OK, it doesn't matter, maybe my latest amd-staging-dkms-4.13 doesn't
sync to drm-next.
Just find it when I try KASAN config.
Regards,
David Zhou
On 2017å¹´10æ??24æ?¥ 18:01, Christian König wrote:
> Andrey already submitted a fix for this a few days ago.
>
> Christian.
>
> Am 24.10.2017 um 11:55 schrieb Chunming Zhou:
>> The s_entity presented process could already be closed when calling
>> amdgpu_job_free_cb.
>> the s_entity will be buggy pointer after it's freed. See below
>> calltrace:
>>
>> [Â 355.616964]
>> ==================================================================
>> [Â 355.617191] BUG: KASAN: use-after-free in
>> amdgpu_job_free_cb+0x2f/0xc0 [amdgpu]
>> [Â 355.617197] Read of size 8 at addr ffff88039d593c40 by task
>> kworker/9:1/100
>>
>> [Â 355.617206] CPU: 9 PID: 100 Comm: kworker/9:1 Not tainted
>> 4.13.0-custom #1
>> [Â 355.617208] Hardware name: Gigabyte Technology Co., Ltd. Default
>> string/X99P-SLI-CF, BIOS F23 07/22/2016
>> [Â 355.617342] Workqueue: events amd_sched_job_finish [amdgpu]
>> [Â 355.617344] Call Trace:
>> [Â 355.617351]Â dump_stack+0x63/0x8d
>> [Â 355.617356]Â print_address_description+0x70/0x290
>> [Â 355.617474]Â ? amdgpu_job_free_cb+0x2f/0xc0 [amdgpu]
>> [Â 355.617477]Â kasan_report+0x265/0x350
>> [Â 355.617479]Â __asan_load8+0x54/0x90
>> [Â 355.617603]Â amdgpu_job_free_cb+0x2f/0xc0 [amdgpu]
>> [Â 355.617721]Â amd_sched_job_finish+0x161/0x180 [amdgpu]
>> [Â 355.617725]Â process_one_work+0x2ab/0x700
>> [Â 355.617727]Â worker_thread+0x90/0x720
>> [Â 355.617731]Â kthread+0x18c/0x1e0
>> [Â 355.617732]Â ? process_one_work+0x700/0x700
>> [Â 355.617735]Â ? kthread_create_on_node+0xb0/0xb0
>> [Â 355.617738]Â ret_from_fork+0x25/0x30
>>
>> [Â 355.617742] Allocated by task 1347:
>> [Â 355.617747]Â save_stack_trace+0x1b/0x20
>> [Â 355.617749]Â save_stack+0x46/0xd0
>> [Â 355.617751]Â kasan_kmalloc+0xad/0xe0
>> [Â 355.617753]Â kmem_cache_alloc_trace+0xef/0x200
>> [Â 355.617853]Â amdgpu_driver_open_kms+0x98/0x290 [amdgpu]
>> [Â 355.617883]Â drm_open+0x38c/0x6e0 [drm]
>> [Â 355.617908]Â drm_stub_open+0x144/0x1b0 [drm]
>> [Â 355.617911]Â chrdev_open+0x180/0x320
>> [Â 355.617913]Â do_dentry_open+0x3a2/0x570
>> [Â 355.617915]Â vfs_open+0x86/0xe0
>> [Â 355.617918]Â path_openat+0x49e/0x1db0
>> [Â 355.617919]Â do_filp_open+0x11c/0x1a0
>> [Â 355.617921]Â do_sys_open+0x16f/0x2a0
>> [Â 355.617923]Â SyS_open+0x1e/0x20
>> [Â 355.617926]Â do_syscall_64+0xea/0x210
>> [Â 355.617928]Â return_from_SYSCALL_64+0x0/0x6a
>>
>> [Â 355.617931] Freed by task 1347:
>> [Â 355.617934]Â save_stack_trace+0x1b/0x20
>> [Â 355.617936]Â save_stack+0x46/0xd0
>> [Â 355.617937]Â kasan_slab_free+0x70/0xc0
>> [Â 355.617939]Â kfree+0x9d/0x1c0
>> [Â 355.618038]Â amdgpu_driver_postclose_kms+0x1bc/0x3e0 [amdgpu]
>> [Â 355.618063]Â drm_release+0x454/0x610 [drm]
>> [Â 355.618065]Â __fput+0x177/0x350
>> [Â 355.618066]Â ____fput+0xe/0x10
>> [Â 355.618068]Â task_work_run+0xa0/0xc0
>> [Â 355.618070]Â do_exit+0x456/0x1320
>> [Â 355.618072]Â do_group_exit+0x86/0x130
>> [Â 355.618074]Â SyS_exit_group+0x1d/0x20
>> [Â 355.618076]Â do_syscall_64+0xea/0x210
>> [Â 355.618078]Â return_from_SYSCALL_64+0x0/0x6a
>>
>> [Â 355.618081] The buggy address belongs to the object at
>> ffff88039d593b80
>> Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â which belongs to the cache kmalloc-2048 of size 2048
>> [Â 355.618085] The buggy address is located 192 bytes inside of
>> Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â 2048-byte region [ffff88039d593b80, ffff88039d594380)
>> [Â 355.618087] The buggy address belongs to the page:
>> [Â 355.618091] page:ffffea000e756400 count:1 mapcount:0
>> mapping:Â Â Â Â Â Â Â Â Â (null) index:0x0 compound_mapcount: 0
>> [Â 355.618095] flags: 0x2ffff0000008100(slab|head)
>> [Â 355.618099] raw: 02ffff0000008100 0000000000000000
>> 0000000000000000 00000001000f000f
>> [Â 355.618103] raw: ffffea000edb0600 0000000200000002
>> ffff8803bfc0ea00 0000000000000000
>> [Â 355.618105] page dumped because: kasan: bad access detected
>>
>> [Â 355.618108] Memory state around the buggy address:
>> [Â 355.618110]Â ffff88039d593b00: fc fc fc fc fc fc fc fc fc fc fc fc
>> fc fc fc fc
>> [Â 355.618113]Â ffff88039d593b80: fb fb fb fb fb fb fb fb fb fb fb fb
>> fb fb fb fb
>> [Â 355.618116] >ffff88039d593c00: fb fb fb fb fb fb fb fb fb fb fb fb
>> fb fb fb fb
>> [Â 355.618117]Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â ^
>> [Â 355.618120]Â ffff88039d593c80: fb fb fb fb fb fb fb fb fb fb fb fb
>> fb fb fb fb
>> [Â 355.618122]Â ffff88039d593d00: fb fb fb fb fb fb fb fb fb fb fb fb
>> fb fb fb fb
>> [Â 355.618124]
>> ==================================================================
>> [Â 355.618126] Disabling lock debugging due to kernel taint
>>
>> Change-Id: I8ff7122796b8cd16fc26e9c40e8d4c8153d67e0c
>> Signed-off-by: Chunming Zhou <david1.zhou at amd.com>
>> ---
>> Â drivers/gpu/drm/amd/scheduler/gpu_scheduler.c |Â 1 +
>> Â drivers/gpu/drm/amd/scheduler/gpu_scheduler.h | 27
>> ++++++++++++++-------------
>> Â 2 files changed, 15 insertions(+), 13 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c
>> b/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c
>> index 007fdbd..8101ed7 100644
>> --- a/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c
>> +++ b/drivers/gpu/drm/amd/scheduler/gpu_scheduler.c
>> @@ -535,6 +535,7 @@ int amd_sched_job_init(struct amd_sched_job *job,
>> Â Â Â Â Â if (!job->s_fence)
>> Â Â Â Â Â Â Â Â Â return -ENOMEM;
>> Â Â Â Â Â job->id = atomic64_inc_return(&sched->job_id_count);
>> +Â Â Â job->priority = job->s_entity->rq - job->sched->sched_rq;
>> Â Â Â Â Â Â INIT_WORK(&job->finish_work, amd_sched_job_finish);
>> Â Â Â Â Â INIT_LIST_HEAD(&job->node);
>> diff --git a/drivers/gpu/drm/amd/scheduler/gpu_scheduler.h
>> b/drivers/gpu/drm/amd/scheduler/gpu_scheduler.h
>> index e21299c..8808eb1 100644
>> --- a/drivers/gpu/drm/amd/scheduler/gpu_scheduler.h
>> +++ b/drivers/gpu/drm/amd/scheduler/gpu_scheduler.h
>> @@ -77,6 +77,18 @@ struct amd_sched_fence {
>>      void                           *owner;
>> Â };
>> Â +enum amd_sched_priority {
>> +Â Â Â AMD_SCHED_PRIORITY_MIN,
>> +Â Â Â AMD_SCHED_PRIORITY_LOW = AMD_SCHED_PRIORITY_MIN,
>> +Â Â Â AMD_SCHED_PRIORITY_NORMAL,
>> +Â Â Â AMD_SCHED_PRIORITY_HIGH_SW,
>> +Â Â Â AMD_SCHED_PRIORITY_HIGH_HW,
>> +Â Â Â AMD_SCHED_PRIORITY_KERNEL,
>> +Â Â Â AMD_SCHED_PRIORITY_MAX,
>> +Â Â Â AMD_SCHED_PRIORITY_INVALID = -1,
>> +Â Â Â AMD_SCHED_PRIORITY_UNSET = -2
>> +};
>> +
>> Â struct amd_sched_job {
>>      struct amd_gpu_scheduler       *sched;
>>      struct amd_sched_entity        *s_entity;
>> @@ -87,6 +99,7 @@ struct amd_sched_job {
>>      struct delayed_work       work_tdr;
>>      uint64_t           id;
>> Â Â Â Â Â atomic_t karma;
>> +   enum amd_sched_priority       priority;
>> Â };
>> Â Â extern const struct dma_fence_ops amd_sched_fence_ops_scheduled;
>> @@ -118,18 +131,6 @@ struct amd_sched_backend_ops {
>> Â Â Â Â Â void (*free_job)(struct amd_sched_job *sched_job);
>> Â };
>> Â -enum amd_sched_priority {
>> -Â Â Â AMD_SCHED_PRIORITY_MIN,
>> -Â Â Â AMD_SCHED_PRIORITY_LOW = AMD_SCHED_PRIORITY_MIN,
>> -Â Â Â AMD_SCHED_PRIORITY_NORMAL,
>> -Â Â Â AMD_SCHED_PRIORITY_HIGH_SW,
>> -Â Â Â AMD_SCHED_PRIORITY_HIGH_HW,
>> -Â Â Â AMD_SCHED_PRIORITY_KERNEL,
>> -Â Â Â AMD_SCHED_PRIORITY_MAX,
>> -Â Â Â AMD_SCHED_PRIORITY_INVALID = -1,
>> -Â Â Â AMD_SCHED_PRIORITY_UNSET = -2
>> -};
>> -
>> Â /**
>> Â Â * One scheduler is implemented for each hardware ring
>> Â */
>> @@ -183,7 +184,7 @@ void amd_sched_job_kickout(struct amd_sched_job
>> *s_job);
>> Â static inline enum amd_sched_priority
>> Â amd_sched_get_job_priority(struct amd_sched_job *job)
>> Â {
>> -Â Â Â return (job->s_entity->rq - job->sched->sched_rq);
>> +Â Â Â return job->priority;
>> Â }
>> Â Â #endif
>
>
