KASAN: use-after-free in drm_sched_entity_pop_job with amdgpu

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



KASAN caught something during today's piglit run, see the attached dmesg
excerpt.

Looks like amdgpu destroys the VM while the scheduler still has a
reference to its entity?


-- 
Earthling Michel Dänzer               |               http://www.amd.com
Libre software enthusiast             |             Mesa and X developer
Dec  6 15:21:35 kaveri kernel: [ 8318.734239] ==================================================================
Dec  6 15:21:35 kaveri kernel: [ 8318.736505] BUG: KASAN: use-after-free in drm_sched_entity_pop_job+0x50f/0x910 [gpu_sched]
Dec  6 15:21:35 kaveri kernel: [ 8318.736661] Write of size 4 at addr ffff888261b9b460 by task sdma0/827
Dec  6 15:21:35 kaveri kernel: [ 8318.736769] 
Dec  6 15:21:35 kaveri kernel: [ 8318.736941] CPU: 7 PID: 827 Comm: sdma0 Tainted: G           OE     4.20.0-rc3+ #118
Dec  6 15:21:35 kaveri kernel: [ 8318.737091] Hardware name: Micro-Star International Co., Ltd. MS-7A34/B350 TOMAHAWK (MS-7A34), BIOS 1.80 09/13/2017
Dec  6 15:21:35 kaveri kernel: [ 8318.737220] Call Trace:
Dec  6 15:21:35 kaveri kernel: [ 8318.737416]  dump_stack+0x7c/0xc0
Dec  6 15:21:35 kaveri kernel: [ 8318.737639]  print_address_description+0x65/0x22e
Dec  6 15:21:35 kaveri kernel: [ 8318.737919]  ? drm_sched_entity_pop_job+0x50f/0x910 [gpu_sched]
Dec  6 15:21:35 kaveri kernel: [ 8318.738089]  kasan_report.cold.5+0x241/0x306
Dec  6 15:21:35 kaveri kernel: [ 8318.738446]  drm_sched_entity_pop_job+0x50f/0x910 [gpu_sched]
Dec  6 15:21:35 kaveri kernel: [ 8318.738882]  drm_sched_main+0xe4/0x5a0 [gpu_sched]
Dec  6 15:21:35 kaveri kernel: [ 8318.739340]  ? drm_sched_job_recovery+0x470/0x470 [gpu_sched]
Dec  6 15:21:35 kaveri kernel: [ 8318.739750]  ? lock_acquire+0x103/0x2c0
Dec  6 15:21:35 kaveri kernel: [ 8318.739967]  ? __kthread_parkme+0x50/0xf0
Dec  6 15:21:35 kaveri kernel: [ 8318.740275]  ? finish_wait+0x230/0x230
Dec  6 15:21:35 kaveri kernel: [ 8318.740517]  ? lockdep_hardirqs_on+0x37c/0x560
Dec  6 15:21:35 kaveri kernel: [ 8318.740924]  ? drm_sched_job_recovery+0x470/0x470 [gpu_sched]
Dec  6 15:21:35 kaveri kernel: [ 8318.741111]  kthread+0x2e2/0x3a0
Dec  6 15:21:35 kaveri kernel: [ 8318.741279]  ? kthread_park+0x120/0x120
Dec  6 15:21:35 kaveri kernel: [ 8318.741536]  ret_from_fork+0x27/0x50
Dec  6 15:21:35 kaveri kernel: [ 8318.742118] 
Dec  6 15:21:35 kaveri kernel: [ 8318.742264] Allocated by task 8273:
Dec  6 15:21:35 kaveri kernel: [ 8318.742480]  kasan_kmalloc+0xbf/0xe0
Dec  6 15:21:35 kaveri kernel: [ 8318.742652]  kmem_cache_alloc_trace+0x12d/0x290
Dec  6 15:21:35 kaveri kernel: [ 8318.743245]  amdgpu_driver_open_kms+0xe6/0x4c0 [amdgpu]
Dec  6 15:21:35 kaveri kernel: [ 8318.743275]  drm_file_alloc+0x43a/0x980 [drm]
Dec  6 15:21:35 kaveri kernel: [ 8318.743303]  drm_open+0x21c/0x730 [drm]
Dec  6 15:21:35 kaveri kernel: [ 8318.743332]  drm_stub_open+0x25e/0x410 [drm]
Dec  6 15:21:35 kaveri kernel: [ 8318.743339]  chrdev_open+0x1e0/0x4e0
Dec  6 15:21:35 kaveri kernel: [ 8318.743346]  do_dentry_open+0x3c4/0xda0
Dec  6 15:21:35 kaveri kernel: [ 8318.743353]  path_openat+0xa1e/0x3650
Dec  6 15:21:35 kaveri kernel: [ 8318.743359]  do_filp_open+0x17c/0x250
Dec  6 15:21:35 kaveri kernel: [ 8318.743365]  do_sys_open+0x1db/0x310
Dec  6 15:21:35 kaveri kernel: [ 8318.743373]  do_syscall_64+0x9c/0x3d0
Dec  6 15:21:35 kaveri kernel: [ 8318.743380]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
Dec  6 15:21:35 kaveri kernel: [ 8318.743385] 
Dec  6 15:21:35 kaveri kernel: [ 8318.743391] Freed by task 6916:
Dec  6 15:21:35 kaveri kernel: [ 8318.743398]  __kasan_slab_free+0x125/0x170
Dec  6 15:21:35 kaveri kernel: [ 8318.743404]  kfree+0xe2/0x290
Dec  6 15:21:35 kaveri kernel: [ 8318.743520]  amdgpu_driver_postclose_kms+0x4e7/0x8e0 [amdgpu]
Dec  6 15:21:35 kaveri kernel: [ 8318.743548]  drm_file_free.part.3+0x7d6/0xe30 [drm]
Dec  6 15:21:35 kaveri kernel: [ 8318.743576]  drm_release+0x231/0x3f0 [drm]
Dec  6 15:21:35 kaveri kernel: [ 8318.743582]  __fput+0x235/0x710
Dec  6 15:21:35 kaveri kernel: [ 8318.743590]  task_work_run+0x10e/0x180
Dec  6 15:21:35 kaveri kernel: [ 8318.743596]  exit_to_usermode_loop+0x136/0x160
Dec  6 15:21:35 kaveri kernel: [ 8318.743602]  do_syscall_64+0x32e/0x3d0
Dec  6 15:21:35 kaveri kernel: [ 8318.743609]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
Dec  6 15:21:35 kaveri kernel: [ 8318.743613] 
Dec  6 15:21:35 kaveri kernel: [ 8318.743619] The buggy address belongs to the object at ffff888261b9b300
Dec  6 15:21:35 kaveri kernel: [ 8318.743619]  which belongs to the cache kmalloc-4k of size 4096
Dec  6 15:21:35 kaveri kernel: [ 8318.743627] The buggy address is located 352 bytes inside of
Dec  6 15:21:35 kaveri kernel: [ 8318.743627]  4096-byte region [ffff888261b9b300, ffff888261b9c300)
Dec  6 15:21:35 kaveri kernel: [ 8318.743633] The buggy address belongs to the page:
Dec  6 15:21:35 kaveri kernel: [ 8318.743639] page:ffffea000986e600 count:1 mapcount:0 mapping:ffff8883ed80e600 index:0x0 compound_mapcount: 0
Dec  6 15:21:35 kaveri kernel: [ 8318.743649] flags: 0x17fffc000010200(slab|head)
Dec  6 15:21:35 kaveri kernel: [ 8318.743657] raw: 017fffc000010200 ffffea00074fca00 0000000300000003 ffff8883ed80e600
Dec  6 15:21:35 kaveri kernel: [ 8318.743664] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
Dec  6 15:21:35 kaveri kernel: [ 8318.743669] page dumped because: kasan: bad access detected
Dec  6 15:21:35 kaveri kernel: [ 8318.743672] 
Dec  6 15:21:35 kaveri kernel: [ 8318.743677] Memory state around the buggy address:
Dec  6 15:21:35 kaveri kernel: [ 8318.743683]  ffff888261b9b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Dec  6 15:21:35 kaveri kernel: [ 8318.743689]  ffff888261b9b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Dec  6 15:21:35 kaveri kernel: [ 8318.743695] >ffff888261b9b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Dec  6 15:21:35 kaveri kernel: [ 8318.743700]                                                        ^
Dec  6 15:21:35 kaveri kernel: [ 8318.743706]  ffff888261b9b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Dec  6 15:21:35 kaveri kernel: [ 8318.743712]  ffff888261b9b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Dec  6 15:21:35 kaveri kernel: [ 8318.743717] ==================================================================
_______________________________________________
amd-gfx mailing list
amd-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux