[Bug 198985] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]

bugzilla-daemon at bugzilla.kernel.org bugzilla-daemon at bugzilla.kernel.org
Thu Mar 15 16:58:30 UTC 2018


https://bugzilla.kernel.org/show_bug.cgi?id=198985

--- Comment #4 from Fredrik (fredrik at planet-express.se) ---
I've applied the patch you mentioned above. Is the following report related, or should I open a
new bug for it? This is the trace I got afterwards:

[56091.713961]
==================================================================
[56091.714058] BUG: KASAN: use-after-free in
dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714062] Read of size 8 at addr ffff88092d66fc68 by task X/490

[56091.714066] CPU: 11 PID: 490 Comm: X Not tainted 4.15.9 #21
[56091.714068] Hardware name: System manufacturer System Product Name/PRIME
X370-PRO, BIOS 3803 01/22/2018
[56091.714069] Call Trace:
[56091.714075]  dump_stack+0x46/0x5a
[56091.714080]  print_address_description+0x82/0x2c0
[56091.714084]  kasan_report+0x289/0x380
[56091.714175]  ? dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714265]  dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714357]  create_stream_for_sink+0xe5/0x7c0 [amdgpu]
[56091.714451]  ? fill_stream_properties_from_drm_display_mode+0x400/0x400
[amdgpu]
[56091.714454]  ? kasan_kmalloc+0xb0/0xf0
[56091.714458]  ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714461]  ? drm_atomic_commit+0x2d/0xb0
[56091.714465]  ? drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.714469]  ? drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.714473]  ? drm_atomic_get_connector_state+0xaa/0x2a0
[56091.714565]  dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.714569]  ? drm_atomic_get_crtc_state+0x76/0x1d0
[56091.714660]  ? dc_resource_state_copy_construct+0x199/0x1d0 [amdgpu]
[56091.714759]  amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.714764]  ? __radix_tree_replace+0x95/0x150
[56091.714766]  ? node_tag_clear+0x66/0xb0
[56091.714859]  ? dm_update_planes_state.part.28+0x1150/0x1150 [amdgpu]
[56091.714862]  ? __mutex_lock_interruptible_slowpath+0x1/0x10
[56091.714865]  ? __fprop_inc_percpu_max+0x180/0x180
[56091.714869]  drm_atomic_check_only+0x6b8/0x940
[56091.714872]  ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714876]  ? drm_atomic_set_crtc_for_connector+0x1d0/0x1d0
[56091.714878]  ? drm_mode_object_get+0x51/0x70
[56091.714882]  drm_atomic_commit+0x2d/0xb0
[56091.714886]  drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.714889]  ? drm_atomic_helper_update_plane+0x1a0/0x1a0
[56091.714892]  drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.714896]  ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714899]  ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714902]  ? drm_lease_owner+0x15/0x30
[56091.714905]  ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714908]  drm_ioctl_kernel+0xaf/0x120
[56091.714911]  drm_ioctl+0x4bf/0x570
[56091.714915]  ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714917]  ? drm_ioctl_kernel+0x120/0x120
[56091.714922]  ? set_current_blocked+0x20/0x20
[56091.714924]  ? get_signal+0x5c8/0x760
[56091.714927]  ? memset+0x2d/0x50
[56091.714930]  ? fpstate_init+0x6c/0x80
[56091.714933]  ? fpu__initialize+0x1c/0x50
[56091.714936]  ? __fpu__restore_sig+0x327/0x510
[56091.714940]  do_vfs_ioctl+0x155/0x920
[56091.714943]  ? ioctl_preallocate+0x140/0x140
[56091.714945]  ? recalc_sigpending_tsk+0x95/0xa0
[56091.714948]  ? recalc_sigpending+0x12/0x20
[56091.714950]  ? do_sigaltstack+0x1d0/0x270
[56091.714955]  ? SyS_futex+0x1be/0x250
[56091.714959]  ? __rcu_read_unlock+0x76/0xa0
[56091.714961]  ? __fget+0xc2/0x100
[56091.714964]  SyS_ioctl+0x47/0x90
[56091.714967]  ? do_vfs_ioctl+0x920/0x920
[56091.714970]  do_syscall_64+0xf3/0x2b0
[56091.714974]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.714976] RIP: 0033:0x7f3385a95397
[56091.714978] RSP: 002b:00007ffe5b715608 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
[56091.714982] RAX: ffffffffffffffda RBX: 000055cc1d92d2a0 RCX:
00007f3385a95397
[56091.714984] RDX: 00007ffe5b715640 RSI: 00000000c02064a5 RDI:
000000000000000c
[56091.714985] RBP: 00007ffe5b715640 R08: 000055cc1d92d960 R09:
000055cc1d92db60
[56091.714987] R10: 0000000000000001 R11: 0000000000000246 R12:
00000000c02064a5
[56091.714989] R13: 000000000000000c R14: 000055cc1d92b130 R15:
000055cc1d92d760

[56091.714992] Allocated by task 490:
[56091.714996]  kasan_kmalloc+0xb0/0xf0
[56091.715086]  dc_sink_create+0x41/0x140 [amdgpu]
[56091.715178]  create_stream_for_sink+0x6a7/0x7c0 [amdgpu]
[56091.715270]  dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.715362]  amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.715365]  drm_atomic_check_only+0x6b8/0x940
[56091.715367]  drm_atomic_commit+0x2d/0xb0
[56091.715370]  drm_atomic_connector_commit_dpms+0x1ea/0x210
[56091.715373]  drm_mode_obj_set_property_ioctl+0x2fb/0x410
[56091.715376]  drm_mode_connector_property_set_ioctl+0xb5/0xf0
[56091.715378]  drm_ioctl_kernel+0xaf/0x120
[56091.715381]  drm_ioctl+0x4bf/0x570
[56091.715383]  do_vfs_ioctl+0x155/0x920
[56091.715385]  SyS_ioctl+0x47/0x90
[56091.715387]  do_syscall_64+0xf3/0x2b0
[56091.715390]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[56091.715392] Freed by task 112:
[56091.715395]  kasan_slab_free+0x7c/0xe0
[56091.715397]  kfree+0x91/0x1a0
[56091.715487]  dc_link_detect+0x21a/0x1030 [amdgpu]
[56091.715579]  handle_hpd_irq+0x65/0xd0 [amdgpu]
[56091.715671]  dm_irq_work_func+0x86/0xa0 [amdgpu]
[56091.715674]  process_one_work+0x3cd/0x660
[56091.715676]  worker_thread+0x81/0x7b0
[56091.715678]  kthread+0x1ae/0x1d0
[56091.715680]  ret_from_fork+0x22/0x40

[56091.715683] The buggy address belongs to the object at ffff88092d66f980
                which belongs to the cache kmalloc-1024 of size 1024
[56091.715687] The buggy address is located 744 bytes inside of
                1024-byte region [ffff88092d66f980, ffff88092d66fd80)
[56091.715688] The buggy address belongs to the page:
[56091.715691] page:ffffea0024b59a00 count:1 mapcount:0
mapping:0000000000000000 index:0x0 compound_mapcount: 0
[56091.715696] flags: 0x8000000000008100(slab|head)
[56091.715701] raw: 8000000000008100 0000000000000000 0000000000000000
00000001001c001c
[56091.715704] raw: dead000000000100 dead000000000200 ffff880f98c03180
0000000000000000
[56091.715707] page dumped because: kasan: bad access detected

[56091.715709] Memory state around the buggy address:
[56091.715714]  ffff88092d66fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.715717]  ffff88092d66fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.715720] >ffff88092d66fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.715721]                                                           ^
[56091.715724]  ffff88092d66fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.715727]  ffff88092d66fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.715729]
==================================================================
[56091.715730] Disabling lock debugging due to kernel taint
[56091.715777]
==================================================================
[56091.715780] BUG: KASAN: double-free or invalid-free in           (null)

[56091.715792] CPU: 11 PID: 490 Comm: X Tainted: G    B            4.15.9 #21
[56091.715795] Hardware name: System manufacturer System Product Name/PRIME
X370-PRO, BIOS 3803 01/22/2018
[56091.715800] Call Trace:
[56091.715806]  dump_stack+0x46/0x5a
[56091.715812]  print_address_description+0x82/0x2c0
[56091.715818]  kasan_report_double_free+0x60/0xa0
[56091.715824]  kasan_slab_free+0xb5/0xe0
[56091.715919]  ? dc_stream_release+0x3c/0x90 [amdgpu]
[56091.715925]  kfree+0x91/0x1a0
[56091.716021]  dc_stream_release+0x3c/0x90 [amdgpu]
[56091.716119]  dm_update_crtcs_state+0x23d/0x5e0 [amdgpu]
[56091.716126]  ? drm_atomic_get_crtc_state+0x76/0x1d0
[56091.716221]  ? dc_resource_state_copy_construct+0x199/0x1d0 [amdgpu]
[56091.716318]  amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.716325]  ? __radix_tree_replace+0x95/0x150
[56091.716330]  ? node_tag_clear+0x66/0xb0
[56091.716427]  ? dm_update_planes_state.part.28+0x1150/0x1150 [amdgpu]
[56091.716433]  ? __mutex_lock_interruptible_slowpath+0x1/0x10
[56091.716438]  ? __fprop_inc_percpu_max+0x180/0x180
[56091.716444]  drm_atomic_check_only+0x6b8/0x940
[56091.716450]  ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.716457]  ? drm_atomic_set_crtc_for_connector+0x1d0/0x1d0
[56091.716463]  ? drm_mode_object_get+0x51/0x70
[56091.716469]  drm_atomic_commit+0x2d/0xb0
[56091.716476]  drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.716482]  ? drm_atomic_helper_update_plane+0x1a0/0x1a0
[56091.716488]  drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.716495]  ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716501]  ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.716507]  ? drm_lease_owner+0x15/0x30
[56091.716513]  ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716518]  drm_ioctl_kernel+0xaf/0x120
[56091.716525]  drm_ioctl+0x4bf/0x570
[56091.716529]  ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716532]  ? drm_ioctl_kernel+0x120/0x120
[56091.716535]  ? set_current_blocked+0x20/0x20
[56091.716538]  ? get_signal+0x5c8/0x760
[56091.716541]  ? memset+0x2d/0x50
[56091.716544]  ? fpstate_init+0x6c/0x80
[56091.716547]  ? fpu__initialize+0x1c/0x50
[56091.716550]  ? __fpu__restore_sig+0x327/0x510
[56091.716553]  do_vfs_ioctl+0x155/0x920
[56091.716556]  ? ioctl_preallocate+0x140/0x140
[56091.716559]  ? recalc_sigpending_tsk+0x95/0xa0
[56091.716561]  ? recalc_sigpending+0x12/0x20
[56091.716564]  ? do_sigaltstack+0x1d0/0x270
[56091.716568]  ? SyS_futex+0x1be/0x250
[56091.716571]  ? __rcu_read_unlock+0x76/0xa0
[56091.716573]  ? __fget+0xc2/0x100
[56091.716576]  SyS_ioctl+0x47/0x90
[56091.716579]  ? do_vfs_ioctl+0x920/0x920
[56091.716581]  do_syscall_64+0xf3/0x2b0
[56091.716585]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.716587] RIP: 0033:0x7f3385a95397
[56091.716589] RSP: 002b:00007ffe5b715608 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
[56091.716592] RAX: ffffffffffffffda RBX: 000055cc1d92d2a0 RCX:
00007f3385a95397
[56091.716594] RDX: 00007ffe5b715640 RSI: 00000000c02064a5 RDI:
000000000000000c
[56091.716596] RBP: 00007ffe5b715640 R08: 000055cc1d92d960 R09:
000055cc1d92db60
[56091.716598] R10: 0000000000000001 R11: 0000000000000246 R12:
00000000c02064a5
[56091.716599] R13: 000000000000000c R14: 000055cc1d92b130 R15:
000055cc1d92d760

[56091.716602] Allocated by task 490:
[56091.716606]  kasan_kmalloc+0xb0/0xf0
[56091.716698]  dc_sink_create+0x41/0x140 [amdgpu]
[56091.716794]  create_stream_for_sink+0x6a7/0x7c0 [amdgpu]
[56091.716891]  dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.716986]  amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.716990]  drm_atomic_check_only+0x6b8/0x940
[56091.716993]  drm_atomic_commit+0x2d/0xb0
[56091.716996]  drm_atomic_connector_commit_dpms+0x1ea/0x210
[56091.716999]  drm_mode_obj_set_property_ioctl+0x2fb/0x410
[56091.717001]  drm_mode_connector_property_set_ioctl+0xb5/0xf0
[56091.717004]  drm_ioctl_kernel+0xaf/0x120
[56091.717007]  drm_ioctl+0x4bf/0x570
[56091.717009]  do_vfs_ioctl+0x155/0x920
[56091.717011]  SyS_ioctl+0x47/0x90
[56091.717013]  do_syscall_64+0xf3/0x2b0
[56091.717016]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[56091.717018] Freed by task 112:
[56091.717021]  kasan_slab_free+0x7c/0xe0
[56091.717023]  kfree+0x91/0x1a0
[56091.717118]  dc_link_detect+0x21a/0x1030 [amdgpu]
[56091.717209]  handle_hpd_irq+0x65/0xd0 [amdgpu]
[56091.717297]  dm_irq_work_func+0x86/0xa0 [amdgpu]
[56091.717299]  process_one_work+0x3cd/0x660
[56091.717302]  worker_thread+0x81/0x7b0
[56091.717303]  kthread+0x1ae/0x1d0
[56091.717306]  ret_from_fork+0x22/0x40

[56091.717308] The buggy address belongs to the object at ffff88092d66f980
                which belongs to the cache kmalloc-1024 of size 1024
[56091.717312] The buggy address is located 0 bytes inside of
                1024-byte region [ffff88092d66f980, ffff88092d66fd80)
[56091.717313] The buggy address belongs to the page:
[56091.717315] page:ffffea0024b59a00 count:1 mapcount:0
mapping:0000000000000000 index:0x0 compound_mapcount: 0
[56091.717319] flags: 0x8000000000008100(slab|head)
[56091.717323] raw: 8000000000008100 0000000000000000 0000000000000000
00000001001c001c
[56091.717327] raw: dead000000000100 dead000000000200 ffff880f98c03180
0000000000000000
[56091.717328] page dumped because: kasan: bad access detected

[56091.717330] Memory state around the buggy address:
[56091.717332]  ffff88092d66f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.717335]  ffff88092d66f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[56091.717337] >ffff88092d66f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.717338]                    ^
[56091.717341]  ffff88092d66fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.717343]  ffff88092d66fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[56091.717344]
==================================================================
