BUG: KASAN: use-after-free in amdgpu_job_free_cb

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2018 Jan 03, Johannes Hirte wrote:
> On 2018 Jan 03, Johannes Hirte wrote:
> > This should be fixed already with 
> > https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
> > but's still missing upstream.
> > 
> 
> With this patch, the use-after-free in amdgpu_job_free_cb seems to be
> gone. But now I get an use-after-free in
> drm_atomic_helper_wait_for_flip_done:
> 
> [89387.069387] ==================================================================
> [89387.069407] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> [89387.069413] Read of size 8 at addr ffff880124df0688 by task kworker/u8:3/31426
> 
> [89387.069423] CPU: 1 PID: 31426 Comm: kworker/u8:3 Not tainted 4.15.0-rc6-00001-ge0895ba8d88e #442
> [89387.069427] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
> [89387.069435] Workqueue: events_unbound commit_work
> [89387.069440] Call Trace:
> [89387.069448]  dump_stack+0x99/0x11e
> [89387.069453]  ? _atomic_dec_and_lock+0x152/0x152
> [89387.069460]  print_address_description+0x65/0x270
> [89387.069465]  kasan_report+0x272/0x360
> [89387.069470]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> [89387.069475]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> [89387.069483]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
> [89387.069492]  ? dm_crtc_duplicate_state+0x130/0x130
> [89387.069498]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
> [89387.069504]  commit_tail+0x92/0xe0
> [89387.069511]  process_one_work+0x84b/0x1600
> [89387.069517]  ? tick_nohz_dep_clear_signal+0x20/0x20
> [89387.069522]  ? _raw_spin_unlock_irq+0xbe/0x120
> [89387.069525]  ? _raw_spin_unlock+0x120/0x120
> [89387.069529]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
> [89387.069534]  ? arch_vtime_task_switch+0xee/0x190
> [89387.069539]  ? finish_task_switch+0x27d/0x7f0
> [89387.069542]  ? wq_worker_waking_up+0xc0/0xc0
> [89387.069547]  ? copy_overflow+0x20/0x20
> [89387.069550]  ? sched_clock_cpu+0x18/0x1e0
> [89387.069558]  ? pci_mmcfg_check_reserved+0x100/0x100
> [89387.069562]  ? pci_mmcfg_check_reserved+0x100/0x100
> [89387.069569]  ? schedule+0xfb/0x3b0
> [89387.069574]  ? __schedule+0x19b0/0x19b0
> [89387.069578]  ? _raw_spin_unlock_irq+0xb9/0x120
> [89387.069582]  ? _raw_spin_unlock_irq+0xbe/0x120
> [89387.069585]  ? _raw_spin_unlock+0x120/0x120
> [89387.069590]  worker_thread+0x211/0x1790
> [89387.069597]  ? pick_next_task_fair+0x313/0x10f0
> [89387.069601]  ? trace_event_raw_event_workqueue_work+0x170/0x170
> [89387.069606]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
> [89387.069612]  ? tick_nohz_dep_clear_signal+0x20/0x20
> [89387.069616]  ? account_idle_time+0x94/0x1f0
> [89387.069620]  ? _raw_spin_unlock_irq+0xbe/0x120
> [89387.069623]  ? _raw_spin_unlock+0x120/0x120
> [89387.069628]  ? finish_task_switch+0x27d/0x7f0
> [89387.069633]  ? sched_clock_cpu+0x18/0x1e0
> [89387.069639]  ? ret_from_fork+0x1f/0x30
> [89387.069644]  ? pci_mmcfg_check_reserved+0x100/0x100
> [89387.069650]  ? cyc2ns_read_end+0x20/0x20
> [89387.069657]  ? schedule+0xfb/0x3b0
> [89387.069662]  ? __schedule+0x19b0/0x19b0
> [89387.069666]  ? remove_wait_queue+0x2b0/0x2b0
> [89387.069670]  ? arch_vtime_task_switch+0xee/0x190
> [89387.069675]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
> [89387.069679]  ? _raw_spin_unlock_irq+0x120/0x120
> [89387.069683]  ? trace_event_raw_event_workqueue_work+0x170/0x170
> [89387.069688]  kthread+0x2d4/0x390
> [89387.069693]  ? kthread_create_worker+0xd0/0xd0
> [89387.069697]  ret_from_fork+0x1f/0x30
> 
> [89387.069705] Allocated by task 2387:
> [89387.069712]  kasan_kmalloc+0xa0/0xd0
> [89387.069717]  kmem_cache_alloc_trace+0xd1/0x1e0
> [89387.069722]  dm_crtc_duplicate_state+0x73/0x130
> [89387.069726]  drm_atomic_get_crtc_state+0x13c/0x400
> [89387.069730]  page_flip_common+0x52/0x230
> [89387.069734]  drm_atomic_helper_page_flip+0xa1/0x100
> [89387.069739]  drm_mode_page_flip_ioctl+0xc10/0x1030
> [89387.069744]  drm_ioctl_kernel+0x1b5/0x2c0
> [89387.069748]  drm_ioctl+0x709/0xa00
> [89387.069752]  amdgpu_drm_ioctl+0x118/0x280
> [89387.069756]  do_vfs_ioctl+0x18a/0x1260
> [89387.069760]  SyS_ioctl+0x6f/0x80
> [89387.069764]  do_syscall_64+0x220/0x670
> [89387.069768]  return_from_SYSCALL_64+0x0/0x65
> 
> [89387.069772] Freed by task 2533:
> [89387.069776]  kasan_slab_free+0x71/0xc0
> [89387.069780]  kfree+0x88/0x1b0
> [89387.069784]  drm_atomic_state_default_clear+0x2c8/0xa00
> [89387.069787]  __drm_atomic_state_free+0x30/0xd0
> [89387.069791]  drm_atomic_helper_update_plane+0xb6/0x350
> [89387.069794]  __setplane_internal+0x5b4/0x9d0
> [89387.069798]  drm_mode_cursor_universal+0x412/0xc60
> [89387.069801]  drm_mode_cursor_common+0x4b6/0x890
> [89387.069805]  drm_mode_cursor_ioctl+0xd3/0x120
> [89387.069809]  drm_ioctl_kernel+0x1b5/0x2c0
> [89387.069813]  drm_ioctl+0x709/0xa00
> [89387.069816]  amdgpu_drm_ioctl+0x118/0x280
> [89387.069819]  do_vfs_ioctl+0x18a/0x1260
> [89387.069822]  SyS_ioctl+0x6f/0x80
> [89387.069824]  do_syscall_64+0x220/0x670
> [89387.069828]  return_from_SYSCALL_64+0x0/0x65
> 
> [89387.069834] The buggy address belongs to the object at ffff880124df0480
> [89387.069839] The buggy address is located 520 bytes inside of
> [89387.069843] The buggy address belongs to the page:
> [89387.069849] page:00000000b20cc097 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> [89387.069856] flags: 0x2000000000008100(slab|head)
> [89387.069862] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
> [89387.069867] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
> [89387.069869] page dumped because: kasan: bad access detected
> 
> [89387.069874] Memory state around the buggy address:
> [89387.069878]  ffff880124df0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [89387.069881]  ffff880124df0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [89387.069885] >ffff880124df0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [89387.069888]                       ^
> [89387.069891]  ffff880124df0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [89387.069895]  ffff880124df0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [89387.069897] ==================================================================
> 

ping? There are two different use-after-free in kernel-code and nobody
cares?

-- 
Regards,
  Johannes



[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux