https://bugzilla.kernel.org/show_bug.cgi?id=199425

--- Comment #18 from Johannes Hirte (johannes.hirte@xxxxxxxxxxxxx) ---

[183309.195913] ==================================================================
[183309.195937] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x212/0x270
[183309.195944] Read of size 8 at addr ffff880115b906a8 by task kworker/u8:1/12462

[183309.195956] CPU: 1 PID: 12462 Comm: kworker/u8:1 Not tainted 4.18.0-00001-g61b0dd9978b0 #14
[183309.195961] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.15 03/26/2018
[183309.195968] Workqueue: events_unbound commit_work
[183309.195973] Call Trace:
[183309.195985]  dump_stack+0x5b/0x90
[183309.195993]  print_address_description+0x60/0x229
[183309.195999]  ? drm_atomic_helper_wait_for_flip_done+0x212/0x270
[183309.196005]  kasan_report.cold.5+0x241/0x2ff
[183309.196011]  drm_atomic_helper_wait_for_flip_done+0x212/0x270
[183309.196020]  amdgpu_dm_atomic_commit_tail+0x2718/0x4040
[183309.196029]  ? _raw_spin_unlock_irq+0x35/0x50
[183309.196034]  ? wait_for_completion_timeout+0x214/0x2d0
[183309.196040]  ? commit_planes_to_stream.constprop.47+0x13b0/0x13b0
[183309.196047]  ? finish_task_switch+0x1a0/0x700
[183309.196052]  ? drm_atomic_helper_wait_for_dependencies+0x478/0x7e0
[183309.196058]  commit_tail+0x91/0xe0
[183309.196064]  process_one_work+0x866/0x1460
[183309.196071]  worker_thread+0x82/0xf60
[183309.196076]  ? _raw_spin_unlock_irqrestore+0x3a/0x70
[183309.196081]  ? __kthread_parkme+0x7d/0xf0
[183309.196086]  ? rescuer_thread+0xcd0/0xcd0
[183309.196090]  kthread+0x2cf/0x380
[183309.196095]  ? kthread_create_worker+0xd0/0xd0
[183309.196100]  ret_from_fork+0x22/0x40

[183309.196109] Allocated by task 570:
[183309.196116]  kasan_kmalloc+0xbf/0xe0
[183309.196123]  kmem_cache_alloc_trace+0xf3/0x1f0
[183309.196128]  dm_crtc_duplicate_state+0x73/0x130
[183309.196134]  drm_atomic_get_crtc_state+0x142/0x400
[183309.196138]  page_flip_common+0x52/0x220
[183309.196142]  drm_atomic_helper_page_flip+0xa1/0x100
[183309.196148]  drm_mode_page_flip_ioctl+0xc46/0x1090
[183309.196152]  drm_ioctl_kernel+0x192/0x210
[183309.196156]  drm_ioctl+0x3ea/0x850
[183309.196161]  amdgpu_drm_ioctl+0xc7/0x1a0
[183309.196165]  do_vfs_ioctl+0x18e/0xed0
[183309.196169]  ksys_ioctl+0x5b/0x90
[183309.196173]  __x64_sys_ioctl+0x6a/0xb0
[183309.196177]  do_syscall_64+0x95/0x2f0
[183309.196183]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[183309.196188] Freed by task 634:
[183309.196193]  __kasan_slab_free+0x125/0x170
[183309.196197]  kfree+0x8b/0x1c0
[183309.196202]  drm_atomic_state_default_clear+0x310/0xc40
[183309.196206]  __drm_atomic_state_free+0x30/0xc0
[183309.196210]  drm_atomic_helper_update_plane+0xa7/0x350
[183309.196214]  __setplane_internal+0x2d1/0x820
[183309.196218]  drm_mode_cursor_universal+0x2f0/0x910
[183309.196222]  drm_mode_cursor_common+0x49a/0x880
[183309.196226]  drm_mode_cursor_ioctl+0x81/0xb0
[183309.196229]  drm_ioctl_kernel+0x192/0x210
[183309.196233]  drm_ioctl+0x3ea/0x850
[183309.196237]  amdgpu_drm_ioctl+0xc7/0x1a0
[183309.196241]  do_vfs_ioctl+0x18e/0xed0
[183309.196244]  ksys_ioctl+0x5b/0x90
[183309.196248]  __x64_sys_ioctl+0x6a/0xb0
[183309.196252]  do_syscall_64+0x95/0x2f0
[183309.196256]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[183309.196263] The buggy address belongs to the object at ffff880115b90480
                 which belongs to the cache kmalloc-1024 of size 1024
[183309.196269] The buggy address is located 552 bytes inside of
                 1024-byte region [ffff880115b90480, ffff880115b90880)
[183309.196274] The buggy address belongs to the page:
[183309.196279] page:ffffea000456e400 count:1 mapcount:0 mapping:ffff8803ef002c40 index:0x0 compound_mapcount: 0
[183309.196286] flags: 0x2000000000008100(slab|head)
[183309.196294] raw: 2000000000008100 ffffea000ceba800 0000000200000002 ffff8803ef002c40
[183309.196300] raw: 0000000000000000 00000000801c001c 00000001ffffffff 0000000000000000
[183309.196303] page dumped because: kasan: bad access detected

[183309.196308] Memory state around the buggy address:
[183309.196312]  ffff880115b90580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196317]  ffff880115b90600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196321] >ffff880115b90680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196324]                                   ^
[183309.196328]  ffff880115b90700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196332]  ffff880115b90780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196335] ==================================================================
[183309.196338] Disabling lock debugging due to kernel taint

This is with kernel 4.18.0 and your patch on top.