<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [EXTENDED][SKL,KBL] KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=101659">101659</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[EXTENDED][SKL,KBL] KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DRI
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>DRI git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>DRM/Intel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>martin.peres@free.fr
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>This bug is triggered by IGT's igt@kms_pipe_color@ctm-0-25-pipe0 on kbl-7700k,
skl-6100u, and skl-6700k when running a couple of days old drm-tip.

[ 6426.201216] ==================================================================
[ 6426.208870] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.217327] Read of size 2 at addr ffff8801e92f5318 by task kms_pipe_color/12456

[ 6426.226444] CPU: 0 PID: 12456 Comm: kms_pipe_color Tainted: G     U  W       4.12.0-rc7-CI-CI_DRM_450+ #1
[ 6426.226451] Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F22 03/06/2017
[ 6426.226458] Call Trace:
[ 6426.226470]  dump_stack+0x67/0x99
[ 6426.226483]  print_address_description+0x77/0x290
[ 6426.226589]  ? bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.226600]  kasan_report+0x269/0x350
[ 6426.226700]  ? gen8_write32+0x5b0/0x5b0 [i915]
[ 6426.226714]  __asan_report_load2_noabort+0x14/0x20
[ 6426.226816]  bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.226924]  broadwell_load_luts+0x2ed/0x630 [i915]
[ 6426.227033]  intel_color_load_luts+0x69/0x90 [i915]
[ 6426.227135]  intel_begin_crtc_commit+0x253/0x890 [i915]
[ 6426.227153]  drm_atomic_helper_commit_planes_on_crtc+0x15a/0x970
[ 6426.227257]  ? intel_pre_plane_update+0x41d/0x710 [i915]
[ 6426.227268]  ? try_to_wake_up+0x797/0x1320
[ 6426.227376]  intel_update_crtc+0x1a9/0x390 [i915]
[ 6426.227483]  skl_update_crtcs+0x6bd/0xca0 [i915]
[ 6426.227596]  ? intel_update_crtcs+0x260/0x260 [i915]
[ 6426.227707]  intel_atomic_commit_tail+0xb1c/0x3c50 [i915]
[ 6426.227821]  ? skl_update_crtcs+0xca0/0xca0 [i915]
[ 6426.227832]  ? trace_hardirqs_on_caller+0x287/0x590
[ 6426.227845]  ? register_lock_class+0x1330/0x1330
[ 6426.227948]  ? intel_atomic_commit_ready+0x10a/0x158 [i915]
[ 6426.227964]  ? __lock_is_held+0x116/0x1d0
[ 6426.227989]  ? __might_sleep+0x95/0x190
[ 6426.228094]  intel_atomic_commit+0x9c0/0xfb0 [i915]
[ 6426.228205]  ? intel_atomic_commit_tail+0x3c50/0x3c50 [i915]
[ 6426.228217]  ? drm_atomic_legacy_backoff+0x1e0/0x1e0
[ 6426.228226]  ? drm_atomic_crtc_set_property+0x458/0x5c0
[ 6426.228235]  ? drm_property_blob_get+0xd/0x20
[ 6426.228246]  ? drm_atomic_set_mode_prop_for_crtc+0x200/0x200
[ 6426.228350]  ? intel_atomic_commit_tail+0x3c50/0x3c50 [i915]
[ 6426.228362]  drm_atomic_commit+0xc4/0xf0
[ 6426.228374]  drm_atomic_helper_crtc_set_property+0xfc/0x170
[ 6426.228388]  drm_mode_crtc_set_obj_prop+0x73/0xb0
[ 6426.228402]  drm_mode_obj_set_property_ioctl+0x36e/0x5a0
[ 6426.228414]  ? lock_acquire+0x390/0x390
[ 6426.228423]  ? __might_fault+0xc6/0x1b0
[ 6426.228435]  ? drm_mode_obj_find_prop_id+0x190/0x190
[ 6426.228453]  drm_ioctl+0x4ba/0xaa0
[ 6426.228463]  ? drm_mode_obj_find_prop_id+0x190/0x190
[ 6426.228479]  ? drm_getunique+0x270/0x270
[ 6426.228491]  ? _raw_spin_unlock+0x2c/0x50
[ 6426.228501]  ? __handle_mm_fault+0x1447/0x2b90
[ 6426.228515]  ? vm_insert_page+0x790/0x790
[ 6426.228533]  do_vfs_ioctl+0x17f/0xfa0
[ 6426.228548]  ? ioctl_preallocate+0x1d0/0x1d0
[ 6426.228558]  ? __do_page_fault+0x49b/0xa70
[ 6426.228569]  ? lock_acquire+0x390/0x390
[ 6426.228592]  ? __this_cpu_preempt_check+0x13/0x20
[ 6426.228602]  ? trace_hardirqs_on_caller+0x287/0x590
[ 6426.228615]  SyS_ioctl+0x3c/0x70
[ 6426.228631]  entry_SYSCALL_64_fastpath+0x1c/0xb1
[ 6426.228642] RIP: 0033:0x7f4062b35587
[ 6426.228649] RSP: 002b:00007ffc80ce26b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 6426.228664] RAX: ffffffffffffffda RBX: 00007ffc80ce40e8 RCX: 00007f4062b35587
[ 6426.228671] RDX: 00007ffc80ce26f0 RSI: 00000000c01864ba RDI: 0000000000000003
[ 6426.228679] RBP: ffffffff81209956 R08: 0000000000000061 R09: 0000000000000000
[ 6426.228686] R10: 0000000000000073 R11: 0000000000000246 R12: ffff8801ea09ff98
[ 6426.228693] R13: ffffffff81cb7c63 R14: ffff8801ea09ff70 R15: 00007ffc80ce40e8
[ 6426.228704]  ? __this_cpu_preempt_check+0x13/0x20
[ 6426.228714]  ? trace_hardirqs_off_caller+0x1d6/0x2c0

[ 6426.230331] Allocated by task 12456:
[ 6426.234104]  save_stack_trace+0x16/0x20
[ 6426.234110]  kasan_kmalloc+0xee/0x180
[ 6426.234117]  __kmalloc+0x135/0x370
[ 6426.234124]  drm_property_create_blob.part.1+0x28/0x2b0
[ 6426.234131]  drm_mode_createblob_ioctl+0xc9/0x380
[ 6426.234137]  drm_ioctl+0x4ba/0xaa0
[ 6426.234143]  do_vfs_ioctl+0x17f/0xfa0
[ 6426.234149]  SyS_ioctl+0x3c/0x70
[ 6426.234155]  entry_SYSCALL_64_fastpath+0x1c/0xb1

[ 6426.235728] Freed by task 11419:
[ 6426.239013]  save_stack_trace+0x16/0x20
[ 6426.239018]  kasan_slab_free+0xad/0x180
[ 6426.239023]  kfree+0xf1/0x310
[ 6426.239077]  i915_ppgtt_release+0x126/0x380 [i915]
[ 6426.239129]  i915_gem_context_free+0x5bf/0x750 [i915]
[ 6426.239182]  contexts_free+0x68/0xd0 [i915]
[ 6426.239234]  contexts_free_worker+0x24/0x40 [i915]
[ 6426.239241]  process_one_work+0x66f/0x1410
[ 6426.239246]  worker_thread+0xe1/0xe90
[ 6426.239251]  kthread+0x304/0x410
[ 6426.239256]  ret_from_fork+0x27/0x40

[ 6426.240788] The buggy address belongs to the object at ffff8801e92f42c8
                which belongs to the cache kmalloc-8192 of size 8192
[ 6426.253760] The buggy address is located 4176 bytes inside of
                8192-byte region [ffff8801e92f42c8, ffff8801e92f62c8)
[ 6426.265920] The buggy address belongs to the page:
[ 6426.270782] page:ffffea0007a4bc00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 6426.280784] flags: 0x8000000000008100(slab|head)
[ 6426.285481] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100030003
[ 6426.293358] raw: ffffea00041c9e20 ffff8801f5802fe0 ffff8801f5811700 0000000000000000
[ 6426.301262] page dumped because: kasan: bad access detected

[ 6426.308464] Memory state around the buggy address:
[ 6426.313351]  ffff8801e92f5200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6426.320702]  ffff8801e92f5280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6426.328058] >ffff8801e92f5300: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.335426]                             ^
[ 6426.339535]  ffff8801e92f5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.346883]  ffff8801e92f5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.354240] ==================================================================
[ 6426.361609] Disabling lock debugging due to kernel taint</pre>
        </div>
      </p>


    </body>
</html>