* BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-03  8:35 Johannes Hirte
  2018-01-03  9:36 ` Johannes Hirte
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-03  8:35 UTC (permalink / raw)
  To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
	Christian König

I still get a use-after-free with linux-4.15-rc6:

[   16.788943] ==================================================================
[   16.788968] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x140/0x150
[   16.788975] Read of size 8 at addr ffff8803dfe4b3c8 by task kworker/0:2/1355

[   16.788986] CPU: 0 PID: 1355 Comm: kworker/0:2 Not tainted 4.15.0-rc6 #438
[   16.788990] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[   16.788998] Workqueue: events amd_sched_job_finish
[   16.789003] Call Trace:
[   16.789012]  dump_stack+0x99/0x11e
[   16.789018]  ? _atomic_dec_and_lock+0x152/0x152
[   16.789026]  print_address_description+0x65/0x270
[   16.789032]  kasan_report+0x272/0x360
[   16.789038]  ? amdgpu_job_free_cb+0x140/0x150
[   16.789043]  amdgpu_job_free_cb+0x140/0x150
[   16.789049]  amd_sched_job_finish+0x288/0x560
[   16.789055]  ? amd_sched_process_job+0x220/0x220
[   16.789061]  ? __queue_delayed_work+0x211/0x360
[   16.789067]  ? pick_next_task_fair+0xcff/0x10f0
[   16.789073]  ? _raw_spin_unlock_irq+0xbe/0x120
[   16.789077]  ? _raw_spin_unlock+0x120/0x120
[   16.789082]  process_one_work+0x84b/0x1600
[   16.789088]  ? tick_nohz_dep_clear_signal+0x20/0x20
[   16.789093]  ? _raw_spin_unlock_irq+0xbe/0x120
[   16.789097]  ? _raw_spin_unlock+0x120/0x120
[   16.789101]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[   16.789107]  ? compat_start_thread+0x70/0x70
[   16.789111]  ? cyc2ns_read_end+0x20/0x20
[   16.789117]  ? finish_task_switch+0x27d/0x7f0
[   16.789121]  ? wq_worker_waking_up+0xc0/0xc0
[   16.789127]  ? sched_clock_cpu+0x18/0x1e0
[   16.789133]  ? task_change_group_fair+0x7e0/0x7e0
[   16.789139]  ? pci_mmcfg_check_reserved+0x100/0x100
[   16.789143]  ? load_balance+0x3120/0x3120
[   16.789148]  ? perf_event_exit_task+0x91f/0xe20
[   16.789156]  ? schedule+0xfb/0x3b0
[   16.789160]  ? __schedule+0x19b0/0x19b0
[   16.789165]  ? _raw_spin_unlock_irq+0xb9/0x120
[   16.789169]  ? _raw_spin_unlock_irq+0xbe/0x120
[   16.789172]  ? _raw_spin_unlock+0x120/0x120
[   16.789177]  worker_thread+0x211/0x1790
[   16.789184]  ? pick_next_task_fair+0x97d/0x10f0
[   16.789188]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[   16.789194]  ? tick_nohz_dep_clear_signal+0x20/0x20
[   16.789199]  ? _raw_spin_unlock_irq+0xbe/0x120
[   16.789202]  ? _raw_spin_unlock+0x120/0x120
[   16.789207]  ? compat_start_thread+0x70/0x70
[   16.789212]  ? finish_task_switch+0x27d/0x7f0
[   16.789217]  ? sched_clock_cpu+0x18/0x1e0
[   16.789223]  ? ret_from_fork+0x1f/0x30
[   16.789228]  ? pci_mmcfg_check_reserved+0x100/0x100
[   16.789233]  ? get_task_cred+0x210/0x210
[   16.789238]  ? cyc2ns_read_end+0x20/0x20
[   16.789245]  ? schedule+0xfb/0x3b0
[   16.789249]  ? __schedule+0x19b0/0x19b0
[   16.789254]  ? remove_wait_queue+0x2b0/0x2b0
[   16.789258]  ? arch_vtime_task_switch+0xee/0x190
[   16.789263]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[   16.789267]  ? _raw_spin_unlock_irq+0x120/0x120
[   16.789273]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[   16.789277]  kthread+0x2d4/0x390
[   16.789282]  ? kthread_create_worker+0xd0/0xd0
[   16.789286]  ? umh_complete+0x60/0x60
[   16.789290]  ret_from_fork+0x1f/0x30

[   16.789298] Allocated by task 2385:
[   16.789304]  kasan_kmalloc+0xa0/0xd0
[   16.789309]  kmem_cache_alloc_trace+0xd1/0x1e0
[   16.789314]  amdgpu_driver_open_kms+0x12b/0x4d0
[   16.789320]  drm_open+0x7c3/0x1100
[   16.789324]  drm_stub_open+0x2a8/0x400
[   16.789329]  chrdev_open+0x1eb/0x5a0
[   16.789333]  do_dentry_open+0x5a1/0xc50
[   16.789337]  path_openat+0x11d3/0x4e90
[   16.789341]  do_filp_open+0x239/0x3c0
[   16.789344]  do_sys_open+0x402/0x630
[   16.789349]  do_syscall_64+0x220/0x670
[   16.789353]  return_from_SYSCALL_64+0x0/0x65

[   16.789357] Freed by task 2541:
[   16.789362]  kasan_slab_free+0x71/0xc0
[   16.789365]  kfree+0x88/0x1b0
[   16.789369]  amdgpu_driver_postclose_kms+0x469/0x860
[   16.789373]  drm_release+0x8a8/0x1180
[   16.789377]  __fput+0x2ab/0x730
[   16.789380]  task_work_run+0x14b/0x200
[   16.789384]  exit_to_usermode_loop+0x151/0x180
[   16.789387]  do_syscall_64+0x4ed/0x670
[   16.789391]  return_from_SYSCALL_64+0x0/0x65

[   16.789397] The buggy address belongs to the object at ffff8803dfe4b300
[   16.789403] The buggy address is located 200 bytes inside of
[   16.789406] The buggy address belongs to the page:
[   16.789413] page:000000004ccd276f count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[   16.789421] flags: 0x2000000000008100(slab|head)
[   16.789428] raw: 2000000000008100 0000000000000000 0000000000000000 00000001000f000f
[   16.789433] raw: dead000000000100 dead000000000200 ffff8803f3002a80 0000000000000000
[   16.789436] page dumped because: kasan: bad access detected

[   16.789441] Memory state around the buggy address:
[   16.789445]  ffff8803dfe4b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   16.789449]  ffff8803dfe4b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.789452] >ffff8803dfe4b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.789455]                                               ^
[   16.789458]  ffff8803dfe4b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.789462]  ffff8803dfe4b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   16.789465] ==================================================================
[   16.789468] Disabling lock debugging due to kernel taint

This should be fixed already with
https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
but it's still missing upstream.

-- 
Regards,
  Johannes

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx


* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-03  8:35 Johannes Hirte
@ 2018-01-03  9:36 ` Johannes Hirte
  2018-01-09 14:44   ` Johannes Hirte
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-03  9:36 UTC (permalink / raw)
  To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
	Christian König

On 2018 Jan 03, Johannes Hirte wrote:
> This should be fixed already with
> https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
> but it's still missing upstream.
> 

With this patch, the use-after-free in amdgpu_job_free_cb seems to be
gone. But now I get a use-after-free in
drm_atomic_helper_wait_for_flip_done:

[89387.069387] ==================================================================
[89387.069407] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[89387.069413] Read of size 8 at addr ffff880124df0688 by task kworker/u8:3/31426

[89387.069423] CPU: 1 PID: 31426 Comm: kworker/u8:3 Not tainted 4.15.0-rc6-00001-ge0895ba8d88e #442
[89387.069427] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[89387.069435] Workqueue: events_unbound commit_work
[89387.069440] Call Trace:
[89387.069448]  dump_stack+0x99/0x11e
[89387.069453]  ? _atomic_dec_and_lock+0x152/0x152
[89387.069460]  print_address_description+0x65/0x270
[89387.069465]  kasan_report+0x272/0x360
[89387.069470]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[89387.069475]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[89387.069483]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[89387.069492]  ? dm_crtc_duplicate_state+0x130/0x130
[89387.069498]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[89387.069504]  commit_tail+0x92/0xe0
[89387.069511]  process_one_work+0x84b/0x1600
[89387.069517]  ? tick_nohz_dep_clear_signal+0x20/0x20
[89387.069522]  ? _raw_spin_unlock_irq+0xbe/0x120
[89387.069525]  ? _raw_spin_unlock+0x120/0x120
[89387.069529]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[89387.069534]  ? arch_vtime_task_switch+0xee/0x190
[89387.069539]  ? finish_task_switch+0x27d/0x7f0
[89387.069542]  ? wq_worker_waking_up+0xc0/0xc0
[89387.069547]  ? copy_overflow+0x20/0x20
[89387.069550]  ? sched_clock_cpu+0x18/0x1e0
[89387.069558]  ? pci_mmcfg_check_reserved+0x100/0x100
[89387.069562]  ? pci_mmcfg_check_reserved+0x100/0x100
[89387.069569]  ? schedule+0xfb/0x3b0
[89387.069574]  ? __schedule+0x19b0/0x19b0
[89387.069578]  ? _raw_spin_unlock_irq+0xb9/0x120
[89387.069582]  ? _raw_spin_unlock_irq+0xbe/0x120
[89387.069585]  ? _raw_spin_unlock+0x120/0x120
[89387.069590]  worker_thread+0x211/0x1790
[89387.069597]  ? pick_next_task_fair+0x313/0x10f0
[89387.069601]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[89387.069606]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[89387.069612]  ? tick_nohz_dep_clear_signal+0x20/0x20
[89387.069616]  ? account_idle_time+0x94/0x1f0
[89387.069620]  ? _raw_spin_unlock_irq+0xbe/0x120
[89387.069623]  ? _raw_spin_unlock+0x120/0x120
[89387.069628]  ? finish_task_switch+0x27d/0x7f0
[89387.069633]  ? sched_clock_cpu+0x18/0x1e0
[89387.069639]  ? ret_from_fork+0x1f/0x30
[89387.069644]  ? pci_mmcfg_check_reserved+0x100/0x100
[89387.069650]  ? cyc2ns_read_end+0x20/0x20
[89387.069657]  ? schedule+0xfb/0x3b0
[89387.069662]  ? __schedule+0x19b0/0x19b0
[89387.069666]  ? remove_wait_queue+0x2b0/0x2b0
[89387.069670]  ? arch_vtime_task_switch+0xee/0x190
[89387.069675]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[89387.069679]  ? _raw_spin_unlock_irq+0x120/0x120
[89387.069683]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[89387.069688]  kthread+0x2d4/0x390
[89387.069693]  ? kthread_create_worker+0xd0/0xd0
[89387.069697]  ret_from_fork+0x1f/0x30

[89387.069705] Allocated by task 2387:
[89387.069712]  kasan_kmalloc+0xa0/0xd0
[89387.069717]  kmem_cache_alloc_trace+0xd1/0x1e0
[89387.069722]  dm_crtc_duplicate_state+0x73/0x130
[89387.069726]  drm_atomic_get_crtc_state+0x13c/0x400
[89387.069730]  page_flip_common+0x52/0x230
[89387.069734]  drm_atomic_helper_page_flip+0xa1/0x100
[89387.069739]  drm_mode_page_flip_ioctl+0xc10/0x1030
[89387.069744]  drm_ioctl_kernel+0x1b5/0x2c0
[89387.069748]  drm_ioctl+0x709/0xa00
[89387.069752]  amdgpu_drm_ioctl+0x118/0x280
[89387.069756]  do_vfs_ioctl+0x18a/0x1260
[89387.069760]  SyS_ioctl+0x6f/0x80
[89387.069764]  do_syscall_64+0x220/0x670
[89387.069768]  return_from_SYSCALL_64+0x0/0x65

[89387.069772] Freed by task 2533:
[89387.069776]  kasan_slab_free+0x71/0xc0
[89387.069780]  kfree+0x88/0x1b0
[89387.069784]  drm_atomic_state_default_clear+0x2c8/0xa00
[89387.069787]  __drm_atomic_state_free+0x30/0xd0
[89387.069791]  drm_atomic_helper_update_plane+0xb6/0x350
[89387.069794]  __setplane_internal+0x5b4/0x9d0
[89387.069798]  drm_mode_cursor_universal+0x412/0xc60
[89387.069801]  drm_mode_cursor_common+0x4b6/0x890
[89387.069805]  drm_mode_cursor_ioctl+0xd3/0x120
[89387.069809]  drm_ioctl_kernel+0x1b5/0x2c0
[89387.069813]  drm_ioctl+0x709/0xa00
[89387.069816]  amdgpu_drm_ioctl+0x118/0x280
[89387.069819]  do_vfs_ioctl+0x18a/0x1260
[89387.069822]  SyS_ioctl+0x6f/0x80
[89387.069824]  do_syscall_64+0x220/0x670
[89387.069828]  return_from_SYSCALL_64+0x0/0x65

[89387.069834] The buggy address belongs to the object at ffff880124df0480
[89387.069839] The buggy address is located 520 bytes inside of
[89387.069843] The buggy address belongs to the page:
[89387.069849] page:00000000b20cc097 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[89387.069856] flags: 0x2000000000008100(slab|head)
[89387.069862] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[89387.069867] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[89387.069869] page dumped because: kasan: bad access detected

[89387.069874] Memory state around the buggy address:
[89387.069878]  ffff880124df0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069881]  ffff880124df0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069885] >ffff880124df0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069888]                       ^
[89387.069891]  ffff880124df0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069895]  ffff880124df0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069897] ==================================================================

-- 
Regards,
  Johannes



* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-03  9:36 ` Johannes Hirte
@ 2018-01-09 14:44   ` Johannes Hirte
  2018-01-10 21:25     ` Andrey Grodzovsky
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-09 14:44 UTC (permalink / raw)
  To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
	Christian König

On 2018 Jan 03, Johannes Hirte wrote:
> On 2018 Jan 03, Johannes Hirte wrote:
> > This should be fixed already with
> > https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
> > but it's still missing upstream.
> > 
> 
> With this patch, the use-after-free in amdgpu_job_free_cb seems to be
> gone. But now I get a use-after-free in
> drm_atomic_helper_wait_for_flip_done:
> 

ping? There are two different use-after-frees in kernel code and nobody
cares?

-- 
Regards,
  Johannes



* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-09 14:44   ` Johannes Hirte
@ 2018-01-10 21:25     ` Andrey Grodzovsky
       [not found]       ` <b30d8818-727e-906b-9203-47a5a5b03605-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-10 21:25 UTC (permalink / raw)
  To: Johannes Hirte, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
	Alex Deucher, Christian König, Harry Wentland, Li, Sun peng,
	Koenig, Christian



On 01/09/2018 09:44 AM, Johannes Hirte wrote:
> On 2018 Jan 03, Johannes Hirte wrote:
>> On 2018 Jan 03, Johannes Hirte wrote:
>>> This should be fixed already with
>>> https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
>>> but it's still missing upstream.
>>>
>> With this patch, the use-after-free in amdgpu_job_free_cb seems to be
>> gone. But now I get a use-after-free in
>> drm_atomic_helper_wait_for_flip_done:
>>
> ping? There are two different use-after-frees in kernel code and nobody
> cares?
+ Harry and Leo

Hi, is there a particular scenario when this happens? Can you add dmesg
with echo 0x10 > /sys/module/drm/parameters/debug?

From a quick look it looks like a bad refcount over the old CRTC state:
drm_atomic_state_put in __setplane_internal will cause the CRTC state to be
released from drm_atomic_state_put instead of just decrementing the refcount
as it is supposed to, since drm_atomic_commit called from
__setplane_internal should've attached those states to the CRTC objects. I
would trace the refcounts to verify this.

Thanks,
Andrey
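The hypothesis above is about who owns the new CRTC state once a commit has installed it. The following is an added example, not code from this thread or from the DRM/amdgpu tree: a simplified C model of the refcounted atomic-state container, showing that if the commit puts the new state on the CRTC without moving ownership out of the container, the container's final put frees the very object the deferred flip-done wait reads later. Every struct and function name is a stand-in for the kernel's; the 0xfb poison value mirrors the "fb" shadow rows in the KASAN reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* KASAN marks freed slab memory with shadow byte 0xfb (the "fb" rows in the
 * report); freed objects are poisoned with the same value here so that a
 * stale read is recognisable. */
#define KASAN_FREE_POISON 0xfb
#define STATE_MAGIC       0x4352544353544154ULL

/* Model of a per-CRTC state object (stands in for dm_crtc_state). */
struct crtc_state {
    uint64_t magic;   /* STATE_MAGIC while live, 0xfbfb... once freed */
};

/* Model of a CRTC: owns exactly one current state. */
struct crtc {
    struct crtc_state *state;
};

/* Model of drm_atomic_state: a refcounted container that owns the states
 * it duplicated until a commit moves them to their objects. */
struct atomic_state {
    int refcount;
    struct crtc_state *crtc_state;
};

/* Fixed pool instead of kmalloc, so the demo has no heap to leak. */
static struct crtc_state pool[8];
static int npool;

static struct crtc_state *alloc_state(void)
{
    struct crtc_state *s = &pool[npool++];
    s->magic = STATE_MAGIC;
    return s;
}

static void slab_free(struct crtc_state *s)
{
    memset(s, KASAN_FREE_POISON, sizeof(*s));
}

/* Like drm_atomic_get_crtc_state(): duplicate a new CRTC state into the container. */
static void atomic_state_init(struct atomic_state *st)
{
    st->refcount = 1;
    st->crtc_state = alloc_state();
}

/* Dropping the last reference frees every state the container still owns
 * (the put -> __drm_atomic_state_free -> default_clear chain in the report). */
static void atomic_state_put(struct atomic_state *st)
{
    if (--st->refcount > 0)
        return;
    if (st->crtc_state)
        slab_free(st->crtc_state);
    st->crtc_state = NULL;
}

/* Commit installs the new state on the CRTC. With swap_ownership the CRTC's
 * previous state goes back into the container (so put() frees the old one).
 * Without the swap the container still owns the new state, so put() frees
 * an object the CRTC is using. */
static void commit(struct crtc *c, struct atomic_state *st, int swap_ownership)
{
    struct crtc_state *old = c->state;
    c->state = st->crtc_state;
    if (swap_ownership)
        st->crtc_state = old;
}

/* The deferred commit_work -> wait_for_flip_done read of the CRTC's state.
 * Returns 1 on a live object, 0 on freed memory (what KASAN would report). */
static int wait_for_flip_done(const struct crtc *c)
{
    return c->state->magic == STATE_MAGIC;
}

/* One ioctl-style commit followed by the worker's flip-done wait.
 * Returns 1 when the worker read a live state, 0 on use-after-free. */
int run_commit(int swap_ownership)
{
    struct crtc c;
    struct atomic_state st;
    npool = 0;
    c.state = alloc_state();        /* the CRTC's initial state */
    atomic_state_init(&st);         /* ioctl duplicates a new state */
    commit(&c, &st, swap_ownership);
    atomic_state_put(&st);          /* ioctl path drops its reference */
    return wait_for_flip_done(&c);  /* worker runs later on c.state */
}

int main(void)
{
    printf("no ownership swap: %s\n", run_commit(0) ? "live" : "use-after-free");
    printf("ownership swapped: %s\n", run_commit(1) ? "live" : "use-after-free");
    return 0;
}
```

Tracing which owner drops the last reference, as suggested above, is exactly the difference between the two runs: in the first the container still holds the object at put time, in the second it holds only the old state.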





* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found]       ` <b30d8818-727e-906b-9203-47a5a5b03605-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-11 22:55         ` Johannes Hirte
  2018-01-12  4:30           ` Andrey Grodzovsky
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-11 22:55 UTC (permalink / raw)
  To: Andrey Grodzovsky
  Cc: Alex Deucher, Li, Sun peng, Harry Wentland, Christian König,
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

On 2018 Jan 10, Andrey Grodzovsky wrote:
> 
> Hi, is there a particular scenario when this happens , 

Unfortunately no, I'm still searching for a reproducer. Sometimes it takes
several days until the next use-after-free.

> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?

I assume you want the debug output when a use-after-free happened. Here
it is:

Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: ==================================================================
Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
Jan 11 23:21:33 probook kernel: Call Trace:
Jan 11 23:21:33 probook kernel:  dump_stack+0x99/0x11e
Jan 11 23:21:33 probook kernel:  ? _atomic_dec_and_lock+0x152/0x152
Jan 11 23:21:33 probook kernel:  print_address_description+0x65/0x270
Jan 11 23:21:33 probook kernel:  kasan_report+0x272/0x360
Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel:  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
Jan 11 23:21:33 probook kernel:  ? dm_crtc_duplicate_state+0x130/0x130
Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
Jan 11 23:21:33 probook kernel:  commit_tail+0x92/0xe0
Jan 11 23:21:33 probook kernel:  process_one_work+0x84b/0x1600
Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel:  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
Jan 11 23:21:33 probook kernel:  ? arch_vtime_task_switch+0xee/0x190
Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
Jan 11 23:21:33 probook kernel:  ? wq_worker_waking_up+0xc0/0xc0
Jan 11 23:21:33 probook kernel:  ? copy_overflow+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel:  ? preempt_schedule_irq+0x4e/0xb0
Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xb9/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel:  worker_thread+0x211/0x1790
Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel:  ? vtime_guest_exit+0xe0/0xe0
Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel:  ? cyc2ns_read_end+0x20/0x20
Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
Jan 11 23:21:33 probook kernel:  ? ___preempt_schedule+0x16/0x18
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irqrestore+0xfe/0x130
Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0x120/0x120
Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel:  kthread+0x2d4/0x390
Jan 11 23:21:33 probook kernel:  ? kthread_create_worker+0xd0/0xd0
Jan 11 23:21:33 probook kernel:  ret_from_fork+0x1f/0x30
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Allocated by task 2408:
Jan 11 23:21:33 probook kernel:  kasan_kmalloc+0xa0/0xd0
Jan 11 23:21:33 probook kernel:  kmem_cache_alloc_trace+0xd1/0x1e0
Jan 11 23:21:33 probook kernel:  dm_crtc_duplicate_state+0x73/0x130
Jan 11 23:21:33 probook kernel:  drm_atomic_get_crtc_state+0x13c/0x400
Jan 11 23:21:33 probook kernel:  page_flip_common+0x52/0x230
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_page_flip+0xa1/0x100
Jan 11 23:21:33 probook kernel:  drm_mode_page_flip_ioctl+0xc10/0x1030
Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Freed by task 2531:
Jan 11 23:21:33 probook kernel:  kasan_slab_free+0x71/0xc0
Jan 11 23:21:33 probook kernel:  kfree+0x88/0x1b0
Jan 11 23:21:33 probook kernel:  drm_atomic_state_default_clear+0x2c8/0xa00
Jan 11 23:21:33 probook kernel:  __drm_atomic_state_free+0x30/0xd0
Jan 11 23:21:33 probook kernel:  drm_atomic_helper_update_plane+0xb6/0x350
Jan 11 23:21:33 probook kernel:  __setplane_internal+0x5b4/0x9d0
Jan 11 23:21:33 probook kernel:  drm_mode_cursor_universal+0x412/0xc60
Jan 11 23:21:33 probook kernel:  drm_mode_cursor_common+0x4b6/0x890
Jan 11 23:21:33 probook kernel:  drm_mode_cursor_ioctl+0xd3/0x120
Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
Jan 11 23:21:33 probook kernel: 
Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
Jan 11 23:21:33 probook kernel:  ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel:  ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel:                       ^
Jan 11 23:21:33 probook kernel:  ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel:  ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: ==================================================================
Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194

-- 
Regards,
  Johannes

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx


* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-11 22:55         ` Johannes Hirte
@ 2018-01-12  4:30           ` Andrey Grodzovsky
       [not found]             ` <2d0470e3-2d9c-0139-1bd4-493d97e419eb-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-12  4:30 UTC (permalink / raw)
  To: Johannes Hirte
  Cc: Alex Deucher, Li, Sun peng, Harry Wentland, Christian König,
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

Thanks for the dmesg, unfortunately nothing suspicious from there.

Looking again at KASAN it hints at a race between cursor update and non 
blocking part of flip with regard to accessing CRTC states, maybe cursor 
update is not properly synchronized against a flip in flight on same CRTC...

P.S. What is your setup? How many displays?


Thanks,

Andrey


On 01/11/2018 05:55 PM, Johannes Hirte wrote:
> On 2018 Jan 10, Andrey Grodzovsky wrote:
>> Hi, is there a particular scenario when this happens ,
> Unfortunately no, I still search for a reproducer. Sometimes it takes
> several days until the next use-after-free.
>
>> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?
> I assume you want the debug output when a use-after-free happened. Here
> it is:
>
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
> Jan 11 23:21:33 probook kernel: ==================================================================
> Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
> Jan 11 23:21:33 probook kernel:
> Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
> Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
> Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
> Jan 11 23:21:33 probook kernel: Call Trace:
> Jan 11 23:21:33 probook kernel:  dump_stack+0x99/0x11e
> Jan 11 23:21:33 probook kernel:  ? _atomic_dec_and_lock+0x152/0x152
> Jan 11 23:21:33 probook kernel:  print_address_description+0x65/0x270
> Jan 11 23:21:33 probook kernel:  kasan_report+0x272/0x360
> Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> Jan 11 23:21:33 probook kernel:  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
> Jan 11 23:21:33 probook kernel:  ? dm_crtc_duplicate_state+0x130/0x130
> Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
> Jan 11 23:21:33 probook kernel:  commit_tail+0x92/0xe0
> Jan 11 23:21:33 probook kernel:  process_one_work+0x84b/0x1600
> Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
> Jan 11 23:21:33 probook kernel:  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
> Jan 11 23:21:33 probook kernel:  ? arch_vtime_task_switch+0xee/0x190
> Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
> Jan 11 23:21:33 probook kernel:  ? wq_worker_waking_up+0xc0/0xc0
> Jan 11 23:21:33 probook kernel:  ? copy_overflow+0x20/0x20
> Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
> Jan 11 23:21:33 probook kernel:  ? preempt_schedule_irq+0x4e/0xb0
> Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
> Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xb9/0x120
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
> Jan 11 23:21:33 probook kernel:  worker_thread+0x211/0x1790
> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
> Jan 11 23:21:33 probook kernel:  ? vtime_guest_exit+0xe0/0xe0
> Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
> Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
> Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
> Jan 11 23:21:33 probook kernel:  ? cyc2ns_read_end+0x20/0x20
> Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
> Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
> Jan 11 23:21:33 probook kernel:  ? ___preempt_schedule+0x16/0x18
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irqrestore+0xfe/0x130
> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0x120/0x120
> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
> Jan 11 23:21:33 probook kernel:  kthread+0x2d4/0x390
> Jan 11 23:21:33 probook kernel:  ? kthread_create_worker+0xd0/0xd0
> Jan 11 23:21:33 probook kernel:  ret_from_fork+0x1f/0x30
> Jan 11 23:21:33 probook kernel:
> Jan 11 23:21:33 probook kernel: Allocated by task 2408:
> Jan 11 23:21:33 probook kernel:  kasan_kmalloc+0xa0/0xd0
> Jan 11 23:21:33 probook kernel:  kmem_cache_alloc_trace+0xd1/0x1e0
> Jan 11 23:21:33 probook kernel:  dm_crtc_duplicate_state+0x73/0x130
> Jan 11 23:21:33 probook kernel:  drm_atomic_get_crtc_state+0x13c/0x400
> Jan 11 23:21:33 probook kernel:  page_flip_common+0x52/0x230
> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_page_flip+0xa1/0x100
> Jan 11 23:21:33 probook kernel:  drm_mode_page_flip_ioctl+0xc10/0x1030
> Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
> Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
> Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
> Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
> Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
> Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
> Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
> Jan 11 23:21:33 probook kernel:
> Jan 11 23:21:33 probook kernel: Freed by task 2531:
> Jan 11 23:21:33 probook kernel:  kasan_slab_free+0x71/0xc0
> Jan 11 23:21:33 probook kernel:  kfree+0x88/0x1b0
> Jan 11 23:21:33 probook kernel:  drm_atomic_state_default_clear+0x2c8/0xa00
> Jan 11 23:21:33 probook kernel:  __drm_atomic_state_free+0x30/0xd0
> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_update_plane+0xb6/0x350
> Jan 11 23:21:33 probook kernel:  __setplane_internal+0x5b4/0x9d0
> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_universal+0x412/0xc60
> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_common+0x4b6/0x890
> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_ioctl+0xd3/0x120
> Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
> Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
> Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
> Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
> Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
> Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
> Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
> Jan 11 23:21:33 probook kernel:
> Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
> Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
> Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
> Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
> Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
> Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
> Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
> Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
> Jan 11 23:21:33 probook kernel:
> Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
> Jan 11 23:21:33 probook kernel:  ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> Jan 11 23:21:33 probook kernel:  ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> Jan 11 23:21:33 probook kernel:                       ^
> Jan 11 23:21:33 probook kernel:  ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> Jan 11 23:21:33 probook kernel:  ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> Jan 11 23:21:33 probook kernel: ==================================================================
> Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194
>


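A small C model of the interleaving Andrey suspects, added here as an example (it is not code from the thread or from the DRM/amdgpu tree): the page flip's non-blocking commit hands a CRTC state to a worker, the cursor update's commit frees it first, and a KASAN-style poison check catches the worker's read. Holding a reference across the hand-off, in the spirit of drm_atomic_state_get()/_put(), is the mitigation the model compares against a raw pointer; the pool, step names and result codes are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

/* Simplified model (added example, not the DRM or amdgpu API): CRTC states
 * live in a fixed pool rather than the slab so freed memory stays addressable
 * and a stale read is caught deterministically, the role KASAN's shadow bytes
 * (0xfb = freed) play in the report above. */
struct crtc_state {
    bool in_use;    /* false after free: any read is a use-after-free */
    int  refcount;  /* held by the owning commit and, optionally, the worker */
};

#define POOL_SIZE 4
static struct crtc_state pool[POOL_SIZE];

enum result { OK = 0, UAF_DETECTED = 1, LEAK = 2 };

static struct crtc_state *state_alloc(void)
{
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].refcount = 1;   /* owned by the commit that duplicated it */
            return &pool[i];
        }
    return NULL;
}

/* kref-style helpers in the spirit of drm_atomic_state_get()/_put();
 * dropping the last reference is the kfree() that poisons the object. */
static void state_get(struct crtc_state *s) { s->refcount++; }
static void state_put(struct crtc_state *s)
{
    if (--s->refcount == 0)
        s->in_use = false;
}

/* The worker's read, checked the way a KASAN-instrumented load would be. */
static enum result wait_for_flip_done(const struct crtc_state *s)
{
    return s->in_use ? OK : UAF_DETECTED;   /* "Read of size 8 at addr ..." */
}

enum step {
    PAGE_FLIP_COMMIT,   /* page_flip ioctl duplicates the CRTC state, queues commit_work */
    CURSOR_COMMIT_FREE, /* cursor ioctl commits; clearing its state drops the CRTC state */
    WORKER_WAIT,        /* commit_work: commit_tail -> wait_for_flip_done() */
    WORKER_DONE         /* commit_work finishes and drops what it holds */
};

/* Run one interleaving (every order starts with PAGE_FLIP_COMMIT).  With
 * hold_ref the worker takes its own reference when queued, so the free is
 * deferred until it is done with the state. */
static enum result run_interleaving(const enum step *order, size_t n, bool hold_ref)
{
    struct crtc_state *s = NULL;
    enum result r = OK;

    memset(pool, 0, sizeof pool);
    for (size_t i = 0; i < n; i++) {
        switch (order[i]) {
        case PAGE_FLIP_COMMIT:
            s = state_alloc();
            if (hold_ref)
                state_get(s);
            break;
        case CURSOR_COMMIT_FREE:
            state_put(s);
            break;
        case WORKER_WAIT:
            if (wait_for_flip_done(s) == UAF_DETECTED)
                r = UAF_DETECTED;
            break;
        case WORKER_DONE:
            if (hold_ref)
                state_put(s);
            break;
        }
    }
    for (size_t i = 0; r == OK && i < POOL_SIZE; i++)
        if (pool[i].in_use)
            r = LEAK;   /* the reference-holding variant must not leak either */
    return r;
}

/* The ordering in the KASAN report: freed by the cursor task before the
 * worker's read.  UAF_DETECTED with a raw pointer, OK with a reference. */
enum result race_ordering(bool hold_ref)
{
    static const enum step order[] = {
        PAGE_FLIP_COMMIT, CURSOR_COMMIT_FREE, WORKER_WAIT, WORKER_DONE };
    return run_interleaving(order, 4, hold_ref);
}

/* The usual ordering, worker first: OK either way, which is why the bug
 * stays hidden until the scheduler delays the worker past the cursor update. */
enum result benign_ordering(bool hold_ref)
{
    static const enum step order[] = {
        PAGE_FLIP_COMMIT, WORKER_WAIT, WORKER_DONE, CURSOR_COMMIT_FREE };
    return run_interleaving(order, 4, hold_ref);
}
```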

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found]             ` <2d0470e3-2d9c-0139-1bd4-493d97e419eb-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-12  8:54               ` Johannes Hirte
  0 siblings, 0 replies; 17+ messages in thread
From: Johannes Hirte @ 2018-01-12  8:54 UTC (permalink / raw)
  To: Andrey Grodzovsky
  Cc: Alex Deucher, Li, Sun peng, Harry Wentland, Christian König,
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

On 2018 Jan 11, Andrey Grodzovsky wrote:
> Thanks for the dmesg, unfortunately nothing suspicious from there.
> 
> Looking again at KASAN it hints at a race between cursor update and non 
> blocking part of flip with regard to accessing CRTC states, maybe cursor 
> update is not properly synchronized against a flip in flight on same CRTC...
> 
> P.S. What is your setup? How many displays?
> 

It's a Carrizo A10-8700B R6 with 16G RAM, 512M assigned to the graphics
card. Only the laptop display (1920x1080) is connected via eDP, so nothing special.

-- 
Regards,
  Johannes



* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-12 11:43 Luís Mendes
       [not found] ` <CAEzXK1p9b8vOPZ_ed-E6S+CDcpUStwPopHGzny7tN6pnzZdGEQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Luís Mendes @ 2018-01-12 11:43 UTC (permalink / raw)
  To: Andrey Grodzovsky, Johannes Hirte
  Cc: Alex Deucher, sunpeng.li-5C7GfCeVMHo, Harry Wentland,
	Christian König, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

Hi Andrey, Johannes,

Sorry for getting into this conversation, but I think I might have
something related to this.
I am getting GPU hangs playing some videos, both on ARMv7 and on x86,
although with slightly different blocking paths. On ARMv7 it always
blocks in amdgpu_dm_do_flip. I suspect the GPU hang (fence timeout)
might also be caused by a kernel synchronization issue. I am using a
single HDMI display and testing with VP9 videos on Kodi, but it can also
be triggered with YouTube videos on Firefox.
Could this not be a GPU hang exactly, but rather a software lockup
that prevents the dma fence from being properly completed on the host side
(due to a synchronization issue on the host side)?
It is always related to the page flip, and sometimes, a while after the
hang, I get kernel messages stating drm_flip_done timeout or similar.

The kernel stack trace always looks like this:
[   73.432967] [drm:amdgpu_job_timedout [amdgpu]] *ERROR* ring gfx timeout, last signaled seq=4183, last emitted seq=4185
[   73.443847] [drm] IP block:gmc_v8_0 is hung!
[   73.443854] [drm] IP block:gfx_v8_0 is hung!
[   73.444019] [drm] GPU recovery disabled.
[  243.672640] INFO: task kworker/u4:3:89 blocked for more than 120 seconds.
[  243.679466]       Not tainted 4.15.0-rc4-drmnext2g #1
[  243.685337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[  243.693200] kworker/u4:3    D    0    89      2 0x00000000
[  243.693232] Workqueue: events_unbound commit_work [drm_kms_helper]
[  243.693251] [<80b8c6d4>] (__schedule) from [<80b8cdd0>] (schedule+0x4c/0xac)
[  243.693259] [<80b8cdd0>] (schedule) from [<80b91024>] (schedule_timeout+0x228/0x444)
[  243.693270] [<80b91024>] (schedule_timeout) from [<80886738>] (dma_fence_default_wait+0x2b4/0x2d8)
[  243.693276] [<80886738>] (dma_fence_default_wait) from [<80885d60>] (dma_fence_wait_timeout+0x40/0x150)
[  243.693284] [<80885d60>] (dma_fence_wait_timeout) from [<80887b1c>] (reservation_object_wait_timeout_rcu+0xfc/0x34c)
[  243.693509] [<80887b1c>] (reservation_object_wait_timeout_rcu) from [<7f331988>] (amdgpu_dm_do_flip+0xec/0x36c [amdgpu])
[  243.693789] [<7f331988>] (amdgpu_dm_do_flip [amdgpu]) from [<7f33309c>] (amdgpu_dm_atomic_commit_tail+0xbfc/0xe58 [amdgpu])
[  243.693941] [<7f33309c>] (amdgpu_dm_atomic_commit_tail [amdgpu]) from [<7f15758c>] (commit_tail+0x50/0x94 [drm_kms_helper])
[  243.693964] [<7f15758c>] (commit_tail [drm_kms_helper]) from [<7f1575ec>] (commit_work+0x1c/0x20 [drm_kms_helper])
[  243.693981] [<7f1575ec>] (commit_work [drm_kms_helper]) from [<8016f4c8>] (process_one_work+0x1a8/0x4ac)
[  243.693987] [<8016f4c8>] (process_one_work) from [<8017050c>] (worker_thread+0x68/0x598)
[  243.693994] [<8017050c>] (worker_thread) from [<80175e50>] (kthread+0x16c/0x174)
[  243.694003] [<80175e50>] (kthread) from [<80109de8>] (ret_from_fork+0x14/0x2c)

Regards,
Luís


>Thanks for the dmesg, unfortunately nothing suspicious from there.
>
>Looking again at KASAN, it hints at a race between cursor update and the
>non-blocking part of flip with regard to accessing CRTC states; maybe cursor
>update is not properly synchronized against a flip in flight on the same CRTC...
>
>P.S. What is your setup? How many displays?
>
>
>Thanks,
>
>Andrey
>
>
>Thanks,
>
>Andrey
>
>On 01/11/2018 05:55 PM, Johannes Hirte wrote:
>> On 2018 Jan 10, Andrey Grodzovsky wrote:
>>> Hi, is there a particular scenario when this happens,
>> Unfortunately no, I still search for a reproducer. Sometimes it takes
>> several days until the next use-after-free.
>>
>>> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?
>> I assume you want the debug output when a use-after-free happened. Here
>> it is:
>>
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: ==================================================================
>> Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
>> Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
>> Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
>> Jan 11 23:21:33 probook kernel: Call Trace:
>> Jan 11 23:21:33 probook kernel:  dump_stack+0x99/0x11e
>> Jan 11 23:21:33 probook kernel:  ? _atomic_dec_and_lock+0x152/0x152
>> Jan 11 23:21:33 probook kernel:  print_address_description+0x65/0x270
>> Jan 11 23:21:33 probook kernel:  kasan_report+0x272/0x360
>> Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> Jan 11 23:21:33 probook kernel:  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
>> Jan 11 23:21:33 probook kernel:  ? dm_crtc_duplicate_state+0x130/0x130
>> Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
>> Jan 11 23:21:33 probook kernel:  commit_tail+0x92/0xe0
>> Jan 11 23:21:33 probook kernel:  process_one_work+0x84b/0x1600
>> Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
>> Jan 11 23:21:33 probook kernel:  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
>> Jan 11 23:21:33 probook kernel:  ? arch_vtime_task_switch+0xee/0x190
>> Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
>> Jan 11 23:21:33 probook kernel:  ? wq_worker_waking_up+0xc0/0xc0
>> Jan 11 23:21:33 probook kernel:  ? copy_overflow+0x20/0x20
>> Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
>> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
>> Jan 11 23:21:33 probook kernel:  ? preempt_schedule_irq+0x4e/0xb0
>> Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
>> Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xb9/0x120
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
>> Jan 11 23:21:33 probook kernel:  worker_thread+0x211/0x1790
>> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
>> Jan 11 23:21:33 probook kernel:  ? vtime_guest_exit+0xe0/0xe0
>> Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
>> Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
>> Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
>> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
>> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
>> Jan 11 23:21:33 probook kernel:  ? cyc2ns_read_end+0x20/0x20
>> Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
>> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
>> Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
>> Jan 11 23:21:33 probook kernel:  ? ___preempt_schedule+0x16/0x18
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irqrestore+0xfe/0x130
>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0x120/0x120
>> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
>> Jan 11 23:21:33 probook kernel:  kthread+0x2d4/0x390
>> Jan 11 23:21:33 probook kernel:  ? kthread_create_worker+0xd0/0xd0
>> Jan 11 23:21:33 probook kernel:  ret_from_fork+0x1f/0x30
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: Allocated by task 2408:
>> Jan 11 23:21:33 probook kernel:  kasan_kmalloc+0xa0/0xd0
>> Jan 11 23:21:33 probook kernel:  kmem_cache_alloc_trace+0xd1/0x1e0
>> Jan 11 23:21:33 probook kernel:  dm_crtc_duplicate_state+0x73/0x130
>> Jan 11 23:21:33 probook kernel:  drm_atomic_get_crtc_state+0x13c/0x400
>> Jan 11 23:21:33 probook kernel:  page_flip_common+0x52/0x230
>> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_page_flip+0xa1/0x100
>> Jan 11 23:21:33 probook kernel:  drm_mode_page_flip_ioctl+0xc10/0x1030
>> Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
>> Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
>> Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
>> Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
>> Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
>> Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
>> Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: Freed by task 2531:
>> Jan 11 23:21:33 probook kernel:  kasan_slab_free+0x71/0xc0
>> Jan 11 23:21:33 probook kernel:  kfree+0x88/0x1b0
>> Jan 11 23:21:33 probook kernel:  drm_atomic_state_default_clear+0x2c8/0xa00
>> Jan 11 23:21:33 probook kernel:  __drm_atomic_state_free+0x30/0xd0
>> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_update_plane+0xb6/0x350
>> Jan 11 23:21:33 probook kernel:  __setplane_internal+0x5b4/0x9d0
>> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_universal+0x412/0xc60
>> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_common+0x4b6/0x890
>> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_ioctl+0xd3/0x120
>> Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
>> Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
>> Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
>> Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
>> Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
>> Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
>> Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
>> Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
>> Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
>> Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping:          >(null) index:0x0 compound_mapcount: 0
>> Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
>> Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
>> Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
>> Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
>> Jan 11 23:21:33 probook kernel:  ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel:  ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel:                       ^
>> Jan 11 23:21:33 probook kernel:  ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel:  ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: >==================================================================
>> Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194
>>
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply	[flat|nested] 17+ messages in thread
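
A small triage helper, added here as an example and not code from this thread
or from the kernel: it parses a KASAN report of the kind Johannes posted into
its three stacks (the faulting access, "Allocated by", "Freed by") and pulls
out the facts Andrey reads off by eye above: which code allocated the object,
which code freed it, which DRM ioctl drove each of those paths, and whether the
free came from a third task. The embedded report is an abbreviated copy of the
one quoted above (syslog prefixes removed, most frames dropped; addresses, PIDs
and symbols as posted). The regexes match the 4.15-era report layout shown on
this page; the ALLOCATOR_WRAPPERS prefix list and the use of drm_ioctl_kernel
as the ioctl anchor are my assumptions, not kernel conventions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: abbreviated from the report quoted in this thread
# (syslog prefixes removed, most frames dropped; values as posted there).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738

Call Trace:
 kasan_report+0x272/0x360
 ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
 drm_atomic_helper_wait_for_flip_done+0x24f/0x270
 amdgpu_dm_atomic_commit_tail+0x185e/0x2b90

Allocated by task 2408:
 kasan_kmalloc+0xa0/0xd0
 kmem_cache_alloc_trace+0xd1/0x1e0
 dm_crtc_duplicate_state+0x73/0x130
 drm_atomic_get_crtc_state+0x13c/0x400
 drm_mode_page_flip_ioctl+0xc10/0x1030
 drm_ioctl_kernel+0x1b5/0x2c0

Freed by task 2531:
 kasan_slab_free+0x71/0xc0
 kfree+0x88/0x1b0
 drm_atomic_state_default_clear+0x2c8/0xa00
 __drm_atomic_state_free+0x30/0xd0
 drm_mode_cursor_ioctl+0xd3/0x120
 drm_ioctl_kernel+0x1b5/0x2c0

The buggy address belongs to the object at ffff8801e020d580
"""

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+?)\+0x")
ACCESS_RE = re.compile(r"at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
SECTION_RE = re.compile(r"(?P<kind>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT_RE = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
# "? sym+off/len" frames are unwinder guesses (possibly stale stack slots).
FRAME_RE = re.compile(r"^\s+(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x")
# Assumed prefix list of allocator/KASAN plumbing to skip when naming a caller.
ALLOCATOR_WRAPPERS = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")

@dataclass
class KasanReport:
    kind: str = ""        # e.g. "use-after-free"
    func: str = ""        # function that performed the bad access
    addr: int = 0         # faulting address
    object_addr: int = 0  # start of the slab object it falls into
    pids: Dict[str, int] = field(default_factory=dict)        # access/alloc/free
    stacks: Dict[str, List[str]] = field(default_factory=dict)

def parse_kasan_report(text: str) -> KasanReport:
    rep = KasanReport()
    section = None  # which stack the current frame lines belong to
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            rep.kind, rep.func = m["kind"], m["func"]
        elif (m := ACCESS_RE.search(line)):
            rep.addr, rep.pids["access"] = int(m["addr"], 16), int(m["pid"])
        elif line.strip() == "Call Trace:":
            section = "access"
        elif (m := SECTION_RE.search(line)):
            section = {"Allocated": "alloc", "Freed": "free"}[m["kind"]]
            rep.pids[section] = int(m["pid"])
        elif (m := OBJECT_RE.search(line)):
            rep.object_addr = int(m["addr"], 16)
        elif section and (m := FRAME_RE.match(line)):
            if not m["guess"]:
                rep.stacks.setdefault(section, []).append(m["sym"])
        elif not line.strip():
            section = None  # a blank line terminates every stack section
    return rep

def owner_frame(stack: List[str]) -> Optional[str]:
    """First frame that is not allocator/KASAN plumbing: the real caller."""
    return next((s for s in stack if not s.startswith(ALLOCATOR_WRAPPERS)), None)

def drm_ioctl_handler(stack: List[str]) -> Optional[str]:
    """Frame directly above drm_ioctl_kernel: the DRM ioctl that drove this path."""
    i = stack.index("drm_ioctl_kernel") if "drm_ioctl_kernel" in stack else 0
    return stack[i - 1] if i > 0 else None

def triage(rep: KasanReport) -> dict:
    """Facts a reviewer wants first. Three distinct PIDs means the object was
    freed by a task that neither allocated it nor is using it: a lifetime race."""
    alloc, freed = rep.stacks.get("alloc", []), rep.stacks.get("free", [])
    return {
        "offset_in_object": rep.addr - rep.object_addr if rep.object_addr else None,
        "allocated_by": owner_frame(alloc),
        "alloc_entry": drm_ioctl_handler(alloc),
        "freed_by": owner_frame(freed),
        "free_entry": drm_ioctl_handler(freed),
        "three_parties": len(set(rep.pids.values())) == 3,
    }
```

Run it with triage(parse_kasan_report(SAMPLE_REPORT)): on the sample it
reports an object allocated by dm_crtc_duplicate_state under
drm_mode_page_flip_ioctl, freed by drm_atomic_state_default_clear under
drm_mode_cursor_ioctl, and read 520 bytes in by a third task, which is the
flip/cursor/commit-worker pattern Andrey's diagnosis describes.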

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found] ` <CAEzXK1p9b8vOPZ_ed-E6S+CDcpUStwPopHGzny7tN6pnzZdGEQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2018-01-12 15:20   ` Andrey Grodzovsky
       [not found]     ` <77f6ae06-988a-54c8-fa57-556df22cc202-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-12 15:20 UTC (permalink / raw)
  To: Luís Mendes, Johannes Hirte
  Cc: Alex Deucher, sunpeng.li-5C7GfCeVMHo, Harry Wentland,
	Christian König, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

[-- Attachment #1: Type: text/plain, Size: 19798 bytes --]

Hi, looks to me like a different issue (not related) than the one
Johannes reports; your issue was already reported by someone (can't
remember the thread offhand) and looks like a shader hang or GPU
scheduler synchronization issue, while Johannes's use-after-free is a pure
software logic issue in either the KMS atomic framework or, more probably,
in AMDGPU/DC (DAL).


Johannes, I attached a debug patch which forces the cursor update to wait
for any page flip in progress; can you give it a try and see if the
issue is gone? This is not an actual fix, but just to evaluate the reason.


Thanks,

Andrey


On 01/12/2018 06:43 AM, Luís Mendes wrote:
> Hi Andrey, Johannes,
>
> Sorry for getting into this conversation, but I think I might have
> something related to this.
> I am getting GPU hangs playing some videos, both on ARMv7 and on x86,
> although with slightly different blocking paths. On ARMv7 it always
> blocks with amdgpu_dm_do_flip. I suspect the GPU hang, fence timeout,
> might also be caused by a kernel synchronization issue. I am using a
> single HDMI display and testing with VP9 videos on Kodi, but can also
> be triggered with youtube videos on firefox.
> Could this not exactly be a GPU hang, but rather a software lockup,
> that impedes the dma fence from being properly completed on the host side
> (due to a synchronization issue on the host side)?
> It is always related to the page flip, and sometimes I get kernel
> messages a while after the hang stating drm_flip_done timeout or
> similar.
>
> Kernel stack trace is always like:
> [   73.432967] [drm:amdgpu_job_timedout [amdgpu]] *ERROR* ring gfx
> timeout, last signaled seq=4183, last emitted seq=4185
> [   73.443847] [drm] IP block:gmc_v8_0 is hung!
> [   73.443854] [drm] IP block:gfx_v8_0 is hung!
> [   73.444019] [drm] GPU recovery disabled.
> [  243.672640] INFO: task kworker/u4:3:89 blocked for more than 120
> seconds.
> [  243.679466]       Not tainted 4.15.0-rc4-drmnext2g #1
> [  243.685337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs"
> disables this message.
> [  243.693200] kworker/u4:3    D    0    89      2 0x00000000
> [  243.693232] Workqueue: events_unbound commit_work [drm_kms_helper]
> [  243.693251] [<80b8c6d4>] (__schedule) from [<80b8cdd0>]
> (schedule+0x4c/0xac)
> [  243.693259] [<80b8cdd0>] (schedule) from [<80b91024>]
> (schedule_timeout+0x228/0x444)
> [  243.693270] [<80b91024>] (schedule_timeout) from [<80886738>]
> (dma_fence_default_wait+0x2b4/0x2d8)
> [  243.693276] [<80886738>] (dma_fence_default_wait) from [<80885d60>]
> (dma_fence_wait_timeout+0x40/0x150)
> [  243.693284] [<80885d60>] (dma_fence_wait_timeout) from [<80887b1c>]
> (reservation_object_wait_timeout_rcu+0xfc/0x34c)
> [  243.693509] [<80887b1c>] (reservation_object_wait_timeout_rcu) from
> [<7f331988>] (amdgpu_dm_do_flip+0xec/0x36c [amdgpu])
> [  243.693789] [<7f331988>] (amdgpu_dm_do_flip [amdgpu]) from
> [<7f33309c>] (amdgpu_dm_atomic_commit_tail+0xbfc/0xe58 [amdgpu])
> [  243.693941] [<7f33309c>] (amdgpu_dm_atomic_commit_tail [amdgpu])
> from [<7f15758c>] (commit_tail+0x50/0x94 [drm_kms_helper])
> [  243.693964] [<7f15758c>] (commit_tail [drm_kms_helper]) from
> [<7f1575ec>] (commit_work+0x1c/0x20 [drm_kms_helper])
> [  243.693981] [<7f1575ec>] (commit_work [drm_kms_helper]) from
> [<8016f4c8>] (process_one_work+0x1a8/0x4ac)
> [  243.693987] [<8016f4c8>] (process_one_work) from [<8017050c>]
> (worker_thread+0x68/0x598)
> [  243.693994] [<8017050c>] (worker_thread) from [<80175e50>]
> (kthread+0x16c/0x174)
> [  243.694003] [<80175e50>] (kthread) from [<80109de8>]
> (ret_from_fork+0x14/0x2c)
>
> Regards,
> Luís
>
>
>> Thanks for the dmesg, unfortunately nothing suspicious from there.
>>
>> Looking again at KASAN, it hints at a race between cursor update and the
>> non-blocking part of flip with regard to accessing CRTC states; maybe cursor
>> update is not properly synchronized against a flip in flight on the same CRTC...
>>
>> P.S. What is your setup? How many displays?
>>
>>
>> Thanks,
>>
>> Andrey
>>
>>
>> Thanks,
>>
>> Andrey
>>
>> On 01/11/2018 05:55 PM, Johannes Hirte wrote:
>>> On 2018 Jan 10, Andrey Grodzovsky wrote:
>>>> Hi, is there a particular scenario when this happens,
>>> Unfortunately no, I still search for a reproducer. Sometimes it takes
>>> several days until the next use-after-free.
>>>
>>>> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?
>>> I assume you want the debug output when a use-after-free happened. Here
>>> it is:
>>>
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
>>> Jan 11 23:21:33 probook kernel: ==================================================================
>>> Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>>> Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
>>> Jan 11 23:21:33 probook kernel:
>>> Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
>>> Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
>>> Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
>>> Jan 11 23:21:33 probook kernel: Call Trace:
>>> Jan 11 23:21:33 probook kernel:  dump_stack+0x99/0x11e
>>> Jan 11 23:21:33 probook kernel:  ? _atomic_dec_and_lock+0x152/0x152
>>> Jan 11 23:21:33 probook kernel:  print_address_description+0x65/0x270
>>> Jan 11 23:21:33 probook kernel:  kasan_report+0x272/0x360
>>> Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>>> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>>> Jan 11 23:21:33 probook kernel:  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
>>> Jan 11 23:21:33 probook kernel:  ? dm_crtc_duplicate_state+0x130/0x130
>>> Jan 11 23:21:33 probook kernel:  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
>>> Jan 11 23:21:33 probook kernel:  commit_tail+0x92/0xe0
>>> Jan 11 23:21:33 probook kernel:  process_one_work+0x84b/0x1600
>>> Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
>>> Jan 11 23:21:33 probook kernel:  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
>>> Jan 11 23:21:33 probook kernel:  ? arch_vtime_task_switch+0xee/0x190
>>> Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
>>> Jan 11 23:21:33 probook kernel:  ? wq_worker_waking_up+0xc0/0xc0
>>> Jan 11 23:21:33 probook kernel:  ? copy_overflow+0x20/0x20
>>> Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
>>> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
>>> Jan 11 23:21:33 probook kernel:  ? preempt_schedule_irq+0x4e/0xb0
>>> Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
>>> Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xb9/0x120
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
>>> Jan 11 23:21:33 probook kernel:  worker_thread+0x211/0x1790
>>> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
>>> Jan 11 23:21:33 probook kernel:  ? vtime_guest_exit+0xe0/0xe0
>>> Jan 11 23:21:33 probook kernel:  ? tick_nohz_dep_clear_signal+0x20/0x20
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0xbe/0x120
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock+0x120/0x120
>>> Jan 11 23:21:33 probook kernel:  ? finish_task_switch+0x27d/0x7f0
>>> Jan 11 23:21:33 probook kernel:  ? sched_clock_cpu+0x18/0x1e0
>>> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
>>> Jan 11 23:21:33 probook kernel:  ? pci_mmcfg_check_reserved+0x100/0x100
>>> Jan 11 23:21:33 probook kernel:  ? cyc2ns_read_end+0x20/0x20
>>> Jan 11 23:21:33 probook kernel:  ? schedule+0xfb/0x3b0
>>> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
>>> Jan 11 23:21:33 probook kernel:  ? __schedule+0x19b0/0x19b0
>>> Jan 11 23:21:33 probook kernel:  ? ___preempt_schedule+0x16/0x18
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irqrestore+0xfe/0x130
>>> Jan 11 23:21:33 probook kernel:  ? _raw_spin_unlock_irq+0x120/0x120
>>> Jan 11 23:21:33 probook kernel:  ? trace_event_raw_event_workqueue_work+0x170/0x170
>>> Jan 11 23:21:33 probook kernel:  kthread+0x2d4/0x390
>>> Jan 11 23:21:33 probook kernel:  ? kthread_create_worker+0xd0/0xd0
>>> Jan 11 23:21:33 probook kernel:  ret_from_fork+0x1f/0x30
>>> Jan 11 23:21:33 probook kernel:
>>> Jan 11 23:21:33 probook kernel: Allocated by task 2408:
>>> Jan 11 23:21:33 probook kernel:  kasan_kmalloc+0xa0/0xd0
>>> Jan 11 23:21:33 probook kernel:  kmem_cache_alloc_trace+0xd1/0x1e0
>>> Jan 11 23:21:33 probook kernel:  dm_crtc_duplicate_state+0x73/0x130
>>> Jan 11 23:21:33 probook kernel:  drm_atomic_get_crtc_state+0x13c/0x400
>>> Jan 11 23:21:33 probook kernel:  page_flip_common+0x52/0x230
>>> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_page_flip+0xa1/0x100
>>> Jan 11 23:21:33 probook kernel:  drm_mode_page_flip_ioctl+0xc10/0x1030
>>> Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
>>> Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
>>> Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
>>> Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
>>> Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
>>> Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
>>> Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
>>> Jan 11 23:21:33 probook kernel:
>>> Jan 11 23:21:33 probook kernel: Freed by task 2531:
>>> Jan 11 23:21:33 probook kernel:  kasan_slab_free+0x71/0xc0
>>> Jan 11 23:21:33 probook kernel:  kfree+0x88/0x1b0
>>> Jan 11 23:21:33 probook kernel:  drm_atomic_state_default_clear+0x2c8/0xa00
>>> Jan 11 23:21:33 probook kernel:  __drm_atomic_state_free+0x30/0xd0
>>> Jan 11 23:21:33 probook kernel:  drm_atomic_helper_update_plane+0xb6/0x350
>>> Jan 11 23:21:33 probook kernel:  __setplane_internal+0x5b4/0x9d0
>>> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_universal+0x412/0xc60
>>> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_common+0x4b6/0x890
>>> Jan 11 23:21:33 probook kernel:  drm_mode_cursor_ioctl+0xd3/0x120
>>> Jan 11 23:21:33 probook kernel:  drm_ioctl_kernel+0x1b5/0x2c0
>>> Jan 11 23:21:33 probook kernel:  drm_ioctl+0x709/0xa00
>>> Jan 11 23:21:33 probook kernel:  amdgpu_drm_ioctl+0x118/0x280
>>> Jan 11 23:21:33 probook kernel:  do_vfs_ioctl+0x18a/0x1260
>>> Jan 11 23:21:33 probook kernel:  SyS_ioctl+0x6f/0x80
>>> Jan 11 23:21:33 probook kernel:  do_syscall_64+0x220/0x670
>>> Jan 11 23:21:33 probook kernel:  return_from_SYSCALL_64+0x0/0x65
>>> Jan 11 23:21:33 probook kernel:
>>> Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
>>> Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
>>> Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
>>> Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping:          >(null) index:0x0 compound_mapcount: 0
>>> Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
>>> Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
>>> Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
>>> Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
>>> Jan 11 23:21:33 probook kernel:
>>> Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
>>> Jan 11 23:21:33 probook kernel:  ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> Jan 11 23:21:33 probook kernel:  ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> Jan 11 23:21:33 probook kernel:                       ^
>>> Jan 11 23:21:33 probook kernel:  ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> Jan 11 23:21:33 probook kernel:  ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> Jan 11 23:21:33 probook kernel: >==================================================================
>>> Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
>>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
>>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194
>>>


[-- Attachment #2: force_cursor_update_wait_for_flip.patch --]
[-- Type: text/x-patch, Size: 799 bytes --]

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 5a70682..323d020 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4908,7 +4908,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
         * synchronization events.
         */
 
-       if (lock_and_validation_needed) {
+       if (lock_and_validation_needed || state->legacy_cursor_update == true) {
 
                ret = do_aquire_global_lock(dev, state);
                if (ret)
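Review bot: `state->legacy_cursor_update == true` compares a bool against `true`; the condition reads better as `if (lock_and_validation_needed || state->legacy_cursor_update) {`. Since the point of the change is to force every legacy cursor update through do_aquire_global_lock for this experiment, a one-line comment above the condition saying so (and that it is debug-only) would stop the hunk from being mistaken for a fix if it gets carried along in a test tree.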
diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
index a1a751b..6d6ffdf 100644
--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
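Review bot: the second file header for drivers/gpu/drm/ttm/ttm_page_alloc.c has no hunk after it, so the diff ends mid-file and `git apply`/`patch` have nothing to apply for that file; either drop the three stray lines (`diff --git`, `---`, `+++`) or include the intended ttm_page_alloc.c hunk. If the ttm change is unrelated to the cursor/flip experiment, it belongs in a separate patch anyway.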


[-- Attachment #3: Type: text/plain, Size: 154 bytes --]

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found]     ` <77f6ae06-988a-54c8-fa57-556df22cc202-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-12 21:47       ` Johannes Hirte
  2018-01-12 21:52         ` Andrey Grodzovsky
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-12 21:47 UTC (permalink / raw)
  To: Andrey Grodzovsky
  Cc: sunpeng.li-5C7GfCeVMHo, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
	Alex Deucher, Luís Mendes, Harry Wentland,
	Christian König

On 2018 Jan 12, Andrey Grodzovsky wrote:
> Hi, looks to me like a different issue (not related) than the one
> Johannes reports. Your issue was already reported by someone (can't
> remember the thread off hand) and looks like a shader hang or GPU
> scheduler synchronization issue, while Johannes's use-after-free is a pure
> software logic issue in either the KMS atomic framework or, more probably, in
> AMDGPU/DC (DAL).
> 
> 
> Johannes, I attached a debug patch which forces the cursor update to wait
> for any page flip in progress. Can you give it a try and see if the
> issue is gone? This is not an actual fix but just to evaluate the reason.
> 

> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> index 5a70682..323d020 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> @@ -4908,7 +4908,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
>          * synchronization events.
>          */
>  
> -       if (lock_and_validation_needed) {
> +       if (lock_and_validation_needed || state->legacy_cursor_update == true) {
>  
>                 ret = do_aquire_global_lock(dev, state);
>                 if (ret)
> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> index a1a751b..6d6ffdf 100644
> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c

The patch seems incomplete. 

-- 
Regards,
  Johannes


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-12 21:47       ` Johannes Hirte
@ 2018-01-12 21:52         ` Andrey Grodzovsky
       [not found]           ` <11b826ef-1a47-33db-dccd-7a4867547fbf-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-12 21:52 UTC (permalink / raw)
  To: Johannes Hirte
  Cc: sunpeng.li-5C7GfCeVMHo, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
	Alex Deucher, Luís Mendes, Harry Wentland,
	Christian König

Yeah, I know, I just dumped the diff of one file into it. Please search in
the code for

"ret = do_aquire_global_lock(dev, state);" (it appears in only one place
in the entire code base) and manually apply the one-line change.


Thanks,

Andrey


On 01/12/2018 04:47 PM, Johannes Hirte wrote:
> On 2018 Jan 12, Andrey Grodzovsky wrote:
>> Hi, looks to me like a different issue (not related) than the one
>> Johannes reports. Your issue was already reported by someone (can't
>> remember the thread off hand) and looks like a shader hang or GPU
>> scheduler synchronization issue, while Johannes's use-after-free is a pure
>> software logic issue in either the KMS atomic framework or, more probably, in
>> AMDGPU/DC (DAL).
>>
>>
>> Johannes, I attached a debug patch which forces the cursor update to wait
>> for any page flip in progress. Can you give it a try and see if the
>> issue is gone? This is not an actual fix but just to evaluate the reason.
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
>> index 5a70682..323d020 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
>> @@ -4908,7 +4908,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
>>           * synchronization events.
>>           */
>>   
>> -       if (lock_and_validation_needed) {
>> +       if (lock_and_validation_needed || state->legacy_cursor_update == true) {
>>   
>>                  ret = do_aquire_global_lock(dev, state);
>>                  if (ret)
>> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
>> index a1a751b..6d6ffdf 100644
>> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
>> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> The patch seems incomplete.
>


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found]           ` <11b826ef-1a47-33db-dccd-7a4867547fbf-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-13 19:47             ` Johannes Hirte
  2018-01-14 16:44               ` Grodzovsky, Andrey
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-13 19:47 UTC (permalink / raw)
  To: Andrey Grodzovsky
  Cc: sunpeng.li-5C7GfCeVMHo, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
	Alex Deucher, Luís Mendes, Harry Wentland,
	Christian König

On 2018 Jan 12, Andrey Grodzovsky wrote:
> Yeah, I know, I just dumped the diff of one file into it. Please search in
> the code for
> 
> "ret = do_aquire_global_lock(dev, state);" (it appears in only one place
> in the entire code base) and manually apply the one-line change.
>

with patch applied:

[ 6887.679618] [drm] {1920x1080, 2250x1132@152840Khz}
[ 6887.806430] [drm] HBRx2 pass VS=1, PE=0
[12432.070076] [drm] {1920x1080, 2250x1132@152840Khz}
[12432.194472] [drm] HBRx2 pass VS=1, PE=0
[13677.257767] ==================================================================
[13677.257812] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr ffff8803f0533388 by task kworker/u8:6/22172

[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00002-g617b2907a7aa #445
[13677.257837] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257931]  ? trace_raw_output_rcu_utilization+0xa0/0xa0
[13677.257939]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.257961]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.257969]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.257973]  ? _raw_spin_unlock+0x120/0x120
[13677.257977]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[13677.257984]  ? arch_vtime_task_switch+0xee/0x190
[13677.257991]  ? finish_task_switch+0x27d/0x7f0
[13677.257995]  ? wq_worker_waking_up+0xc0/0xc0
[13677.258000]  ? copy_overflow+0x20/0x20
[13677.258010]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258014]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258022]  ? schedule+0xfb/0x3b0
[13677.258027]  ? __schedule+0x19b0/0x19b0
[13677.258031]  ? preempt_schedule_common+0x30/0xb0
[13677.258038]  ? ___preempt_schedule+0x16/0x18
[13677.258043]  ? _raw_spin_unlock_irq+0xfa/0x120
[13677.258047]  ? _raw_spin_unlock+0x120/0x120
[13677.258052]  worker_thread+0x211/0x1790
[13677.258060]  ? pick_next_task_fair+0x313/0x10f0
[13677.258065]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258073]  ? cyc2ns_read_end+0x20/0x20
[13677.258078]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.258083]  ? get_vtime_delta+0x16/0xd0
[13677.258087]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.258091]  ? _raw_spin_unlock+0x120/0x120
[13677.258098]  ? finish_task_switch+0x27d/0x7f0
[13677.258104]  ? sched_clock_cpu+0x18/0x1e0
[13677.258110]  ? ret_from_fork+0x1f/0x30
[13677.258116]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258120]  ? get_vtime_delta+0x16/0xd0
[13677.258125]  ? cyc2ns_read_end+0x20/0x20
[13677.258131]  ? schedule+0xfb/0x3b0
[13677.258136]  ? __schedule+0x19b0/0x19b0
[13677.258141]  ? remove_wait_queue+0x2b0/0x2b0
[13677.258146]  ? arch_vtime_task_switch+0xee/0x190
[13677.258151]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[13677.258156]  ? _raw_spin_unlock_irq+0x120/0x120
[13677.258162]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258167]  kthread+0x2d4/0x390
[13677.258172]  ? kthread_create_worker+0xd0/0xd0
[13677.258177]  ret_from_fork+0x1f/0x30

[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258245]  amdgpu_drm_ioctl+0x118/0x280
[13677.258250]  do_vfs_ioctl+0x18a/0x1260
[13677.258254]  SyS_ioctl+0x6f/0x80
[13677.258258]  do_syscall_64+0x220/0x670
[13677.258262]  return_from_SYSCALL_64+0x0/0x65

[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258293]  __setplane_internal+0x5b4/0x9d0
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258301]  drm_mode_cursor_common+0x4b6/0x890
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258313]  drm_ioctl+0x709/0xa00
[13677.258316]  amdgpu_drm_ioctl+0x118/0x280
[13677.258319]  do_vfs_ioctl+0x18a/0x1260
[13677.258323]  SyS_ioctl+0x6f/0x80
[13677.258326]  do_syscall_64+0x220/0x670
[13677.258330]  return_from_SYSCALL_64+0x0/0x65

[13677.258336] The buggy address belongs to the object at ffff8803f0533180
                which belongs to the cache kmalloc-1024 of size 1024
[13677.258343] The buggy address is located 520 bytes inside of
                1024-byte region [ffff8803f0533180, ffff8803f0533580)
[13677.258347] The buggy address belongs to the page:
[13677.258354] page:ffffea000fc14c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[13677.258364] flags: 0x2000000000008100(slab|head)
[13677.258374] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[13677.258380] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[13677.258383] page dumped because: kasan: bad access detected

[13677.258388] Memory state around the buggy address:
[13677.258393]  ffff8803f0533280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258398]  ffff8803f0533300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258402] >ffff8803f0533380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258404]                       ^
[13677.258408]  ffff8803f0533400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258411]  ffff8803f0533480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258415] ==================================================================
[13677.258418] Disabling lock debugging due to kernel taint


-- 
Regards,
  Johannes


^ permalink raw reply	[flat|nested] 17+ messages in thread
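The allocation and free stacks in the report above (CRTC state allocated under drm_mode_page_flip_ioctl, freed under drm_mode_cursor_ioctl through __drm_atomic_state_free, then read from commit_work in drm_atomic_helper_wait_for_flip_done) describe a lifetime race rather than a locking one: an asynchronous commit worker dereferences a state object whose last reference was dropped by a later, synchronous commit. What follows is an added example, not code from this thread, from the kernel, or from amdgpu: a stand-alone C model of that ownership pattern with a kref-style reference count and a poison flag standing in for KASAN's shadow bytes. The names (crtc_state, page_flip, cursor_update, commit_work_run), the single "current state" slot and the scenario ordering are invented for the illustration; it shows why the worker must own a reference, not the actual DRM fix.

```c
/*
 * Added example (not from the thread or the kernel): a minimal model of the
 * lifetime race suggested by the KASAN alloc/free/use stacks above.
 * Every name below is invented for the illustration.
 */
#include <stdbool.h>
#include <stdio.h>

#define POOL_SIZE 8

/* Stand-in for a slab-allocated drm_crtc_state. 'live' plays the role of
 * KASAN's shadow byte (true = addressable, false = freed, the 'fb' bytes in
 * the report) so a stale access is detected instead of silently reading
 * freed memory. */
struct crtc_state {
    int kref;          /* reference count, like struct kref */
    bool live;
    unsigned int seq;  /* which commit produced this state */
};

static struct crtc_state pool[POOL_SIZE];
static int pool_next;

/* The one "current" state, swapped by every commit. The slot owns one
 * reference on whatever it points to. */
static struct crtc_state *current_state;

static struct crtc_state *state_alloc(unsigned int seq)
{
    struct crtc_state *s = &pool[pool_next++ % POOL_SIZE];

    s->kref = 1;
    s->live = true;
    s->seq = seq;
    return s;
}

static void state_get(struct crtc_state *s)
{
    s->kref++;
}

/* kref_put analogue: dropping the last reference poisons the object. */
static void state_put(struct crtc_state *s)
{
    if (--s->kref == 0)
        s->live = false;
}

/* Instrumented load, like the read KASAN flagged in wait_for_flip_done:
 * returns -1 on a use-after-free instead of touching poisoned memory. */
static int state_read_seq(const struct crtc_state *s, unsigned int *seq)
{
    if (!s->live)
        return -1;
    *seq = s->seq;
    return 0;
}

/* Deferred work queued by an asynchronous (non-blocking) commit. */
struct commit_work {
    struct crtc_state *crtc_state;
    bool owns_ref;
};

/* Swap a freshly allocated state into the current slot. The slot's reference
 * on the previous state is dropped, which frees it unless someone else holds
 * a reference of their own. */
static struct crtc_state *swap_in(unsigned int seq)
{
    struct crtc_state *fresh = state_alloc(seq);
    struct crtc_state *old = current_state;

    current_state = fresh;
    if (old)
        state_put(old);
    return fresh;
}

/* Page-flip ioctl analogue: commit asynchronously and queue the worker that
 * will later wait for the flip on this state. With take_ref the worker pins
 * the state before the ioctl returns. */
static struct commit_work page_flip(unsigned int seq, bool take_ref)
{
    struct commit_work w;

    w.crtc_state = swap_in(seq);
    w.owns_ref = take_ref;
    if (take_ref)
        state_get(w.crtc_state);
    return w;
}

/* Cursor ioctl analogue: a synchronous legacy commit. Swapping in its own
 * state drops the slot's reference on the page-flip state. */
static void cursor_update(unsigned int seq)
{
    swap_in(seq);
}

/* The queued commit_work finally runs. Returns 0 on success, -1 if it read a
 * state that had already been freed (what KASAN reported). */
static int commit_work_run(struct commit_work *w)
{
    unsigned int seq;
    int ret = state_read_seq(w->crtc_state, &seq);

    if (w->owns_ref)
        state_put(w->crtc_state);
    return ret;
}

/* Ordering taken from the report: page flip queued, cursor moved before the
 * flip worker got to run, worker runs last. */
static int run_scenario(bool worker_takes_ref)
{
    struct commit_work w;

    pool_next = 0;
    current_state = NULL;

    w = page_flip(1, worker_takes_ref);
    cursor_update(2);
    return commit_work_run(&w);
}

/* References left on the state the cursor update put in the slot. */
static int current_state_refs(void)
{
    return current_state ? current_state->kref : 0;
}

int main(void)
{
    printf("worker without its own reference: %s\n",
           run_scenario(false) ? "use-after-free" : "ok");
    printf("worker holding a reference:       %s\n",
           run_scenario(true) ? "use-after-free" : "ok");
    return 0;
}
```

The first scenario is the report's shape: the cursor commit drops the slot's reference, the flip state is poisoned, and the worker's read fails. In the second the worker's own state_get keeps the object alive until commit_work_run's state_put, so the cursor commit only decrements the count. More locking in the check phase does not change either outcome; ownership does.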

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-13 19:47             ` Johannes Hirte
@ 2018-01-14 16:44               ` Grodzovsky, Andrey
       [not found]                 ` <BN6PR1201MB0115E7D6A5932AC3A932FA98EA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Grodzovsky, Andrey @ 2018-01-14 16:44 UTC (permalink / raw)
  To: Johannes Hirte
  Cc: Li, Sun peng (Leo),
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
	Deucher, Alexander, Luís Mendes, Wentland, Harry,
	Koenig, Christian

To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.

Thanks,
Andrey

________________________________________
From: Johannes Hirte <johannes.hirte@datenkhaos.de>
Sent: 13 January 2018 14:47:50
To: Grodzovsky, Andrey
Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org
Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb

On 2018 Jan 12, Andrey Grodzovsky wrote:
> Yeah, I know, I just dumped the diff of one file into it. Please search in
> the code for
>
> "ret = do_aquire_global_lock(dev, state);" (it appears in only one place
> in the entire code base) and manually apply the one-line change.
>

with patch applied:

[ 6887.679618] [drm] {1920x1080, 2250x1132@152840Khz}
[ 6887.806430] [drm] HBRx2 pass VS=1, PE=0
[12432.070076] [drm] {1920x1080, 2250x1132@152840Khz}
[12432.194472] [drm] HBRx2 pass VS=1, PE=0
[13677.257767] ==================================================================
[13677.257812] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr ffff8803f0533388 by task kworker/u8:6/22172

[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00002-g617b2907a7aa #445
[13677.257837] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257931]  ? trace_raw_output_rcu_utilization+0xa0/0xa0
[13677.257939]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.257961]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.257969]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.257973]  ? _raw_spin_unlock+0x120/0x120
[13677.257977]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[13677.257984]  ? arch_vtime_task_switch+0xee/0x190
[13677.257991]  ? finish_task_switch+0x27d/0x7f0
[13677.257995]  ? wq_worker_waking_up+0xc0/0xc0
[13677.258000]  ? copy_overflow+0x20/0x20
[13677.258010]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258014]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258022]  ? schedule+0xfb/0x3b0
[13677.258027]  ? __schedule+0x19b0/0x19b0
[13677.258031]  ? preempt_schedule_common+0x30/0xb0
[13677.258038]  ? ___preempt_schedule+0x16/0x18
[13677.258043]  ? _raw_spin_unlock_irq+0xfa/0x120
[13677.258047]  ? _raw_spin_unlock+0x120/0x120
[13677.258052]  worker_thread+0x211/0x1790
[13677.258060]  ? pick_next_task_fair+0x313/0x10f0
[13677.258065]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258073]  ? cyc2ns_read_end+0x20/0x20
[13677.258078]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.258083]  ? get_vtime_delta+0x16/0xd0
[13677.258087]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.258091]  ? _raw_spin_unlock+0x120/0x120
[13677.258098]  ? finish_task_switch+0x27d/0x7f0
[13677.258104]  ? sched_clock_cpu+0x18/0x1e0
[13677.258110]  ? ret_from_fork+0x1f/0x30
[13677.258116]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258120]  ? get_vtime_delta+0x16/0xd0
[13677.258125]  ? cyc2ns_read_end+0x20/0x20
[13677.258131]  ? schedule+0xfb/0x3b0
[13677.258136]  ? __schedule+0x19b0/0x19b0
[13677.258141]  ? remove_wait_queue+0x2b0/0x2b0
[13677.258146]  ? arch_vtime_task_switch+0xee/0x190
[13677.258151]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[13677.258156]  ? _raw_spin_unlock_irq+0x120/0x120
[13677.258162]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258167]  kthread+0x2d4/0x390
[13677.258172]  ? kthread_create_worker+0xd0/0xd0
[13677.258177]  ret_from_fork+0x1f/0x30

[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258245]  amdgpu_drm_ioctl+0x118/0x280
[13677.258250]  do_vfs_ioctl+0x18a/0x1260
[13677.258254]  SyS_ioctl+0x6f/0x80
[13677.258258]  do_syscall_64+0x220/0x670
[13677.258262]  return_from_SYSCALL_64+0x0/0x65

[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258293]  __setplane_internal+0x5b4/0x9d0
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258301]  drm_mode_cursor_common+0x4b6/0x890
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258313]  drm_ioctl+0x709/0xa00
[13677.258316]  amdgpu_drm_ioctl+0x118/0x280
[13677.258319]  do_vfs_ioctl+0x18a/0x1260
[13677.258323]  SyS_ioctl+0x6f/0x80
[13677.258326]  do_syscall_64+0x220/0x670
[13677.258330]  return_from_SYSCALL_64+0x0/0x65

[13677.258336] The buggy address belongs to the object at ffff8803f0533180
                which belongs to the cache kmalloc-1024 of size 1024
[13677.258343] The buggy address is located 520 bytes inside of
                1024-byte region [ffff8803f0533180, ffff8803f0533580)
[13677.258347] The buggy address belongs to the page:
[13677.258354] page:ffffea000fc14c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[13677.258364] flags: 0x2000000000008100(slab|head)
[13677.258374] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[13677.258380] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[13677.258383] page dumped because: kasan: bad access detected

[13677.258388] Memory state around the buggy address:
[13677.258393]  ffff8803f0533280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258398]  ffff8803f0533300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258402] >ffff8803f0533380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258404]                       ^
[13677.258408]  ffff8803f0533400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258411]  ffff8803f0533480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258415] ==================================================================
[13677.258418] Disabling lock debugging due to kernel taint


--
Regards,
  Johannes


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found]                 ` <BN6PR1201MB0115E7D6A5932AC3A932FA98EA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
@ 2018-01-14 20:34                   ` Johannes Hirte
  2018-01-14 23:22                     ` Grodzovsky, Andrey
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-14 20:34 UTC (permalink / raw)
  To: Grodzovsky, Andrey
  Cc: Li, Sun peng (Leo),
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
	Deucher, Alexander, Luís Mendes, Wentland, Harry,
	Koenig, Christian

On 2018 Jan 14, Grodzovsky, Andrey wrote:
> To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.
> 
> Thanks,
> Andrey
> 

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index bb5fa895fb64..bc2050a5a5c6 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
         * synchronization events.
         */

-       if (lock_and_validation_needed) {
+       if (lock_and_validation_needed || state->legacy_cursor_update == true) {

                ret = do_aquire_global_lock(dev, state);
                if (ret)
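Review bot: the lock taken here lives in the check phase, and the report Johannes posted with this change applied still shows the CRTC state being freed from the cursor path (drm_atomic_helper_update_plane -> __drm_atomic_state_free) while the earlier page flip's commit_work is in drm_atomic_helper_wait_for_flip_done. Serializing atomic_check therefore does not keep that state alive for the queued worker; what is missing is ownership, either the asynchronous commit holding its own reference on the state it waits on, or the synchronous cursor commit waiting for the pending flip commit before it releases the old state. Same style nit as in the original debug patch: `state->legacy_cursor_update` needs no `== true`.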

If this matters, I've applied the patch on top of 4.15-rc7 with your 
"Fix: Save job's priority on it's creation instead of accessing it from s_entity later on." 
patch. This one is still not upstream, but without it I see the other
use-after-free.

-- 
Regards,
  Johannes


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-14 20:34                   ` Johannes Hirte
@ 2018-01-14 23:22                     ` Grodzovsky, Andrey
       [not found]                       ` <BN6PR1201MB0115FCD51D291D0831F6887BEA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Grodzovsky, Andrey @ 2018-01-14 23:22 UTC (permalink / raw)
  To: Johannes Hirte
  Cc: Li, Sun peng (Leo),
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
	Deucher, Alexander, Luís Mendes, Wentland, Harry,
	Koenig, Christian

Thanks, you did it right. I will try to think more about how this happened. Harry, Leo, if you have bandwidth to try and reproduce it, it would help. From the KASAN prints it seems the way to make it more probable to happen is to move the mouse repeatedly during flipping, like during video playback; maybe trying async flip mode also makes it more probable.

Thanks,
Andrey

________________________________________
From: Johannes Hirte <johannes.hirte@datenkhaos.de>
Sent: 14 January 2018 15:34:16
To: Grodzovsky, Andrey
Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org
Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb

On 2018 Jan 14, Grodzovsky, Andrey wrote:
> To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.
>
> Thanks,
> Andrey
>

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index bb5fa895fb64..bc2050a5a5c6 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
         * synchronization events.
         */

-       if (lock_and_validation_needed) {
+       if (lock_and_validation_needed || state->legacy_cursor_update == true) {

                ret = do_aquire_global_lock(dev, state);
                if (ret)

If this matters, I've applied the patch on top of 4.15-rc7 with your
"Fix: Save job's priority on it's creation instead of accessing it from s_entity later on."
patch. This one is still not upstream, but without it I see the other
use-after-free.

--
Regards,
  Johannes


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
       [not found]                       ` <BN6PR1201MB0115FCD51D291D0831F6887BEA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
@ 2018-01-15 14:58                         ` Harry Wentland
       [not found]                           ` <fe824e81-6548-5c6e-ae3f-80aaf7ee45a2-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Harry Wentland @ 2018-01-15 14:58 UTC (permalink / raw)
  To: Grodzovsky, Andrey, Johannes Hirte
  Cc: Deucher, Alexander, Li, Sun peng (Leo), Luís Mendes,
	Koenig, Christian,
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org

Hey Andrey,

been sick for the last few days, which is why I wasn't able to follow up on that other email thread. I'm still working from home today so won't be able to give this a spin. Leo, if you get a chance it'd be useful to see if we can repro it. If not I'll try it tomorrow.

Harry

On 2018-01-14 06:22 PM, Grodzovsky, Andrey wrote:
> Thanks, you did it right. I will try to think more about how this happened. Harry, Leo, if you have bandwidth to try and reproduce it, it would help. From the KASAN prints it seems the way to make it more probable to happen is to move the mouse repeatedly during flipping, like during video playback; maybe trying async flip mode also makes it more probable.
> 
> Thanks,
> Andrey
> 
> ________________________________________
> From: Johannes Hirte <johannes.hirte@datenkhaos.de>
> Sent: 14 January 2018 15:34:16
> To: Grodzovsky, Andrey
> Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org
> Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
> 
> On 2018 Jan 14, Grodzovsky, Andrey wrote:
>> To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.
>>
>> Thanks,
>> Andrey
>>
> 
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> index bb5fa895fb64..bc2050a5a5c6 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> @@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
>          * synchronization events.
>          */
> 
> -       if (lock_and_validation_needed) {
> +       if (lock_and_validation_needed || state->legacy_cursor_update == true) {
> 
>                 ret = do_aquire_global_lock(dev, state);
>                 if (ret)
> 
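Review bot: `state->legacy_cursor_update == true` in the new condition compares a bool against `true`; checkpatch flags such comparisons as error prone, and `if (lock_and_validation_needed || state->legacy_cursor_update) {` says the same thing. The comment ending in "synchronization events." just above the branch should also record that every legacy cursor update now takes the global lock via do_aquire_global_lock(), since that serializes cursor moves against every other atomic commit; if this stays a diagnostic for the race suspected in this thread (mouse movement during flips), say so there as well.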
> If this matters, I've applied the patch on top of 4.15-rc7 with your
> "Fix: Save job's priority on it's creation instead of accessing it from s_entity later on."
> patch. This one is still not upstream, but without it I see the other
> use-after-free.
> 
> --
> Regards,
>   Johannes
> 

* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-15 16:26                             ` Andrey Grodzovsky
  0 siblings, 0 replies; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-15 16:26 UTC (permalink / raw)
  To: Harry Wentland, Johannes Hirte
  Cc: Deucher, Alexander, Li, Sun peng (Leo), Luís Mendes,
	Koenig, Christian,
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org

Thanks Harry,

P.S. Just spotted the following memory leak in DAL when loading/unloading 
Xorg - maybe something you also wanna take a look at.

unreferenced object 0xffff880059fc0000 (size 24640):
   comm "Xorg", pid 1395, jiffies 4295164722 (age 6699.912s)
   hex dump (first 32 bytes):
     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
   backtrace:
     [<000000000e9d80ff>] dc_create_transfer_func+0x1a/0x40 [amdgpu]
     [<000000005a24894c>] fill_stream_properties_from_drm_display_mode+0x25/0x410 [amdgpu]
     [<0000000098c1adc7>] create_stream_for_sink+0x19a/0x790 [amdgpu]
     [<000000000ab720fc>] amdgpu_dm_connector_mode_valid+0xe3/0x4d0 [amdgpu]
     [<000000004a8a0d75>] drm_helper_probe_single_connector_modes+0x811/0xb20 [drm_kms_helper]
     [<00000000d551192f>] drm_mode_getconnector+0x536/0x580 [drm]
     [<00000000d9a8e32d>] drm_ioctl_kernel+0xa7/0xf0 [drm]
     [<00000000f08bfd00>] drm_ioctl+0x3ef/0x490 [drm]
     [<00000000583ca5f6>] amdgpu_drm_ioctl+0x72/0xd0 [amdgpu]
     [<000000003d352ad0>] do_vfs_ioctl+0x11a/0x830
     [<000000008290460f>] SyS_ioctl+0x74/0x80
     [<000000003e42a381>] do_syscall_64+0xe1/0x270
     [<00000000ea5f5530>] return_from_SYSCALL_64+0x0/0x65
     [<00000000941b2638>] 0xffffffffffffffff
unreferenced object 0xffff880059fc8000 (size 24640):
   comm "Xorg", pid 1395, jiffies 4295164722 (age 6699.916s)


On 01/15/2018 09:58 AM, Harry Wentland wrote:
> Hey Andrey,
>
> I've been sick for the last few days, which is why I wasn't able to follow up on that other email thread. I'm still working from home today, so I won't be able to give this a spin. Leo, if you get a chance it'd be useful to see if we can repro it. If not, I'll try it tomorrow.
>
> Harry
>
> On 2018-01-14 06:22 PM, Grodzovsky, Andrey wrote:
>> Thanks, you did it right. I will try to think more about how this happened. Harry, Leo, if you have bandwidth to try and reproduce it, it would help. From the KASAN prints it seems the way to make it more probable to happen is to move the mouse repeatedly during flipping, like video playback; also maybe trying async flip mode makes it more probable.
>>
>> Thanks,
>> Andrey
>>
>> ________________________________________
>> From: Johannes Hirte <johannes.hirte@datenkhaos.de>
>> Sent: 14 January 2018 15:34:16
>> To: Grodzovsky, Andrey
>> Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org
>> Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
>>
>> On 2018 Jan 14, Grodzovsky, Andrey wrote:
>>> To be sure it was inserted at the correct place please send me output of git diff on your modified branch.
>>>
>>> Thanks,
>>> Andrey
>>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
>> index bb5fa895fb64..bc2050a5a5c6 100644
>> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
>> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
>> @@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
>>           * synchronization events.
>>           */
>>
>> -       if (lock_and_validation_needed) {
>> +       if (lock_and_validation_needed || state->legacy_cursor_update == true) {
>>
>>                  ret = do_aquire_global_lock(dev, state);
>>                  if (ret)
>>
>> If this matters, I've applied the patch on top of 4.15-rc7 with your
>> "Fix: Save job's priority on it's creation instead of accessing it from s_entity later on."
>> patch. This one is still not upstream, but without it I see the other
>> use-after-free.
>>
>> --
>> Regards,
>>    Johannes
>>
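For triaging a kmemleak dump like the one Andrey posted above, here is an added example (not code from this thread, the kernel or the amdgpu/DAL project) that parses the report text, groups the unreferenced objects by the function at the top of their backtrace, sums the leaked bytes per allocation site, and separately lists the leaks allocated under drm_ioctl(), since a leak reachable from an unprivileged ioctl is the one to prioritise. SAMPLE_REPORT is the kmemleak text from the mail above, including its cut-off second record, which the parser keeps as a leak of unknown origin rather than dropping; all function and regex names in the script are mine.

```python
"""Added example: triage helper for kmemleak "unreferenced object" reports.
Not code from the kernel or the amdgpu/DAL project. SAMPLE_REPORT is the
kmemleak text posted in this thread; its second record is truncated there.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
unreferenced object 0xffff880059fc0000 (size 24640):
  comm "Xorg", pid 1395, jiffies 4295164722 (age 6699.912s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<000000000e9d80ff>] dc_create_transfer_func+0x1a/0x40 [amdgpu]
    [<000000005a24894c>] fill_stream_properties_from_drm_display_mode+0x25/0x410 [amdgpu]
    [<0000000098c1adc7>] create_stream_for_sink+0x19a/0x790 [amdgpu]
    [<000000000ab720fc>] amdgpu_dm_connector_mode_valid+0xe3/0x4d0 [amdgpu]
    [<000000004a8a0d75>] drm_helper_probe_single_connector_modes+0x811/0xb20 [drm_kms_helper]
    [<00000000d551192f>] drm_mode_getconnector+0x536/0x580 [drm]
    [<00000000d9a8e32d>] drm_ioctl_kernel+0xa7/0xf0 [drm]
    [<00000000f08bfd00>] drm_ioctl+0x3ef/0x490 [drm]
    [<00000000583ca5f6>] amdgpu_drm_ioctl+0x72/0xd0 [amdgpu]
    [<000000003d352ad0>] do_vfs_ioctl+0x11a/0x830
    [<000000008290460f>] SyS_ioctl+0x74/0x80
    [<000000003e42a381>] do_syscall_64+0xe1/0x270
    [<00000000ea5f5530>] return_from_SYSCALL_64+0x0/0x65
    [<00000000941b2638>] 0xffffffffffffffff
unreferenced object 0xffff880059fc8000 (size 24640):
  comm "Xorg", pid 1395, jiffies 4295164722 (age 6699.916s)
"""

HEADER_RE = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
COMM_RE = re.compile(r'^\s*comm "([^"]*)", pid (\d+), jiffies \d+ \(age ([\d.]+)s\)')
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\] (\S+)(?: \[(\w+)\])?")


@dataclass
class Leak:
    addr: str
    size: int
    comm: str = ""
    pid: int = 0
    age: float = 0.0
    frames: list = field(default_factory=list)  # (symbol+offset, module or "")


def parse_kmemleak(text):
    """Split a kmemleak dump into Leak records; a record cut off early is kept as-is."""
    leaks, cur, in_bt = [], None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = Leak(addr=m.group(1), size=int(m.group(2)))
            leaks.append(cur)
            in_bt = False
            continue
        if cur is None:
            continue
        m = COMM_RE.match(line)
        if m:
            cur.comm, cur.pid, cur.age = m.group(1), int(m.group(2)), float(m.group(3))
        elif line.strip() == "backtrace:":
            in_bt = True
        elif in_bt:
            m = FRAME_RE.match(line)
            if m:
                cur.frames.append((m.group(1), m.group(2) or ""))
    return leaks


def alloc_site(leak):
    """Allocating function: first backtrace frame with its offsets stripped, or None."""
    if not leak.frames:
        return None
    sym, mod = leak.frames[0]
    name = sym.split("+", 1)[0]
    return f"{name} [{mod}]" if mod else name


def summarize(leaks):
    """Count and total bytes per allocation site; truncated records are grouped as unknown."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for leak in leaks:
        site = alloc_site(leak) or "unknown (truncated record)"
        totals[site]["count"] += 1
        totals[site]["bytes"] += leak.size
    return dict(totals)


def leaks_on_ioctl_path(leaks):
    """Leaks allocated under drm_ioctl(): reachable from userspace, so triage these first."""
    return [l for l in leaks if any(sym.startswith("drm_ioctl") for sym, _ in l.frames)]


if __name__ == "__main__":
    leaks = parse_kmemleak(SAMPLE_REPORT)
    for site, t in summarize(leaks).items():
        print(f"{t['count']:3d} object(s) {t['bytes']:8d} bytes  {site}")
    print(len(leaks_on_ioctl_path(leaks)), "leak(s) allocated on an ioctl path")
```

Run it as-is to see the two 24640-byte objects summarised, one attributed to dc_create_transfer_func [amdgpu] and one unknown because its backtrace was cut off; on a full /sys/kernel/debug/kmemleak dump the same grouping turns hundreds of identical records into a handful of allocation sites, and the ioctl-path list shows which of them a plain user process can drive.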

