<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - [EXTENDED][BYT] KASAN: use-after-free in verify_connector_state.isra.51+0x9ee/0xd60" href="https://bugs.freedesktop.org/show_bug.cgi?id=101661">101661</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[EXTENDED][BYT] KASAN: use-after-free in verify_connector_state.isra.51+0x9ee/0xd60
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DRI
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>DRI git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>DRM/Intel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>martin.peres@free.fr
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
<pre>This bug is triggered by IGT's
igt@kms_atomic_transition@1x-modeset-transitions-nonblocking on byt-n2820, when
running a couple-of-days-old drm-tip.

[ 4685.748717] ==================================================================
[ 4685.748901] BUG: KASAN: use-after-free in verify_connector_state.isra.51+0x9ee/0xd60 [i915]
[ 4685.748921] Read of size 8 at addr ffff88010d81e970 by task kworker/u4:3/4299

[ 4685.748952] CPU: 0 PID: 4299 Comm: kworker/u4:3 Tainted: G     U  W       4.12.0-rc7-CI-CI_DRM_450+ #1
[ 4685.748963] Hardware name: [garbled vendor string in the original report]/DN2820FYK, BIOS FYBYT10H.86A.0056.2016.1122.1846 11/22/2016
[ 4685.749082] Workqueue: events_unbound intel_atomic_commit_work [i915]
[ 4685.749099] Call Trace:
[ 4685.749118]  dump_stack+0x67/0x99
[ 4685.749137]  print_address_description+0x77/0x290
[ 4685.749258]  ? verify_connector_state.isra.51+0x9ee/0xd60 [i915]
[ 4685.749273]  kasan_report+0x269/0x350
[ 4685.749293]  __asan_report_load8_noabort+0x14/0x20
[ 4685.749412]  verify_connector_state.isra.51+0x9ee/0xd60 [i915]
[ 4685.749527]  ? intel_display_power_put+0x225/0x390 [i915]
[ 4685.749654]  intel_atomic_commit_tail+0x1176/0x3c50 [i915]
[ 4685.749671]  ? cpuacct_charge+0x1e0/0x3a0
[ 4685.749802]  ? skl_update_crtcs+0xca0/0xca0 [i915]
[ 4685.749821]  ? debug_check_no_locks_freed+0x280/0x280
[ 4685.749836]  ? _raw_spin_unlock_irqrestore+0x33/0x60
[ 4685.749853]  ? __this_cpu_preempt_check+0x13/0x20
[ 4685.749866]  ? trace_hardirqs_off_caller+0x1fb/0x2c0
[ 4685.749895]  ? lock_acquire+0x143/0x390
[ 4685.749909]  ? lock_acquire+0x143/0x390
[ 4685.750038]  intel_atomic_commit_work+0xd/0x10 [i915]
[ 4685.750055]  process_one_work+0x66f/0x1410
[ 4685.750080]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 4685.750107]  worker_thread+0xe1/0xe90
[ 4685.750141]  kthread+0x304/0x410
[ 4685.750155]  ? process_one_work+0x1410/0x1410
[ 4685.750167]  ? kthread_create_on_node+0xa0/0xa0
[ 4685.750184]  ret_from_fork+0x27/0x40

[ 4685.750226] Allocated by task 4723:
[ 4685.750246]  save_stack_trace+0x16/0x20
[ 4685.750258]  kasan_kmalloc+0xee/0x180
[ 4685.750269]  kasan_slab_alloc+0x12/0x20
[ 4685.750281]  __kmalloc_track_caller+0xe7/0x330
[ 4685.750293]  kmemdup+0x1b/0x40
[ 4685.750408]  intel_digital_connector_duplicate_state+0x3f/0x70 [i915]
[ 4685.750422]  drm_atomic_get_connector_state+0x288/0x5f0
[ 4685.750434]  drm_mode_atomic_ioctl+0x7b8/0x1dc0
[ 4685.750445]  drm_ioctl+0x4ba/0xaa0
[ 4685.750457]  do_vfs_ioctl+0x17f/0xfa0
[ 4685.750468]  SyS_ioctl+0x3c/0x70
[ 4685.750479]  entry_SYSCALL_64_fastpath+0x1c/0xb1

[ 4685.750501] Freed by task 4723:
[ 4685.750518]  save_stack_trace+0x16/0x20
[ 4685.750529]  kasan_slab_free+0xad/0x180
[ 4685.750541]  kfree+0xf1/0x310
[ 4685.750554]  drm_atomic_helper_connector_destroy_state+0x55/0x70
[ 4685.750565]  drm_atomic_state_default_clear+0x156/0xb90
[ 4685.750681]  intel_atomic_state_clear+0xd/0x80 [i915]
[ 4685.750693]  drm_atomic_state_clear+0x7b/0xa0
[ 4685.750704]  __drm_atomic_state_free+0x35/0xe0
[ 4685.750716]  drm_atomic_helper_connector_set_property+0x124/0x170
[ 4685.750727]  drm_mode_connector_set_obj_prop+0xc0/0x160
[ 4685.750739]  drm_mode_obj_set_property_ioctl+0x39b/0x5a0
[ 4685.750751]  drm_mode_connector_property_set_ioctl+0xdc/0x170
[ 4685.750761]  drm_ioctl+0x4ba/0xaa0
[ 4685.750773]  do_vfs_ioctl+0x17f/0xfa0
[ 4685.750784]  SyS_ioctl+0x3c/0x70
[ 4685.750795]  entry_SYSCALL_64_fastpath+0x1c/0xb1

[ 4685.750819] The buggy address belongs to the object at ffff88010d81e968
                which belongs to the cache kmalloc-128 of size 128
[ 4685.750836] The buggy address is located 8 bytes inside of
                128-byte region [ffff88010d81e968, ffff88010d81e9e8)
[ 4685.750851] The buggy address belongs to the page:
[ 4685.750868] page:ffffea0004360780 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 4685.750899] flags: 0x8000000000008100(slab|head)
[ 4685.750918] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100110011
[ 4685.750934] raw: ffffea000446e720 ffffea00044b7820 ffff88011ac0f100 0000000000000000
[ 4685.750948] page dumped because: kasan: bad access detected

[ 4685.750972] Memory state around the buggy address:
[ 4685.750987]  ffff88010d81e800: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4685.751002]  ffff88010d81e880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4685.751017] >ffff88010d81e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
[ 4685.751031]                                                              ^
[ 4685.751046]  ffff88010d81e980: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 4685.751062]  ffff88010d81ea00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 4685.751075] ==================================================================
[ 4685.751087] Disabling lock debugging due to kernel taint

Full logs:
<a href="https://intel-gfx-ci.01.org/CI/kasan/byt-n2820:igt@kms_atomic_transition@1x-modeset-transitions-nonblocking.html">https://intel-gfx-ci.01.org/CI/kasan/byt-n2820:igt@kms_atomic_transition@1x-modeset-transitions-nonblocking.html</a></pre>
        </div>
      </p>
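A triage helper for KASAN splats like the one above, added here as an example and not part of the bug report or of the i915/drm-tip code: it parses the report's own lines, checks the faulting address against the reported object bounds and shadow byte, and names the driver-level allocation and free sites. Python 3.8+ is assumed.

```python
import re
# Excerpt of the KASAN splat from this report (bug 101661), trimmed to the lines the parser uses.
REPORT = """\
[ 4685.748901] BUG: KASAN: use-after-free in verify_connector_state.isra.51+0x9ee/0xd60 [i915]
[ 4685.748921] Read of size 8 at addr ffff88010d81e970 by task kworker/u4:3/4299
[ 4685.750226] Allocated by task 4723:
[ 4685.750258]  kasan_kmalloc+0xee/0x180
[ 4685.750408]  intel_digital_connector_duplicate_state+0x3f/0x70 [i915]
[ 4685.750501] Freed by task 4723:
[ 4685.750541]  kfree+0xf1/0x310
[ 4685.750554]  drm_atomic_helper_connector_destroy_state+0x55/0x70
[ 4685.750819] The buggy address belongs to the object at ffff88010d81e968
                which belongs to the cache kmalloc-128 of size 128
[ 4685.751017] >ffff88010d81e900: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
"""

TS = re.compile(r"^\[\s*[\d.]+\]\s*")                       # printk timestamp prefix
FRAME = re.compile(r"^([^+\s]+)\+0x[0-9a-f]+/0x[0-9a-f]+")  # symbol+off/size stack frame
PLUMBING = ("save_stack_trace", "kasan_", "kfree", "kmemdup", "__kmalloc")  # not driver code

def parse_kasan(text):
    """Extract access, object, alloc/free stacks and shadow bytes from a KASAN report."""
    r = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([^+\s]+)", line):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_task"] = int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj"], section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", line):  # 1 shadow byte per 8 bytes
            r["shadow"].update((int(m[1], 16) + 8 * i, int(b, 16)) for i, b in enumerate(m[2].split()))
        elif section and (m := FRAME.match(line)):
            r[section + "_stack"].append(m[1])
    return r

def triage(r):
    """Cross-check the access against the object bounds and shadow byte; name the driver call sites."""
    caller = lambda frames: next(f for f in frames if not f.startswith(PLUMBING))
    offset, shadow = r["addr"] - r["obj"], r["shadow"].get(r["addr"] & ~7)
    return {"offset": offset, "inside_object": 0 <= offset < r["obj_size"],
            "freed_object": shadow == 0xFB,  # 0xFB is KASAN_KMALLOC_FREE: a kfree()d kmalloc object
            "alloc_site": caller(r["alloc_stack"]), "free_site": caller(r["free_stack"])}
```

For this report it confirms an 8-byte read 8 bytes into a freed 128-byte connector state: allocated in intel_digital_connector_duplicate_state and released in drm_atomic_helper_connector_destroy_state by the same task, while the worker still dereferenced it.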


      <hr>
      <span>You are receiving this mail because:</span>

      <ul>
          <li>You are on the CC list for the bug.</li>
          <li>You are the assignee for the bug.</li>
          <li>You are the QA Contact for the bug.</li>
      </ul>
    </body>
</html>