https://bugzilla.kernel.org/show_bug.cgi?id=199425

            Bug ID: 199425
           Summary: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
           Product: Drivers
           Version: 2.5
    Kernel Version: 4.17-rc1
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Video(DRI - non Intel)
          Assignee: drivers_video-dri@xxxxxxxxxxxxxxxxxxxx
          Reporter: johannes.hirte@xxxxxxxxxxxxx
        Regression: No

With dc enabled, I get the following use-after-free on my Carrizo:

[53213.875800] ==================================================================
[53213.875826] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875835] Read of size 8 at addr ffff8801063aaa88 by task kworker/u8:3/9911
[53213.875848] CPU: 3 PID: 9911 Comm: kworker/u8:3 Not tainted 4.17.0-rc1-00001-g9e7729e9a66c #566
[53213.875855] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.12 12/19/2017
[53213.875864] Workqueue: events_unbound commit_work
[53213.875870] Call Trace:
[53213.875881]  dump_stack+0x5b/0x8b
[53213.875890]  ? drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875899]  print_address_description+0x65/0x270
[53213.875907]  ? drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875913]  kasan_report+0x232/0x350
[53213.875920]  drm_atomic_helper_wait_for_flip_done+0x247/0x260
[53213.875930]  amdgpu_dm_atomic_commit_tail+0x1b19/0x4010
[53213.875940]  ? _raw_spin_unlock_irq+0x35/0x50
[53213.875946]  ? wait_for_completion_timeout+0x215/0x2b0
[53213.875953]  ? btrfs_rmap_block+0x9c0/0x9c0
[53213.875959]  ? dm_update_crtcs_state+0xcb0/0xcb0
[53213.875966]  ? _raw_spin_unlock_irqrestore+0x3a/0x70
[53213.875973]  ? try_to_wake_up+0xa1/0xf90
[53213.875980]  ? drm_atomic_helper_wait_for_dependencies+0x3de/0x7d0
[53213.875986]  ? normal_work_helper+0x273/0xa70
[53213.875993]  commit_tail+0x95/0xf0
[53213.876000]  process_one_work+0x7c8/0x1330
[53213.876006]  ? _raw_spin_lock_irq+0x1c/0x40
[53213.876013]  worker_thread+0xc9/0xef0
[53213.876021]  ? process_one_work+0x1330/0x1330
[53213.876026]  kthread+0x2d6/0x390
[53213.876032]  ? kthread_create_worker+0xd0/0xd0
[53213.876038]  ret_from_fork+0x22/0x40

[53213.876049] Allocated by task 508:
[53213.876056]  kasan_kmalloc+0xa0/0xd0
[53213.876063]  kmem_cache_alloc_trace+0xf3/0x1f0
[53213.876068]  dm_crtc_duplicate_state+0x73/0x130
[53213.876075]  drm_atomic_get_crtc_state+0x142/0x400
[53213.876080]  page_flip_common+0x52/0x220
[53213.876086]  drm_atomic_helper_page_flip+0xa1/0x100
[53213.876093]  drm_mode_page_flip_ioctl+0xbe3/0xff0
[53213.876100]  drm_ioctl_kernel+0x13d/0x1d0
[53213.876106]  drm_ioctl+0x63d/0x920
[53213.876112]  amdgpu_drm_ioctl+0xc7/0x1a0
[53213.876120]  do_vfs_ioctl+0x173/0xde0
[53213.876125]  ksys_ioctl+0x6b/0x80
[53213.876130]  __x64_sys_ioctl+0x6a/0xb0
[53213.876137]  do_syscall_64+0x95/0x2f0
[53213.876142]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[53213.876149] Freed by task 637:
[53213.876154]  __kasan_slab_free+0x130/0x180
[53213.876159]  kfree+0x8b/0x1c0
[53213.876164]  drm_atomic_state_default_clear+0x2c5/0xa00
[53213.876169]  __drm_atomic_state_free+0x30/0xc0
[53213.876174]  drm_atomic_helper_update_plane+0xb6/0x350
[53213.876179]  __setplane_internal+0x48c/0x7f0
[53213.876184]  drm_mode_cursor_universal+0x2e7/0x970
[53213.876189]  drm_mode_cursor_common+0x493/0x860
[53213.876194]  drm_mode_cursor_ioctl+0x7a/0xa0
[53213.876199]  drm_ioctl_kernel+0x13d/0x1d0
[53213.876203]  drm_ioctl+0x63d/0x920
[53213.876207]  amdgpu_drm_ioctl+0xc7/0x1a0
[53213.876212]  do_vfs_ioctl+0x173/0xde0
[53213.876216]  ksys_ioctl+0x6b/0x80
[53213.876221]  __x64_sys_ioctl+0x6a/0xb0
[53213.876225]  do_syscall_64+0x95/0x2f0
[53213.876230]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[53213.876239] The buggy address belongs to the object at ffff8801063aa880
                which belongs to the cache kmalloc-1024 of size 1024
[53213.876247] The buggy address is located 520 bytes inside of
                1024-byte region [ffff8801063aa880, ffff8801063aac80)
[53213.876252] The buggy address belongs to the page:
[53213.876258] page:ffffea000418ea00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[53213.876268] flags: 0x2000000000008100(slab|head)
[53213.876278] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[53213.876284] raw: dead000000000100 dead000000000200 ffff8803f3402c40 0000000000000000
[53213.876288] page dumped because: kasan: bad access detected

[53213.876294] Memory state around the buggy address:
[53213.876300]  ffff8801063aa980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876305]  ffff8801063aaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876310] >ffff8801063aaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876313]                       ^
[53213.876319]  ffff8801063aab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876324]  ffff8801063aab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[53213.876327] ==================================================================
[53213.876331] Disabling lock debugging due to kernel taint

I've observed this already with kernel 4.14, 4.15 and 4.16.