[Intel-gfx] [PATCH 2/2] drm/i915: Handle legacy cursor update as normal update

kernel test robot oliver.sang at intel.com
Fri Aug 18 08:37:32 UTC 2023 


Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_intel_wait_for_vblank_workers" on:

commit: cfd54d37e5cd9511b5a4a98bba6d4b2f596149cf ("[Intel-gfx] [PATCH 2/2] drm/i915: Handle legacy cursor update as normal update")
url: https://github.com/intel-lab-lkp/linux/commits/Maarten-Lankhorst/drm-i915-Handle-legacy-cursor-update-as-normal-update/20230814-145051
base: git://anongit.freedesktop.org/drm/drm-tip drm-tip
patch link: https://lore.kernel.org/all/20230814065006.47160-2-dev@lankhorst.se/
patch subject: [Intel-gfx] [PATCH 2/2] drm/i915: Handle legacy cursor update as normal update

in testcase: igt
version: igt-x86_64-0f075441-1_20230520
with following parameters:

	group: group-23



compiler: gcc-12
test machine: 20 threads 1 sockets (Commet Lake) with 16G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang at intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202308181627.2fec1157-oliver.sang@intel.com


kern :err : [  162.196982] BUG: KASAN: slab-use-after-free in intel_wait_for_vblank_workers (drivers/gpu/drm/i915/display/intel_crtc.c:395 drivers/gpu/drm/i915/display/intel_crtc.c:447) i915
kern  :err   : [  162.206530] Read of size 1 at addr ffff88811d8dc150 by task kworker/0:0H/8

kern  :err   : [  162.216391] CPU: 0 PID: 8 Comm: kworker/0:0H Not tainted 6.5.0-rc6-00947-gcfd54d37e5cd #1
kern  :err   : [  162.225319] Workqueue: events_highpri intel_atomic_cleanup_work [i915]
kern  :err   : [  162.232683] Call Trace:
kern  :err   : [  162.235861]  <TASK>
kern :err : [  162.238688] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
kern :err : [  162.243085] print_address_description+0x2c/0x3a0 
kern :err : [  162.249618] ? intel_wait_for_vblank_workers (drivers/gpu/drm/i915/display/intel_crtc.c:395 drivers/gpu/drm/i915/display/intel_crtc.c:447) i915
kern :err : [  162.256370] print_report (mm/kasan/report.c:476) 
kern :err : [  162.260681] ? kasan_addr_to_slab (mm/kasan/common.c:35) 
kern :err : [  162.265515] ? intel_wait_for_vblank_workers (drivers/gpu/drm/i915/display/intel_crtc.c:395 drivers/gpu/drm/i915/display/intel_crtc.c:447) i915
kern :err : [  162.272267] kasan_report (mm/kasan/report.c:590) 
kern :err : [  162.276584] ? intel_wait_for_vblank_workers (drivers/gpu/drm/i915/display/intel_crtc.c:395 drivers/gpu/drm/i915/display/intel_crtc.c:447) i915
kern :err : [  162.283336] intel_wait_for_vblank_workers (drivers/gpu/drm/i915/display/intel_crtc.c:395 drivers/gpu/drm/i915/display/intel_crtc.c:447) i915
kern :err : [  162.289911] intel_atomic_cleanup_work (drivers/gpu/drm/i915/display/intel_display.c:6901) i915
kern :err : [  162.296191] ? drm_dev_put (drivers/gpu/drm/drm_drv.c:827) drm
kern :err : [  162.301672] process_one_work (kernel/workqueue.c:2605) 
kern :err : [  162.306507] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2752) 
kern :err : [  162.311080] ? rescuer_thread (kernel/workqueue.c:2694) 
kern :err : [  162.315828] kthread (kernel/kthread.c:389) 
kern :err : [  162.319791] ? kthread_complete_and_exit (kernel/kthread.c:342) 
kern :err : [  162.325323] ret_from_fork (arch/x86/kernel/process.c:151) 
kern :err : [  162.329630] ? kthread_complete_and_exit (kernel/kthread.c:342) 
kern :err : [  162.335181] ret_from_fork_asm (arch/x86/entry/entry_64.S:312) 
kern  :err   : [  162.339840]  </TASK>

kern  :err   : [  162.344980] Allocated by task 4201:
kern :warn : [  162.349214] kasan_save_stack (mm/kasan/common.c:46) 
kern :warn : [  162.353787] kasan_set_track (mm/kasan/common.c:52) 
kern :warn : [  162.358270] __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) 
kern :warn : [  162.362757] __kmalloc_node_track_caller (include/linux/kasan.h:196 mm/slab_common.c:985 mm/slab_common.c:1005) 
kern :warn : [  162.368283] kmemdup (mm/util.c:131) 
kern :warn : [  162.372075] intel_crtc_duplicate_state (include/linux/fortify-string.h:765 drivers/gpu/drm/i915/display/intel_atomic.c:242) i915
kern :warn : [  162.378364] drm_atomic_get_crtc_state (drivers/gpu/drm/drm_atomic.c:363) drm
kern :warn : [  162.384453] drm_atomic_get_plane_state (drivers/gpu/drm/drm_atomic.c:567) drm
kern :warn : [  162.390622] drm_atomic_helper_update_plane (drivers/gpu/drm/drm_atomic_helper.c:3127) drm_kms_helper
kern :warn : [  162.397997] drm_mode_cursor_universal (drivers/gpu/drm/drm_plane.c:1086) drm
kern :warn : [  162.404086] drm_mode_cursor_common (drivers/gpu/drm/drm_plane.c:1172) drm
kern :warn : [  162.409973] drm_mode_cursor_ioctl (drivers/gpu/drm/drm_plane.c:1188) drm
kern :warn : [  162.415628] drm_ioctl_kernel (drivers/gpu/drm/drm_ioctl.c:795) drm
kern :warn : [  162.420933] drm_ioctl (drivers/gpu/drm/drm_ioctl.c:893) drm
kern :warn : [  162.425627] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856) 
kern :warn : [  162.430284] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
kern :warn : [  162.434590] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 

kern  :err   : [  162.442600] Freed by task 266:
kern :warn : [  162.446384] kasan_save_stack (mm/kasan/common.c:46) 
kern :warn : [  162.450957] kasan_set_track (mm/kasan/common.c:52) 
kern :warn : [  162.455435] kasan_save_free_info (mm/kasan/generic.c:524) 
kern :warn : [  162.460355] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) 
kern :warn : [  162.465185] __kmem_cache_free (mm/slub.c:1818 mm/slub.c:3801 mm/slub.c:3814) 
kern :warn : [  162.470016] drm_atomic_state_default_clear (drivers/gpu/drm/drm_atomic.c:228) drm
kern :warn : [  162.476541] intel_atomic_state_clear (drivers/gpu/drm/i915/display/intel_atomic.c:343) i915
kern :warn : [  162.482512] __drm_atomic_state_free (drivers/gpu/drm/drm_atomic.c:313) drm
kern :warn : [  162.488342] intel_atomic_helper_free_state (drivers/gpu/drm/i915/display/intel_display.c:6850) i915
kern :warn : [  162.494833] process_one_work (kernel/workqueue.c:2605) 
kern :warn : [  162.499668] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2752) 
kern :warn : [  162.504244] kthread (kernel/kthread.c:389) 
kern :warn : [  162.508205] ret_from_fork (arch/x86/kernel/process.c:151) 
kern :warn : [  162.512521] ret_from_fork_asm (arch/x86/entry/entry_64.S:312) 

kern  :err   : [  162.519398] The buggy address belongs to the object at ffff88811d8dc000
which belongs to the cache kmalloc-8k of size 8192
kern  :err   : [  162.533366] The buggy address is located 336 bytes inside of
freed 8192-byte region [ffff88811d8dc000, ffff88811d8de000)

kern  :err   : [  162.549380] The buggy address belongs to the physical page:
kern  :warn  : [  162.555691] page:00000000f71065d9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11d8d8
kern  :warn  : [  162.565835] head:00000000f71065d9 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern  :warn  : [  162.574675] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
kern  :warn  : [  162.582819] page_type: 0xffffffff()
kern  :warn  : [  162.587049] raw: 0017ffffc0010200 ffff88810c843180 dead000000000122 0000000000000000
kern  :warn  : [  162.595537] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
kern  :warn  : [  162.604024] page dumped because: kasan: bad access detected

kern  :err   : [  162.612551] Memory state around the buggy address:
kern  :err   : [  162.618082]  ffff88811d8dc000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern  :err   : [  162.626051]  ffff88811d8dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern  :err   : [  162.634018] >ffff88811d8dc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern  :err   : [  162.641981]                                                  ^
kern  :err   : [  162.648551]  ffff88811d8dc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern  :err   : [  162.656516]  ffff88811d8dc200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern  :err   : [  162.664482] ==================================================================
kern  :warn  : [  162.672474] Disabling lock debugging due to kernel taint
user  :info  : [  183.845750] [IGT] kms_cursor_legacy: starting dynamic subtest pipe-B
user  :notice: [  183.847199] Total updates 140241 (median of 20 processes is 6978.00)

user  :notice: [  183.862752] Dynamic subtest pipe-A: SUCCESS (21.683s)

user  :notice: [  183.871250] Starting dynamic subtest: pipe-B

user  :info  : [  205.481554] [IGT] kms_cursor_legacy: starting dynamic subtest pipe-C
user  :notice: [  205.483064] Total updates 146561 (median of 20 processes is 7323.50)

user  :notice: [  205.498578] Dynamic subtest pipe-B: SUCCESS (21.629s)

user  :notice: [  205.507030] Starting dynamic subtest: pipe-C

user  :info  : [  227.139947] [IGT] kms_cursor_legacy: starting dynamic subtest all-pipes


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20230818/202308181627.2fec1157-oliver.sang@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

More information about the Intel-gfx mailing list