KASAN picked up something during today's piglit run on amd-staging-drm-next, see attached. I've never seen this one before.

-- 
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer

[ 386.246490] ==================================================================
[ 386.246604] BUG: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[ 386.246610] Read of size 4 at addr ffff8803dd6871f0 by task amdgpu_cs:0/2132
[ 386.246621] CPU: 0 PID: 2132 Comm: amdgpu_cs:0 Tainted: G B D W OE 4.16.0-rc7+ #104
[ 386.246626] Hardware name: Micro-Star International Co., Ltd. MS-7A34/B350 TOMAHAWK (MS-7A34), BIOS 1.80 09/13/2017
[ 386.246631] Call Trace:
[ 386.246640]  dump_stack+0x85/0xc1
[ 386.246649]  print_address_description+0x6a/0x270
[ 386.246657]  kasan_report+0x258/0x380
[ 386.246762]  ? amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[ 386.246862]  amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[ 386.246971]  amdgpu_vm_bo_update+0x11a3/0x1cb0 [amdgpu]
[ 386.246983]  ? lock_downgrade+0x5e0/0x5e0
[ 386.247092]  ? amdgpu_vm_handle_moved+0x92/0x5c0 [amdgpu]
[ 386.247202]  amdgpu_vm_handle_moved+0x239/0x5c0 [amdgpu]
[ 386.247291]  ? amdgpu_vm_clear_freed+0x450/0x450 [amdgpu]
[ 386.247380]  ? amdgpu_sync_fence+0x145/0x560 [amdgpu]
[ 386.247468]  amdgpu_cs_ioctl+0x3e8c/0x4d80 [amdgpu]
[ 386.247552]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[ 386.247638]  ? amdgpu_bo_list_ioctl+0x2aa/0x650 [amdgpu]
[ 386.247643]  ? save_stack+0x89/0xb0
[ 386.247649]  ? __kasan_slab_free+0x136/0x180
[ 386.247654]  ? kfree+0xf9/0x2f0
[ 386.247740]  ? amdgpu_bo_list_ioctl+0x2aa/0x650 [amdgpu]
[ 386.247764]  ? drm_ioctl_kernel+0x135/0x1c0 [drm]
[ 386.247786]  ? drm_ioctl+0x67a/0x980 [drm]
[ 386.247867]  ? amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[ 386.247872]  ? do_vfs_ioctl+0x192/0xee0
[ 386.247876]  ? SyS_ioctl+0x74/0x80
[ 386.247881]  ? do_syscall_64+0x198/0x5c0
[ 386.247886]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 386.247894]  ? idr_get_free+0x4b3/0x980
[ 386.247904]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 386.247925]  ? get_futex_key+0xc20/0xc20
[ 386.248011]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[ 386.248035]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[ 386.248061]  drm_ioctl+0x67a/0x980 [drm]
[ 386.248148]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[ 386.248172]  ? drm_getstats+0x20/0x20 [drm]
[ 386.248179]  ? lock_downgrade+0x5e0/0x5e0
[ 386.248184]  ? __pm_runtime_resume+0x68/0xf0
[ 386.248190]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[ 386.248276]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[ 386.248283]  do_vfs_ioctl+0x192/0xee0
[ 386.248290]  ? ioctl_preallocate+0x1b0/0x1b0
[ 386.248296]  ? __fget+0x1bc/0x300
[ 386.248302]  ? lock_downgrade+0x5e0/0x5e0
[ 386.248306]  ? __fget+0x49/0x300
[ 386.248312]  ? SyS_futex+0x197/0x200
[ 386.248319]  ? __fget+0x1db/0x300
[ 386.248328]  SyS_ioctl+0x74/0x80
[ 386.248333]  ? do_vfs_ioctl+0xee0/0xee0
[ 386.248338]  do_syscall_64+0x198/0x5c0
[ 386.248346]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 386.248351] RIP: 0033:0x7f98ef330f07
[ 386.248355] RSP: 002b:00007f98e4cb4ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 386.248361] RAX: ffffffffffffffda RBX: 00007f98e4cb4bd8 RCX: 00007f98ef330f07
[ 386.248365] RDX: 00007f98e4cb4b50 RSI: 00000000c0186444 RDI: 000000000000000e
[ 386.248369] RBP: 00007f98e4cb4b10 R08: 00007f98e4cb4c00 R09: 00007f98e4cb4bd8
[ 386.248373] R10: 00007f98e4cb4c00 R11: 0000000000000246 R12: 00007f98e4cb4b50
[ 386.248376] R13: 00000000c0186444 R14: 000000000000000e R15: 0000000000000000
[ 386.248390] Allocated by task 17099:
[ 386.248395]  kasan_kmalloc+0xa0/0xd0
[ 386.248399]  kmem_cache_alloc_trace+0x12f/0x310
[ 386.248482]  amdgpu_ttm_tt_create+0x47/0xc0 [amdgpu]
[ 386.248492]  ttm_tt_create+0x171/0x2d0 [ttm]
[ 386.248502]  ttm_bo_handle_move_mem+0x1441/0x2270 [ttm]
[ 386.248511]  ttm_bo_evict+0x35a/0x960 [ttm]
[ 386.248521]  ttm_mem_evict_first+0x349/0x550 [ttm]
[ 386.248531]  ttm_bo_mem_space+0x78a/0xe10 [ttm]
[ 386.248541]  ttm_bo_validate+0x293/0x4a0 [ttm]
[ 386.248625]  amdgpu_cs_bo_validate+0x34c/0x860 [amdgpu]
[ 386.248709]  amdgpu_cs_validate+0x94/0xb40 [amdgpu]
[ 386.248793]  amdgpu_cs_list_validate+0x197/0x3e0 [amdgpu]
[ 386.248877]  amdgpu_cs_ioctl+0x3310/0x4d80 [amdgpu]
[ 386.248899]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[ 386.248921]  drm_ioctl+0x67a/0x980 [drm]
[ 386.249002]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[ 386.249006]  do_vfs_ioctl+0x192/0xee0
[ 386.249010]  SyS_ioctl+0x74/0x80
[ 386.249014]  do_syscall_64+0x198/0x5c0
[ 386.249019]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 386.249024] Freed by task 17598:
[ 386.249029]  __kasan_slab_free+0x136/0x180
[ 386.249033]  kfree+0xf9/0x2f0
[ 386.249043]  ttm_bo_pipeline_move+0x870/0xa50 [ttm]
[ 386.249126]  amdgpu_move_blit.constprop.16+0x1f1/0x240 [amdgpu]
[ 386.249209]  amdgpu_move_ram_vram.constprop.14+0x1df/0x270 [amdgpu]
[ 386.249293]  amdgpu_bo_move+0x511/0x640 [amdgpu]
[ 386.249303]  ttm_bo_handle_move_mem+0x8b3/0x2270 [ttm]
[ 386.249312]  ttm_bo_validate+0x3b1/0x4a0 [ttm]
[ 386.249396]  amdgpu_cs_bo_validate+0x34c/0x860 [amdgpu]
[ 386.249481]  amdgpu_cs_validate+0x94/0xb40 [amdgpu]
[ 386.249565]  amdgpu_cs_list_validate+0x197/0x3e0 [amdgpu]
[ 386.249649]  amdgpu_cs_ioctl+0x3310/0x4d80 [amdgpu]
[ 386.249671]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[ 386.249694]  drm_ioctl+0x67a/0x980 [drm]
[ 386.249779]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[ 386.249783]  do_vfs_ioctl+0x192/0xee0
[ 386.249787]  SyS_ioctl+0x74/0x80
[ 386.249792]  do_syscall_64+0x198/0x5c0
[ 386.249797]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 386.249804] The buggy address belongs to the object at ffff8803dd687180 which belongs to the cache kmalloc-256 of size 256
[ 386.249810] The buggy address is located 112 bytes inside of 256-byte region [ffff8803dd687180, ffff8803dd687280)
[ 386.249814] The buggy address belongs to the page:
[ 386.249819] page:ffffea000f75a180 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[ 386.249826] flags: 0x17fffc000008100(slab|head)
[ 386.249832] raw: 017fffc000008100 0000000000000000 0000000000000000 0000000180190019
[ 386.249838] raw: dead000000000100 dead000000000200 ffff8803ed80ee00 0000000000000000
[ 386.249841] page dumped because: kasan: bad access detected
[ 386.249847] Memory state around the buggy address:
[ 386.249851]  ffff8803dd687080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 386.249856]  ffff8803dd687100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 386.249860] >ffff8803dd687180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 386.249864]                                                              ^
[ 386.249868]  ffff8803dd687200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 386.249872]  ffff8803dd687280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 386.249875] ==================================================================
[ 692.664488] amdgpu 0000:23:00.0: Disabling VM faults because of PRT request!