[Bug 110848] [BXT] Everything using GPU gets stuck after running+killing parallel Media loads

bugzilla-daemon at freedesktop.org
Mon Sep 2 12:51:33 UTC 2019


https://bugs.freedesktop.org/show_bug.cgi?id=110848

--- Comment #62 from David Weinehall <david.weinehall at intel.com> ---
[ 2138.371643] ==================================================================
[ 2138.371911] BUG: KASAN: use-after-free in per_file_stats+0x43/0x380 [i915]
[ 2138.371924] Read of size 8 at addr ffff888223651000 by task cat/8293

[ 2138.371947] CPU: 0 PID: 8293 Comm: cat Not tainted 5.3.0-rc6-CI-Custom_4352+ #1
[ 2138.371953] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./J4205-ITX, BIOS P1.40 07/14/2017
[ 2138.371959] Call Trace:
[ 2138.371974]  dump_stack+0x7c/0xbb
[ 2138.372099]  ? per_file_stats+0x43/0x380 [i915]
[ 2138.372108]  print_address_description+0x73/0x3a0
[ 2138.372231]  ? per_file_stats+0x43/0x380 [i915]
[ 2138.372352]  ? per_file_stats+0x43/0x380 [i915]
[ 2138.372362]  __kasan_report+0x14e/0x192
[ 2138.372489]  ? per_file_stats+0x43/0x380 [i915]
[ 2138.372502]  kasan_report+0xe/0x20
[ 2138.372625]  per_file_stats+0x43/0x380 [i915]
[ 2138.372751]  ? i915_panel_show+0x110/0x110 [i915]
[ 2138.372761]  idr_for_each+0xa7/0x160
[ 2138.372773]  ? idr_get_next_ul+0x110/0x110
[ 2138.372782]  ? do_raw_spin_lock+0x10a/0x1d0
[ 2138.372923]  print_context_stats+0x264/0x510 [i915]
[ 2138.373051]  ? i915_interrupt_info+0x1140/0x1140 [i915]
[ 2138.373065]  ? preempt_count_sub+0x14/0xc0
[ 2138.373074]  ? __mutex_lock+0x656/0xcb0
[ 2138.373092]  ? __mutex_add_waiter+0x90/0x90
[ 2138.373121]  ? seq_vprintf+0xb0/0xb0
[ 2138.373262]  i915_gem_object_info+0xc8/0xe0 [i915]
[ 2138.373276]  seq_read+0x1a4/0x6b0
[ 2138.373306]  full_proxy_read+0x8e/0xc0
[ 2138.373323]  vfs_read+0xc3/0x1e0
[ 2138.373338]  ksys_read+0x116/0x170
[ 2138.373348]  ? kernel_write+0xb0/0xb0
[ 2138.373361]  ? lockdep_hardirqs_off+0xb5/0x100
[ 2138.373368]  ? mark_held_locks+0x1a/0x90
[ 2138.373385]  do_syscall_64+0x72/0x260
[ 2138.373397]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 2138.373405] RIP: 0033:0x7f7da3356081
[ 2138.373415] Code: fe ff ff 48 8d 3d 67 9c 0a 00 48 83 ec 08 e8 a6 4c 02 00 66 0f 1f 44 00 00 48 8d 05 81 08 2e 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 f3 c3 0f 1f 44 00 00 41 54 55 49 89 d4 53
[ 2138.373421] RSP: 002b:00007ffeed129258 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 2138.373429] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f7da3356081
[ 2138.373435] RDX: 0000000000020000 RSI: 00007f7da381b000 RDI: 0000000000000003
[ 2138.373441] RBP: 0000000000020000 R08: 00000000ffffffff R09: 0000000000000000
[ 2138.373447] R10: 0000000000000022 R11: 0000000000000246 R12: 00007f7da381b000
[ 2138.373453] R13: 0000000000000003 R14: 00007f7da381b00f R15: 0000000000020000

[ 2138.373494] Allocated by task 7737:
[ 2138.373507]  __kasan_kmalloc.constprop.0+0xcb/0x130
[ 2138.373515]  kmem_cache_alloc+0xdf/0x2d0
[ 2138.373641]  i915_gem_object_create_shmem.part.1+0x1d/0x2c0 [i915]
[ 2138.373767]  i915_gem_create+0x96/0x140 [i915]
[ 2138.373776]  drm_ioctl_kernel+0x114/0x190
[ 2138.373783]  drm_ioctl+0x4ba/0x580
[ 2138.373790]  do_vfs_ioctl+0x134/0x9d0
[ 2138.373797]  ksys_ioctl+0x3a/0x70
[ 2138.373803]  __x64_sys_ioctl+0x3d/0x50
[ 2138.373810]  do_syscall_64+0x72/0x260
[ 2138.373817]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[ 2138.373832] Freed by task 187:
[ 2138.373843]  __kasan_slab_free+0x146/0x200
[ 2138.373851]  kmem_cache_free+0xb3/0x390
[ 2138.373975]  __i915_gem_free_object_rcu+0x3c/0x60 [i915]
[ 2138.373982]  rcu_core+0x326/0xa10
[ 2138.373990]  __do_softirq+0x12f/0x618

[ 2138.374006] The buggy address belongs to the object at ffff888223650f00
                which belongs to the cache drm_i915_gem_object of size 1136
[ 2138.374018] The buggy address is located 256 bytes inside of
                1136-byte region [ffff888223650f00, ffff888223651370)
[ 2138.374028] The buggy address belongs to the page:
[ 2138.374040] page:ffffea00088d9400 refcount:1 mapcount:0 mapping:ffff888235ed5b80 index:0x0 compound_mapcount: 0
[ 2138.374050] flags: 0x8000000000010200(slab|head)
[ 2138.374061] raw: 8000000000010200 0000000000000000 0000000100000001 ffff888235ed5b80
[ 2138.374068] raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
[ 2138.374074] page dumped because: kasan: bad access detected

[ 2138.374087] Memory state around the buggy address:
[ 2138.374099]  ffff888223650f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2138.374110]  ffff888223650f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2138.374121] >ffff888223651000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2138.374130]                    ^
[ 2138.374141]  ffff888223651080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2138.374152]  ffff888223651100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2138.374161] ==================================================================
