[Bug 101660] New: [EXTENDED][BXT,KBL] KASAN: stack-out-of-bounds in string+0x1af/0x1f0

bugzilla-daemon at freedesktop.org
Fri Jun 30 08:26:15 UTC 2017


https://bugs.freedesktop.org/show_bug.cgi?id=101660

            Bug ID: 101660
           Summary: [EXTENDED][BXT,KBL] KASAN: stack-out-of-bounds in
                    string+0x1af/0x1f0
           Product: DRI
           Version: DRI git
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: DRM/Intel
          Assignee: intel-gfx-bugs at lists.freedesktop.org
          Reporter: martin.peres at free.fr
        QA Contact: intel-gfx-bugs at lists.freedesktop.org
                CC: intel-gfx-bugs at lists.freedesktop.org

This bug is triggered by IGT's igt@debugfs_test@read_all_entries on bxt-j3405
and kbl-7260u when running a couple of days old drm-tip.

[ 3580.104980] ==================================================================
[ 3580.105148] BUG: KASAN: stack-out-of-bounds in string+0x1af/0x1f0
[ 3580.105223] Read of size 1 at addr ffff88022878f8e6 by task debugfs_test/29219

[ 3580.105337] CPU: 1 PID: 29219 Comm: debugfs_test Tainted: G     U          4.12.0-rc7-CI-CI_DRM_450+ #1
[ 3580.105345] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./J3455-ITX, BIOS P1.10 09/29/2016
[ 3580.105353] Call Trace:
[ 3580.105366]  dump_stack+0x67/0x99
[ 3580.105380]  print_address_description+0x77/0x290
[ 3580.105392]  ? string+0x1af/0x1f0
[ 3580.105403]  kasan_report+0x269/0x350
[ 3580.105418]  __asan_report_load1_noabort+0x14/0x20
[ 3580.105429]  string+0x1af/0x1f0
[ 3580.105446]  vsnprintf+0x374/0x1c20
[ 3580.105464]  ? pointer+0xa80/0xa80
[ 3580.105489]  seq_vprintf+0xbf/0x1a0
[ 3580.105502]  ? drm_dp_dpcd_access+0x177/0x1c0
[ 3580.105515]  seq_printf+0x8b/0xb0
[ 3580.105526]  ? seq_vprintf+0x1a0/0x1a0
[ 3580.105538]  ? memcpy+0x45/0x50
[ 3580.105558]  drm_dp_downstream_debug+0x1b5/0x450
[ 3580.105573]  ? drm_dp_downstream_id+0x20/0x20
[ 3580.105582]  ? seq_printf+0x8b/0xb0
[ 3580.105593]  ? seq_vprintf+0x1a0/0x1a0
[ 3580.105604]  ? drm_mode_object_put+0xc2/0x120
[ 3580.105617]  ? drm_connector_list_iter_next+0x124/0x1c0
[ 3580.105734]  i915_display_info+0x1308/0x1fc0 [i915]
[ 3580.105844]  ? intel_seq_print_mode.constprop.14+0x400/0x400 [i915]
[ 3580.105873]  seq_read+0x322/0x11f0
[ 3580.105897]  ? seq_lseek+0x380/0x380
[ 3580.105910]  ? lock_acquire+0x143/0x390
[ 3580.105921]  ? debugfs_atomic_t_get+0x80/0x80
[ 3580.105945]  full_proxy_read+0x102/0x180
[ 3580.105958]  ? full_proxy_write+0x180/0x180
[ 3580.105972]  ? debug_check_no_obj_freed+0x495/0x760
[ 3580.105983]  ? lock_acquire+0x390/0x390
[ 3580.105993]  ? debug_check_no_obj_freed+0x15f/0x760
[ 3580.106010]  __vfs_read+0xdb/0x600
[ 3580.106026]  ? clone_verify_area+0x1c0/0x1c0
[ 3580.106037]  ? debug_check_no_obj_freed+0x495/0x760
[ 3580.106063]  ? putname+0xbc/0xf0
[ 3580.106076]  ? rcu_lockdep_current_cpu_online+0xdc/0x130
[ 3580.106086]  ? putname+0xbc/0xf0
[ 3580.106096]  ? rcu_read_lock_sched_held+0xa3/0x130
[ 3580.106113]  vfs_read+0xfc/0x300
[ 3580.106127]  SyS_read+0xcb/0x1b0
[ 3580.106141]  ? vfs_copy_file_range+0x960/0x960
[ 3580.106151]  ? trace_hardirqs_on_caller+0x287/0x590
[ 3580.106165]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 3580.106183]  entry_SYSCALL_64_fastpath+0x1c/0xb1
[ 3580.106193] RIP: 0033:0x7f32163a4500
[ 3580.106201] RSP: 002b:00007ffc29dfe058 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 3580.106217] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f32163a4500
[ 3580.106225] RDX: 000000000000003f RSI: 000000000075c170 RDI: 0000000000000006
[ 3580.106233] RBP: ffffffff81209956 R08: 00007f321638ec38 R09: 0000000000000000
[ 3580.106241] R10: 0000000000000000 R11: 0000000000000246 R12: ffff88022878ff98
[ 3580.106249] R13: ffffffff81cb7c63 R14: ffff88022878ff70 R15: 000000000075c170
[ 3580.106261]  ? __this_cpu_preempt_check+0x13/0x20
[ 3580.106272]  ? trace_hardirqs_off_caller+0x1d6/0x2c0

[ 3580.106320] The buggy address belongs to the page:
[ 3580.106381] page:ffffea0008a1e3c0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 3580.106478] flags: 0x8000000000000000()
[ 3580.106532] raw: 8000000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 3580.106621] raw: 0000000000000000 dead000000000200 0000000000000000 0000000000000000
[ 3580.106709] page dumped because: kasan: bad access detected

[ 3580.106810] Memory state around the buggy address:
[ 3580.106882]  ffff88022878f780: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f4 f3 f3
[ 3580.106987]  ffff88022878f800: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3580.107093] >ffff88022878f880: f1 f1 f1 f1 02 f4 f4 f4 f2 f2 f2 f2 06 f4 f4 f4
[ 3580.107198]                                                        ^
[ 3580.107283]  ffff88022878f900: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 3580.107388]  ffff88022878f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 3580.107491] ==================================================================
[ 3580.107596] Disabling lock debugging due to kernel taint
