Bug 198985
| Summary: | BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu] | | |
|---|---|---|---|
| Product: | Drivers | Reporter: | Fredrik (fredrik) |
| Component: | Video(DRI - non Intel) | Assignee: | drivers_video-dri |
| Status: | NEW --- | | |
| Severity: | normal | CC: | christian.koenig, fredrik |
| Priority: | P1 | | |
| Hardware: | x86-64 | | |
| OS: | Linux | | |
| Kernel Version: | 4.15.7 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Description
Fredrik
2018-03-03 14:53:58 UTC
mesa3d 17.3.6-1
CONFIG_DRM_AMDGPU=m
CONFIG_DRM_AMD_DC=y
CONFIG_DRM_AMD_DC_PRE_VEGA=y

That is fixed by:

commit d1f6dc1a9a106a73510181cfad9b4a7a0b140990
Author: Andrey Grodzovsky <Andrey.Grodzovsky@amd.com>
Date: Thu Oct 19 14:29:46 2017 -0400

drm/amdgpu: Avoid accessing job->entity after the job is scheduled.

Bug: amdgpu_job_free_cb was accessing s_job->s_entity when the allocated amdgpu_ctx (and the entity inside it) were already deallocated from amdgpu_cs_parser_fini.

Fix: Save job's priority on its creation instead of accessing it from s_entity later on.

Signed-off-by: Andrey Grodzovsky <Andrey.Grodzovsky@amd.com>
Reviewed-by: Andres Rodriguez <andresx7@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

Not sure why that didn't end up in 4.15.

Still missing from 4.15.8

I've applied the patch you mentioned above. Is this related or should I open a new bug?:

[56091.713961] ==================================================================
[56091.714058] BUG: KASAN: use-after-free in dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714062] Read of size 8 at addr ffff88092d66fc68 by task X/490
[56091.714066] CPU: 11 PID: 490 Comm: X Not tainted 4.15.9 #21
[56091.714068] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[56091.714069] Call Trace:
[56091.714075] dump_stack+0x46/0x5a
[56091.714080] print_address_description+0x82/0x2c0
[56091.714084] kasan_report+0x289/0x380
[56091.714175] ? dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714265] dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714357] create_stream_for_sink+0xe5/0x7c0 [amdgpu]
[56091.714451] ? fill_stream_properties_from_drm_display_mode+0x400/0x400 [amdgpu]
[56091.714454] ? kasan_kmalloc+0xb0/0xf0
[56091.714458] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714461] ? drm_atomic_commit+0x2d/0xb0
[56091.714465] ? drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.714469] ? drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.714473] ? drm_atomic_get_connector_state+0xaa/0x2a0
[56091.714565] dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.714569] ? drm_atomic_get_crtc_state+0x76/0x1d0
[56091.714660] ? dc_resource_state_copy_construct+0x199/0x1d0 [amdgpu]
[56091.714759] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.714764] ? __radix_tree_replace+0x95/0x150
[56091.714766] ? node_tag_clear+0x66/0xb0
[56091.714859] ? dm_update_planes_state.part.28+0x1150/0x1150 [amdgpu]
[56091.714862] ? __mutex_lock_interruptible_slowpath+0x1/0x10
[56091.714865] ? __fprop_inc_percpu_max+0x180/0x180
[56091.714869] drm_atomic_check_only+0x6b8/0x940
[56091.714872] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714876] ? drm_atomic_set_crtc_for_connector+0x1d0/0x1d0
[56091.714878] ? drm_mode_object_get+0x51/0x70
[56091.714882] drm_atomic_commit+0x2d/0xb0
[56091.714886] drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.714889] ? drm_atomic_helper_update_plane+0x1a0/0x1a0
[56091.714892] drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.714896] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714899] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714902] ? drm_lease_owner+0x15/0x30
[56091.714905] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714908] drm_ioctl_kernel+0xaf/0x120
[56091.714911] drm_ioctl+0x4bf/0x570
[56091.714915] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714917] ? drm_ioctl_kernel+0x120/0x120
[56091.714922] ? set_current_blocked+0x20/0x20
[56091.714924] ? get_signal+0x5c8/0x760
[56091.714927] ? memset+0x2d/0x50
[56091.714930] ? fpstate_init+0x6c/0x80
[56091.714933] ? fpu__initialize+0x1c/0x50
[56091.714936] ? __fpu__restore_sig+0x327/0x510
[56091.714940] do_vfs_ioctl+0x155/0x920
[56091.714943] ? ioctl_preallocate+0x140/0x140
[56091.714945] ? recalc_sigpending_tsk+0x95/0xa0
[56091.714948] ? recalc_sigpending+0x12/0x20
[56091.714950] ? do_sigaltstack+0x1d0/0x270
[56091.714955] ? SyS_futex+0x1be/0x250
[56091.714959] ? __rcu_read_unlock+0x76/0xa0
[56091.714961] ? __fget+0xc2/0x100
[56091.714964] SyS_ioctl+0x47/0x90
[56091.714967] ? do_vfs_ioctl+0x920/0x920
[56091.714970] do_syscall_64+0xf3/0x2b0
[56091.714974] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.714976] RIP: 0033:0x7f3385a95397
[56091.714978] RSP: 002b:00007ffe5b715608 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[56091.714982] RAX: ffffffffffffffda RBX: 000055cc1d92d2a0 RCX: 00007f3385a95397
[56091.714984] RDX: 00007ffe5b715640 RSI: 00000000c02064a5 RDI: 000000000000000c
[56091.714985] RBP: 00007ffe5b715640 R08: 000055cc1d92d960 R09: 000055cc1d92db60
[56091.714987] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000c02064a5
[56091.714989] R13: 000000000000000c R14: 000055cc1d92b130 R15: 000055cc1d92d760
[56091.714992] Allocated by task 490:
[56091.714996] kasan_kmalloc+0xb0/0xf0
[56091.715086] dc_sink_create+0x41/0x140 [amdgpu]
[56091.715178] create_stream_for_sink+0x6a7/0x7c0 [amdgpu]
[56091.715270] dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.715362] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.715365] drm_atomic_check_only+0x6b8/0x940
[56091.715367] drm_atomic_commit+0x2d/0xb0
[56091.715370] drm_atomic_connector_commit_dpms+0x1ea/0x210
[56091.715373] drm_mode_obj_set_property_ioctl+0x2fb/0x410
[56091.715376] drm_mode_connector_property_set_ioctl+0xb5/0xf0
[56091.715378] drm_ioctl_kernel+0xaf/0x120
[56091.715381] drm_ioctl+0x4bf/0x570
[56091.715383] do_vfs_ioctl+0x155/0x920
[56091.715385] SyS_ioctl+0x47/0x90
[56091.715387] do_syscall_64+0xf3/0x2b0
[56091.715390] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.715392] Freed by task 112:
[56091.715395] kasan_slab_free+0x7c/0xe0
[56091.715397] kfree+0x91/0x1a0
[56091.715487] dc_link_detect+0x21a/0x1030 [amdgpu]
[56091.715579] handle_hpd_irq+0x65/0xd0 [amdgpu]
[56091.715671] dm_irq_work_func+0x86/0xa0 [amdgpu]
[56091.715674] process_one_work+0x3cd/0x660
[56091.715676] worker_thread+0x81/0x7b0
[56091.715678] kthread+0x1ae/0x1d0
[56091.715680] ret_from_fork+0x22/0x40
[56091.715683] The buggy address belongs to the object at ffff88092d66f980 which belongs to the cache kmalloc-1024 of size 1024
[56091.715687] The buggy address is located 744 bytes inside of 1024-byte region [ffff88092d66f980, ffff88092d66fd80)
[56091.715688] The buggy address belongs to the page:
[56091.715691] page:ffffea0024b59a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[56091.715696] flags: 0x8000000000008100(slab|head)
[56091.715701] raw: 8000000000008100 0000000000000000 0000000000000000 00000001001c001c
[56091.715704] raw: dead000000000100 dead000000000200 ffff880f98c03180 0000000000000000
[56091.715707] page dumped because: kasan: bad access detected
[56091.715709] Memory state around the buggy address:
[56091.715714] ffff88092d66fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715717] ffff88092d66fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715720] >ffff88092d66fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715721] ^
[56091.715724] ffff88092d66fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715727] ffff88092d66fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715729] ==================================================================
[56091.715730] Disabling lock debugging due to kernel taint
[56091.715777] ==================================================================
[56091.715780] BUG: KASAN: double-free or invalid-free in (null)
[56091.715792] CPU: 11 PID: 490 Comm: X Tainted: G B 4.15.9 #21
[56091.715795] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[56091.715800] Call Trace:
[56091.715806] dump_stack+0x46/0x5a
[56091.715812] print_address_description+0x82/0x2c0
[56091.715818] kasan_report_double_free+0x60/0xa0
[56091.715824] kasan_slab_free+0xb5/0xe0
[56091.715919] ? dc_stream_release+0x3c/0x90 [amdgpu]
[56091.715925] kfree+0x91/0x1a0
[56091.716021] dc_stream_release+0x3c/0x90 [amdgpu]
[56091.716119] dm_update_crtcs_state+0x23d/0x5e0 [amdgpu]
[56091.716126] ? drm_atomic_get_crtc_state+0x76/0x1d0
[56091.716221] ? dc_resource_state_copy_construct+0x199/0x1d0 [amdgpu]
[56091.716318] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.716325] ? __radix_tree_replace+0x95/0x150
[56091.716330] ? node_tag_clear+0x66/0xb0
[56091.716427] ? dm_update_planes_state.part.28+0x1150/0x1150 [amdgpu]
[56091.716433] ? __mutex_lock_interruptible_slowpath+0x1/0x10
[56091.716438] ? __fprop_inc_percpu_max+0x180/0x180
[56091.716444] drm_atomic_check_only+0x6b8/0x940
[56091.716450] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.716457] ? drm_atomic_set_crtc_for_connector+0x1d0/0x1d0
[56091.716463] ? drm_mode_object_get+0x51/0x70
[56091.716469] drm_atomic_commit+0x2d/0xb0
[56091.716476] drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.716482] ? drm_atomic_helper_update_plane+0x1a0/0x1a0
[56091.716488] drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.716495] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716501] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.716507] ? drm_lease_owner+0x15/0x30
[56091.716513] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716518] drm_ioctl_kernel+0xaf/0x120
[56091.716525] drm_ioctl+0x4bf/0x570
[56091.716529] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716532] ? drm_ioctl_kernel+0x120/0x120
[56091.716535] ? set_current_blocked+0x20/0x20
[56091.716538] ? get_signal+0x5c8/0x760
[56091.716541] ? memset+0x2d/0x50
[56091.716544] ? fpstate_init+0x6c/0x80
[56091.716547] ? fpu__initialize+0x1c/0x50
[56091.716550] ? __fpu__restore_sig+0x327/0x510
[56091.716553] do_vfs_ioctl+0x155/0x920
[56091.716556] ? ioctl_preallocate+0x140/0x140
[56091.716559] ? recalc_sigpending_tsk+0x95/0xa0
[56091.716561] ? recalc_sigpending+0x12/0x20
[56091.716564] ? do_sigaltstack+0x1d0/0x270
[56091.716568] ? SyS_futex+0x1be/0x250
[56091.716571] ? __rcu_read_unlock+0x76/0xa0
[56091.716573] ? __fget+0xc2/0x100
[56091.716576] SyS_ioctl+0x47/0x90
[56091.716579] ? do_vfs_ioctl+0x920/0x920
[56091.716581] do_syscall_64+0xf3/0x2b0
[56091.716585] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.716587] RIP: 0033:0x7f3385a95397
[56091.716589] RSP: 002b:00007ffe5b715608 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[56091.716592] RAX: ffffffffffffffda RBX: 000055cc1d92d2a0 RCX: 00007f3385a95397
[56091.716594] RDX: 00007ffe5b715640 RSI: 00000000c02064a5 RDI: 000000000000000c
[56091.716596] RBP: 00007ffe5b715640 R08: 000055cc1d92d960 R09: 000055cc1d92db60
[56091.716598] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000c02064a5
[56091.716599] R13: 000000000000000c R14: 000055cc1d92b130 R15: 000055cc1d92d760
[56091.716602] Allocated by task 490:
[56091.716606] kasan_kmalloc+0xb0/0xf0
[56091.716698] dc_sink_create+0x41/0x140 [amdgpu]
[56091.716794] create_stream_for_sink+0x6a7/0x7c0 [amdgpu]
[56091.716891] dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.716986] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.716990] drm_atomic_check_only+0x6b8/0x940
[56091.716993] drm_atomic_commit+0x2d/0xb0
[56091.716996] drm_atomic_connector_commit_dpms+0x1ea/0x210
[56091.716999] drm_mode_obj_set_property_ioctl+0x2fb/0x410
[56091.717001] drm_mode_connector_property_set_ioctl+0xb5/0xf0
[56091.717004] drm_ioctl_kernel+0xaf/0x120
[56091.717007] drm_ioctl+0x4bf/0x570
[56091.717009] do_vfs_ioctl+0x155/0x920
[56091.717011] SyS_ioctl+0x47/0x90
[56091.717013] do_syscall_64+0xf3/0x2b0
[56091.717016] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.717018] Freed by task 112:
[56091.717021] kasan_slab_free+0x7c/0xe0
[56091.717023] kfree+0x91/0x1a0
[56091.717118] dc_link_detect+0x21a/0x1030 [amdgpu]
[56091.717209] handle_hpd_irq+0x65/0xd0 [amdgpu]
[56091.717297] dm_irq_work_func+0x86/0xa0 [amdgpu]
[56091.717299] process_one_work+0x3cd/0x660
[56091.717302] worker_thread+0x81/0x7b0
[56091.717303] kthread+0x1ae/0x1d0
[56091.717306] ret_from_fork+0x22/0x40
[56091.717308] The buggy address belongs to the object at ffff88092d66f980 which belongs to the cache kmalloc-1024 of size 1024
[56091.717312] The buggy address is located 0 bytes inside of 1024-byte region [ffff88092d66f980, ffff88092d66fd80)
[56091.717313] The buggy address belongs to the page:
[56091.717315] page:ffffea0024b59a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[56091.717319] flags: 0x8000000000008100(slab|head)
[56091.717323] raw: 8000000000008100 0000000000000000 0000000000000000 00000001001c001c
[56091.717327] raw: dead000000000100 dead000000000200 ffff880f98c03180 0000000000000000
[56091.717328] page dumped because: kasan: bad access detected
[56091.717330] Memory state around the buggy address:
[56091.717332] ffff88092d66f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717335] ffff88092d66f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[56091.717337] >ffff88092d66f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717338] ^
[56091.717341] ffff88092d66fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717343] ffff88092d66fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717344] ==================================================================