I've hit a bunch of complete & partial lockups with 4.15. I finally built a kasan kernel and caught this:

[50772.217692] ==================================================================
[50772.217773] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.217776] Read of size 8 at addr ffff880ccf431a48 by task kworker/7:1/112
[50772.217781] CPU: 7 PID: 112 Comm: kworker/7:1 Not tainted 4.15.7 #18
[50772.217782] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[50772.217861] Workqueue: events amd_sched_job_finish [amdgpu]
[50772.217863] Call Trace:
[50772.217869] dump_stack+0x46/0x5a
[50772.217874] print_address_description+0x82/0x2c0
[50772.217878] kasan_report+0x289/0x380
[50772.217973] ? amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.218047] amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.218052] process_one_work+0x3cd/0x660
[50772.218055] worker_thread+0x81/0x7b0
[50772.218058] ? create_worker+0x2a0/0x2a0
[50772.218060] kthread+0x1ae/0x1d0
[50772.218062] ? kthread_create_worker+0xd0/0xd0
[50772.218065] ret_from_fork+0x22/0x40
[50772.218069] Allocated by task 489:
[50772.218072] kasan_kmalloc+0xb0/0xf0
[50772.218132] amdgpu_driver_open_kms+0x8c/0x1f0 [amdgpu]
[50772.218136] drm_open+0x39e/0x720
[50772.218138] drm_stub_open+0x155/0x1d0
[50772.218140] chrdev_open+0x168/0x300
[50772.218143] do_dentry_open.isra.20+0x325/0x510
[50772.218145] path_openat+0x7f6/0x1ac0
[50772.218148] do_filp_open+0x125/0x1d0
[50772.218149] do_sys_open+0x251/0x300
[50772.218152] do_syscall_64+0xf3/0x2b0
[50772.218154] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[50772.218155] Freed by task 19848:
[50772.218158] kasan_slab_free+0x7c/0xe0
[50772.218160] kfree+0x91/0x1a0
[50772.218220] amdgpu_driver_postclose_kms+0x154/0x360 [amdgpu]
[50772.218222] drm_release+0x45e/0x5f0
[50772.218224] __fput+0x14e/0x2e0
[50772.218226] task_work_run+0xa0/0xc0
[50772.218229] do_exit+0x3c4/0x10f0
[50772.218231] do_group_exit+0x74/0x110
[50772.218234] get_signal+0x1ab/0x760
[50772.218237] do_signal+0xb4/0xa80
[50772.218238] exit_to_usermode_loop+0x74/0xa0
[50772.218240] do_syscall_64+0x2a0/0x2b0
[50772.218242] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[50772.218245] The buggy address belongs to the object at ffff880ccf431980 which belongs to the cache kmalloc-2048 of size 2048
[50772.218247] The buggy address is located 200 bytes inside of 2048-byte region [ffff880ccf431980, ffff880ccf432180)
[50772.218249] The buggy address belongs to the page:
[50772.218252] page:ffffea00333d0c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[50772.218255] flags: 0x8000000000008100(slab|head)
[50772.218260] raw: 8000000000008100 0000000000000000 0000000000000000 00000001000f000f
[50772.218263] raw: dead000000000100 dead000000000200 ffff880f98c03040 0000000000000000
[50772.218264] page dumped because: kasan: bad access detected
[50772.218265] Memory state around the buggy address:
[50772.218267]  ffff880ccf431900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[50772.218270]  ffff880ccf431980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218272] >ffff880ccf431a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218273]                                               ^
[50772.218275]  ffff880ccf431a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218277]  ffff880ccf431b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218278] ==================================================================

lspci:

0a:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Ellesmere [Radeon RX 470/480/570/580] (rev cf) (prog-if 00 [VGA controller])
        Subsystem: PC Partner Limited / Sapphire Technology Radeon RX 470
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 53
        Region 0: Memory at e0000000 (64-bit, prefetchable) [size=256M]
        Region 2: Memory at f0000000 (64-bit, prefetchable) [size=2M]
        Region 4: I/O ports at e000 [size=256]
        Region 5: Memory at fe800000 (32-bit, non-prefetchable) [size=256K]
        Expansion ROM at 000c0000 [disabled] [size=128K]
        Capabilities: [48] Vendor Specific Information: Len=08 <?>
        Capabilities: [50] Power Management version 3
                Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA PME(D0-,D1+,D2+,D3hot+,D3cold+)
                Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [58] Express (v2) Legacy Endpoint, MSI 00
                DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <4us, L1 unlimited ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset-
                DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported- RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+ MaxPayload 256 bytes, MaxReadReq 512 bytes
                DevSta: CorrErr+ UncorrErr- FatalErr- UnsuppReq+ AuxPwr- TransPend-
                LnkCap: Port #0, Speed 8GT/s, Width x16, ASPM L1, Exit Latency L1 <1us ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+ ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 2.5GT/s, Width x16, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
                DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR+, OBFF Not Supported AtomicOpsCap: 32bit+ 64bit+ 128bitCAS-
                DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled AtomicOpsCtl: ReqEn-
                LnkCtl2: Target Link Speed: 8GT/s, EnterCompliance- SpeedDis- Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS- Compliance De-emphasis: -6dB
                LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete+, EqualizationPhase1+ EqualizationPhase2+, EqualizationPhase3+, LinkEqualizationRequest-
        Capabilities: [a0] MSI: Enable+ Count=1/1 Maskable- 64bit+
                Address: 00000000fee00000 Data: 0000
        Capabilities: [100 v1] Vendor Specific Information: ID=0001 Rev=1 Len=010 <?>
        Capabilities: [150 v2] Advanced Error Reporting
                UESta: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UEMsk: DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
                CESta: RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
                CEMsk: RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
                AERCap: First Error Pointer: 00, ECRCGenCap+ ECRCGenEn- ECRCChkCap+ ECRCChkEn- MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
                HeaderLog: 00000000 00000000 00000000 00000000
        Capabilities: [200 v1] #15
        Capabilities: [270 v1] #19
        Capabilities: [2b0 v1] Address Translation Service (ATS)
                ATSCap: Invalidate Queue Depth: 00
                ATSCtl: Enable+, Smallest Translation Unit: 00
        Capabilities: [2c0 v1] Page Request Interface (PRI)
                PRICtl: Enable- Reset-
                PRISta: RF- UPRGI- Stopped+
                Page Request Capacity: 00000020, Page Request Allocation: 00000000
        Capabilities: [2d0 v1] Process Address Space ID (PASID)
                PASIDCap: Exec+ Priv+, Max PASID Width: 10
                PASIDCtl: Enable- Exec- Priv-
        Capabilities: [320 v1] Latency Tolerance Reporting
                Max snoop latency: 0ns
                Max no snoop latency: 0ns
        Capabilities: [328 v1] Alternative Routing-ID Interpretation (ARI)
                ARICap: MFVC- ACS-, Next Function: 1
                ARICtl: MFVC- ACS-, Function Group: 0
        Capabilities: [370 v1] L1 PM Substates
                L1SubCap: PCI-PM_L1.2+ PCI-PM_L1.1+ ASPM_L1.2+ ASPM_L1.1+ L1_PM_Substates+ PortCommonModeRestoreTime=0us PortTPowerOnTime=170us
                L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1- T_CommonMode=0us LTR1.2_Threshold=0ns
                L1SubCtl2: T_PwrOn=10us
        Kernel driver in use: amdgpu
        Kernel modules: amdgpu

mesa3d 17.3.6-1
CONFIG_DRM_AMDGPU=m
CONFIG_DRM_AMD_DC=y
CONFIG_DRM_AMD_DC_PRE_VEGA=y
That is fixed by:

commit d1f6dc1a9a106a73510181cfad9b4a7a0b140990
Author: Andrey Grodzovsky <Andrey.Grodzovsky@amd.com>
Date: Thu Oct 19 14:29:46 2017 -0400

    drm/amdgpu: Avoid accessing job->entity after the job is scheduled.

    Bug: amdgpu_job_free_cb was accessing s_job->s_entity when the allocated
    amdgpu_ctx (and the entity inside it) were already deallocated from
    amdgpu_cs_parser_fini.

    Fix: Save job's priority on its creation instead of accessing it from
    s_entity later on.

    Signed-off-by: Andrey Grodzovsky <Andrey.Grodzovsky@amd.com>
    Reviewed-by: Andres Rodriguez <andresx7@gmail.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

Not sure why that didn't end up in 4.15.
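The lifetime ordering that the commit message above describes, as an added example that is not part of this thread and is not amdgpu code: a userspace C model in which a job borrows a pointer to an entity, the owner frees the entity, and a deferred callback then runs. All names (`entity`, `job`, `pool`, `run_scenario`, `STALE_ACCESS`) are hypothetical, and the static pool stands in for the slab so a stale read can be flagged without real undefined behaviour.

```c
/* Userspace model, hypothetical names throughout; this is not amdgpu code. */
#include <stdio.h>
#include <string.h>

#define STALE_ACCESS (-1)
struct entity { int live; int priority; };  /* owned by the context */
struct job {
    struct entity *entity;  /* borrowed pointer, no reference held */
    int priority;           /* copy taken at creation (the fix) */
};

/* Static pool: freed slots stay mapped, so the model can flag a stale read
 * (the role KASAN's shadow memory plays) without undefined behaviour. */
static struct entity pool[4];

static struct entity *entity_alloc(int priority)
{
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (!pool[i].live) {
            pool[i].live = 1;
            pool[i].priority = priority;
            return &pool[i];
        }
    return NULL;
}

static void entity_free(struct entity *e)
{
    memset(e, 0x6b, sizeof(*e));  /* poison the old contents */
    e->live = 0;
}

/* Before: the deferred callback reaches back through the borrowed pointer. */
static int job_free_cb_before(const struct job *j)
{
    if (!j->entity->live)
        return STALE_ACCESS;     /* the read KASAN reported */
    return j->entity->priority;  /* slot reused: another owner's value */
}

/* After: the callback only reads memory the job itself owns. */
static int job_free_cb_after(const struct job *j) { return j->priority; }

/* Report order: job created, entity freed, slot maybe reused, callback runs. */
int run_scenario(int fixed, int priority, int reuse_priority)
{
    struct entity *e;
    struct job j;
    memset(pool, 0, sizeof(pool));  /* fresh pool, so the alloc cannot fail */
    e = entity_alloc(priority);
    j.entity = e;
    j.priority = e->priority;       /* the entity is known to be live here */
    entity_free(e);                 /* owner closes its handle */
    if (reuse_priority)
        entity_alloc(reuse_priority);  /* same slot, new owner */
    return fixed ? job_free_cb_after(&j) : job_free_cb_before(&j);
}

int main(void)
{
    printf("before fix, slot free: %d; slot reused: %d; after fix: %d\n",
           run_scenario(0, 2, 0), run_scenario(0, 2, 1), run_scenario(1, 2, 1));
    return 0;
}
```

When the slot has been reallocated, the unfixed callback returns the new owner's priority without any error, which is why this class of bug can pass unnoticed on a kernel built without KASAN.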
Still missing from 4.15.8
I've applied the patch you mentioned above. Is this related or should I open a new bug?:

[56091.713961] ==================================================================
[56091.714058] BUG: KASAN: use-after-free in dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714062] Read of size 8 at addr ffff88092d66fc68 by task X/490
[56091.714066] CPU: 11 PID: 490 Comm: X Not tainted 4.15.9 #21
[56091.714068] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[56091.714069] Call Trace:
[56091.714075] dump_stack+0x46/0x5a
[56091.714080] print_address_description+0x82/0x2c0
[56091.714084] kasan_report+0x289/0x380
[56091.714175] ? dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714265] dc_create_stream_for_sink+0x73/0x440 [amdgpu]
[56091.714357] create_stream_for_sink+0xe5/0x7c0 [amdgpu]
[56091.714451] ? fill_stream_properties_from_drm_display_mode+0x400/0x400 [amdgpu]
[56091.714454] ? kasan_kmalloc+0xb0/0xf0
[56091.714458] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714461] ? drm_atomic_commit+0x2d/0xb0
[56091.714465] ? drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.714469] ? drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.714473] ? drm_atomic_get_connector_state+0xaa/0x2a0
[56091.714565] dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.714569] ? drm_atomic_get_crtc_state+0x76/0x1d0
[56091.714660] ? dc_resource_state_copy_construct+0x199/0x1d0 [amdgpu]
[56091.714759] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.714764] ? __radix_tree_replace+0x95/0x150
[56091.714766] ? node_tag_clear+0x66/0xb0
[56091.714859] ? dm_update_planes_state.part.28+0x1150/0x1150 [amdgpu]
[56091.714862] ? __mutex_lock_interruptible_slowpath+0x1/0x10
[56091.714865] ? __fprop_inc_percpu_max+0x180/0x180
[56091.714869] drm_atomic_check_only+0x6b8/0x940
[56091.714872] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714876] ? drm_atomic_set_crtc_for_connector+0x1d0/0x1d0
[56091.714878] ? drm_mode_object_get+0x51/0x70
[56091.714882] drm_atomic_commit+0x2d/0xb0
[56091.714886] drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.714889] ? drm_atomic_helper_update_plane+0x1a0/0x1a0
[56091.714892] drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.714896] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714899] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.714902] ? drm_lease_owner+0x15/0x30
[56091.714905] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714908] drm_ioctl_kernel+0xaf/0x120
[56091.714911] drm_ioctl+0x4bf/0x570
[56091.714915] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.714917] ? drm_ioctl_kernel+0x120/0x120
[56091.714922] ? set_current_blocked+0x20/0x20
[56091.714924] ? get_signal+0x5c8/0x760
[56091.714927] ? memset+0x2d/0x50
[56091.714930] ? fpstate_init+0x6c/0x80
[56091.714933] ? fpu__initialize+0x1c/0x50
[56091.714936] ? __fpu__restore_sig+0x327/0x510
[56091.714940] do_vfs_ioctl+0x155/0x920
[56091.714943] ? ioctl_preallocate+0x140/0x140
[56091.714945] ? recalc_sigpending_tsk+0x95/0xa0
[56091.714948] ? recalc_sigpending+0x12/0x20
[56091.714950] ? do_sigaltstack+0x1d0/0x270
[56091.714955] ? SyS_futex+0x1be/0x250
[56091.714959] ? __rcu_read_unlock+0x76/0xa0
[56091.714961] ? __fget+0xc2/0x100
[56091.714964] SyS_ioctl+0x47/0x90
[56091.714967] ? do_vfs_ioctl+0x920/0x920
[56091.714970] do_syscall_64+0xf3/0x2b0
[56091.714974] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.714976] RIP: 0033:0x7f3385a95397
[56091.714978] RSP: 002b:00007ffe5b715608 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[56091.714982] RAX: ffffffffffffffda RBX: 000055cc1d92d2a0 RCX: 00007f3385a95397
[56091.714984] RDX: 00007ffe5b715640 RSI: 00000000c02064a5 RDI: 000000000000000c
[56091.714985] RBP: 00007ffe5b715640 R08: 000055cc1d92d960 R09: 000055cc1d92db60
[56091.714987] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000c02064a5
[56091.714989] R13: 000000000000000c R14: 000055cc1d92b130 R15: 000055cc1d92d760
[56091.714992] Allocated by task 490:
[56091.714996] kasan_kmalloc+0xb0/0xf0
[56091.715086] dc_sink_create+0x41/0x140 [amdgpu]
[56091.715178] create_stream_for_sink+0x6a7/0x7c0 [amdgpu]
[56091.715270] dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.715362] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.715365] drm_atomic_check_only+0x6b8/0x940
[56091.715367] drm_atomic_commit+0x2d/0xb0
[56091.715370] drm_atomic_connector_commit_dpms+0x1ea/0x210
[56091.715373] drm_mode_obj_set_property_ioctl+0x2fb/0x410
[56091.715376] drm_mode_connector_property_set_ioctl+0xb5/0xf0
[56091.715378] drm_ioctl_kernel+0xaf/0x120
[56091.715381] drm_ioctl+0x4bf/0x570
[56091.715383] do_vfs_ioctl+0x155/0x920
[56091.715385] SyS_ioctl+0x47/0x90
[56091.715387] do_syscall_64+0xf3/0x2b0
[56091.715390] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.715392] Freed by task 112:
[56091.715395] kasan_slab_free+0x7c/0xe0
[56091.715397] kfree+0x91/0x1a0
[56091.715487] dc_link_detect+0x21a/0x1030 [amdgpu]
[56091.715579] handle_hpd_irq+0x65/0xd0 [amdgpu]
[56091.715671] dm_irq_work_func+0x86/0xa0 [amdgpu]
[56091.715674] process_one_work+0x3cd/0x660
[56091.715676] worker_thread+0x81/0x7b0
[56091.715678] kthread+0x1ae/0x1d0
[56091.715680] ret_from_fork+0x22/0x40
[56091.715683] The buggy address belongs to the object at ffff88092d66f980 which belongs to the cache kmalloc-1024 of size 1024
[56091.715687] The buggy address is located 744 bytes inside of 1024-byte region [ffff88092d66f980, ffff88092d66fd80)
[56091.715688] The buggy address belongs to the page:
[56091.715691] page:ffffea0024b59a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[56091.715696] flags: 0x8000000000008100(slab|head)
[56091.715701] raw: 8000000000008100 0000000000000000 0000000000000000 00000001001c001c
[56091.715704] raw: dead000000000100 dead000000000200 ffff880f98c03180 0000000000000000
[56091.715707] page dumped because: kasan: bad access detected
[56091.715709] Memory state around the buggy address:
[56091.715714]  ffff88092d66fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715717]  ffff88092d66fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715720] >ffff88092d66fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715721]                                                           ^
[56091.715724]  ffff88092d66fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715727]  ffff88092d66fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.715729] ==================================================================
[56091.715730] Disabling lock debugging due to kernel taint
[56091.715777] ==================================================================
[56091.715780] BUG: KASAN: double-free or invalid-free in (null)
[56091.715792] CPU: 11 PID: 490 Comm: X Tainted: G B 4.15.9 #21
[56091.715795] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[56091.715800] Call Trace:
[56091.715806] dump_stack+0x46/0x5a
[56091.715812] print_address_description+0x82/0x2c0
[56091.715818] kasan_report_double_free+0x60/0xa0
[56091.715824] kasan_slab_free+0xb5/0xe0
[56091.715919] ? dc_stream_release+0x3c/0x90 [amdgpu]
[56091.715925] kfree+0x91/0x1a0
[56091.716021] dc_stream_release+0x3c/0x90 [amdgpu]
[56091.716119] dm_update_crtcs_state+0x23d/0x5e0 [amdgpu]
[56091.716126] ? drm_atomic_get_crtc_state+0x76/0x1d0
[56091.716221] ? dc_resource_state_copy_construct+0x199/0x1d0 [amdgpu]
[56091.716318] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.716325] ? __radix_tree_replace+0x95/0x150
[56091.716330] ? node_tag_clear+0x66/0xb0
[56091.716427] ? dm_update_planes_state.part.28+0x1150/0x1150 [amdgpu]
[56091.716433] ? __mutex_lock_interruptible_slowpath+0x1/0x10
[56091.716438] ? __fprop_inc_percpu_max+0x180/0x180
[56091.716444] drm_atomic_check_only+0x6b8/0x940
[56091.716450] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.716457] ? drm_atomic_set_crtc_for_connector+0x1d0/0x1d0
[56091.716463] ? drm_mode_object_get+0x51/0x70
[56091.716469] drm_atomic_commit+0x2d/0xb0
[56091.716476] drm_atomic_helper_legacy_gamma_set+0x190/0x1e0
[56091.716482] ? drm_atomic_helper_update_plane+0x1a0/0x1a0
[56091.716488] drm_mode_gamma_set_ioctl+0x28a/0x320
[56091.716495] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716501] ? drm_legacy_ioremapfree+0xd0/0xd0
[56091.716507] ? drm_lease_owner+0x15/0x30
[56091.716513] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716518] drm_ioctl_kernel+0xaf/0x120
[56091.716525] drm_ioctl+0x4bf/0x570
[56091.716529] ? drm_crtc_enable_color_mgmt+0x140/0x140
[56091.716532] ? drm_ioctl_kernel+0x120/0x120
[56091.716535] ? set_current_blocked+0x20/0x20
[56091.716538] ? get_signal+0x5c8/0x760
[56091.716541] ? memset+0x2d/0x50
[56091.716544] ? fpstate_init+0x6c/0x80
[56091.716547] ? fpu__initialize+0x1c/0x50
[56091.716550] ? __fpu__restore_sig+0x327/0x510
[56091.716553] do_vfs_ioctl+0x155/0x920
[56091.716556] ? ioctl_preallocate+0x140/0x140
[56091.716559] ? recalc_sigpending_tsk+0x95/0xa0
[56091.716561] ? recalc_sigpending+0x12/0x20
[56091.716564] ? do_sigaltstack+0x1d0/0x270
[56091.716568] ? SyS_futex+0x1be/0x250
[56091.716571] ? __rcu_read_unlock+0x76/0xa0
[56091.716573] ? __fget+0xc2/0x100
[56091.716576] SyS_ioctl+0x47/0x90
[56091.716579] ? do_vfs_ioctl+0x920/0x920
[56091.716581] do_syscall_64+0xf3/0x2b0
[56091.716585] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.716587] RIP: 0033:0x7f3385a95397
[56091.716589] RSP: 002b:00007ffe5b715608 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[56091.716592] RAX: ffffffffffffffda RBX: 000055cc1d92d2a0 RCX: 00007f3385a95397
[56091.716594] RDX: 00007ffe5b715640 RSI: 00000000c02064a5 RDI: 000000000000000c
[56091.716596] RBP: 00007ffe5b715640 R08: 000055cc1d92d960 R09: 000055cc1d92db60
[56091.716598] R10: 0000000000000001 R11: 0000000000000246 R12: 00000000c02064a5
[56091.716599] R13: 000000000000000c R14: 000055cc1d92b130 R15: 000055cc1d92d760
[56091.716602] Allocated by task 490:
[56091.716606] kasan_kmalloc+0xb0/0xf0
[56091.716698] dc_sink_create+0x41/0x140 [amdgpu]
[56091.716794] create_stream_for_sink+0x6a7/0x7c0 [amdgpu]
[56091.716891] dm_update_crtcs_state+0x1d2/0x5e0 [amdgpu]
[56091.716986] amdgpu_dm_atomic_check+0x24b/0x6d0 [amdgpu]
[56091.716990] drm_atomic_check_only+0x6b8/0x940
[56091.716993] drm_atomic_commit+0x2d/0xb0
[56091.716996] drm_atomic_connector_commit_dpms+0x1ea/0x210
[56091.716999] drm_mode_obj_set_property_ioctl+0x2fb/0x410
[56091.717001] drm_mode_connector_property_set_ioctl+0xb5/0xf0
[56091.717004] drm_ioctl_kernel+0xaf/0x120
[56091.717007] drm_ioctl+0x4bf/0x570
[56091.717009] do_vfs_ioctl+0x155/0x920
[56091.717011] SyS_ioctl+0x47/0x90
[56091.717013] do_syscall_64+0xf3/0x2b0
[56091.717016] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[56091.717018] Freed by task 112:
[56091.717021] kasan_slab_free+0x7c/0xe0
[56091.717023] kfree+0x91/0x1a0
[56091.717118] dc_link_detect+0x21a/0x1030 [amdgpu]
[56091.717209] handle_hpd_irq+0x65/0xd0 [amdgpu]
[56091.717297] dm_irq_work_func+0x86/0xa0 [amdgpu]
[56091.717299] process_one_work+0x3cd/0x660
[56091.717302] worker_thread+0x81/0x7b0
[56091.717303] kthread+0x1ae/0x1d0
[56091.717306] ret_from_fork+0x22/0x40
[56091.717308] The buggy address belongs to the object at ffff88092d66f980 which belongs to the cache kmalloc-1024 of size 1024
[56091.717312] The buggy address is located 0 bytes inside of 1024-byte region [ffff88092d66f980, ffff88092d66fd80)
[56091.717313] The buggy address belongs to the page:
[56091.717315] page:ffffea0024b59a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[56091.717319] flags: 0x8000000000008100(slab|head)
[56091.717323] raw: 8000000000008100 0000000000000000 0000000000000000 00000001001c001c
[56091.717327] raw: dead000000000100 dead000000000200 ffff880f98c03180 0000000000000000
[56091.717328] page dumped because: kasan: bad access detected
[56091.717330] Memory state around the buggy address:
[56091.717332]  ffff88092d66f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717335]  ffff88092d66f900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[56091.717337] >ffff88092d66f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717338]                    ^
[56091.717341]  ffff88092d66fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717343]  ffff88092d66fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[56091.717344] ==================================================================