[Bug 101659] New: [EXTENDED][SKL,KBL] KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670
bugzilla-daemon at freedesktop.org
Fri Jun 30 08:20:30 UTC 2017
https://bugs.freedesktop.org/show_bug.cgi?id=101659
Bug ID: 101659
Summary: [EXTENDED][SKL,KBL] KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670
Product: DRI
Version: DRI git
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: DRM/Intel
Assignee: intel-gfx-bugs at lists.freedesktop.org
Reporter: martin.peres at free.fr
QA Contact: intel-gfx-bugs at lists.freedesktop.org
CC: intel-gfx-bugs at lists.freedesktop.org
This bug is triggered by IGT's igt@kms_pipe_color@ctm-0-25-pipe0 on kbl-7700k,
skl-6100u, and skl-6700k when running a couple of days old drm-tip.
[ 6426.201216] ==================================================================
[ 6426.208870] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.217327] Read of size 2 at addr ffff8801e92f5318 by task kms_pipe_color/12456
[ 6426.226444] CPU: 0 PID: 12456 Comm: kms_pipe_color Tainted: G U W 4.12.0-rc7-CI-CI_DRM_450+ #1
[ 6426.226451] Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F22 03/06/2017
[ 6426.226458] Call Trace:
[ 6426.226470] dump_stack+0x67/0x99
[ 6426.226483] print_address_description+0x77/0x290
[ 6426.226589] ? bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.226600] kasan_report+0x269/0x350
[ 6426.226700] ? gen8_write32+0x5b0/0x5b0 [i915]
[ 6426.226714] __asan_report_load2_noabort+0x14/0x20
[ 6426.226816] bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.226924] broadwell_load_luts+0x2ed/0x630 [i915]
[ 6426.227033] intel_color_load_luts+0x69/0x90 [i915]
[ 6426.227135] intel_begin_crtc_commit+0x253/0x890 [i915]
[ 6426.227153] drm_atomic_helper_commit_planes_on_crtc+0x15a/0x970
[ 6426.227257] ? intel_pre_plane_update+0x41d/0x710 [i915]
[ 6426.227268] ? try_to_wake_up+0x797/0x1320
[ 6426.227376] intel_update_crtc+0x1a9/0x390 [i915]
[ 6426.227483] skl_update_crtcs+0x6bd/0xca0 [i915]
[ 6426.227596] ? intel_update_crtcs+0x260/0x260 [i915]
[ 6426.227707] intel_atomic_commit_tail+0xb1c/0x3c50 [i915]
[ 6426.227821] ? skl_update_crtcs+0xca0/0xca0 [i915]
[ 6426.227832] ? trace_hardirqs_on_caller+0x287/0x590
[ 6426.227845] ? register_lock_class+0x1330/0x1330
[ 6426.227948] ? intel_atomic_commit_ready+0x10a/0x158 [i915]
[ 6426.227964] ? __lock_is_held+0x116/0x1d0
[ 6426.227989] ? __might_sleep+0x95/0x190
[ 6426.228094] intel_atomic_commit+0x9c0/0xfb0 [i915]
[ 6426.228205] ? intel_atomic_commit_tail+0x3c50/0x3c50 [i915]
[ 6426.228217] ? drm_atomic_legacy_backoff+0x1e0/0x1e0
[ 6426.228226] ? drm_atomic_crtc_set_property+0x458/0x5c0
[ 6426.228235] ? drm_property_blob_get+0xd/0x20
[ 6426.228246] ? drm_atomic_set_mode_prop_for_crtc+0x200/0x200
[ 6426.228350] ? intel_atomic_commit_tail+0x3c50/0x3c50 [i915]
[ 6426.228362] drm_atomic_commit+0xc4/0xf0
[ 6426.228374] drm_atomic_helper_crtc_set_property+0xfc/0x170
[ 6426.228388] drm_mode_crtc_set_obj_prop+0x73/0xb0
[ 6426.228402] drm_mode_obj_set_property_ioctl+0x36e/0x5a0
[ 6426.228414] ? lock_acquire+0x390/0x390
[ 6426.228423] ? __might_fault+0xc6/0x1b0
[ 6426.228435] ? drm_mode_obj_find_prop_id+0x190/0x190
[ 6426.228453] drm_ioctl+0x4ba/0xaa0
[ 6426.228463] ? drm_mode_obj_find_prop_id+0x190/0x190
[ 6426.228479] ? drm_getunique+0x270/0x270
[ 6426.228491] ? _raw_spin_unlock+0x2c/0x50
[ 6426.228501] ? __handle_mm_fault+0x1447/0x2b90
[ 6426.228515] ? vm_insert_page+0x790/0x790
[ 6426.228533] do_vfs_ioctl+0x17f/0xfa0
[ 6426.228548] ? ioctl_preallocate+0x1d0/0x1d0
[ 6426.228558] ? __do_page_fault+0x49b/0xa70
[ 6426.228569] ? lock_acquire+0x390/0x390
[ 6426.228592] ? __this_cpu_preempt_check+0x13/0x20
[ 6426.228602] ? trace_hardirqs_on_caller+0x287/0x590
[ 6426.228615] SyS_ioctl+0x3c/0x70
[ 6426.228631] entry_SYSCALL_64_fastpath+0x1c/0xb1
[ 6426.228642] RIP: 0033:0x7f4062b35587
[ 6426.228649] RSP: 002b:00007ffc80ce26b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 6426.228664] RAX: ffffffffffffffda RBX: 00007ffc80ce40e8 RCX: 00007f4062b35587
[ 6426.228671] RDX: 00007ffc80ce26f0 RSI: 00000000c01864ba RDI: 0000000000000003
[ 6426.228679] RBP: ffffffff81209956 R08: 0000000000000061 R09: 0000000000000000
[ 6426.228686] R10: 0000000000000073 R11: 0000000000000246 R12: ffff8801ea09ff98
[ 6426.228693] R13: ffffffff81cb7c63 R14: ffff8801ea09ff70 R15: 00007ffc80ce40e8
[ 6426.228704] ? __this_cpu_preempt_check+0x13/0x20
[ 6426.228714] ? trace_hardirqs_off_caller+0x1d6/0x2c0
[ 6426.230331] Allocated by task 12456:
[ 6426.234104] save_stack_trace+0x16/0x20
[ 6426.234110] kasan_kmalloc+0xee/0x180
[ 6426.234117] __kmalloc+0x135/0x370
[ 6426.234124] drm_property_create_blob.part.1+0x28/0x2b0
[ 6426.234131] drm_mode_createblob_ioctl+0xc9/0x380
[ 6426.234137] drm_ioctl+0x4ba/0xaa0
[ 6426.234143] do_vfs_ioctl+0x17f/0xfa0
[ 6426.234149] SyS_ioctl+0x3c/0x70
[ 6426.234155] entry_SYSCALL_64_fastpath+0x1c/0xb1
[ 6426.235728] Freed by task 11419:
[ 6426.239013] save_stack_trace+0x16/0x20
[ 6426.239018] kasan_slab_free+0xad/0x180
[ 6426.239023] kfree+0xf1/0x310
[ 6426.239077] i915_ppgtt_release+0x126/0x380 [i915]
[ 6426.239129] i915_gem_context_free+0x5bf/0x750 [i915]
[ 6426.239182] contexts_free+0x68/0xd0 [i915]
[ 6426.239234] contexts_free_worker+0x24/0x40 [i915]
[ 6426.239241] process_one_work+0x66f/0x1410
[ 6426.239246] worker_thread+0xe1/0xe90
[ 6426.239251] kthread+0x304/0x410
[ 6426.239256] ret_from_fork+0x27/0x40
[ 6426.240788] The buggy address belongs to the object at ffff8801e92f42c8 which belongs to the cache kmalloc-8192 of size 8192
[ 6426.253760] The buggy address is located 4176 bytes inside of 8192-byte region [ffff8801e92f42c8, ffff8801e92f62c8)
[ 6426.265920] The buggy address belongs to the page:
[ 6426.270782] page:ffffea0007a4bc00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 6426.280784] flags: 0x8000000000008100(slab|head)
[ 6426.285481] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100030003
[ 6426.293358] raw: ffffea00041c9e20 ffff8801f5802fe0 ffff8801f5811700 0000000000000000
[ 6426.301262] page dumped because: kasan: bad access detected
[ 6426.308464] Memory state around the buggy address:
[ 6426.313351] ffff8801e92f5200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6426.320702] ffff8801e92f5280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6426.328058] >ffff8801e92f5300: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.335426] ^
[ 6426.339535] ffff8801e92f5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.346883] ffff8801e92f5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.354240] ==================================================================
[ 6426.361609] Disabling lock debugging due to kernel taint