[Bug 198985] New: BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]

bugzilla-daemon at bugzilla.kernel.org
Sat Mar 3 14:53:58 UTC 2018


https://bugzilla.kernel.org/show_bug.cgi?id=198985

            Bug ID: 198985
           Summary: BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
           Product: Drivers
           Version: 2.5
    Kernel Version: 4.15.7
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Video(DRI - non Intel)
          Assignee: drivers_video-dri at kernel-bugs.osdl.org
          Reporter: fredrik at planet-express.se
        Regression: No

I've hit a bunch of complete & partial lockups with 4.15. I finally built a
kasan kernel and caught this:

[50772.217692] ==================================================================
[50772.217773] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.217776] Read of size 8 at addr ffff880ccf431a48 by task kworker/7:1/112

[50772.217781] CPU: 7 PID: 112 Comm: kworker/7:1 Not tainted 4.15.7 #18
[50772.217782] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[50772.217861] Workqueue: events amd_sched_job_finish [amdgpu]
[50772.217863] Call Trace:
[50772.217869]  dump_stack+0x46/0x5a
[50772.217874]  print_address_description+0x82/0x2c0
[50772.217878]  kasan_report+0x289/0x380
[50772.217973]  ? amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.218047]  amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.218052]  process_one_work+0x3cd/0x660
[50772.218055]  worker_thread+0x81/0x7b0
[50772.218058]  ? create_worker+0x2a0/0x2a0
[50772.218060]  kthread+0x1ae/0x1d0
[50772.218062]  ? kthread_create_worker+0xd0/0xd0
[50772.218065]  ret_from_fork+0x22/0x40

[50772.218069] Allocated by task 489:
[50772.218072]  kasan_kmalloc+0xb0/0xf0
[50772.218132]  amdgpu_driver_open_kms+0x8c/0x1f0 [amdgpu]
[50772.218136]  drm_open+0x39e/0x720
[50772.218138]  drm_stub_open+0x155/0x1d0
[50772.218140]  chrdev_open+0x168/0x300
[50772.218143]  do_dentry_open.isra.20+0x325/0x510
[50772.218145]  path_openat+0x7f6/0x1ac0
[50772.218148]  do_filp_open+0x125/0x1d0
[50772.218149]  do_sys_open+0x251/0x300
[50772.218152]  do_syscall_64+0xf3/0x2b0
[50772.218154]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[50772.218155] Freed by task 19848:
[50772.218158]  kasan_slab_free+0x7c/0xe0
[50772.218160]  kfree+0x91/0x1a0
[50772.218220]  amdgpu_driver_postclose_kms+0x154/0x360 [amdgpu]
[50772.218222]  drm_release+0x45e/0x5f0
[50772.218224]  __fput+0x14e/0x2e0
[50772.218226]  task_work_run+0xa0/0xc0
[50772.218229]  do_exit+0x3c4/0x10f0
[50772.218231]  do_group_exit+0x74/0x110
[50772.218234]  get_signal+0x1ab/0x760
[50772.218237]  do_signal+0xb4/0xa80
[50772.218238]  exit_to_usermode_loop+0x74/0xa0
[50772.218240]  do_syscall_64+0x2a0/0x2b0
[50772.218242]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[50772.218245] The buggy address belongs to the object at ffff880ccf431980
                which belongs to the cache kmalloc-2048 of size 2048
[50772.218247] The buggy address is located 200 bytes inside of
                2048-byte region [ffff880ccf431980, ffff880ccf432180)
[50772.218249] The buggy address belongs to the page:
[50772.218252] page:ffffea00333d0c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[50772.218255] flags: 0x8000000000008100(slab|head)
[50772.218260] raw: 8000000000008100 0000000000000000 0000000000000000 00000001000f000f
[50772.218263] raw: dead000000000100 dead000000000200 ffff880f98c03040 0000000000000000
[50772.218264] page dumped because: kasan: bad access detected

[50772.218265] Memory state around the buggy address:
[50772.218267]  ffff880ccf431900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[50772.218270]  ffff880ccf431980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218272] >ffff880ccf431a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218273]                                               ^
[50772.218275]  ffff880ccf431a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218277]  ffff880ccf431b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218278] ==================================================================

lspci:

0a:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI]
Ellesmere [Radeon RX 470/480/570/580] (rev cf) (prog-if 00 [VGA controller])
        Subsystem: PC Partner Limited / Sapphire Technology Radeon RX 470
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 53
        Region 0: Memory at e0000000 (64-bit, prefetchable) [size=256M]
        Region 2: Memory at f0000000 (64-bit, prefetchable) [size=2M]
        Region 4: I/O ports at e000 [size=256]
        Region 5: Memory at fe800000 (32-bit, non-prefetchable) [size=256K]
        Expansion ROM at 000c0000 [disabled] [size=128K]
        Capabilities: [48] Vendor Specific Information: Len=08 <?>
        Capabilities: [50] Power Management version 3
                Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA PME(D0-,D1+,D2+,D3hot+,D3cold+)
                Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [58] Express (v2) Legacy Endpoint, MSI 00
                DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <4us, L1 unlimited
                        ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset-
                DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
                        RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+
                        MaxPayload 256 bytes, MaxReadReq 512 bytes
                DevSta: CorrErr+ UncorrErr- FatalErr- UnsuppReq+ AuxPwr- TransPend-
                LnkCap: Port #0, Speed 8GT/s, Width x16, ASPM L1, Exit Latency L1 <1us
                        ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 2.5GT/s, Width x16, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
                DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR+, OBFF Not Supported
                         AtomicOpsCap: 32bit+ 64bit+ 128bitCAS-
                DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled
                         AtomicOpsCtl: ReqEn-
                LnkCtl2: Target Link Speed: 8GT/s, EnterCompliance- SpeedDis-
                         Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
                         Compliance De-emphasis: -6dB
                LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete+, EqualizationPhase1+
                         EqualizationPhase2+, EqualizationPhase3+, LinkEqualizationRequest-
        Capabilities: [a0] MSI: Enable+ Count=1/1 Maskable- 64bit+
                Address: 00000000fee00000  Data: 0000
        Capabilities: [100 v1] Vendor Specific Information: ID=0001 Rev=1 Len=010 <?>
        Capabilities: [150 v2] Advanced Error Reporting
                UESta:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UEMsk:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
                CESta:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
                CEMsk:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
                AERCap: First Error Pointer: 00, ECRCGenCap+ ECRCGenEn- ECRCChkCap+ ECRCChkEn-
                        MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
                HeaderLog: 00000000 00000000 00000000 00000000
        Capabilities: [200 v1] #15
        Capabilities: [270 v1] #19
        Capabilities: [2b0 v1] Address Translation Service (ATS)
                ATSCap: Invalidate Queue Depth: 00
                ATSCtl: Enable+, Smallest Translation Unit: 00
        Capabilities: [2c0 v1] Page Request Interface (PRI)
                PRICtl: Enable- Reset-
                PRISta: RF- UPRGI- Stopped+
                Page Request Capacity: 00000020, Page Request Allocation: 00000000
        Capabilities: [2d0 v1] Process Address Space ID (PASID)
                PASIDCap: Exec+ Priv+, Max PASID Width: 10
                PASIDCtl: Enable- Exec- Priv-
        Capabilities: [320 v1] Latency Tolerance Reporting
                Max snoop latency: 0ns
                Max no snoop latency: 0ns
        Capabilities: [328 v1] Alternative Routing-ID Interpretation (ARI)
                ARICap: MFVC- ACS-, Next Function: 1
                ARICtl: MFVC- ACS-, Function Group: 0
        Capabilities: [370 v1] L1 PM Substates
                L1SubCap: PCI-PM_L1.2+ PCI-PM_L1.1+ ASPM_L1.2+ ASPM_L1.1+ L1_PM_Substates+
                          PortCommonModeRestoreTime=0us PortTPowerOnTime=170us
                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
                           T_CommonMode=0us LTR1.2_Threshold=0ns
                L1SubCtl2: T_PwrOn=10us
        Kernel driver in use: amdgpu
        Kernel modules: amdgpu
