I still get a use-after-free with linux-4.15-rc6:

[ 16.788943] ==================================================================
[ 16.788968] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x140/0x150
[ 16.788975] Read of size 8 at addr ffff8803dfe4b3c8 by task kworker/0:2/1355
[ 16.788986] CPU: 0 PID: 1355 Comm: kworker/0:2 Not tainted 4.15.0-rc6 #438
[ 16.788990] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[ 16.788998] Workqueue: events amd_sched_job_finish
[ 16.789003] Call Trace:
[ 16.789012]  dump_stack+0x99/0x11e
[ 16.789018]  ? _atomic_dec_and_lock+0x152/0x152
[ 16.789026]  print_address_description+0x65/0x270
[ 16.789032]  kasan_report+0x272/0x360
[ 16.789038]  ? amdgpu_job_free_cb+0x140/0x150
[ 16.789043]  amdgpu_job_free_cb+0x140/0x150
[ 16.789049]  amd_sched_job_finish+0x288/0x560
[ 16.789055]  ? amd_sched_process_job+0x220/0x220
[ 16.789061]  ? __queue_delayed_work+0x211/0x360
[ 16.789067]  ? pick_next_task_fair+0xcff/0x10f0
[ 16.789073]  ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789077]  ? _raw_spin_unlock+0x120/0x120
[ 16.789082]  process_one_work+0x84b/0x1600
[ 16.789088]  ? tick_nohz_dep_clear_signal+0x20/0x20
[ 16.789093]  ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789097]  ? _raw_spin_unlock+0x120/0x120
[ 16.789101]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[ 16.789107]  ? compat_start_thread+0x70/0x70
[ 16.789111]  ? cyc2ns_read_end+0x20/0x20
[ 16.789117]  ? finish_task_switch+0x27d/0x7f0
[ 16.789121]  ? wq_worker_waking_up+0xc0/0xc0
[ 16.789127]  ? sched_clock_cpu+0x18/0x1e0
[ 16.789133]  ? task_change_group_fair+0x7e0/0x7e0
[ 16.789139]  ? pci_mmcfg_check_reserved+0x100/0x100
[ 16.789143]  ? load_balance+0x3120/0x3120
[ 16.789148]  ? perf_event_exit_task+0x91f/0xe20
[ 16.789156]  ? schedule+0xfb/0x3b0
[ 16.789160]  ? __schedule+0x19b0/0x19b0
[ 16.789165]  ? _raw_spin_unlock_irq+0xb9/0x120
[ 16.789169]  ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789172]  ? _raw_spin_unlock+0x120/0x120
[ 16.789177]  worker_thread+0x211/0x1790
[ 16.789184]  ? pick_next_task_fair+0x97d/0x10f0
[ 16.789188]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[ 16.789194]  ? tick_nohz_dep_clear_signal+0x20/0x20
[ 16.789199]  ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789202]  ? _raw_spin_unlock+0x120/0x120
[ 16.789207]  ? compat_start_thread+0x70/0x70
[ 16.789212]  ? finish_task_switch+0x27d/0x7f0
[ 16.789217]  ? sched_clock_cpu+0x18/0x1e0
[ 16.789223]  ? ret_from_fork+0x1f/0x30
[ 16.789228]  ? pci_mmcfg_check_reserved+0x100/0x100
[ 16.789233]  ? get_task_cred+0x210/0x210
[ 16.789238]  ? cyc2ns_read_end+0x20/0x20
[ 16.789245]  ? schedule+0xfb/0x3b0
[ 16.789249]  ? __schedule+0x19b0/0x19b0
[ 16.789254]  ? remove_wait_queue+0x2b0/0x2b0
[ 16.789258]  ? arch_vtime_task_switch+0xee/0x190
[ 16.789263]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[ 16.789267]  ? _raw_spin_unlock_irq+0x120/0x120
[ 16.789273]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[ 16.789277]  kthread+0x2d4/0x390
[ 16.789282]  ? kthread_create_worker+0xd0/0xd0
[ 16.789286]  ? umh_complete+0x60/0x60
[ 16.789290]  ret_from_fork+0x1f/0x30

[ 16.789298] Allocated by task 2385:
[ 16.789304]  kasan_kmalloc+0xa0/0xd0
[ 16.789309]  kmem_cache_alloc_trace+0xd1/0x1e0
[ 16.789314]  amdgpu_driver_open_kms+0x12b/0x4d0
[ 16.789320]  drm_open+0x7c3/0x1100
[ 16.789324]  drm_stub_open+0x2a8/0x400
[ 16.789329]  chrdev_open+0x1eb/0x5a0
[ 16.789333]  do_dentry_open+0x5a1/0xc50
[ 16.789337]  path_openat+0x11d3/0x4e90
[ 16.789341]  do_filp_open+0x239/0x3c0
[ 16.789344]  do_sys_open+0x402/0x630
[ 16.789349]  do_syscall_64+0x220/0x670
[ 16.789353]  return_from_SYSCALL_64+0x0/0x65

[ 16.789357] Freed by task 2541:
[ 16.789362]  kasan_slab_free+0x71/0xc0
[ 16.789365]  kfree+0x88/0x1b0
[ 16.789369]  amdgpu_driver_postclose_kms+0x469/0x860
[ 16.789373]  drm_release+0x8a8/0x1180
[ 16.789377]  __fput+0x2ab/0x730
[ 16.789380]  task_work_run+0x14b/0x200
[ 16.789384]  exit_to_usermode_loop+0x151/0x180
[ 16.789387]  do_syscall_64+0x4ed/0x670
[ 16.789391]  return_from_SYSCALL_64+0x0/0x65

[ 16.789397] The buggy address belongs to the object at ffff8803dfe4b300
[ 16.789403] The buggy address is located 200 bytes inside of
[ 16.789406] The buggy address belongs to the page:
[ 16.789413] page:000000004ccd276f count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 16.789421] flags: 0x2000000000008100(slab|head)
[ 16.789428] raw: 2000000000008100 0000000000000000 0000000000000000 00000001000f000f
[ 16.789433] raw: dead000000000100 dead000000000200 ffff8803f3002a80 0000000000000000
[ 16.789436] page dumped because: kasan: bad access detected

[ 16.789441] Memory state around the buggy address:
[ 16.789445]  ffff8803dfe4b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.789449]  ffff8803dfe4b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789452] >ffff8803dfe4b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789455]                                               ^
[ 16.789458]  ffff8803dfe4b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789462]  ffff8803dfe4b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789465] ==================================================================
[ 16.789468] Disabling lock debugging due to kernel taint

This should be fixed already with https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html but it's still missing upstream.

-- 
Regards,
Johannes
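As an added triage example (editor's code, not part of the report above and not amdgpu or kernel code): a small parser that pulls out of a KASAN report the facts a reviewer wants before reading the driver source: the bug class and faulting function, the access size and address, the workqueue the access ran from, the task and call site that allocated the object, the task and call site that freed it, the offset of the access inside the object, and what the shadow byte at the faulting address says. It assumes the 4.15-era KASAN text layout shown above (timestamp prefix, "Allocated by task N:" / "Freed by task N:" sections, 16 shadow bytes per line, each covering 8 bytes of memory) and takes the shadow byte values from the kernel's mm/kasan/kasan.h. The sample input is a constructed subset of the report's own lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a subset of the lines from the KASAN report quoted above.
SAMPLE_REPORT = """\
[ 16.788968] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x140/0x150
[ 16.788975] Read of size 8 at addr ffff8803dfe4b3c8 by task kworker/0:2/1355
[ 16.788998] Workqueue: events amd_sched_job_finish
[ 16.789003] Call Trace:
[ 16.789018] ? _atomic_dec_and_lock+0x152/0x152
[ 16.789032] kasan_report+0x272/0x360
[ 16.789043] amdgpu_job_free_cb+0x140/0x150
[ 16.789049] amd_sched_job_finish+0x288/0x560
[ 16.789298] Allocated by task 2385:
[ 16.789304] kasan_kmalloc+0xa0/0xd0
[ 16.789309] kmem_cache_alloc_trace+0xd1/0x1e0
[ 16.789314] amdgpu_driver_open_kms+0x12b/0x4d0
[ 16.789357] Freed by task 2541:
[ 16.789362] kasan_slab_free+0x71/0xc0
[ 16.789365] kfree+0x88/0x1b0
[ 16.789369] amdgpu_driver_postclose_kms+0x469/0x860
[ 16.789397] The buggy address belongs to the object at ffff8803dfe4b300
[ 16.789452] >ffff8803dfe4b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_LINE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
WORKQUEUE_LINE = re.compile(r"Workqueue: \S+ (?P<fn>\S+)")
SECTION_LINE = re.compile(r"^(?:Call Trace:|Allocated by task (?P<alloc>\d+):|Freed by task (?P<free>\d+):)")
FRAME_LINE = re.compile(r"^(?P<stale>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_LINE = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
SHADOW_LINE = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})$")

# Shadow byte values as defined in the kernel's mm/kasan/kasan.h; one shadow byte covers 8 bytes.
SHADOW_MEANING = {0x00: "addressable", 0xFB: "freed slab object (use-after-free)",
                  0xFC: "kmalloc redzone (slab-out-of-bounds)"}
# Allocator and KASAN plumbing frames that sit above the code that really owns the object.
PLUMBING = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kzalloc", "kfree", "slab_")


@dataclass
class KasanTriage:
    kind: Optional[str] = None
    func: Optional[str] = None
    rw: Optional[str] = None
    size: Optional[int] = None
    addr: Optional[int] = None
    workqueue: Optional[str] = None
    object_addr: Optional[int] = None
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)

    @property
    def offset(self) -> Optional[int]:  # byte offset of the access inside the slab object
        return None if None in (self.addr, self.object_addr) else self.addr - self.object_addr

    def shadow_state(self) -> Optional[str]:  # decode the shadow byte covering the access
        for base, vals in self.shadow.items():
            if self.addr is not None and base <= self.addr < base + 8 * len(vals):
                return SHADOW_MEANING.get(vals[(self.addr - base) // 8], "unknown")
        return None


def site(trace: List[str]) -> Optional[str]:
    """First frame that is not allocator/KASAN plumbing: the code that owns the object."""
    return next((f for f in trace if not f.startswith(PLUMBING)), None)


def parse_kasan_report(text: str) -> KasanTriage:
    rep = KasanTriage()
    stacks = {"call": rep.call_trace, "alloc": rep.alloc_trace, "free": rep.free_trace}
    section = None  # which stack, if any, the current lines belong to
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := SECTION_LINE.match(line):
            section = "alloc" if m["alloc"] else "free" if m["free"] else "call"
            if section != "call":
                setattr(rep, section + "_task", int(m[section]))
            continue
        if section and (fm := FRAME_LINE.match(line)):
            if not fm["stale"]:  # '? ' frames are stack residue, not part of the real call chain
                stacks[section].append(fm["func"])
            continue
        section = None  # any other line terminates the stack being collected
        if m := BUG_LINE.search(line):
            rep.kind, rep.func = m["kind"], m["func"]
        elif m := ACCESS_LINE.search(line):
            rep.rw, rep.size, rep.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif m := WORKQUEUE_LINE.search(line):
            rep.workqueue = m["fn"]
        elif m := OBJECT_LINE.search(line):
            rep.object_addr = int(m["obj"], 16)
        elif m := SHADOW_LINE.match(line):
            rep.shadow[int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return rep
```

Run over the report above, `parse_kasan_report(SAMPLE_REPORT)` yields the same picture a reviewer assembles by hand: an 8-byte read at offset 200 of an object that `amdgpu_driver_open_kms` allocated and `amdgpu_driver_postclose_kms` already freed, performed not by the closing task but by a kworker running `amd_sched_job_finish`; the shadow byte at the address is 0xfb, so KASAN is reporting a freed slab object rather than a redzone hit. The "? " frames are dropped because they are stale values the unwinder found on the stack, not a verified call chain, which is why the `Call Trace:` above is so much longer than the real path from `kthread` down to `amdgpu_job_free_cb`.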