Bug 205279

Summary: BUG: KASAN: global-out-of-bounds in read_indirect_azalia_reg+0x69/0x100 [amdgpu]
Product: Drivers Reporter: ilkka.prusi
Component: Video(DRI - non Intel) Assignee: drivers_video-dri
Status: NEW ---    
Severity: normal    
Priority: P1    
Hardware: Intel   
OS: Linux   
Kernel Version: 5.4.0-rc3+ Subsystem:
Regression: No Bisected commit-id:

Description ilkka.prusi 2019-10-20 18:11:44 UTC
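KASAN reported a global-out-of-bounds read in read_indirect_azalia_reg (amdgpu) while the amdgpu module was being loaded by systemd-udevd; the full report is below. The 4-byte read is at audio_regs+0x108, which the shadow-memory dump at the end of the report marks as redzone (fa) directly after the variable's addressable bytes.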

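Note: the kernel in this report is tainted (the "E" flag in the "Tainted:" line below), most likely because of the unsigned module described in Bug 205265 - gpio_generic: module verification failed: signature and/or required key missing - tainting kernel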


[   34.581969] ==================================================================
[   34.582156] BUG: KASAN: global-out-of-bounds in read_indirect_azalia_reg+0x69/0x100 [amdgpu]
[   34.582175] Read of size 4 at addr ffffffffc1c70828 by task systemd-udevd/465

[   34.582199] CPU: 1 PID: 465 Comm: systemd-udevd Tainted: G            E     5.4.0-rc3+ #3
[   34.582201] Hardware name: System manufacturer System Product Name/TUF B450-PLUS GAMING, BIOS 1804 07/29/2019
[   34.582203] Call Trace:
[   34.582209]  dump_stack+0x9a/0xf0
[   34.582215]  print_address_description.constprop.0+0x1b/0x210
[   34.582380]  ? read_indirect_azalia_reg+0x69/0x100 [amdgpu]
[   34.582551]  ? read_indirect_azalia_reg+0x69/0x100 [amdgpu]
[   34.582555]  __kasan_report.cold+0x1a/0x33
[   34.582560]  ? memmove+0x50/0x50
[   34.582730]  ? read_indirect_azalia_reg+0x69/0x100 [amdgpu]
[   34.582736]  kasan_report+0xe/0x20
[   34.582907]  read_indirect_azalia_reg+0x69/0x100 [amdgpu]
[   34.583082]  dce_aud_endpoint_valid+0xf/0x20 [amdgpu]
[   34.583250]  resource_construct+0x1da/0x520 [amdgpu]
[   34.583423]  ? dc_destroy_resource_pool+0x70/0x70 [amdgpu]
[   34.583427]  ? kasan_unpoison_shadow+0x33/0x40
[   34.583602]  dce120_create_resource_pool+0x9cb/0xba0 [amdgpu]
[   34.583776]  ? dce120_i2c_hw_create+0x80/0x80 [amdgpu]
[   34.583779]  ? kasan_unpoison_shadow+0x33/0x40
[   34.583782]  ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[   34.583954]  dc_create_resource_pool+0xfe/0x230 [amdgpu]
[   34.584130]  dc_create+0x473/0xc80 [amdgpu]
[   34.584303]  ? destruct+0x280/0x280 [amdgpu]
[   34.584308]  ? create_object+0x234/0x560
[   34.584312]  ? _raw_write_unlock_irqrestore+0x59/0x70
[   34.584318]  ? preempt_count_sub+0x43/0x50
[   34.584322]  ? _raw_write_unlock_irqrestore+0x46/0x70
[   34.584326]  ? create_object+0x387/0x560
[   34.584331]  ? kasan_unpoison_shadow+0x33/0x40
[   34.584334]  ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[   34.584508]  amdgpu_dm_init+0x26f/0x330 [amdgpu]
[   34.584664]  ? amdgpu_mm_rreg+0xe0/0x200 [amdgpu]
[   34.584836]  ? dm_resume+0x5e0/0x5e0 [amdgpu]
[   34.585006]  ? vega10_enable_fan_control_feature+0x75/0x90 [amdgpu]
[   34.585174]  ? vega10_fan_ctrl_start_smc_fan_control+0x26/0x40 [amdgpu]
[   34.585341]  ? vega10_start_thermal_controller+0x30c/0x320 [amdgpu]
[   34.585354]  ? memcpy+0x35/0x50
[   34.585522]  ? psm_set_states+0x90/0xb0 [amdgpu]
[   34.585697]  dm_hw_init+0xe/0x20 [amdgpu]
[   34.585864]  amdgpu_device_init.cold+0x2540/0x266f [amdgpu]
[   34.586023]  ? amdgpu_device_has_dc_support+0x30/0x30 [amdgpu]
[   34.586026]  ? _raw_write_unlock_irqrestore+0x59/0x70
[   34.586031]  ? preempt_count_sub+0x43/0x50
[   34.586035]  ? _raw_write_unlock_irqrestore+0x46/0x70
[   34.586039]  ? create_object+0x387/0x560
[   34.586046]  ? kmalloc_order+0x8d/0xa0
[   34.586204]  amdgpu_driver_load_kms+0xd5/0x360 [amdgpu]
[   34.586359]  ? amdgpu_register_gpu_instance+0xd0/0xd0 [amdgpu]
[   34.586363]  ? __kasan_slab_free+0x141/0x170
[   34.586396]  drm_dev_register+0x1d8/0x220 [drm]
[   34.586553]  amdgpu_pci_probe+0x128/0x190 [amdgpu]
[   34.586707]  ? amdgpu_pmops_runtime_idle+0xe0/0xe0 [amdgpu]
[   34.586712]  local_pci_probe+0x74/0xc0
[   34.586717]  pci_device_probe+0x1ee/0x2f0
[   34.586721]  ? pci_device_remove+0x1a0/0x1a0
[   34.586728]  ? sysfs_do_create_link_sd.isra.0+0x74/0xd0
[   34.586736]  really_probe+0x184/0x530
[   34.586743]  driver_probe_device+0x119/0x180
[   34.586748]  device_driver_attach+0x87/0x90
[   34.586752]  ? device_driver_attach+0x90/0x90
[   34.586755]  __driver_attach+0xb0/0x1a0
[   34.586760]  ? device_driver_attach+0x90/0x90
[   34.586763]  bus_for_each_dev+0xe9/0x140
[   34.586767]  ? subsys_dev_iter_exit+0x10/0x10
[   34.586771]  ? __list_add_valid+0x2f/0x60
[   34.586779]  bus_add_driver+0x22c/0x2e0
[   34.586786]  driver_register+0xd8/0x160
[   34.586790]  ? 0xffffffffc1218000
[   34.586795]  do_one_initcall+0xd4/0x384
[   34.586799]  ? perf_trace_initcall_level+0x250/0x250
[   34.586803]  ? _raw_write_unlock_irqrestore+0x46/0x70
[   34.586806]  ? create_object+0x387/0x560
[   34.586811]  ? kasan_unpoison_shadow+0x33/0x40
[   34.586814]  ? kasan_unpoison_shadow+0x33/0x40
[   34.586822]  do_init_module+0xfd/0x380
[   34.586829]  load_module+0x3dc1/0x4160
[   34.586854]  ? module_frob_arch_sections+0x20/0x20
[   34.586860]  ? kernel_read+0x9b/0xc0
[   34.586866]  ? kernel_read_file+0x187/0x330
[   34.586871]  ? remove_arg_zero+0x2b0/0x2b0
[   34.586875]  ? __seccomp_filter+0x12a/0x9d0
[   34.586888]  ? __do_sys_finit_module+0x121/0x1b0
[   34.586891]  __do_sys_finit_module+0x121/0x1b0
[   34.586895]  ? __ia32_sys_init_module+0x40/0x40
[   34.586900]  ? randomize_stack_top+0x80/0x80
[   34.586916]  ? trace_hardirqs_off_caller+0x2f/0x130
[   34.586919]  ? do_syscall_64+0x14/0x1e0
[   34.586926]  do_syscall_64+0x72/0x1e0
[   34.586931]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   34.586933] RIP: 0033:0x7fe4e28940c9
[   34.586937] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 3d 0c 00 f7 d8 64 89 01 48
[   34.586939] RSP: 002b:00007ffde7f9bd48 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   34.586942] RAX: ffffffffffffffda RBX: 00005631cd3b1620 RCX: 00007fe4e28940c9
[   34.586945] RDX: 0000000000000000 RSI: 00007fe4e2797cad RDI: 0000000000000013
[   34.586947] RBP: 0000000000020000 R08: 0000000000000000 R09: 00005631cd399e48
[   34.586949] R10: 0000000000000013 R11: 0000000000000246 R12: 00007fe4e2797cad
[   34.586951] R13: 0000000000000000 R14: 00005631cd3a2ab0 R15: 00005631cd3b1620

[   34.586968] The buggy address belongs to the variable:
[   34.587136]  audio_regs+0x108/0xffffffffffeed8e0 [amdgpu]

[   34.587155] Memory state around the buggy address:
[   34.587169]  ffffffffc1c70700: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
[   34.587186]  ffffffffc1c70780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.587204] >ffffffffc1c70800: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00
[   34.587221]                                   ^
[   34.587233]  ffffffffc1c70880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   34.587251]  ffffffffc1c70900: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
[   34.587268] ==================================================================