Dear Linux Kernel Developers,

I’ve encountered a KASAN-reported slab-use-after-free in the DRM atomic helper on Linux 6.14.0-rc4 during a commit operation. Here are the details:

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: https://github.com/Strforexc/LinuxKernelbug/blob/main/drm_atomic_helper_wait_for_vblanks/log0
Reproduce.c: https://github.com/Strforexc/LinuxKernelbug/blob/main/drm_atomic_helper_wait_for_vblanks/repro.cprog

Bug Description:
KASAN detects a use-after-free read of size 1 at address ffff88806b08cc09 in drm_atomic_helper_wait_for_vblanks (drivers/gpu/drm/drm_atomic_helper.c:1662), triggered by a workqueue commit following a page flip and client restore.

Analysis:
Location: The fault occurs in drm_atomic_helper_wait_for_vblanks at old_state->crtcs[i].last_vblank_count, accessing a freed struct drm_atomic_state (old_state).
Cause: old_state is allocated for a page flip, passed to a commit workqueue, and freed during a client restore (drm_client_modeset_commit_locked) before the workqueue completes, leading to a use-after-free.
Context: The race involves a page flip (task 12321), a client restore (task 12320), and an asynchronous commit (task 9416), likely triggered by Syzkaller’s DRM testing.

Could DRM maintainers investigate? Possible issues:
1. Insufficient reference counting for drm_atomic_state passed to commit_work.
2. Race between drm_client_modeset_commit_locked freeing the state and the commit workqueue using it.

Suggested fixes:
1. Increment old_state refcount before queuing commit_work, decrement after drm_atomic_helper_wait_for_vblanks.
2. Synchronize state cleanup with pending commits.

Our knowledge of the kernel is somewhat limited, and we'd appreciate it if you could determine if there is such an issue. If this issue doesn't have an impact, please ignore it ☺.
If you fix this issue, please add the following tag to the commit:

Reported-by: Zhizhuo Tang strforexctzzchange@xxxxxxxxxxx, Jianzhou Zhao xnxc22xnxc22@xxxxxx, Haoran Liu <cherest_san@xxxxxxx>

==================================================================
BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks+0x801/0x8d0 drivers/gpu/drm/drm_atomic_helper.c:1662
Read of size 1 at addr ffff88806b08cc09 by task kworker/u10:6/9416

CPU: 1 UID: 0 PID: 9416 Comm: kworker/u10:6 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events_unbound commit_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
 print_address_description.constprop.0+0x2c/0x420 mm/kasan/report.c:408
 print_report+0xaa/0x270 mm/kasan/report.c:521
 kasan_report+0xbd/0x100 mm/kasan/report.c:634
 drm_atomic_helper_wait_for_vblanks+0x801/0x8d0 drivers/gpu/drm/drm_atomic_helper.c:1662
 drm_atomic_helper_commit_tail+0x8a/0xa0 drivers/gpu/drm/drm_atomic_helper.c:1758
 commit_tail+0x357/0x400 drivers/gpu/drm/drm_atomic_helper.c:1835
 process_one_work+0x109d/0x18c0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x677/0xe90 kernel/workqueue.c:3398
 kthread+0x3b3/0x760 kernel/kthread.c:464
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 12321:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x40 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xba/0xc0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 drm_atomic_helper_crtc_duplicate_state+0x73/0xe0 drivers/gpu/drm/drm_atomic_state_helper.c:177
 drm_atomic_get_crtc_state+0x191/0x490 drivers/gpu/drm/drm_atomic.c:360
 page_flip_common+0x57/0x320 drivers/gpu/drm/drm_atomic_helper.c:3631
 drm_atomic_helper_page_flip+0xb8/0x190 drivers/gpu/drm/drm_atomic_helper.c:3692
 drm_mode_page_flip_ioctl+0xf20/0x1280 drivers/gpu/drm/drm_plane.c:1516
 drm_ioctl_kernel+0x1f0/0x3f0 drivers/gpu/drm/drm_ioctl.c:796
 drm_ioctl+0x588/0xb70 drivers/gpu/drm/drm_ioctl.c:893
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x1af/0x210 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 12320:
 kasan_save_stack+0x24/0x50 mm/kasan/common.c:47
 kasan_save_track+0x14/0x40 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x80 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x54/0x80 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4609 [inline]
 kfree+0x12e/0x420 mm/slub.c:4757
 drm_atomic_state_default_clear+0x43f/0xe10 drivers/gpu/drm/drm_atomic.c:224
 drm_atomic_state_clear drivers/gpu/drm/drm_atomic.c:293 [inline]
 __drm_atomic_state_free+0x185/0x2b0 drivers/gpu/drm/drm_atomic.c:310
 kref_put include/linux/kref.h:65 [inline]
 drm_atomic_state_put include/drm/drm_atomic.h:538 [inline]
 drm_client_modeset_commit_atomic+0x697/0x7d0 drivers/gpu/drm/drm_client_modeset.c:1085
 drm_client_modeset_commit_locked+0x147/0x1c0 drivers/gpu/drm/drm_client_modeset.c:1182
 drm_client_modeset_commit+0x51/0x90 drivers/gpu/drm/drm_client_modeset.c:1208
 __drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:237 [inline]
 drm_fb_helper_restore_fbdev_mode_unlocked drivers/gpu/drm/drm_fb_helper.c:264 [inline]
 drm_fb_helper_lastclose+0xc5/0x160 drivers/gpu/drm/drm_fb_helper.c:1977
 drm_fbdev_client_restore+0x2c/0x50 drivers/gpu/drm/clients/drm_fbdev_client.c:31
 drm_client_dev_restore+0x18b/0x2a0 drivers/gpu/drm/drm_client_event.c:104
 drm_lastclose drivers/gpu/drm/drm_file.c:396 [inline]
 drm_release+0x2cd/0x360 drivers/gpu/drm/drm_file.c:429
 __fput+0x402/0xb50 fs/file_table.c:464
 task_work_run+0x16c/0x270 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xd8/0x260 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88806b08cc00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 9 bytes inside of
 freed 512-byte region [ffff88806b08cc00, ffff88806b08ce00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6b08c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000040 ffff88801b441c80 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 04fff00000000040 ffff88801b441c80 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 04fff00000000002 ffffea0001ac2301 ffffffffffffffff 0000000000000000
head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 11415, tgid 11415 (kworker/u10:6), ts 71479693708, free_ts 71465778238
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1a3/0x1d0 mm/page_alloc.c:1551
 prep_new_page mm/page_alloc.c:1559 [inline]
 get_page_from_freelist+0x8a5/0xfa0 mm/page_alloc.c:3477
 __alloc_frozen_pages_noprof+0x1d8/0x3b0 mm/page_alloc.c:4739
 alloc_pages_mpol+0x1f2/0x550 mm/mempolicy.c:2270
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab+0x229/0x310 mm/slub.c:2587
 ___slab_alloc+0x7f3/0x12b0 mm/slub.c:3826
 __slab_alloc.constprop.0+0x56/0xc0 mm/slub.c:3916
 __slab_alloc_node mm/slub.c:3991 [inline]
 slab_alloc_node mm/slub.c:4152 [inline]
 __kmalloc_cache_noprof+0x280/0x450 mm/slub.c:4320
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 alloc_bprm+0x80/0x6d0 fs/exec.c:1523
 kernel_execve+0xb0/0x3b0 fs/exec.c:1991
 call_usermodehelper_exec_async+0x25f/0x4e0 kernel/umh.c:109
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 9621 tgid 9621 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_frozen_pages+0x71f/0xff0 mm/page_alloc.c:2660
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x50/0x130 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x1a5/0x1f0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x6f/0xa0 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4115 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 __do_kmalloc_node mm/slub.c:4293 [inline]
 __kmalloc_node_noprof+0x1c0/0x570 mm/slub.c:4300
 kmalloc_node_noprof include/linux/slab.h:928 [inline]
 qdisc_alloc+0xb6/0xca0 net/sched/sch_generic.c:947
 qdisc_create_dflt+0x75/0x230 net/sched/sch_generic.c:1009
 attach_one_default_qdisc net/sched/sch_generic.c:1175 [inline]
 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
 attach_default_qdiscs+0x16c/0xb30 net/sched/sch_generic.c:1193
 dev_activate+0x4da/0x610 net/sched/sch_generic.c:1252
 __dev_open+0x3f5/0x540 net/core/dev.c:1644
 __dev_change_flags+0x570/0x730 net/core/dev.c:9260
 dev_change_flags+0x8e/0x170 net/core/dev.c:9332
 do_setlink.constprop.0+0x8c8/0x29e0 net/core/rtnetlink.c:3118
 rtnl_changelink net/core/rtnetlink.c:3733 [inline]
 __rtnl_newlink+0x775/0xa80 net/core/rtnetlink.c:3885
 rtnl_newlink+0x7eb/0xc90 net/core/rtnetlink.c:4022
 rtnetlink_rcv_msg+0x9f4/0xfc0 net/core/rtnetlink.c:6912

Memory state around the buggy address:
 ffff88806b08cb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806b08cb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806b08cc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88806b08cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806b08cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Regards,
Zhizhuo Tang
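The rule behind the report's first suggested fix (a work item that will read a refcounted object later must own its own reference to it, taken before queueing and dropped when the work is done), shown as an added user-space C model. This is not code from the report, from DRM or from the kernel: the struct kref stand-in, model_state, commit_work, run_scenario, the vblank value 42 and the "released" flag are all assumptions made for the example, and the model does not claim this is where the real reference is missing; it only shows the ordering the rule rules out. A real kfree() would return the slab object and KASAN would poison it; here release() only marks the block so the worker can detect the stale access without undefined behaviour.

```c
/*
 * Added illustration (user-space C, not kernel or DRM code): why deferred
 * work must hold its own reference on the object it reads. All names are
 * stand-ins chosen for this example.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for the kernel's struct kref. */
struct kref { atomic_int refcount; };

static void kref_init(struct kref *k) { atomic_init(&k->refcount, 1); }
static void kref_get(struct kref *k) { atomic_fetch_add(&k->refcount, 1); }

/* Drop one reference; run release() when the last one goes away. */
static bool kref_put(struct kref *k, void (*release)(struct kref *))
{
	if (atomic_fetch_sub(&k->refcount, 1) == 1) {
		release(k);
		return true;
	}
	return false;
}

/* Stand-in for a state object that a queued commit reads later. */
struct model_state {
	struct kref ref;
	unsigned int last_vblank_count;
	bool released;	/* model of "kfree'd"; KASAN poison in real life */
};

static int release_calls;	/* how often release() ran, for checking */

static void model_state_release(struct kref *k)
{
	struct model_state *s =
		(struct model_state *)((char *)k - offsetof(struct model_state, ref));

	/* Keep the block mapped so the worker can detect the stale access
	 * instead of hitting undefined behaviour; run_scenario() frees it. */
	s->released = true;
	release_calls++;
}

int release_calls_total(void) { return release_calls; }

/* A queued work item: the pointer it captured and whether it owns a ref. */
struct commit_work {
	struct model_state *state;
	bool owns_ref;
};

/*
 * Worker body (analogue of a commit running on an unbound workqueue).
 * Returns the value read, or -1 if the object was already released,
 * i.e. the access KASAN would report as slab-use-after-free.
 */
static int commit_work_fn(struct commit_work *w)
{
	struct model_state *s = w->state;
	int v;

	if (s->released)
		return -1;
	v = (int)s->last_vblank_count;
	if (w->owns_ref)	/* fixed variant: the work drops its own ref */
		kref_put(&s->ref, model_state_release);
	return v;
}

/*
 * One submit, release, run sequence. With take_ref_for_work == false the
 * submitter's put() is the last reference and the worker reads a dead
 * object; with true, the queued work keeps the object alive until done.
 */
int run_scenario(bool take_ref_for_work)
{
	struct model_state *s = calloc(1, sizeof(*s));
	struct commit_work w = { .state = s, .owns_ref = take_ref_for_work };
	int r;

	if (!s)
		return -2;
	kref_init(&s->ref);
	s->last_vblank_count = 42;	/* constructed sample value */

	if (take_ref_for_work)
		kref_get(&s->ref);	/* reference owned by the queued work */

	/* Submitter is done; some other path may put() the state now,
	 * before the worker ever gets to run the queued item. */
	kref_put(&s->ref, model_state_release);

	r = commit_work_fn(&w);	/* the work runs later, on a worker */

	free(s);	/* tear down the model object; release() already ran */
	return r;
}

int main(void)
{
	printf("no ref held for work: %d\n", run_scenario(false));	/* -1 */
	printf("ref held for work:    %d\n", run_scenario(true));	/* 42 */
	return 0;
}
```

The ordering in run_scenario() is the interesting part: the submitter's put() lands before the worker runs, which is exactly what an unbound workqueue permits. The fixed variant survives because the only reference the worker relies on is the one it was handed at queue time, not the submitter's.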