work
[53213.875870] Call Trace:
[53213.875881] dump_stack+0x5b/0x8b
[53213.875890] ? drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875899] print_address_description+0x65/0x270
[53213.875907] ? drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875913] kasan_report+0x232/0x350
[53213.875920] drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875930] amdgpu_dm_atomic_commit_tail+0x1b19/0x4010
[53213.875940] ? _raw_spin_unlock_irq+0x35/0x50
[53213.875946] ? wait_for_completion_timeout+0x215/0x2b0
[53213.875953] ? btrfs_rmap_block+0x9c0/0x9c0
[53213.875959] ? dm_update_crtcs_state+0xcb0/0xcb0
[53213.875966] ? _raw_spin_unlock_irqrestore+0x3a/0x70
[53213.875973] ? try_to_wake_up+0xa1/0xf90
[53213.875980] ? drm_atomic_helper_wait_for_dependencies+0x3de/0x7d0
[53213.875986] ? normal_work_helper+0x273/0xa70
[53213.875993] commit_tail+0x95/0xf0
[53213.876000] process_one_work+0x7c8/0x1330
[53213.876006] ? _raw_spin_lock_irq+0x1c/0x40
[53213.876013] worker_thread+0xc9/0xef0
[53213.876021] ? process_one_work+0x1330/0x1330
[53213.876026] kthread+0x2d6/0x390
[53213.876032] ? kthread_create_worker+0xd0/0xd0
[53213.876038] ret_from_fork+0x22/0x40
[53213.876049] Allocated by task 508:
[53213.876056] kasan_kmalloc+0xa0/0xd0
[53213.876063] kmem_cache_alloc_trace+0xf3/0x1f0
[53213.876068] dm_crtc_duplicate_state+0x73/0x130
[53213.876075] drm_atomic_get_crtc_state+0x142/0x400
[53213.876080] page_flip_common+0x52/0x220
[53213.876086] drm_atomic_helper_page_flip+0xa1/0x100
[53213.876093] drm_mode_page_flip_ioctl+0xbe3/0xff0
[53213.876100] drm_ioctl_kernel+0x13d/0x1d0
[53213.876106] drm_ioctl+0x63d/0x920
[53213.876112] amdgpu_drm_ioctl+0xc7/0x1a0
[53213.876120] do_vfs_ioctl+0x173/0xde0
[53213.876125] ksys_ioctl+0x6b/0x80
[53213.876130] __x64_sys_ioctl+0x6a/0xb0
[53213.876137] do_syscall_64+0x95/0x2f0
[53213.876142] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[53213.876149] Freed by task 637:
[53213.876154] __kasan_slab_free+0x130/0x180
[53213.876159] kfree+0x8b/0x1c0
[53213.876164] drm_atomic_state_default_clear+0x2c5/0xa00
[53213.876169] __drm_atomic_state_free+0x30/0xc0
[53213.876174] drm_atomic_helper_update_plane+0xb6/0x350
[53213.876179] __setplane_internal+0x48c/0x7f0
[53213.876184] drm_mode_cursor_universal+0x2e7/0x970
[53213.876189] drm_mode_cursor_common+0x493/0x860
[53213.876194] drm_mode_cursor_ioctl+0x7a/0xa0
[53213.876199] drm_ioctl_kernel+0x13d/0x1d0
[53213.876203] drm_ioctl+0x63d/0x920
[53213.876207] amdgpu_drm_ioctl+0xc7/0x1a0
[53213.876212] do_vfs_ioctl+0x173/0xde0
[53213.876216] ksys_ioctl+0x6b/0x80
[53213.876221] __x64_sys_ioctl+0x6a/0xb0
[53213.876225] do_syscall_64+0x95/0x2f0
[53213.876230] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[53213.876239] The buggy address belongs to the object at ffff8801063aa880 which belongs to the cache kmalloc-1024 of size 1024
[53213.876247] The buggy address is located 520 bytes inside of 1024-byte region [ffff8801063aa880, ffff8801063aac80)
[53213.876252] The buggy address belongs to the page:
[53213.876258] page:ffffea000418ea00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[53213.876268] flags: 0x2000000000008100(slab|head)
[53213.876278] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[53213.876284] raw: dead000000000100 dead000000000200 ffff8803f3402c40 0000000000000000
[53213.876288] page dumped because: kasan: bad access detected
[53213.876294] Memory state around the buggy address:
[53213.876300]  ffff8801063aa980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876305]  ffff8801063aaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876310] >ffff8801063aaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876313]                                            ^
[53213.876319]  ffff8801063aab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876324]  ffff8801063aab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876327]
==================================================================
[53213.876331] Disabling lock debugging due to kernel taint
I've observed this already with kernel 4.14, 4.15 and 4.16.
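Added here as a triage aid, not part of the bug report or of the kernel tree: a small Python parser for KASAN splats of this shape that extracts the access type and size, the first non-instrumentation frame of the use, allocation and free stacks (skipping "?" frames and KASAN/allocator plumbing), and recomputes the 520-byte offset inside the kmalloc-1024 object. It runs over a constructed excerpt of the report above; the NOISE prefix list is an assumption of which frames to ignore.

```python
import re

# Constructed excerpt of this bug's KASAN splat (timestamps dropped, mail wraps rejoined).
REPORT = """\
BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
Read of size 8 at addr ffff8801063aaa88 by task kworker/u8:3/9911
Call Trace:
 dump_stack+0x5b/0x8b
 ? drm_atomic_helper_wait_for_flip_done+0x247/0x260
 kasan_report+0x232/0x350
 drm_atomic_helper_wait_for_flip_done+0x247/0x260
Allocated by task 508:
 kasan_kmalloc+0xa0/0xd0
 kmem_cache_alloc_trace+0xf3/0x1f0
 dm_crtc_duplicate_state+0x73/0x130
Freed by task 637:
 __kasan_slab_free+0x130/0x180
 kfree+0x8b/0x1c0
 drm_atomic_state_default_clear+0x2c5/0xa00
The buggy address belongs to the object at ffff8801063aa880
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 520 bytes inside of
 1024-byte region [ffff8801063aa880, ffff8801063aac80)
"""
# Assumed list of KASAN/allocator plumbing frames: they never identify the culprit.
NOISE = re.compile(r"^(dump_stack|print_address_description|kasan_|__kasan_|kmem_cache_|kfree)")

def first_real_frame(frames):
    # Skip '?' (unreliable) frames and instrumentation; return the function name only.
    for f in (x.strip() for x in frames):
        if not f.startswith("?") and not NOISE.match(f):
            return f.split("+")[0]
    return None

def parse_kasan(text):
    lines = text.splitlines()
    bug = re.match(r"BUG: KASAN: (\S+) in", lines[0]).group(1)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    lo, hi = re.search(r"\[([0-9a-f]+), ([0-9a-f]+)\)", text).groups()
    addr, lo, hi = (int(x, 16) for x in (acc.group(3), lo, hi))
    stacks = {}
    for key, hdr in (("use", "Call Trace:"), ("alloc", "Allocated by"), ("free", "Freed by")):
        i = j = next(n for n, ln in enumerate(lines) if ln.startswith(hdr)) + 1
        while j < len(lines) and lines[j].startswith(" "):   # frames are indented
            j += 1
        stacks[key] = first_real_frame(lines[i:j])
    # Recompute the offset KASAN reports (520 here) and check the address lies inside the object.
    return {"bug": bug, "access": acc.group(1), "size": int(acc.group(2)),
            "cache": re.search(r"cache (\S+)", text).group(1),
            "offset": addr - lo, "in_object": lo <= addr < hi, **stacks}
```

The three culprit frames summarise the lifecycle: the CRTC state duplicated by the page-flip path is freed when a later cursor update clears its atomic state, and the flip-done wait still reads it.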