<html>
    <head>
      <base href="https://bugs.freedesktop.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - BUG: KASAN: use-after-free in verify_connector_state.isra.70+0xbc8/0xbe0 [i915]"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=102333">102333</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>BUG: KASAN: use-after-free in verify_connector_state.isra.70+0xbc8/0xbe0 [i915]
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>DRI
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>XOrg git
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>DRM/Intel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>chris@chris-wilson.co.uk
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>intel-gfx-bugs@lists.freedesktop.org
          </td>
        </tr></table>
      <p>
        <div>
<pre>[  157.923595] ==================================================================
[  157.923840] BUG: KASAN: use-after-free in verify_connector_state.isra.70+0xbc8/0xbe0 [i915]
[  157.923864] Read of size 8 at addr ffff88022a6623d0 by task kworker/u8:25/1390

[  157.923896] CPU: 1 PID: 1390 Comm: kworker/u8:25 Tainted: G     U          4.13.0-rc5-CI-Custom_3146+ #1
[  157.923905] Hardware name:                  /NUC7i5BNB, BIOS BNKBL357.86A.0048.2017.0704.1415 07/04/2017
[  157.924069] [drm:intel_dump_pipe_config [i915]] ips: 0, double wide: 0
[  157.924236] Workqueue: events_unbound intel_atomic_commit_work [i915]
[  157.924403] [drm:skl_dump_hw_state [i915]] dpll_hw_state: ctrl1: 0x5, cfgcr1: 0x0, cfgcr2: 0x0
[  157.924422] Call Trace:
[  157.924457]  dump_stack+0x68/0xa0
[  157.924493]  print_address_description+0x73/0x290
[  157.924705]  ? verify_connector_state.isra.70+0xbc8/0xbe0 [i915]
[  157.924740]  kasan_report+0x238/0x350
[  157.924795]  __asan_report_load8_noabort+0x14/0x20
[  157.924977]  verify_connector_state.isra.70+0xbc8/0xbe0 [i915]
[  157.925149]  ? intel_display_power_put+0x21f/0x3a0 [i915]
[  157.925354]  intel_atomic_commit_tail+0x1184/0x3ca0 [i915]
[  157.925394]  ? cpuacct_charge+0x1e6/0x380
[  157.925669]  ? skl_update_crtcs+0xca0/0xca0 [i915]
[  157.925713]  ? debug_check_no_locks_freed+0x280/0x280
[  157.925743]  ? _raw_spin_unlock_irqrestore+0x33/0x60
[  157.925779]  ? __this_cpu_preempt_check+0x13/0x20
[  157.925806]  ? trace_hardirqs_off_caller+0x1fb/0x2c0
[  157.925845]  ? _raw_spin_unlock_irqrestore+0x3d/0x60
[  157.925900]  ? lock_acquire+0x13e/0x380
[  157.926185]  intel_atomic_commit_work+0xd/0x10 [i915]
[  157.926218]  process_one_work+0x6f4/0x14f0
[  157.926276]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[  157.926339]  worker_thread+0xe1/0xe90
[  157.926423]  kthread+0x304/0x410
[  157.926450]  ? process_one_work+0x14f0/0x14f0
[  157.926474]  ? kthread_create_on_node+0xa0/0xa0
[  157.926512]  ret_from_fork+0x27/0x40

[  157.926612] Allocated by task 1619:
[  157.926647]  save_stack_trace+0x16/0x20
[  157.926672]  kasan_kmalloc+0xee/0x190
[  157.926696]  kasan_slab_alloc+0x12/0x20
[  157.926720]  __kmalloc_track_caller+0xe9/0x330
[  157.926743]  kmemdup+0x1b/0x40
[  157.926936]  intel_digital_connector_duplicate_state+0x3f/0x70 [i915]
[  157.926956]  drm_atomic_get_connector_state+0x286/0x5f0
[  157.927123] [drm:intel_dump_pipe_config [i915]] planes on this crtc
[  157.927146]  drm_atomic_set_property+0x46f/0x1440
[  157.927160]  drm_mode_atomic_ioctl+0x4ec/0x1f40
[  157.927324] [drm:intel_dump_pipe_config [i915]] [PLANE:27:plane 1A] disabled, scaler_id = -1
[  157.927341]  drm_ioctl_kernel+0x13a/0x1c0
[  157.927354]  drm_ioctl+0x6ca/0x970
[  157.927540] [drm:intel_dump_pipe_config [i915]] [PLANE:30:plane 2A] disabled, scaler_id = -1
[  157.927574]  do_vfs_ioctl+0x17f/0xf30
[  157.927600]  SyS_ioctl+0x3c/0x70
[  157.927626]  entry_SYSCALL_64_fastpath+0x1c/0xb1

[  157.927674] Freed by task 1619:
[  157.927707]  save_stack_trace+0x16/0x20
[  157.927729]  kasan_slab_free+0xaf/0x190
[  157.927751]  kfree+0xea/0x300
[  157.927781]  drm_atomic_helper_connector_destroy_state+0x55/0x70
[  157.927810]  drm_atomic_state_default_clear+0x156/0xb90
[  157.927982]  intel_atomic_state_clear+0xd/0x80 [i915]
[  157.928016]  drm_atomic_state_clear+0x7b/0xa0
[  157.928044]  __drm_atomic_state_free+0x35/0xe0
[  157.928077]  set_property_atomic+0x22a/0x290
[  157.928103]  drm_mode_obj_set_property_ioctl+0x346/0x6b0
[  157.928130]  drm_mode_connector_property_set_ioctl+0xe4/0x170
[  157.928160]  drm_ioctl_kernel+0x13a/0x1c0
[  157.928186]  drm_ioctl+0x6ca/0x970
[  157.928213]  do_vfs_ioctl+0x17f/0xf30
[  157.928241]  SyS_ioctl+0x3c/0x70
[  157.928269]  entry_SYSCALL_64_fastpath+0x1c/0xb1

[  157.928332] The buggy address belongs to the object at ffff88022a6623c8
                which belongs to the cache kmalloc-128 of size 128
[  157.928372] The buggy address is located 8 bytes inside of
                128-byte region [ffff88022a6623c8, ffff88022a662448)
[  157.928408] The buggy address belongs to the page:
[  157.928444] page:ffffea0008a99880 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[  157.928522] flags: 0x8000000000008100(slab|head)
[  157.928568] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100110011
[  157.928610] raw: ffffea0008b461a0 ffff8802358009a0 ffff88023580f100 0000000000000000
[  157.928645] page dumped because: kasan: bad access detected

[  157.928717] Memory state around the buggy address:
[  157.928761]  ffff88022a662280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  157.928799]  ffff88022a662300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  157.928828] >ffff88022a662380: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[  157.928856]                                                  ^
[  157.928887]  ffff88022a662400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[  157.928921]  ffff88022a662480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  157.928948] ==================================================================</pre>
        </div>
      </p>
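<p>To make the "Memory state around the buggy address" block of the report concrete, the following C program is an added example (not code from the bug report, from i915 or from KASAN itself). It parses the five shadow rows copied from the report, looks up the 8-byte granule that holds the faulting address ffff88022a6623d0, and classifies the shadow byte using the poison values from mm/kasan/kasan.h in v4.13, the kernel in the report (fb is KASAN_KMALLOC_FREE, fc is KASAN_KMALLOC_REDZONE). The struct and function names are the example's own.</p>

```c
/*
 * Added example, not code from the bug report, i915 or KASAN: decode the
 * "Memory state" rows of a KASAN report and say what the access hit.
 * Shadow byte values follow mm/kasan/kasan.h as of v4.13.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3      /* one shadow byte per 8-byte granule */
#define SHADOW_ROW_GRANULES      16     /* the kernel prints 16 bytes per row */
#define KASAN_KMALLOC_REDZONE    0xFC   /* redzone inside a slab object */
#define KASAN_KMALLOC_FREE       0xFB   /* object freed by kfree/kmem_cache_free */

struct shadow_row {
    uint64_t base;                      /* first kernel address the row covers */
    uint8_t bytes[SHADOW_ROW_GRANULES];
};

struct access_verdict {
    uint64_t offset_in_object;          /* addr minus the object base */
    int first_shadow;                   /* shadow byte at addr, -1 if not dumped */
    int all_same;                       /* 1 if every granule touched has that byte */
};

/* Constructed input: the report's five rows, timestamp and ">" marker removed. */
static const char *const sample_rows[] = {
    "ffff88022a662280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff88022a662300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff88022a662380: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb",
    "ffff88022a662400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc",
    "ffff88022a662480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define N_SAMPLE_ROWS (sizeof sample_rows / sizeof sample_rows[0])

/* Parse "<addr>: b0 b1 ... b15". Returns 0 on success, -1 on malformed input. */
int parse_shadow_row(const char *line, struct shadow_row *row)
{
    char *end;
    row->base = strtoull(line, &end, 16);
    if (end == line || *end != ':')
        return -1;
    end++;
    for (int i = 0; i < SHADOW_ROW_GRANULES; i++) {
        char *next;
        unsigned long v = strtoul(end, &next, 16);
        if (next == end || v > 0xff)
            return -1;
        row->bytes[i] = (uint8_t)v;
        end = next;
    }
    return 0;
}

/* Shadow byte covering kernel address addr, or -1 if no dumped row covers it. */
int shadow_byte_for(const struct shadow_row *rows, size_t n, uint64_t addr)
{
    const uint64_t span = (uint64_t)SHADOW_ROW_GRANULES << KASAN_SHADOW_SCALE_SHIFT;
    for (size_t i = 0; i < n; i++)
        if (addr >= rows[i].base && addr - rows[i].base < span)
            return rows[i].bytes[(addr - rows[i].base) >> KASAN_SHADOW_SCALE_SHIFT];
    return -1;
}

/* Meaning of one shadow byte, mirroring the poison values defined above. */
const char *shadow_meaning(int b)
{
    if (b < 0) return "not covered by the dump";
    if (b == 0) return "addressable";
    if (b < (1 << KASAN_SHADOW_SCALE_SHIFT)) return "partially addressable";
    if (b == KASAN_KMALLOC_FREE) return "freed slab object (use-after-free)";
    if (b == KASAN_KMALLOC_REDZONE) return "slab redzone (out-of-bounds)";
    return "other poison";
}

/* Combine "Read of size N at addr A" with the object base the report prints. */
int analyse_access(const struct shadow_row *rows, size_t n, uint64_t addr, size_t size,
                   uint64_t obj_base, struct access_verdict *v)
{
    const uint64_t granule = 1 << KASAN_SHADOW_SCALE_SHIFT;
    v->offset_in_object = addr - obj_base;
    v->first_shadow = shadow_byte_for(rows, n, addr);
    v->all_same = 1;
    /* Walk every granule the access touches, from the aligned start to the last byte. */
    for (uint64_t a = addr & ~(granule - 1); a <= addr + size - 1; a += granule)
        if (shadow_byte_for(rows, n, a) != v->first_shadow)
            v->all_same = 0;
    return v->first_shadow < 0 ? -1 : 0;
}

/* The report's own numbers: 8-byte read at ...3d0, object at ...3c8 (kmalloc-128). */
int run_sample(struct access_verdict *v)
{
    struct shadow_row rows[N_SAMPLE_ROWS];
    for (size_t i = 0; i < N_SAMPLE_ROWS; i++)
        if (parse_shadow_row(sample_rows[i], &rows[i]) != 0)
            return -1;
    return analyse_access(rows, N_SAMPLE_ROWS, 0xffff88022a6623d0ULL, 8,
                          0xffff88022a6623c8ULL, v);
}

int main(void)
{
    struct access_verdict v;
    if (run_sample(&v) != 0)
        return 1;
    printf("offset %llu into object, shadow 0x%02x: %s (uniform=%d)\n",
           (unsigned long long)v.offset_in_object, v.first_shadow,
           shadow_meaning(v.first_shadow), v.all_same);
    return 0;
}
```

<p>The row that starts at ffff88022a662380 covers 128 bytes, so the object base ffff88022a6623c8 falls at granule index 9, exactly where the bytes switch from fc to fb, and the read at ffff88022a6623d0 lands on index 10, a freed granule 8 bytes into the 128-byte region. That is the same arithmetic the report states in prose, and the fc bytes on either side of the fb run are the slab redzones that would have flagged an out-of-bounds access instead.</p>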


    </body>
</html>