[Bug 99949] New: huc/guc unwind order use-after-free(engine) in i915_load_modeset_init error path

bugzilla-daemon at freedesktop.org bugzilla-daemon at freedesktop.org
Fri Feb 24 18:46:29 UTC 2017 

https://bugs.freedesktop.org/show_bug.cgi?id=99949

            Bug ID: 99949
           Summary: huc/guc unwind order use-after-free(engine) in
                    i915_load_modeset_init error path
           Product: DRI
           Version: XOrg git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: DRM/Intel
          Assignee: intel-gfx-bugs at lists.freedesktop.org
          Reporter: chris at chris-wilson.co.uk
        QA Contact: intel-gfx-bugs at lists.freedesktop.org
                CC: intel-gfx-bugs at lists.freedesktop.org

[    9.055546]
==================================================================
[    9.055917] BUG: KASAN: use-after-free in guc_interrupts_release+0x57/0xe0
[i915] at addr ffff880235652120
[    9.056030] Read of size 4 by task systemd-udevd/208
[    9.056109] CPU: 0 PID: 208 Comm: systemd-udevd Not tainted 4.10.0+ #437
[    9.056190] Hardware name:                  /        , BIOS
PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
[    9.056299] Call Trace:
[    9.056380]  dump_stack+0x4d/0x63
[    9.056461]  kasan_object_err+0x1c/0x70
[    9.056552]  kasan_report_error+0x1f1/0x4f0
[    9.056859]  ? gen6_write32+0x170/0x170 [i915]
[    9.056938]  kasan_report+0x34/0x40
[    9.057242]  ? __intel_uncore_forcewake_put+0x10/0xd0 [i915]
[    9.057548]  ? guc_interrupts_release+0x57/0xe0 [i915]
[    9.057636]  __asan_load4+0x61/0x80
[    9.057946]  guc_interrupts_release+0x57/0xe0 [i915]
[    9.058252]  intel_guc_fini+0x1e/0xb0 [i915]
[    9.058537]  i915_driver_load+0xf5b/0x1cb0 [i915]
[    9.058625]  ? ida_simple_get+0xf6/0x170
[    9.058910]  ? __i915_printk+0x1d0/0x1d0 [i915]
[    9.058997]  ? rpm_resume+0x170/0xa70
[    9.059086]  ? rpm_callback+0xe0/0xe0
[    9.059173]  ? pci_match_id+0x118/0x180
[    9.059261]  ? pci_match_device+0x1f8/0x220
[    9.059549]  i915_pci_probe+0x65/0xe0 [i915]
[    9.059637]  pci_device_probe+0xda/0x140
[    9.059726]  driver_probe_device+0x400/0x660
[    9.059818]  ? driver_probe_device+0x660/0x660
[    9.059906]  __driver_attach+0x115/0x120
[    9.059993]  bus_for_each_dev+0xe3/0x140
[    9.060080]  ? subsys_dev_iter_exit+0x10/0x10
[    9.060167]  ? klist_node_init+0x57/0x80
[    9.060254]  driver_attach+0x26/0x30
[    9.060343]  bus_add_driver+0x268/0x3b0
[    9.060432]  driver_register+0xce/0x190
[    9.060520]  __pci_register_driver+0xab/0xc0
[    9.060604]  ? 0xffffffffa02b0000
[    9.060916]  i915_init+0x63/0x6a [i915]
[    9.061005]  do_one_initcall+0x8b/0x1e0
[    9.061096]  ? kasan_slab_free+0x89/0xc0
[    9.061184]  ? initcall_blacklisted+0x130/0x130
[    9.061271]  ? kasan_kmalloc+0xad/0xe0
[    9.061357]  ? kasan_unpoison_shadow+0x35/0x50
[    9.061444]  ? __asan_register_globals+0x7c/0xa0
[    9.061534]  do_init_module+0x102/0x2ec
[    9.061625]  load_module+0x39a4/0x4430
[    9.061711]  ? __symbol_put+0x90/0x90
[    9.061802]  ? module_frob_arch_sections+0x20/0x20
[    9.061889]  ? kernel_read_file+0x2c0/0x340
[    9.061977]  ? __fsnotify_parent+0x2b/0x130
[    9.063868]  ? vfs_read+0x13f/0x1a0
[    9.063969]  ? kernel_read_file+0x121/0x340
[    9.064065]  ? __register_binfmt+0xe0/0xe0
[    9.064162]  ? kernel_read_file_from_fd+0x44/0x70
[    9.064258]  SYSC_finit_module+0x169/0x1a0
[    9.064354]  ? SYSC_init_module+0x1d0/0x1d0
[    9.064448]  ? up_write+0x11/0x30
[    9.064547]  ? vm_mmap_pgoff+0x120/0x150
[    9.064645]  ? SyS_mmap_pgoff+0xa0/0xd0
[    9.064740]  SyS_finit_module+0x9/0x10
[    9.064836]  entry_SYSCALL_64_fastpath+0x17/0x98
[    9.064928] RIP: 0033:0x7ff70e67c0f9
[    9.065008] RSP: 002b:00007ffcf8bf9bd8 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[    9.065137] RAX: ffffffffffffffda RBX: 00007ff70f8082d1 RCX:
00007ff70e67c0f9
[    9.065223] RDX: 0000000000000000 RSI: 00007ff70ef94265 RDI:
0000000000000011
[    9.065308] RBP: 0000000000020000 R08: 0000000000000000 R09:
00007ffcf8bfa150
[    9.065393] R10: 0000000000000011 R11: 0000000000000246 R12:
0000556d4a74a4d0
[    9.065478] R13: 0000556d4a74dde0 R14: 0000000000000000 R15:
0000556d49baacb8
[    9.065565] Object at ffff880235652100, in cache kmalloc-8192 size: 8192
[    9.065648] Allocated:
[    9.065723] PID = 208
[    9.065807]  save_stack_trace+0x16/0x20
[    9.065891]  save_stack+0x46/0xd0
[    9.065984]  kasan_kmalloc+0xad/0xe0
[    9.066320]  intel_engines_init_early+0xea/0x2f0 [i915]
[    9.066639]  i915_driver_load+0x455/0x1cb0 [i915]
[    9.066955]  i915_pci_probe+0x65/0xe0 [i915]
[    9.067050]  pci_device_probe+0xda/0x140
[    9.067145]  driver_probe_device+0x400/0x660
[    9.067240]  __driver_attach+0x115/0x120
[    9.067334]  bus_for_each_dev+0xe3/0x140
[    9.067431]  driver_attach+0x26/0x30
[    9.067525]  bus_add_driver+0x268/0x3b0
[    9.067620]  driver_register+0xce/0x190
[    9.067714]  __pci_register_driver+0xab/0xc0
[    9.068057]  i915_init+0x63/0x6a [i915]
[    9.068152]  do_one_initcall+0x8b/0x1e0
[    9.068251]  do_init_module+0x102/0x2ec
[    9.068345]  load_module+0x39a4/0x4430
[    9.068439]  SYSC_finit_module+0x169/0x1a0
[    9.068533]  SyS_finit_module+0x9/0x10
[    9.068625]  entry_SYSCALL_64_fastpath+0x17/0x98
[    9.068712] Freed:
[    9.068791] PID = 208
[    9.068873]  save_stack_trace+0x16/0x20
[    9.068957]  save_stack+0x46/0xd0
[    9.069051]  kasan_slab_free+0x73/0xc0
[    9.070889]  kfree+0x7e/0x130
[    9.071222]  intel_engines_init+0x138/0x1c0 [i915]
[    9.071557]  i915_gem_init+0xf6/0x140 [i915]
[    9.071870]  i915_driver_load+0xf48/0x1cb0 [i915]
[    9.072190]  i915_pci_probe+0x65/0xe0 [i915]
[    9.072285]  pci_device_probe+0xda/0x140
[    9.072381]  driver_probe_device+0x400/0x660
[    9.072475]  __driver_attach+0x115/0x120
[    9.072578]  bus_for_each_dev+0xe3/0x140
[    9.072671]  driver_attach+0x26/0x30
[    9.072765]  bus_add_driver+0x268/0x3b0
[    9.072859]  driver_register+0xce/0x190
[    9.072953]  __pci_register_driver+0xab/0xc0
[    9.073300]  i915_init+0x63/0x6a [i915]
[    9.073406]  do_one_initcall+0x8b/0x1e0
[    9.073501]  do_init_module+0x102/0x2ec
[    9.073594]  load_module+0x39a4/0x4430
[    9.073687]  SYSC_finit_module+0x169/0x1a0
[    9.073783]  SyS_finit_module+0x9/0x10
[    9.073875]  entry_SYSCALL_64_fastpath+0x17/0x98
[    9.073970] Memory state around the buggy address:
[    9.074059]  ffff880235652000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[    9.074189]  ffff880235652080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[    9.074318] >ffff880235652100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[    9.074437]                                ^
[    9.074524]  ffff880235652180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[    9.074659]  ffff880235652200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[    9.074783]
==================================================================

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the QA Contact for the bug.
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/intel-gfx-bugs/attachments/20170224/7fa37462/attachment.html>

More information about the intel-gfx-bugs mailing list