BUG: KASAN: use-after-free in amdgpu_job_free_cb

On 2018 Jan 10, Andrey Grodzovsky wrote:
> 
> Hi, is there a particular scenario when this happens,

Unfortunately no, I still search for a reproducer. Sometimes it takes
several days until the next use-after-free.

> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?

I assume you want the debug output when a use-after-free happened. Here
it is:

Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: ==================================================================
Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
Jan 11 23:21:33 probook kernel: Call Trace:
Jan 11 23:21:33 probook kernel:  dump_stack+0x99/0x11e
Jan 11 23:21:33 probook kernel:  ? _atomic_dec_and_lock+0x152/0x152
Jan 11 23:21:33 probook kernel:  print_address_description+0x65/0x270
Jan 11 23:21:33 probook kernel:  kasan_report+0x272/0x360
Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel:  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
Jan 11 23:21:33 probook kernel:  ? dm_crtc_duplicate_state+0x130/0x130
Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
Jan 11 23:21:33 probook kernel:  commit_tail+0x92/0xe0
Jan 11 23:21:33 probook kernel:  process_one_work+0x84b/0x1600
Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel:  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
Jan 11 23:21:33 probook kernel:  ? arch_vtime_task_switch+0xee/0x190
Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
Jan 11 23:21:33 probook kernel:  ? wq_worker_waking_up+0xc0/0xc0
Jan 11 23:21:33 probook kernel:  ? copy_overflow+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel:  ? preempt_schedule_irq+0x4e/0xb0
Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xb9/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel:  worker_thread+0x211/0x1790
Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel:  ? vtime_guest_exit+0xe0/0xe0
Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel:  ? cyc2ns_read_end+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
Jan 11 23:21:33 probook kernel:  ? ___preempt_schedule+0x16/0x18
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irqrestore+0xfe/0x130
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0x120/0x120
Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel:  kthread+0x2d4/0x390
Jan 11 23:21:33 probook kernel:  ? kthread_create_worker+0xd0/0xd0
Jan 11 23:21:33 probook kernel:  ret_from_fork+0x1f/0x30
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Allocated by task 2408:
Jan 11 23:21:33 probook kernel:  kasan_kmalloc+0xa0/0xd0
Jan 11 23:21:33 probook kernel:  kmem_cache_alloc_trace+0xd1/0x1e0
Jan 11 23:21:33 probook kernel:  dm_crtc_duplicate_state+0x73/0x130
Jan 11 23:21:33 probook kernel:  drm_atomic_get_crtc_state+0x13c/0x400
Jan 11 23:21:33 probook kernel:  page_flip_common+0x52/0x230
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_page_flip+0xa1/0x100
Jan 11 23:21:33 probook kernel:  drm_mode_page_flip_ioctl+0xc10/0x1030
Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Freed by task 2531:
Jan 11 23:21:33 probook kernel:  kasan_slab_free+0x71/0xc0
Jan 11 23:21:33 probook kernel:  kfree+0x88/0x1b0
Jan 11 23:21:33 probook kernel:  drm_atomic_state_default_clear+0x2c8/0xa00
Jan 11 23:21:33 probook kernel:  __drm_atomic_state_free+0x30/0xd0
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_update_plane+0xb6/0x350
Jan 11 23:21:33 probook kernel:  __setplane_internal+0x5b4/0x9d0
Jan 11 23:21:33 probook kernel:  drm_mode_cursor_universal+0x412/0xc60
Jan 11 23:21:33 probook kernel:  drm_mode_cursor_common+0x4b6/0x890
Jan 11 23:21:33 probook kernel:  drm_mode_cursor_ioctl+0xd3/0x120
Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
Jan 11 23:21:33 probook kernel:  ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel:  ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel:                       ^
Jan 11 23:21:33 probook kernel:  ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel:  ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: ==================================================================
Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194

-- 
Regards,
  Johannes
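As an added illustration, not part of Johannes' mail or of the DRM/amdgpu code, here is a small parser for the syslog-prefixed KASAN report format shown above: it extracts the bug type, the faulting access, the reliable frames of the three stacks (frames marked `?` are dropped as unreliable) and the offset of the access inside the freed object. The sample input is a constructed, abridged copy of the report in this mail; the parser relies on KASAN printing the access line before the "belongs to the object" line, as it does.

```python
import re

# Constructed sample: abridged from the KASAN report in the mail above, syslog prefix kept.
SAMPLE = """\
Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
Jan 11 23:21:33 probook kernel: Call Trace:
Jan 11 23:21:33 probook kernel:  ? _atomic_dec_and_lock+0x152/0x152
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel:  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Allocated by task 2408:
Jan 11 23:21:33 probook kernel:  kasan_kmalloc+0xa0/0xd0
Jan 11 23:21:33 probook kernel:  dm_crtc_duplicate_state+0x73/0x130
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Freed by task 2531:
Jan 11 23:21:33 probook kernel:  kasan_slab_free+0x71/0xc0
Jan 11 23:21:33 probook kernel:  drm_atomic_state_default_clear+0x2c8/0xa00
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
"""

PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: ?")  # "Jan 11 23:21:33 host kernel: "
SECTION = re.compile(r"^(Call Trace|Allocated by task (\d+)|Freed by task (\d+)):")
FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "? " marks an unreliable frame

def parse_kasan_report(text):
    """Extract bug type, faulting access, and the call/allocated/freed stacks from a report."""
    rep = {"call": [], "allocated": [], "freed": []}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)", line):
            rep["kind"], rep["in"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            rep["op"], rep["size"] = m.group(1).lower(), int(m.group(2))
            rep["addr"], rep["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["offset"] = rep["addr"] - int(m.group(1), 16)  # bytes into the (freed) object
        elif m := SECTION.match(line):
            section = line.split()[0].lower()  # "call", "allocated" or "freed"
            if pid := (m.group(2) or m.group(3)):
                rep[section + "_pid"] = int(pid)
        elif section and (m := FRAME.match(line)):
            if not m.group(1):  # keep only frames the unwinder considers reliable
                rep[section].append(m.group(2))
        elif not line:  # a blank line ends the current stack
            section = None
    return rep
```

Run over the full dmesg above, the computed offset (520 bytes) matches the report's own "located 520 bytes inside of" line.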
