On 2018 Jan 12, Andrey Grodzovsky wrote:
> Yea, I know, just dumped diff of one file into it, please search in
> code for
>
> "ret = do_aquire_global_lock(dev, state);" it appears only in one place
> in entire code base, and manually apply the one line change.
>

with patch applied:

[ 6887.679618] [drm] {1920x1080, 2250x1132 at 152840Khz}
[ 6887.806430] [drm] HBRx2 pass VS=1, PE=0
[12432.070076] [drm] {1920x1080, 2250x1132 at 152840Khz}
[12432.194472] [drm] HBRx2 pass VS=1, PE=0
[13677.257767] ==================================================================
[13677.257812] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr ffff8803f0533388 by task kworker/u8:6/22172
[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00002-g617b2907a7aa #445
[13677.257837] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257931]  ? trace_raw_output_rcu_utilization+0xa0/0xa0
[13677.257939]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.257961]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.257969]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.257973]  ? _raw_spin_unlock+0x120/0x120
[13677.257977]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[13677.257984]  ? arch_vtime_task_switch+0xee/0x190
[13677.257991]  ? finish_task_switch+0x27d/0x7f0
[13677.257995]  ? wq_worker_waking_up+0xc0/0xc0
[13677.258000]  ? copy_overflow+0x20/0x20
[13677.258010]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258014]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258022]  ? schedule+0xfb/0x3b0
[13677.258027]  ? __schedule+0x19b0/0x19b0
[13677.258031]  ? preempt_schedule_common+0x30/0xb0
[13677.258038]  ? ___preempt_schedule+0x16/0x18
[13677.258043]  ? _raw_spin_unlock_irq+0xfa/0x120
[13677.258047]  ? _raw_spin_unlock+0x120/0x120
[13677.258052]  worker_thread+0x211/0x1790
[13677.258060]  ? pick_next_task_fair+0x313/0x10f0
[13677.258065]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258073]  ? cyc2ns_read_end+0x20/0x20
[13677.258078]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.258083]  ? get_vtime_delta+0x16/0xd0
[13677.258087]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.258091]  ? _raw_spin_unlock+0x120/0x120
[13677.258098]  ? finish_task_switch+0x27d/0x7f0
[13677.258104]  ? sched_clock_cpu+0x18/0x1e0
[13677.258110]  ? ret_from_fork+0x1f/0x30
[13677.258116]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258120]  ? get_vtime_delta+0x16/0xd0
[13677.258125]  ? cyc2ns_read_end+0x20/0x20
[13677.258131]  ? schedule+0xfb/0x3b0
[13677.258136]  ? __schedule+0x19b0/0x19b0
[13677.258141]  ? remove_wait_queue+0x2b0/0x2b0
[13677.258146]  ? arch_vtime_task_switch+0xee/0x190
[13677.258151]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[13677.258156]  ? _raw_spin_unlock_irq+0x120/0x120
[13677.258162]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258167]  kthread+0x2d4/0x390
[13677.258172]  ? kthread_create_worker+0xd0/0xd0
[13677.258177]  ret_from_fork+0x1f/0x30

[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258245]  amdgpu_drm_ioctl+0x118/0x280
[13677.258250]  do_vfs_ioctl+0x18a/0x1260
[13677.258254]  SyS_ioctl+0x6f/0x80
[13677.258258]  do_syscall_64+0x220/0x670
[13677.258262]  return_from_SYSCALL_64+0x0/0x65

[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258293]  __setplane_internal+0x5b4/0x9d0
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258301]  drm_mode_cursor_common+0x4b6/0x890
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258313]  drm_ioctl+0x709/0xa00
[13677.258316]  amdgpu_drm_ioctl+0x118/0x280
[13677.258319]  do_vfs_ioctl+0x18a/0x1260
[13677.258323]  SyS_ioctl+0x6f/0x80
[13677.258326]  do_syscall_64+0x220/0x670
[13677.258330]  return_from_SYSCALL_64+0x0/0x65

[13677.258336] The buggy address belongs to the object at ffff8803f0533180 which belongs to the cache kmalloc-1024 of size 1024
[13677.258343] The buggy address is located 520 bytes inside of 1024-byte region [ffff8803f0533180, ffff8803f0533580)
[13677.258347] The buggy address belongs to the page:
[13677.258354] page:ffffea000fc14c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[13677.258364] flags: 0x2000000000008100(slab|head)
[13677.258374] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[13677.258380] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[13677.258383] page dumped because: kasan: bad access detected

[13677.258388] Memory state around the buggy address:
[13677.258393]  ffff8803f0533280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258398]  ffff8803f0533300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258402] >ffff8803f0533380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258404]                       ^
[13677.258408]  ffff8803f0533400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258411]  ffff8803f0533480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258415] ==================================================================
[13677.258418] Disabling lock debugging due to kernel taint

--
Regards,
Johannes