[Bug 109161] Kernel crash shortly after gnome-shell login - refcount_t: increment on 0; use-after-free

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Thu Dec 27 12:51:37 UTC 2018 

https://bugs.freedesktop.org/show_bug.cgi?id=109161

            Bug ID: 109161
           Summary: Kernel crash shortly after gnome-shell login -
                    refcount_t: increment on 0; use-after-free
           Product: DRI
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: DRM/AMDgpu
          Assignee: dri-devel at lists.freedesktop.org
          Reporter: yaneti at declera.com

Fedora rawhide
4.21.0-0.rc0.git1.1.fc30.x86_64 ~= linus a5f2bd479f58
....
[   12.777868] [drm] initializing kernel modesetting (POLARIS11 0x1002:0x67EF
0x1682:0x9460 0xCF).
....
[   68.593291] amdgpu 0000:0a:00.0: 0000000038144057 unpin not necessary
[   68.795444] ------------[ cut here ]------------
[   68.800304] refcount_t: increment on 0; use-after-free.
[   68.805649] WARNING: CPU: 12 PID: 1907 at lib/refcount.c:153
refcount_inc_checked+0x26/0x30
[   68.814053] Modules linked in: nfsv3 nfs_acl nfs lockd grace fscache pppoe
pppox ppp_synctty ppp_async ppp_generic slhc fuse iptable_mangle xt_CHECKSUM
iptable_nat ipt_MASQUERADE nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack
nf_defrag_ipv6 nf_defrag_ipv4 tun bridge stp llc ebtable_filter ebtables
ip6table_filter ip6_tables ib_isert iscsi_target_mod ib_srpt target_core_mod
ib_srp scsi_transport_srp rpcrdma rdma_ucm ib_iser rdma_cm ib_umad ib_ipoib
iw_cm libiscsi ib_cm scsi_transport_iscsi mlx4_ib ib_uverbs ib_core mlx4_en
it87 hwmon_vid sunrpc btrfs xor zstd_compress raid6_pq libcrc32c
zstd_decompress xxhash vfat fat edac_mce_amd kvm_amd kvm irqbypass pl2303
joydev snd_hda_codec_realtek ftdi_sio snd_hda_codec_generic ledtrig_audio
snd_hda_codec_hdmi snd_hda_intel snd_hda_codec ppdev snd_hda_core snd_hwdep
snd_seq crct10dif_pclmul raid1 snd_seq_device mlx4_core crc32_pclmul snd_pcm
wmi_bmof snd_timer ghash_clmulni_intel parport_serial mxm_wmi snd igb
parport_pc sp5100_tco devlink soundcore
[   68.814090]  ccp parport k10temp i2c_piix4 atlantic dca gpio_amdpt
gpio_generic amdgpu hid_logitech_hidpp chash amd_iommu_v2 gpu_sched
i2c_algo_bit ttm drm_kms_helper drm crc32c_intel nvme hid_logitech_dj nvme_core
wmi pinctrl_amd i2c_dev
[   68.903020] CPU: 12 PID: 1907 Comm: gnome-shell Not tainted
4.21.0-0.rc0.git1.1.fc30.x86_64 #1
[   68.903021] Hardware name: Gigabyte Technology Co., Ltd. X470 AORUS ULTRA
GAMING/X470 AORUS ULTRA GAMING-CF, BIOS F3g 05/10/2018
[   68.903023] RIP: 0010:refcount_inc_checked+0x26/0x30
[   68.903024] Code: 0f 1f 40 00 e8 ab ff ff ff 84 c0 74 01 c3 80 3d 74 62 3b
01 00 75 f6 48 c7 c7 38 32 35 a9 c6 05 64 62 3b 01 01 e8 7e 4d b9 ff <0f> 0b c3
0f 1f 80 00 00 00 00 8b 06 83 f8 ff 74 20 31 c9 39 f8 89
[   68.903025] RSP: 0018:ffffadf1c8b8bb10 EFLAGS: 00010282
[   68.903026] RAX: 0000000000000000 RBX: ffff98d381b58050 RCX:
0000000000000000
[   68.903027] RDX: ffff98d3be7ddc40 RSI: ffff98d3be7d6c28 RDI:
ffff98d3be7d6c28
[   68.903028] RBP: ffff98d381b5807c R08: 0000000000000002 R09:
0000000000000000
[   68.903029] R10: 0000000000000000 R11: 0000000000000000 R12:
ffff98d3a9fa2d08
[   68.903030] R13: ffff98d381b580f8 R14: ffff98d381b588f8 R15:
ffff98d3a9fa3160
[   68.903035] FS:  00007f05a5b04d00(0000) GS:ffff98d3be600000(0000)
knlGS:0000000000000000
[   68.903036] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   68.903037] CR2: 00007f0538b3b00c CR3: 00000007f465c000 CR4:
00000000003406e0
[   68.903037] Call Trace:
[   68.903042]  ttm_bo_add_to_lru+0xab/0x160 [ttm]
[   68.903047]  ttm_eu_backoff_reservation+0x4e/0xe0 [ttm]
[   69.044521]  amdgpu_gem_object_close+0xf3/0x1e0 [amdgpu]
[   69.044540]  drm_gem_object_release_handle+0x7b/0xc0 [drm]
[   69.055515]  drm_gem_handle_delete+0x61/0x90 [drm]
[   69.055523]  ? drm_mode_destroy_dumb+0x40/0x40 [drm]
[   69.065443]  drm_ioctl_kernel+0xa9/0xf0 [drm]
[   69.065452]  drm_ioctl+0x201/0x3a0 [drm]
[   69.073783]  ? drm_mode_destroy_dumb+0x40/0x40 [drm]
[   69.073787]  ? sched_clock+0x5/0x10
[   69.082443]  ? sched_clock_cpu+0xc/0xb0
[   69.086349]  ? lockdep_hardirqs_on+0xed/0x180
[   69.086379]  amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
[   69.086384]  do_vfs_ioctl+0xa5/0x6f0
[   69.099131]  ksys_ioctl+0x60/0x90
[   69.099135]  __x64_sys_ioctl+0x16/0x20
[   69.106318]  do_syscall_64+0x60/0x1f0
[   69.110043]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   69.115181] RIP: 0033:0x7f05a965c2fb
[   69.118817] Code: 0f 1e fa 48 8b 05 8d 9b 0c 00 64 c7 00 26 00 00 00 48 c7
c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 5d 9b 0c 00 f7 d8 64 89 01 48
[   69.118818] RSP: 002b:00007ffd2a76dea8 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
[   69.118819] RAX: ffffffffffffffda RBX: 00005627173c6080 RCX:
00007f05a965c2fb
[   69.118820] RDX: 00007ffd2a76dee4 RSI: 00000000c00464b4 RDI:
000000000000000b
[   69.118820] RBP: 00007ffd2a76dee4 R08: 0000562717496a20 R09:
0000000000000005
[   69.118821] R10: 0000000000000011 R11: 0000000000000246 R12:
00000000c00464b4
[   69.118824] R13: 000000000000000b R14: 00005627175aba10 R15:
0000000000000007
[   69.181886] irq event stamp: 2263926
[   69.181889] hardirqs last  enabled at (2263925): [<ffffffffa813c59e>]
console_unlock+0x45e/0x610
[   69.181892] hardirqs last disabled at (2263926): [<ffffffffa80037e8>]
trace_hardirqs_off_thunk+0x1a/0x1c
[   69.204101] softirqs last  enabled at (2263922): [<ffffffffa8e00365>]
__do_softirq+0x365/0x47c
[   69.204103] softirqs last disabled at (2263915): [<ffffffffa80c60e9>]
irq_exit+0x119/0x120
[   69.204104] ---[ end trace f9abd5c695102e80 ]---
....

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20181227/6e86fed7/attachment.html>

More information about the dri-devel mailing list