* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-12 11:43 Luís Mendes
From: Luís Mendes @ 2018-01-12 11:43 UTC (permalink / raw)
To: Andrey Grodzovsky, Johannes Hirte
Cc: Alex Deucher, sunpeng.li-5C7GfCeVMHo, Harry Wentland,
Christian König, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
Hi Andrey, Johannes,
Sorry for getting into this conversation, but I think I might have
something related to this.
I am getting GPU hangs playing some videos, both on ARMv7 and on x86,
although with slightly different blocking paths. On ARMv7 it always
blocks in amdgpu_dm_do_flip. I suspect the GPU hang (fence timeout)
might also be caused by a kernel synchronization issue. I am using a
single HDMI display and testing with VP9 videos on Kodi, but it can also
be triggered with YouTube videos in Firefox.
Could this not be a GPU hang at all, but rather a software lockup
that prevents the dma fence from being properly completed on the host side
(due to a synchronization issue on the host side)?
It is always related to the page flip, and sometimes, a while after the
hang, I get kernel messages stating drm_flip_done timeout or similar.
The kernel stack trace always looks like this:
[ 73.432967] [drm:amdgpu_job_timedout [amdgpu]] *ERROR* ring gfx timeout, last signaled seq=4183, last emitted seq=4185
[ 73.443847] [drm] IP block:gmc_v8_0 is hung!
[ 73.443854] [drm] IP block:gfx_v8_0 is hung!
[ 73.444019] [drm] GPU recovery disabled.
[ 243.672640] INFO: task kworker/u4:3:89 blocked for more than 120 seconds.
[ 243.679466] Not tainted 4.15.0-rc4-drmnext2g #1
[ 243.685337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 243.693200] kworker/u4:3 D 0 89 2 0x00000000
[ 243.693232] Workqueue: events_unbound commit_work [drm_kms_helper]
[ 243.693251] [<80b8c6d4>] (__schedule) from [<80b8cdd0>] (schedule+0x4c/0xac)
[ 243.693259] [<80b8cdd0>] (schedule) from [<80b91024>] (schedule_timeout+0x228/0x444)
[ 243.693270] [<80b91024>] (schedule_timeout) from [<80886738>] (dma_fence_default_wait+0x2b4/0x2d8)
[ 243.693276] [<80886738>] (dma_fence_default_wait) from [<80885d60>] (dma_fence_wait_timeout+0x40/0x150)
[ 243.693284] [<80885d60>] (dma_fence_wait_timeout) from [<80887b1c>] (reservation_object_wait_timeout_rcu+0xfc/0x34c)
[ 243.693509] [<80887b1c>] (reservation_object_wait_timeout_rcu) from [<7f331988>] (amdgpu_dm_do_flip+0xec/0x36c [amdgpu])
[ 243.693789] [<7f331988>] (amdgpu_dm_do_flip [amdgpu]) from [<7f33309c>] (amdgpu_dm_atomic_commit_tail+0xbfc/0xe58 [amdgpu])
[ 243.693941] [<7f33309c>] (amdgpu_dm_atomic_commit_tail [amdgpu]) from [<7f15758c>] (commit_tail+0x50/0x94 [drm_kms_helper])
[ 243.693964] [<7f15758c>] (commit_tail [drm_kms_helper]) from [<7f1575ec>] (commit_work+0x1c/0x20 [drm_kms_helper])
[ 243.693981] [<7f1575ec>] (commit_work [drm_kms_helper]) from [<8016f4c8>] (process_one_work+0x1a8/0x4ac)
[ 243.693987] [<8016f4c8>] (process_one_work) from [<8017050c>] (worker_thread+0x68/0x598)
[ 243.693994] [<8017050c>] (worker_thread) from [<80175e50>] (kthread+0x16c/0x174)
[ 243.694003] [<80175e50>] (kthread) from [<80109de8>] (ret_from_fork+0x14/0x2c)
Regards,
Luís
>Thanks for the dmesg, unfortunately nothing suspicious from there.
>
>Looking again at KASAN, it hints at a race between the cursor update and the
>non-blocking part of the flip with regard to accessing CRTC states; maybe the
>cursor update is not properly synchronized against a flip in flight on the same CRTC...
>
>P.S. What is your setup? How many displays?
>
>
>Thanks,
>
>Andrey
>
>
>Thanks,
>
>Andrey
>
>On 01/11/2018 05:55 PM, Johannes Hirte wrote:
>> On 2018 Jan 10, Andrey Grodzovsky wrote:
>>> Hi, is there a particular scenario when this happens,
>> Unfortunately no, I am still searching for a reproducer. Sometimes it takes
>> several days until the next use-after-free.
>>
>>> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?
>> I assume you want the debug output when a use-after-free happened. Here
>> it is:
>>
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
>> Jan 11 23:21:33 probook kernel: ==================================================================
>> Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
>> Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
>> Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
>> Jan 11 23:21:33 probook kernel: Call Trace:
>> Jan 11 23:21:33 probook kernel: dump_stack+0x99/0x11e
>> Jan 11 23:21:33 probook kernel: ? _atomic_dec_and_lock+0x152/0x152
>> Jan 11 23:21:33 probook kernel: print_address_description+0x65/0x270
>> Jan 11 23:21:33 probook kernel: kasan_report+0x272/0x360
>> Jan 11 23:21:33 probook kernel: ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> Jan 11 23:21:33 probook kernel: drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> Jan 11 23:21:33 probook kernel: amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
>> Jan 11 23:21:33 probook kernel: ? dm_crtc_duplicate_state+0x130/0x130
>> Jan 11 23:21:33 probook kernel: ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
>> Jan 11 23:21:33 probook kernel: commit_tail+0x92/0xe0
>> Jan 11 23:21:33 probook kernel: process_one_work+0x84b/0x1600
>> Jan 11 23:21:33 probook kernel: ? tick_nohz_dep_clear_signal+0x20/0x20
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xbe/0x120
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock+0x120/0x120
>> Jan 11 23:21:33 probook kernel: ? pwq_dec_nr_in_flight+0x3c0/0x3c0
>> Jan 11 23:21:33 probook kernel: ? arch_vtime_task_switch+0xee/0x190
>> Jan 11 23:21:33 probook kernel: ? finish_task_switch+0x27d/0x7f0
>> Jan 11 23:21:33 probook kernel: ? wq_worker_waking_up+0xc0/0xc0
>> Jan 11 23:21:33 probook kernel: ? copy_overflow+0x20/0x20
>> Jan 11 23:21:33 probook kernel: ? sched_clock_cpu+0x18/0x1e0
>> Jan 11 23:21:33 probook kernel: ? pci_mmcfg_check_reserved+0x100/0x100
>> Jan 11 23:21:33 probook kernel: ? preempt_schedule_irq+0x4e/0xb0
>> Jan 11 23:21:33 probook kernel: ? schedule+0xfb/0x3b0
>> Jan 11 23:21:33 probook kernel: ? __schedule+0x19b0/0x19b0
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xb9/0x120
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xbe/0x120
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock+0x120/0x120
>> Jan 11 23:21:33 probook kernel: worker_thread+0x211/0x1790
>> Jan 11 23:21:33 probook kernel: ? trace_event_raw_event_workqueue_work+0x170/0x170
>> Jan 11 23:21:33 probook kernel: ? vtime_guest_exit+0xe0/0xe0
>> Jan 11 23:21:33 probook kernel: ? tick_nohz_dep_clear_signal+0x20/0x20
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xbe/0x120
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock+0x120/0x120
>> Jan 11 23:21:33 probook kernel: ? finish_task_switch+0x27d/0x7f0
>> Jan 11 23:21:33 probook kernel: ? sched_clock_cpu+0x18/0x1e0
>> Jan 11 23:21:33 probook kernel: ? pci_mmcfg_check_reserved+0x100/0x100
>> Jan 11 23:21:33 probook kernel: ? pci_mmcfg_check_reserved+0x100/0x100
>> Jan 11 23:21:33 probook kernel: ? cyc2ns_read_end+0x20/0x20
>> Jan 11 23:21:33 probook kernel: ? schedule+0xfb/0x3b0
>> Jan 11 23:21:33 probook kernel: ? trace_event_raw_event_workqueue_work+0x170/0x170
>> Jan 11 23:21:33 probook kernel: ? __schedule+0x19b0/0x19b0
>> Jan 11 23:21:33 probook kernel: ? ___preempt_schedule+0x16/0x18
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irqrestore+0xfe/0x130
>> Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0x120/0x120
>> Jan 11 23:21:33 probook kernel: ? trace_event_raw_event_workqueue_work+0x170/0x170
>> Jan 11 23:21:33 probook kernel: kthread+0x2d4/0x390
>> Jan 11 23:21:33 probook kernel: ? kthread_create_worker+0xd0/0xd0
>> Jan 11 23:21:33 probook kernel: ret_from_fork+0x1f/0x30
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: Allocated by task 2408:
>> Jan 11 23:21:33 probook kernel: kasan_kmalloc+0xa0/0xd0
>> Jan 11 23:21:33 probook kernel: kmem_cache_alloc_trace+0xd1/0x1e0
>> Jan 11 23:21:33 probook kernel: dm_crtc_duplicate_state+0x73/0x130
>> Jan 11 23:21:33 probook kernel: drm_atomic_get_crtc_state+0x13c/0x400
>> Jan 11 23:21:33 probook kernel: page_flip_common+0x52/0x230
>> Jan 11 23:21:33 probook kernel: drm_atomic_helper_page_flip+0xa1/0x100
>> Jan 11 23:21:33 probook kernel: drm_mode_page_flip_ioctl+0xc10/0x1030
>> Jan 11 23:21:33 probook kernel: drm_ioctl_kernel+0x1b5/0x2c0
>> Jan 11 23:21:33 probook kernel: drm_ioctl+0x709/0xa00
>> Jan 11 23:21:33 probook kernel: amdgpu_drm_ioctl+0x118/0x280
>> Jan 11 23:21:33 probook kernel: do_vfs_ioctl+0x18a/0x1260
>> Jan 11 23:21:33 probook kernel: SyS_ioctl+0x6f/0x80
>> Jan 11 23:21:33 probook kernel: do_syscall_64+0x220/0x670
>> Jan 11 23:21:33 probook kernel: return_from_SYSCALL_64+0x0/0x65
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: Freed by task 2531:
>> Jan 11 23:21:33 probook kernel: kasan_slab_free+0x71/0xc0
>> Jan 11 23:21:33 probook kernel: kfree+0x88/0x1b0
>> Jan 11 23:21:33 probook kernel: drm_atomic_state_default_clear+0x2c8/0xa00
>> Jan 11 23:21:33 probook kernel: __drm_atomic_state_free+0x30/0xd0
>> Jan 11 23:21:33 probook kernel: drm_atomic_helper_update_plane+0xb6/0x350
>> Jan 11 23:21:33 probook kernel: __setplane_internal+0x5b4/0x9d0
>> Jan 11 23:21:33 probook kernel: drm_mode_cursor_universal+0x412/0xc60
>> Jan 11 23:21:33 probook kernel: drm_mode_cursor_common+0x4b6/0x890
>> Jan 11 23:21:33 probook kernel: drm_mode_cursor_ioctl+0xd3/0x120
>> Jan 11 23:21:33 probook kernel: drm_ioctl_kernel+0x1b5/0x2c0
>> Jan 11 23:21:33 probook kernel: drm_ioctl+0x709/0xa00
>> Jan 11 23:21:33 probook kernel: amdgpu_drm_ioctl+0x118/0x280
>> Jan 11 23:21:33 probook kernel: do_vfs_ioctl+0x18a/0x1260
>> Jan 11 23:21:33 probook kernel: SyS_ioctl+0x6f/0x80
>> Jan 11 23:21:33 probook kernel: do_syscall_64+0x220/0x670
>> Jan 11 23:21:33 probook kernel: return_from_SYSCALL_64+0x0/0x65
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
>> Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
>> Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
>> Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping: >(null) index:0x0 compound_mapcount: 0
>> Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
>> Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
>> Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
>> Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
>> Jan 11 23:21:33 probook kernel:
>> Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
>> Jan 11 23:21:33 probook kernel: ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: ^
>> Jan 11 23:21:33 probook kernel: ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> Jan 11 23:21:33 probook kernel: >==================================================================
>> Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194
>>
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
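The KASAN report quoted above already names the three parties to the race: the page-flip ioctl that allocated the CRTC state (task 2408), the cursor ioctl that freed it (task 2531), and the commit_work worker that read it afterwards. What follows is an added example, not code from this thread or from the amdgpu project, that pulls those facts out of such a report mechanically, the way a triage script would before anyone reasons from the report. It assumes the report layout of the 4.15 kernel shown above (journald prefix, "Allocated by task"/"Freed by task" sections, one frame per line) and drops "?" frames, which KASAN prints for unverified stack slots; the sample input is a trimmed excerpt of Johannes's report.

```python
"""Triage a KASAN use-after-free report into the facts a responder needs.

Added example for this thread, not code from it or from the amdgpu project.
SAMPLE_REPORT is a trimmed excerpt of the report Johannes posted (journal
prefix kept, most "?" frames dropped); the parsing rules are assumptions
about the KASAN report layout of that kernel, not a kernel API.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
Jan 11 23:21:33 probook kernel: Call Trace:
Jan 11 23:21:33 probook kernel: dump_stack+0x99/0x11e
Jan 11 23:21:33 probook kernel: ? _atomic_dec_and_lock+0x152/0x152
Jan 11 23:21:33 probook kernel: print_address_description+0x65/0x270
Jan 11 23:21:33 probook kernel: kasan_report+0x272/0x360
Jan 11 23:21:33 probook kernel: drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
Jan 11 23:21:33 probook kernel: commit_tail+0x92/0xe0
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: Allocated by task 2408:
Jan 11 23:21:33 probook kernel: kasan_kmalloc+0xa0/0xd0
Jan 11 23:21:33 probook kernel: kmem_cache_alloc_trace+0xd1/0x1e0
Jan 11 23:21:33 probook kernel: dm_crtc_duplicate_state+0x73/0x130
Jan 11 23:21:33 probook kernel: page_flip_common+0x52/0x230
Jan 11 23:21:33 probook kernel: drm_mode_page_flip_ioctl+0xc10/0x1030
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: Freed by task 2531:
Jan 11 23:21:33 probook kernel: kasan_slab_free+0x71/0xc0
Jan 11 23:21:33 probook kernel: kfree+0x88/0x1b0
Jan 11 23:21:33 probook kernel: drm_atomic_state_default_clear+0x2c8/0xa00
Jan 11 23:21:33 probook kernel: drm_atomic_helper_update_plane+0xb6/0x350
Jan 11 23:21:33 probook kernel: drm_mode_cursor_ioctl+0xd3/0x120
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
"""

PREFIX = re.compile(r"^.*?kernel:\s?")  # journald/syslog prefix (also works on '>'-quoted lines)
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")
# Reporting and allocator frames: present in every report, never identify the owning subsystem.
INFRA = {"dump_stack", "print_address_description", "kasan_report",
         "kasan_kmalloc", "kmem_cache_alloc_trace", "kasan_slab_free", "kfree"}


@dataclass
class KasanReport:
    bug: str = ""; site: str = ""; access: str = ""; size: int = 0; addr: int = 0
    task: str = ""; pid: int = 0; workqueue: str = ""
    alloc_pid: int = 0; free_pid: int = 0; object_base: int = 0; offset: int = 0
    stacks: dict = field(default_factory=dict)  # "access" | "alloc" | "free" -> [symbol, ...]


def parse_kasan(text):
    """Walk the report line by line; a blank line closes the current stack section."""
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r.bug, r.site = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
            r.task, r.pid = m[4], int(m[5])
        elif m := re.match(r"Workqueue: \S+ (\S+)", line):
            r.workqueue = m[1]
        elif line == "Call Trace:":
            section = "access"; r.stacks[section] = []
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            setattr(r, section + "_pid", int(m[2])); r.stacks[section] = []
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.object_base = int(m[1], 16)
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m[1])
        elif not line:
            section = None
        elif section and (m := FRAME.match(line)) and not m[1]:
            r.stacks[section].append(m[2])  # "?" frames are unverified guesses; skip them
    return r


def first_owner_frame(frames):
    """First frame that belongs to a driver/subsystem rather than to KASAN or the allocator."""
    return next((f for f in frames if f not in INFRA), None)


def triage(r):
    """Reduce the report to lifetime facts: who allocated, who freed, who touched the object."""
    alloc, free = r.stacks.get("alloc", []), r.stacks.get("free", [])
    return {
        "accessed_in": first_owner_frame(r.stacks.get("access", [])),
        "allocated_in": first_owner_frame(alloc),
        "alloc_entry": alloc[-1] if alloc else None,  # outermost frame: which syscall path
        "freed_in": first_owner_frame(free),
        "free_entry": free[-1] if free else None,
        "addr_consistent": r.object_base + r.offset == r.addr,  # sanity check on a pasted report
        "distinct_tasks": len({r.pid, r.alloc_pid, r.free_pid}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE_REPORT)).items():
        print(f"{key:>16}: {value}")
```

On the sample this reports the object allocated in dm_crtc_duplicate_state entered from drm_mode_page_flip_ioctl, freed in drm_atomic_state_default_clear entered from drm_mode_cursor_ioctl, and read in drm_atomic_helper_wait_for_flip_done on the commit_work worker, by three distinct tasks; that is the cross-context lifetime pattern Andrey's cursor-versus-flip hypothesis describes. The addr_consistent check (object base plus offset equals the faulting address) is cheap insurance against a report that was mangled while being copied into a mail.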
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-12 15:20 Andrey Grodzovsky
From: Andrey Grodzovsky @ 2018-01-12 15:20 UTC (permalink / raw)
To: Luís Mendes, Johannes Hirte
Cc: Alex Deucher, sunpeng.li-5C7GfCeVMHo, Harry Wentland,
Christian König, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
Hi, this looks to me like a different issue (not related) than the one Johannes
reports. Your issue was already reported by someone (can't remember the thread
offhand) and looks like a shader hang or GPU scheduler synchronization issue,
while Johannes's use-after-free is a pure software logic issue in either the KMS
atomic framework or, more probably, in AMDGPU/DC (DAL).
Johannes, I attached a debug patch which forces the cursor update to wait for
any page flip in progress; can you give it a try and see if the issue is gone?
This is not an actual fix but just to evaluate the reason.
Thanks,
Andrey
On 01/12/2018 06:43 AM, Luís Mendes wrote:
[drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0] >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0 >>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0] >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194 >>> Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194 >>> Jan 11 23:21:33 
probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194 >>> Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194 >>> [-- Attachment #2: force_cursor_update_wait_for_flip.patch --] [-- Type: text/x-patch, Size: 799 bytes --] diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index 5a70682..323d020 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -4908,7 +4908,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, * synchronization events. */ - if (lock_and_validation_needed) { + if (lock_and_validation_needed || state->legacy_cursor_update == true) { ret = do_aquire_global_lock(dev, state); if (ret) diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c index a1a751b..6d6ffdf 100644 --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c [-- Attachment #3: Type: text/plain, Size: 154 bytes --] _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply related [flat|nested] 17+ messages in thread
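Review bot: the trailing `diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c` header, with its `index`, `---` and `+++` lines, has no hunk beneath it, so the attachment does not apply as posted; drop those four lines so that only the amdgpu_dm.c hunk remains. In that hunk, `state->legacy_cursor_update == true` compares a bool against a literal; kernel style is `|| state->legacy_cursor_update`. The change routes every legacy cursor update through `do_aquire_global_lock(dev, state)`, which the comment above the condition ("synchronization events") reserves for commits that need validation, so the block comment should say that cursor updates are included deliberately, and the patch description should state that this is a diagnostic to confirm the cursor-update versus page-flip ordering rather than the fix.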
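The `[drm:*]` debug lines at the end of the message above can be checked mechanically rather than by eye. The script below is an added example written for this page, not code from the thread or from the DRM or amdgpu tree. It pairs the `Allocated`, `Clearing` and `Freeing atomic state` lines per state pointer and reports any state whose clear and free enclose the complete lifetime of other states, which is what the log shows for `000000005030c62c`: a nonblocking commit still being torn down while later commits came and went. The sample log is a constructed slice of the lines quoted above with the syslog prefix dropped; the pointer values are the kernel's hashed `%p` output, so they cannot be matched against the raw addresses in the KASAN report.

```python
import re
from collections import OrderedDict

# Constructed sample: a slice of the [drm:*] debug lines quoted in the message
# above, in their original order, with the syslog prefix dropped.
SAMPLE_LOG = """\
[drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
[drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
[drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
[drm:drm_atomic_check_only] checking 000000008beb2208
[drm:drm_atomic_commit] committing 000000008beb2208
[drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
[drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
[drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
[drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
[drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
[drm:drm_atomic_commit] committing 0000000004ea9707
[drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
[drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
[drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
[drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
[drm:drm_atomic_commit] committing 00000000978683e0
[drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
[drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
[drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
"""

EVENT_RE = re.compile(
    r"\[drm:\w+\] (?:(?P<verb>Allocated|Clearing|Freeing) atomic state|"
    r"(?P<verb2>checking|committing)) (?P<state>[0-9a-f]{16})")
CRTC_RE = re.compile(
    r"\[drm:drm_atomic_get_crtc_state\] Added \[CRTC:(?P<crtc>\d+):[^\]]*\] "
    r"(?P<crtc_state>[0-9a-f]{16}) state to (?P<state>[0-9a-f]{16})")
KIND = {"Allocated": "alloc", "Clearing": "clear", "Freeing": "free",
        "checking": "check", "committing": "commit"}


def parse_events(text):
    """Return (events, crtc_states). events: [(seq, kind, state)] in log order.
    crtc_states: {atomic state: [(crtc id, duplicated crtc_state pointer)]}."""
    events, crtc_states = [], {}
    for seq, line in enumerate(text.splitlines()):
        m = EVENT_RE.search(line)
        if m:
            events.append((seq, KIND[m.group("verb") or m.group("verb2")], m.group("state")))
            continue
        m = CRTC_RE.search(line)
        if m:
            crtc_states.setdefault(m.group("state"), []).append(
                (int(m.group("crtc")), m.group("crtc_state")))
    return events, crtc_states


def lifecycles(events):
    """{state: {kind: seq of its last occurrence}}, in first-seen order."""
    life = OrderedDict()
    for seq, kind, state in events:
        life.setdefault(state, {})[kind] = seq
    return life


def straddling_states(events):
    """States whose clear and free enclose the complete alloc-to-free life of
    another state: a nonblocking commit whose teardown overlapped later commits.
    Returns {state: [enclosed states]} in log order."""
    life = lifecycles(events)
    found = {}
    for state, kinds in life.items():
        if "clear" not in kinds or "free" not in kinds:
            continue
        lo, hi = kinds["clear"], kinds["free"]
        inner = [o for o, ok in life.items()
                 if o != state and "alloc" in ok and "free" in ok
                 and lo < ok["alloc"] and ok["free"] < hi]
        if inner:
            found[state] = inner
    return found


def unpaired_states(events):
    """(states allocated before the capture started, states allocated but never freed)."""
    life = lifecycles(events)
    before = [s for s, k in life.items() if "alloc" not in k]
    leaked = [s for s, k in life.items() if "alloc" in k and "free" not in k]
    return before, leaked


if __name__ == "__main__":
    evs, crtcs = parse_events(SAMPLE_LOG)
    for state, inner in straddling_states(evs).items():
        print(f"state {state} freed after {len(inner)} later commit(s): {inner}")
    before, leaked = unpaired_states(evs)
    print("allocated before capture:", before, "never freed:", leaked)
    for state, dups in crtcs.items():
        print(f"state {state} duplicated crtc state(s): {dups}")
```

Run it over a full `drm.debug=0x10` capture (the `[drm:*]` lines with their syslog prefix stripped) and the states that straddle several cursor updates are the page-flip commits whose CRTC state the cursor path may be racing with; the `crtc_states` map tells you which duplicated CRTC state each of them owned.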
[parent not found: <77f6ae06-988a-54c8-fa57-556df22cc202-5C7GfCeVMHo@public.gmane.org>]
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
[not found] ` <77f6ae06-988a-54c8-fa57-556df22cc202-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-12 21:47 ` Johannes Hirte
2018-01-12 21:52 ` Andrey Grodzovsky
0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-12 21:47 UTC (permalink / raw)
To: Andrey Grodzovsky
Cc: sunpeng.li-5C7GfCeVMHo, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
Alex Deucher, Luís Mendes, Harry Wentland, Christian König

On 2018 Jan 12, Andrey Grodzovsky wrote:
> Hi, looks to me like a different issue (not related) than the one
> Johannes reports; your issue was already reported by someone (can't
> remember the thread off hand) and looks like a shader hang or GPU
> scheduler synchronization issue, while Johannes's use-after-free is a pure
> software logic issue in either the KMS atomic framework or, more probably, in
> AMDGPU/DC (DAL).
>
>
> Johannes, I attached a debug patch which forces the cursor update to wait
> for any page flip in progress; can you give it a try and see if the
> issue is gone? This is not an actual fix, but just to evaluate the reason.
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > index 5a70682..323d020 100644 > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > @@ -4908,7 +4908,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, > * synchronization events. > */ > > - if (lock_and_validation_needed) { > + if (lock_and_validation_needed || state->legacy_cursor_update == true) { > > ret = do_aquire_global_lock(dev, state); > if (ret) > diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c > index a1a751b..6d6ffdf 100644 > --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c

The patch seems incomplete.

--
Regards,
Johannes
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
2018-01-12 21:47 ` Johannes Hirte
@ 2018-01-12 21:52 ` Andrey Grodzovsky
[not found] ` <11b826ef-1a47-33db-dccd-7a4867547fbf-5C7GfCeVMHo@public.gmane.org>
0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-12 21:52 UTC (permalink / raw)
To: Johannes Hirte
Cc: sunpeng.li-5C7GfCeVMHo, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
Alex Deucher, Luís Mendes, Harry Wentland, Christian König

Yeah, I know, I just dumped the diff of one file into it. Please search
the code for

"ret = do_aquire_global_lock(dev, state);"

It appears in only one place in the entire code base; manually apply the
one-line change there.

Thanks,
Andrey

On 01/12/2018 04:47 PM, Johannes Hirte wrote:
> On 2018 Jan 12, Andrey Grodzovsky wrote:
>> Hi, looks to me like a different issue (not related) than the one
>> Johannes reports; your issue was already reported by someone (can't
>> remember the thread off hand) and looks like a shader hang or GPU
>> scheduler synchronization issue, while Johannes's use-after-free is a pure
>> software logic issue in either the KMS atomic framework or, more probably, in
>> AMDGPU/DC (DAL).
>>
>>
>> Johannes, I attached a debug patch which forces the cursor update to wait
>> for any page flip in progress; can you give it a try and see if the
>> issue is gone? This is not an actual fix, but just to evaluate the reason.
>>
>> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c >> index 5a70682..323d020 100644 >> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c >> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c >> @@ -4908,7 +4908,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, >> * synchronization events. >> */ >> >> - if (lock_and_validation_needed) { >> + if (lock_and_validation_needed || state->legacy_cursor_update == true) { >> >> ret = do_aquire_global_lock(dev, state); >> if (ret)
>> diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c >> index a1a751b..6d6ffdf 100644 >> --- a/drivers/gpu/drm/ttm/ttm_page_alloc.c >> +++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
> The patch seems incomplete.
>
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <11b826ef-1a47-33db-dccd-7a4867547fbf-5C7GfCeVMHo@public.gmane.org>]
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
[not found] ` <11b826ef-1a47-33db-dccd-7a4867547fbf-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-13 19:47 ` Johannes Hirte
2018-01-14 16:44 ` Grodzovsky, Andrey
0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-13 19:47 UTC (permalink / raw)
To: Andrey Grodzovsky
Cc: sunpeng.li-5C7GfCeVMHo, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
Alex Deucher, Luís Mendes, Harry Wentland, Christian König

On 2018 Jan 12, Andrey Grodzovsky wrote:
> Yeah, I know, I just dumped the diff of one file into it. Please search
> the code for
>
> "ret = do_aquire_global_lock(dev, state);"
>
> It appears in only one place in the entire code base; manually apply the
> one-line change there.
>

with patch applied:

[ 6887.679618] [drm] {1920x1080, 2250x1132@152840Khz}
[ 6887.806430] [drm] HBRx2 pass VS=1, PE=0
[12432.070076] [drm] {1920x1080, 2250x1132@152840Khz}
[12432.194472] [drm] HBRx2 pass VS=1, PE=0
[13677.257767] ==================================================================
[13677.257812] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr ffff8803f0533388 by task kworker/u8:6/22172
[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00002-g617b2907a7aa #445
[13677.257837] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257931]  ? trace_raw_output_rcu_utilization+0xa0/0xa0
[13677.257939]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.257961]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.257969]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.257973]  ? _raw_spin_unlock+0x120/0x120
[13677.257977]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[13677.257984]  ? arch_vtime_task_switch+0xee/0x190
[13677.257991]  ? finish_task_switch+0x27d/0x7f0
[13677.257995]  ? wq_worker_waking_up+0xc0/0xc0
[13677.258000]  ? copy_overflow+0x20/0x20
[13677.258010]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258014]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258022]  ? schedule+0xfb/0x3b0
[13677.258027]  ? __schedule+0x19b0/0x19b0
[13677.258031]  ? preempt_schedule_common+0x30/0xb0
[13677.258038]  ? ___preempt_schedule+0x16/0x18
[13677.258043]  ? _raw_spin_unlock_irq+0xfa/0x120
[13677.258047]  ? _raw_spin_unlock+0x120/0x120
[13677.258052]  worker_thread+0x211/0x1790
[13677.258060]  ? pick_next_task_fair+0x313/0x10f0
[13677.258065]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258073]  ? cyc2ns_read_end+0x20/0x20
[13677.258078]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.258083]  ? get_vtime_delta+0x16/0xd0
[13677.258087]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.258091]  ? _raw_spin_unlock+0x120/0x120
[13677.258098]  ? finish_task_switch+0x27d/0x7f0
[13677.258104]  ? sched_clock_cpu+0x18/0x1e0
[13677.258110]  ? ret_from_fork+0x1f/0x30
[13677.258116]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258120]  ? get_vtime_delta+0x16/0xd0
[13677.258125]  ? cyc2ns_read_end+0x20/0x20
[13677.258131]  ? schedule+0xfb/0x3b0
[13677.258136]  ? __schedule+0x19b0/0x19b0
[13677.258141]  ? remove_wait_queue+0x2b0/0x2b0
[13677.258146]  ? arch_vtime_task_switch+0xee/0x190
[13677.258151]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[13677.258156]  ? _raw_spin_unlock_irq+0x120/0x120
[13677.258162]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258167]  kthread+0x2d4/0x390
[13677.258172]  ? kthread_create_worker+0xd0/0xd0
[13677.258177]  ret_from_fork+0x1f/0x30

[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258245]  amdgpu_drm_ioctl+0x118/0x280
[13677.258250]  do_vfs_ioctl+0x18a/0x1260
[13677.258254]  SyS_ioctl+0x6f/0x80
[13677.258258]  do_syscall_64+0x220/0x670
[13677.258262]  return_from_SYSCALL_64+0x0/0x65

[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258293]  __setplane_internal+0x5b4/0x9d0
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258301]  drm_mode_cursor_common+0x4b6/0x890
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258313]  drm_ioctl+0x709/0xa00
[13677.258316]  amdgpu_drm_ioctl+0x118/0x280
[13677.258319]  do_vfs_ioctl+0x18a/0x1260
[13677.258323]  SyS_ioctl+0x6f/0x80
[13677.258326]  do_syscall_64+0x220/0x670
[13677.258330]  return_from_SYSCALL_64+0x0/0x65

[13677.258336] The buggy address belongs to the object at ffff8803f0533180 which belongs to the cache kmalloc-1024 of size 1024
[13677.258343] The buggy address is located 520 bytes inside of 1024-byte region [ffff8803f0533180, ffff8803f0533580)
[13677.258347] The buggy address belongs to the page:
[13677.258354] page:ffffea000fc14c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[13677.258364] flags: 0x2000000000008100(slab|head)
[13677.258374] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[13677.258380] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[13677.258383] page dumped because: kasan: bad access detected

[13677.258388] Memory state around the buggy address:
[13677.258393]  ffff8803f0533280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258398]  ffff8803f0533300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258402] >ffff8803f0533380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258404]                       ^
[13677.258408]  ffff8803f0533400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258411]  ffff8803f0533480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258415] ==================================================================
[13677.258418] Disabling lock debugging due to kernel taint

--
Regards,
Johannes
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply [flat|nested] 17+ messages in thread
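A report like the one above carries everything needed for a first triage: which task touched the object, which task allocated it, which task freed it, and how far into the object the access landed. The script below is an added example written for this page, not code from the thread or from the kernel tree. It parses one KASAN report into those fields, picks the first frame of each stack that is not allocator or KASAN plumbing, names the ioctl that reached it, recomputes the `520 bytes inside` offset from the two addresses, and flags the three-task pattern (accessor, allocator and freer all different) that distinguishes a lifetime race from a plain double free. The sample is a constructed, shortened copy of the report in the message above; the `NOISE` prefix list is an assumption about which frames count as plumbing.

```python
import re

# Constructed sample: the report quoted above, shortened to the lines the
# triage needs (timestamps and a few '?' frames kept as dmesg prints them).
SAMPLE_REPORT = """\
[13677.257767] ==================================================================
[13677.257812] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr ffff8803f0533388 by task kworker/u8:6/22172
[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00002-g617b2907a7aa #445
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.258052]  worker_thread+0x211/0x1790
[13677.258167]  kthread+0x2d4/0x390
[13677.258177]  ret_from_fork+0x1f/0x30
[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258336] The buggy address belongs to the object at ffff8803f0533180 which belongs to the cache kmalloc-1024 of size 1024
[13677.258343] The buggy address is located 520 bytes inside of 1024-byte region [ffff8803f0533180, ffff8803f0533580)
[13677.258415] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                       r"by task (?P<comm>\S+)/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"Freed by task (?P<pid>\d+):")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)"
                       r"(?: which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+))?")
OFFSET_RE = re.compile(r"is located (?P<off>\d+) bytes inside of")
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\? )?(?P<fn>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Assumed list of frames that are KASAN/allocator plumbing, not the owner of the object.
NOISE = ("kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc",
         "dump_stack", "print_address_description", "check_memory_region")


def parse_kasan_report(text):
    """Split one KASAN report into header fields and three stacks.
    Frames are (function, reliable) pairs; '?' frames are unreliable."""
    rep = {"access_stack": [], "alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if (m := BUG_RE.search(line)):
            rep["kind"], rep["site"] = m.group("kind"), m.group("fn")
        elif (m := ACCESS_RE.search(line)):
            rep.update(rw=m.group("rw"), size=int(m.group("size")),
                       addr=int(m.group("addr"), 16), comm=m.group("comm"),
                       pid=int(m.group("pid")))
        elif line.startswith("Call Trace:"):
            section = "access_stack"
        elif (m := ALLOC_RE.search(line)):
            rep["alloc_pid"], section = int(m.group("pid")), "alloc_stack"
        elif (m := FREE_RE.search(line)):
            rep["free_pid"], section = int(m.group("pid")), "free_stack"
        elif (m := OBJECT_RE.search(line)):
            rep["object_base"] = int(m.group("base"), 16)
            rep["cache"] = m.group("cache")
            rep["object_size"] = int(m.group("size")) if m.group("size") else None
            section = None
        elif (m := OFFSET_RE.search(line)):
            rep["claimed_offset"] = int(m.group("off"))
        elif section and (m := FRAME_RE.match(line)):
            rep[section].append((m.group("fn"), m.group("unreliable") is None))
    return rep


def first_owner_frame(stack):
    """First reliable frame that is not allocator/KASAN plumbing."""
    return next((fn for fn, ok in stack if ok and not fn.startswith(NOISE)), None)


def entry_ioctl(stack):
    """Innermost reliable *_ioctl frame: the userspace-visible operation on this path."""
    return next((fn for fn, ok in stack if ok and fn.endswith("_ioctl")), None)


def triage(text):
    rep = parse_kasan_report(text)
    offset = rep["addr"] - rep["object_base"]
    return {
        "kind": rep["kind"],
        "site": rep["site"],
        "access": (rep["rw"], rep["size"], rep["addr"]),
        "accessing_task": (rep["comm"], rep["pid"]),
        "object": (rep["cache"], rep["object_size"], offset),
        # KASAN's own "located N bytes inside" claim, recomputed from the addresses
        "offset_matches_report": offset == rep.get("claimed_offset"),
        "alloc": (rep["alloc_pid"], first_owner_frame(rep["alloc_stack"]),
                  entry_ioctl(rep["alloc_stack"])),
        "free": (rep["free_pid"], first_owner_frame(rep["free_stack"]),
                 entry_ioctl(rep["free_stack"])),
        "access_path": [fn for fn, ok in rep["access_stack"]
                        if ok and not fn.startswith(NOISE)],
        # accessor, allocator and freer all differ: a lifetime race, not a double free
        "three_parties": len({rep["pid"], rep["alloc_pid"], rep["free_pid"]}) == 3,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the report above this yields: a worker (`commit_work`) reading a `dm_crtc_state` that the page-flip ioctl duplicated and that a cursor ioctl's `drm_atomic_state_default_clear` already freed, 520 bytes into a kmalloc-1024 object, which is exactly the cursor-update versus page-flip ordering the debug patch is probing.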
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
2018-01-13 19:47 ` Johannes Hirte
@ 2018-01-14 16:44 ` Grodzovsky, Andrey
[not found] ` <BN6PR1201MB0115E7D6A5932AC3A932FA98EA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
0 siblings, 1 reply; 17+ messages in thread
From: Grodzovsky, Andrey @ 2018-01-14 16:44 UTC (permalink / raw)
To: Johannes Hirte
Cc: Li, Sun peng (Leo), amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
Deucher, Alexander, Luís Mendes, Wentland, Harry, Koenig, Christian

To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.

Thanks,
Andrey

________________________________________
From: Johannes Hirte <johannes.hirte@datenkhaos.de>
Sent: 13 January 2018 14:47:50
To: Grodzovsky, Andrey
Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org
Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb

On 2018 Jan 12, Andrey Grodzovsky wrote:
> Yeah, I know, I just dumped the diff of one file into it. Please search
> the code for
>
> "ret = do_aquire_global_lock(dev, state);"
>
> It appears in only one place in the entire code base; manually apply the
> one-line change there.
>

with patch applied:

[ 6887.679618] [drm] {1920x1080, 2250x1132@152840Khz}
[ 6887.806430] [drm] HBRx2 pass VS=1, PE=0
[12432.070076] [drm] {1920x1080, 2250x1132@152840Khz}
[12432.194472] [drm] HBRx2 pass VS=1, PE=0
[13677.257767] ==================================================================
[13677.257812] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr ffff8803f0533388 by task kworker/u8:6/22172
[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00002-g617b2907a7aa #445
[13677.257837] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257931]  ? trace_raw_output_rcu_utilization+0xa0/0xa0
[13677.257939]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.257961]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.257969]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.257973]  ? _raw_spin_unlock+0x120/0x120
[13677.257977]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[13677.257984]  ? arch_vtime_task_switch+0xee/0x190
[13677.257991]  ? finish_task_switch+0x27d/0x7f0
[13677.257995]  ? wq_worker_waking_up+0xc0/0xc0
[13677.258000]  ? copy_overflow+0x20/0x20
[13677.258010]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258014]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258022]  ? schedule+0xfb/0x3b0
[13677.258027]  ? __schedule+0x19b0/0x19b0
[13677.258031]  ? preempt_schedule_common+0x30/0xb0
[13677.258038]  ? ___preempt_schedule+0x16/0x18
[13677.258043]  ? _raw_spin_unlock_irq+0xfa/0x120
[13677.258047]  ? _raw_spin_unlock+0x120/0x120
[13677.258052]  worker_thread+0x211/0x1790
[13677.258060]  ? pick_next_task_fair+0x313/0x10f0
[13677.258065]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258073]  ? cyc2ns_read_end+0x20/0x20
[13677.258078]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.258083]  ? get_vtime_delta+0x16/0xd0
[13677.258087]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.258091]  ? _raw_spin_unlock+0x120/0x120
[13677.258098]  ? finish_task_switch+0x27d/0x7f0
[13677.258104]  ? sched_clock_cpu+0x18/0x1e0
[13677.258110]  ? ret_from_fork+0x1f/0x30
[13677.258116]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258120]  ? get_vtime_delta+0x16/0xd0
[13677.258125]  ? cyc2ns_read_end+0x20/0x20
[13677.258131]  ? schedule+0xfb/0x3b0
[13677.258136]  ? __schedule+0x19b0/0x19b0
[13677.258141]  ? remove_wait_queue+0x2b0/0x2b0
[13677.258146]  ? arch_vtime_task_switch+0xee/0x190
[13677.258151]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[13677.258156]  ? _raw_spin_unlock_irq+0x120/0x120
[13677.258162]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258167]  kthread+0x2d4/0x390
[13677.258172]  ? kthread_create_worker+0xd0/0xd0
[13677.258177]  ret_from_fork+0x1f/0x30

[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258245]  amdgpu_drm_ioctl+0x118/0x280
[13677.258250]  do_vfs_ioctl+0x18a/0x1260
[13677.258254]  SyS_ioctl+0x6f/0x80
[13677.258258]  do_syscall_64+0x220/0x670
[13677.258262]  return_from_SYSCALL_64+0x0/0x65

[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258293]  __setplane_internal+0x5b4/0x9d0
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258301]  drm_mode_cursor_common+0x4b6/0x890
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258313]  drm_ioctl+0x709/0xa00
[13677.258316]  amdgpu_drm_ioctl+0x118/0x280
[13677.258319]  do_vfs_ioctl+0x18a/0x1260
[13677.258323]  SyS_ioctl+0x6f/0x80
[13677.258326]  do_syscall_64+0x220/0x670
[13677.258330]  return_from_SYSCALL_64+0x0/0x65

[13677.258336] The buggy address belongs to the object at ffff8803f0533180 which belongs to the cache kmalloc-1024 of size 1024
[13677.258343] The buggy address is located 520 bytes inside of 1024-byte region [ffff8803f0533180, ffff8803f0533580)
[13677.258347] The buggy address belongs to the page:
[13677.258354] page:ffffea000fc14c00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[13677.258364] flags: 0x2000000000008100(slab|head)
[13677.258374] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[13677.258380] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[13677.258383] page dumped because: kasan: bad access detected

[13677.258388] Memory state around the buggy address:
[13677.258393]  ffff8803f0533280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258398]  ffff8803f0533300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258402] >ffff8803f0533380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258404]                       ^
[13677.258408]  ffff8803f0533400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258411]  ffff8803f0533480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[13677.258415] ==================================================================
[13677.258418] Disabling lock debugging due to kernel taint

--
Regards,
Johannes
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <BN6PR1201MB0115E7D6A5932AC3A932FA98EA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>]
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
[not found] ` <BN6PR1201MB0115E7D6A5932AC3A932FA98EA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
@ 2018-01-14 20:34 ` Johannes Hirte
2018-01-14 23:22 ` Grodzovsky, Andrey
0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-14 20:34 UTC (permalink / raw)
To: Grodzovsky, Andrey
Cc: Li, Sun peng (Leo), amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
Deucher, Alexander, Luís Mendes, Wentland, Harry, Koenig, Christian

On 2018 Jan 14, Grodzovsky, Andrey wrote:
> To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.
>
> Thanks,
> Andrey
>

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index bb5fa895fb64..bc2050a5a5c6 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c @@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, * synchronization events. */ - if (lock_and_validation_needed) { + if (lock_and_validation_needed || state->legacy_cursor_update == true) { ret = do_aquire_global_lock(dev, state); if (ret)

If this matters, I've applied the patch on top of 4.15-rc7 together with your
"Fix: Save job's priority on it's creation instead of accessing it from s_entity later on."
patch. That one is still not upstream, but without it I see the other
use-after-free.

--
Regards,
Johannes
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply related [flat|nested] 17+ messages in thread
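Review bot: the hunk header `@@ -4802,7 +4802,7 @@` differs from the `@@ -4908,7 +4908,7 @@` of the posted attachment only because the base tree differs (4.15-rc7 plus the job-priority fix rather than the tree the attachment was cut from); the function context `amdgpu_dm_atomic_check`, the `do_aquire_global_lock(dev, state)` call and the replaced condition are identical, so the one-line change sits in the right place. The same nit carries over: `state->legacy_cursor_update == true` should be `state->legacy_cursor_update`. Note for whoever turns this into a real fix that the stray ttm_page_alloc.c header from the attachment is correctly absent here.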
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
2018-01-14 20:34 ` Johannes Hirte
@ 2018-01-14 23:22 ` Grodzovsky, Andrey
[not found] ` <BN6PR1201MB0115FCD51D291D0831F6887BEA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>
0 siblings, 1 reply; 17+ messages in thread
From: Grodzovsky, Andrey @ 2018-01-14 23:22 UTC (permalink / raw)
To: Johannes Hirte
Cc: Li, Sun peng (Leo), amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org,
Deucher, Alexander, Luís Mendes, Wentland, Harry, Koenig, Christian

Thanks, you did it right. I will try to think more about how this happened. Harry, Leo, if you have bandwidth to try and reproduce it, it would help. From the KASAN prints it seems the way to make it more probable to happen is to move the mouse repeatedly during flipping, like video playback; also, maybe trying async flip mode makes it more probable.

Thanks,
Andrey

________________________________________
From: Johannes Hirte <johannes.hirte@datenkhaos.de>
Sent: 14 January 2018 15:34:16
To: Grodzovsky, Andrey
Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org
Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb

On 2018 Jan 14, Grodzovsky, Andrey wrote:
> To be sure it was inserted at the correct place, please send me the output of git diff on your modified branch.
>
> Thanks,
> Andrey
>

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c index bb5fa895fb64..bc2050a5a5c6 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, * synchronization events. */ - if (lock_and_validation_needed) { + if (lock_and_validation_needed || state->legacy_cursor_update == true) { ret = do_aquire_global_lock(dev, state); if (ret)

If this matters, I've applied the patch on top of 4.15-rc7 together with your
"Fix: Save job's priority on it's creation instead of accessing it from s_entity later on."
patch. That one is still not upstream, but without it I see the other
use-after-free.

--
Regards,
Johannes
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

^ permalink raw reply related [flat|nested] 17+ messages in thread
[parent not found: <BN6PR1201MB0115FCD51D291D0831F6887BEA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org>]
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb [not found] ` <BN6PR1201MB0115FCD51D291D0831F6887BEA150-6iU6OBHu2P+5DJ1TLF5OxWrFom/aUZj6nBOFsp37pqbUKgpGm//BTAC/G2K4zDHf@public.gmane.org> @ 2018-01-15 14:58 ` Harry Wentland [not found] ` <fe824e81-6548-5c6e-ae3f-80aaf7ee45a2-5C7GfCeVMHo@public.gmane.org> 0 siblings, 1 reply; 17+ messages in thread From: Harry Wentland @ 2018-01-15 14:58 UTC (permalink / raw) To: Grodzovsky, Andrey, Johannes Hirte Cc: Deucher, Alexander, Li, Sun peng (Leo), Luís Mendes, Koenig, Christian, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org Hey Andrey, been sick for the last few days which is why I wasn't able to follow up on that other email thread. I'm still working from home today so won't be able to give this a spin. Leo, if you got a chance it'd be useful to see if we can repro it. If not I'll try it tomorrow. Harry On 2018-01-14 06:22 PM, Grodzovsky, Andrey wrote: > Thanks, you did it right. I will try to think more how this happened, Harry, Leo, if you have banwidth to try and reproduce it it would help, from Kasan prints it seems the way to make it more probable to happen is to move the mouse repeatedly during flipping like video playback, also maybe trying async flip mode makes it more probable. > > Thanks, > Andrey > > ________________________________________ > From: Johannes Hirte <johannes.hirte@datenkhaos.de> > Sent: 14 January 2018 15:34:16 > To: Grodzovsky, Andrey > Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org > Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb > > On 2018 Jan 14, Grodzovsky, Andrey wrote: >> To be sure it was inserted at the correct place please send me output of git diff on your modified branch. >> >> Thanks, >> Andrey >> > > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > index bb5fa895fb64..bc2050a5a5c6 100644 
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c > @@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, > * synchronization events. > */ > > - if (lock_and_validation_needed) { > + if (lock_and_validation_needed || state->legacy_cursor_update == true) { > > ret = do_aquire_global_lock(dev, state); > if (ret) > > If this matters, I've applied the patch on top of 4.15-rc7 with your > "Fix: Save job's priority on it's creation instead of accessing it from s_entity later on." > patch. This one is still not upstream, but without I see the other > use-after-free > > -- > Regards, > Johannes > _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply [flat|nested] 17+ messages in thread
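Review bot: the `+` line in the `amdgpu_dm_atomic_check` hunk compares a boolean against `true`; `if (lock_and_validation_needed || state->legacy_cursor_update)` says the same thing and matches kernel style, which avoids `== true` / `== false` on bools. The hunk also carries no comment on why a legacy cursor update now has to take the global lock; the context comment above it only mentions "synchronization events", so a one-line comment stating what the lock protects the cursor update against would document the intent for the next reader. Unrelated to this change but visible in the context, `do_aquire_global_lock` misspells "acquire"; that belongs in a separate cleanup patch rather than being folded into this one.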
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  [not found] ` <fe824e81-6548-5c6e-ae3f-80aaf7ee45a2-5C7GfCeVMHo@public.gmane.org>
@ 2018-01-15 16:26 ` Andrey Grodzovsky
  0 siblings, 0 replies; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-15 16:26 UTC (permalink / raw)
To: Harry Wentland, Johannes Hirte
Cc: Deucher, Alexander, Li, Sun peng (Leo), Luís Mendes, Koenig, Christian,
	amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org

Thanks Harry,

P.S. Just spotted the following memory leak in DAL when loading/unloading Xorg - maybe something you also want to take a look at.

unreferenced object 0xffff880059fc0000 (size 24640):
  comm "Xorg", pid 1395, jiffies 4295164722 (age 6699.912s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000e9d80ff>] dc_create_transfer_func+0x1a/0x40 [amdgpu]
    [<000000005a24894c>] fill_stream_properties_from_drm_display_mode+0x25/0x410 [amdgpu]
    [<0000000098c1adc7>] create_stream_for_sink+0x19a/0x790 [amdgpu]
    [<000000000ab720fc>] amdgpu_dm_connector_mode_valid+0xe3/0x4d0 [amdgpu]
    [<000000004a8a0d75>] drm_helper_probe_single_connector_modes+0x811/0xb20 [drm_kms_helper]
    [<00000000d551192f>] drm_mode_getconnector+0x536/0x580 [drm]
    [<00000000d9a8e32d>] drm_ioctl_kernel+0xa7/0xf0 [drm]
    [<00000000f08bfd00>] drm_ioctl+0x3ef/0x490 [drm]
    [<00000000583ca5f6>] amdgpu_drm_ioctl+0x72/0xd0 [amdgpu]
    [<000000003d352ad0>] do_vfs_ioctl+0x11a/0x830
    [<000000008290460f>] SyS_ioctl+0x74/0x80
    [<000000003e42a381>] do_syscall_64+0xe1/0x270
    [<00000000ea5f5530>] return_from_SYSCALL_64+0x0/0x65
    [<00000000941b2638>] 0xffffffffffffffff
unreferenced object 0xffff880059fc8000 (size 24640):
  comm "Xorg", pid 1395, jiffies 4295164722 (age 6699.916s)

On 01/15/2018 09:58 AM, Harry Wentland wrote:
> Hey Andrey,
>
> been sick for the last few days which is why I wasn't able to follow up on that other email thread. I'm still working from home today so won't be able to give this a spin. Leo, if you got a chance it'd be useful to see if we can repro it. If not I'll try it tomorrow.
> > Harry > > On 2018-01-14 06:22 PM, Grodzovsky, Andrey wrote: >> Thanks, you did it right. I will try to think more how this happened, Harry, Leo, if you have banwidth to try and reproduce it it would help, from Kasan prints it seems the way to make it more probable to happen is to move the mouse repeatedly during flipping like video playback, also maybe trying async flip mode makes it more probable. >> >> Thanks, >> Andrey >> >> ________________________________________ >> From: Johannes Hirte <johannes.hirte@datenkhaos.de> >> Sent: 14 January 2018 15:34:16 >> To: Grodzovsky, Andrey >> Cc: Luís Mendes; Deucher, Alexander; Li, Sun peng (Leo); Wentland, Harry; Koenig, Christian; amd-gfx@lists.freedesktop.org >> Subject: Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb >> >> On 2018 Jan 14, Grodzovsky, Andrey wrote: >>> To be sure it was inserted at the correct place please send me output of git diff on your modified branch. >>> >>> Thanks, >>> Andrey >>> >> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c >> index bb5fa895fb64..bc2050a5a5c6 100644 >> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c >> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c 
>> @@ -4802,7 +4802,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev, >> * synchronization events. >> */ >> >> - if (lock_and_validation_needed) { >> + if (lock_and_validation_needed || state->legacy_cursor_update == true) { >> >> ret = do_aquire_global_lock(dev, state); >> if (ret) >> >> If this matters, I've applied the patch on top of 4.15-rc7 with your >> "Fix: Save job's priority on it's creation instead of accessing it from s_entity later on." >> patch. This one is still not upstream, but without I see the other >> use-after-free >> >> -- >> Regards, >> Johannes >> _______________________________________________ amd-gfx mailing list amd-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/amd-gfx ^ permalink raw reply [flat|nested] 17+ messages in thread
* BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-03  8:35 Johannes Hirte
  2018-01-03  9:36 ` Johannes Hirte
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-03 8:35 UTC (permalink / raw)
To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher, Christian König

I still get a use-after-free with linux-4.15-rc6:

[ 16.788943] ==================================================================
[ 16.788968] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x140/0x150
[ 16.788975] Read of size 8 at addr ffff8803dfe4b3c8 by task kworker/0:2/1355

[ 16.788986] CPU: 0 PID: 1355 Comm: kworker/0:2 Not tainted 4.15.0-rc6 #438
[ 16.788990] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[ 16.788998] Workqueue: events amd_sched_job_finish
[ 16.789003] Call Trace:
[ 16.789012] dump_stack+0x99/0x11e
[ 16.789018] ? _atomic_dec_and_lock+0x152/0x152
[ 16.789026] print_address_description+0x65/0x270
[ 16.789032] kasan_report+0x272/0x360
[ 16.789038] ? amdgpu_job_free_cb+0x140/0x150
[ 16.789043] amdgpu_job_free_cb+0x140/0x150
[ 16.789049] amd_sched_job_finish+0x288/0x560
[ 16.789055] ? amd_sched_process_job+0x220/0x220
[ 16.789061] ? __queue_delayed_work+0x211/0x360
[ 16.789067] ? pick_next_task_fair+0xcff/0x10f0
[ 16.789073] ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789077] ? _raw_spin_unlock+0x120/0x120
[ 16.789082] process_one_work+0x84b/0x1600
[ 16.789088] ? tick_nohz_dep_clear_signal+0x20/0x20
[ 16.789093] ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789097] ? _raw_spin_unlock+0x120/0x120
[ 16.789101] ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[ 16.789107] ? compat_start_thread+0x70/0x70
[ 16.789111] ? cyc2ns_read_end+0x20/0x20
[ 16.789117] ? finish_task_switch+0x27d/0x7f0
[ 16.789121] ? wq_worker_waking_up+0xc0/0xc0
[ 16.789127] ? sched_clock_cpu+0x18/0x1e0
[ 16.789133] ? task_change_group_fair+0x7e0/0x7e0
[ 16.789139] ? pci_mmcfg_check_reserved+0x100/0x100
[ 16.789143] ? load_balance+0x3120/0x3120
[ 16.789148] ? perf_event_exit_task+0x91f/0xe20
[ 16.789156] ? schedule+0xfb/0x3b0
[ 16.789160] ? __schedule+0x19b0/0x19b0
[ 16.789165] ? _raw_spin_unlock_irq+0xb9/0x120
[ 16.789169] ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789172] ? _raw_spin_unlock+0x120/0x120
[ 16.789177] worker_thread+0x211/0x1790
[ 16.789184] ? pick_next_task_fair+0x97d/0x10f0
[ 16.789188] ? trace_event_raw_event_workqueue_work+0x170/0x170
[ 16.789194] ? tick_nohz_dep_clear_signal+0x20/0x20
[ 16.789199] ? _raw_spin_unlock_irq+0xbe/0x120
[ 16.789202] ? _raw_spin_unlock+0x120/0x120
[ 16.789207] ? compat_start_thread+0x70/0x70
[ 16.789212] ? finish_task_switch+0x27d/0x7f0
[ 16.789217] ? sched_clock_cpu+0x18/0x1e0
[ 16.789223] ? ret_from_fork+0x1f/0x30
[ 16.789228] ? pci_mmcfg_check_reserved+0x100/0x100
[ 16.789233] ? get_task_cred+0x210/0x210
[ 16.789238] ? cyc2ns_read_end+0x20/0x20
[ 16.789245] ? schedule+0xfb/0x3b0
[ 16.789249] ? __schedule+0x19b0/0x19b0
[ 16.789254] ? remove_wait_queue+0x2b0/0x2b0
[ 16.789258] ? arch_vtime_task_switch+0xee/0x190
[ 16.789263] ? _raw_spin_unlock_irqrestore+0xc2/0x130
[ 16.789267] ? _raw_spin_unlock_irq+0x120/0x120
[ 16.789273] ? trace_event_raw_event_workqueue_work+0x170/0x170
[ 16.789277] kthread+0x2d4/0x390
[ 16.789282] ? kthread_create_worker+0xd0/0xd0
[ 16.789286] ? umh_complete+0x60/0x60
[ 16.789290] ret_from_fork+0x1f/0x30

[ 16.789298] Allocated by task 2385:
[ 16.789304] kasan_kmalloc+0xa0/0xd0
[ 16.789309] kmem_cache_alloc_trace+0xd1/0x1e0
[ 16.789314] amdgpu_driver_open_kms+0x12b/0x4d0
[ 16.789320] drm_open+0x7c3/0x1100
[ 16.789324] drm_stub_open+0x2a8/0x400
[ 16.789329] chrdev_open+0x1eb/0x5a0
[ 16.789333] do_dentry_open+0x5a1/0xc50
[ 16.789337] path_openat+0x11d3/0x4e90
[ 16.789341] do_filp_open+0x239/0x3c0
[ 16.789344] do_sys_open+0x402/0x630
[ 16.789349] do_syscall_64+0x220/0x670
[ 16.789353] return_from_SYSCALL_64+0x0/0x65

[ 16.789357] Freed by task 2541:
[ 16.789362] kasan_slab_free+0x71/0xc0
[ 16.789365] kfree+0x88/0x1b0
[ 16.789369] amdgpu_driver_postclose_kms+0x469/0x860
[ 16.789373] drm_release+0x8a8/0x1180
[ 16.789377] __fput+0x2ab/0x730
[ 16.789380] task_work_run+0x14b/0x200
[ 16.789384] exit_to_usermode_loop+0x151/0x180
[ 16.789387] do_syscall_64+0x4ed/0x670
[ 16.789391] return_from_SYSCALL_64+0x0/0x65

[ 16.789397] The buggy address belongs to the object at ffff8803dfe4b300
[ 16.789403] The buggy address is located 200 bytes inside of
[ 16.789406] The buggy address belongs to the page:
[ 16.789413] page:000000004ccd276f count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 16.789421] flags: 0x2000000000008100(slab|head)
[ 16.789428] raw: 2000000000008100 0000000000000000 0000000000000000 00000001000f000f
[ 16.789433] raw: dead000000000100 dead000000000200 ffff8803f3002a80 0000000000000000
[ 16.789436] page dumped because: kasan: bad access detected

[ 16.789441] Memory state around the buggy address:
[ 16.789445] ffff8803dfe4b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 16.789449] ffff8803dfe4b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789452] >ffff8803dfe4b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789455] ^
[ 16.789458] ffff8803dfe4b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789462] ffff8803dfe4b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 16.789465] ==================================================================
[ 16.789468] Disabling lock debugging due to kernel taint

This should be fixed already with
https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
but it's still missing upstream.

--
Regards,
Johannes
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-03  8:35 Johannes Hirte
@ 2018-01-03  9:36 ` Johannes Hirte
  2018-01-09 14:44 ` Johannes Hirte
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-03 9:36 UTC (permalink / raw)
To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher, Christian König

On 2018 Jan 03, Johannes Hirte wrote:
> This should be fixed already with
> https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
> but it's still missing upstream.
>

With this patch, the use-after-free in amdgpu_job_free_cb seems to be
gone. But now I get a use-after-free in
drm_atomic_helper_wait_for_flip_done:

[89387.069387] ==================================================================
[89387.069407] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[89387.069413] Read of size 8 at addr ffff880124df0688 by task kworker/u8:3/31426

[89387.069423] CPU: 1 PID: 31426 Comm: kworker/u8:3 Not tainted 4.15.0-rc6-00001-ge0895ba8d88e #442
[89387.069427] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
[89387.069435] Workqueue: events_unbound commit_work
[89387.069440] Call Trace:
[89387.069448] dump_stack+0x99/0x11e
[89387.069453] ? _atomic_dec_and_lock+0x152/0x152
[89387.069460] print_address_description+0x65/0x270
[89387.069465] kasan_report+0x272/0x360
[89387.069470] ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[89387.069475] drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[89387.069483] amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[89387.069492] ? dm_crtc_duplicate_state+0x130/0x130
[89387.069498] ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[89387.069504] commit_tail+0x92/0xe0
[89387.069511] process_one_work+0x84b/0x1600
[89387.069517] ? tick_nohz_dep_clear_signal+0x20/0x20
[89387.069522] ? _raw_spin_unlock_irq+0xbe/0x120
[89387.069525] ? _raw_spin_unlock+0x120/0x120
[89387.069529] ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[89387.069534] ? arch_vtime_task_switch+0xee/0x190
[89387.069539] ? finish_task_switch+0x27d/0x7f0
[89387.069542] ? wq_worker_waking_up+0xc0/0xc0
[89387.069547] ? copy_overflow+0x20/0x20
[89387.069550] ? sched_clock_cpu+0x18/0x1e0
[89387.069558] ? pci_mmcfg_check_reserved+0x100/0x100
[89387.069562] ? pci_mmcfg_check_reserved+0x100/0x100
[89387.069569] ? schedule+0xfb/0x3b0
[89387.069574] ? __schedule+0x19b0/0x19b0
[89387.069578] ? _raw_spin_unlock_irq+0xb9/0x120
[89387.069582] ? _raw_spin_unlock_irq+0xbe/0x120
[89387.069585] ? _raw_spin_unlock+0x120/0x120
[89387.069590] worker_thread+0x211/0x1790
[89387.069597] ? pick_next_task_fair+0x313/0x10f0
[89387.069601] ? trace_event_raw_event_workqueue_work+0x170/0x170
[89387.069606] ? __read_once_size_nocheck.constprop.6+0x10/0x10
[89387.069612] ? tick_nohz_dep_clear_signal+0x20/0x20
[89387.069616] ? account_idle_time+0x94/0x1f0
[89387.069620] ? _raw_spin_unlock_irq+0xbe/0x120
[89387.069623] ? _raw_spin_unlock+0x120/0x120
[89387.069628] ? finish_task_switch+0x27d/0x7f0
[89387.069633] ? sched_clock_cpu+0x18/0x1e0
[89387.069639] ? ret_from_fork+0x1f/0x30
[89387.069644] ? pci_mmcfg_check_reserved+0x100/0x100
[89387.069650] ? cyc2ns_read_end+0x20/0x20
[89387.069657] ? schedule+0xfb/0x3b0
[89387.069662] ? __schedule+0x19b0/0x19b0
[89387.069666] ? remove_wait_queue+0x2b0/0x2b0
[89387.069670] ? arch_vtime_task_switch+0xee/0x190
[89387.069675] ? _raw_spin_unlock_irqrestore+0xc2/0x130
[89387.069679] ? _raw_spin_unlock_irq+0x120/0x120
[89387.069683] ? trace_event_raw_event_workqueue_work+0x170/0x170
[89387.069688] kthread+0x2d4/0x390
[89387.069693] ? kthread_create_worker+0xd0/0xd0
[89387.069697] ret_from_fork+0x1f/0x30

[89387.069705] Allocated by task 2387:
[89387.069712] kasan_kmalloc+0xa0/0xd0
[89387.069717] kmem_cache_alloc_trace+0xd1/0x1e0
[89387.069722] dm_crtc_duplicate_state+0x73/0x130
[89387.069726] drm_atomic_get_crtc_state+0x13c/0x400
[89387.069730] page_flip_common+0x52/0x230
[89387.069734] drm_atomic_helper_page_flip+0xa1/0x100
[89387.069739] drm_mode_page_flip_ioctl+0xc10/0x1030
[89387.069744] drm_ioctl_kernel+0x1b5/0x2c0
[89387.069748] drm_ioctl+0x709/0xa00
[89387.069752] amdgpu_drm_ioctl+0x118/0x280
[89387.069756] do_vfs_ioctl+0x18a/0x1260
[89387.069760] SyS_ioctl+0x6f/0x80
[89387.069764] do_syscall_64+0x220/0x670
[89387.069768] return_from_SYSCALL_64+0x0/0x65

[89387.069772] Freed by task 2533:
[89387.069776] kasan_slab_free+0x71/0xc0
[89387.069780] kfree+0x88/0x1b0
[89387.069784] drm_atomic_state_default_clear+0x2c8/0xa00
[89387.069787] __drm_atomic_state_free+0x30/0xd0
[89387.069791] drm_atomic_helper_update_plane+0xb6/0x350
[89387.069794] __setplane_internal+0x5b4/0x9d0
[89387.069798] drm_mode_cursor_universal+0x412/0xc60
[89387.069801] drm_mode_cursor_common+0x4b6/0x890
[89387.069805] drm_mode_cursor_ioctl+0xd3/0x120
[89387.069809] drm_ioctl_kernel+0x1b5/0x2c0
[89387.069813] drm_ioctl+0x709/0xa00
[89387.069816] amdgpu_drm_ioctl+0x118/0x280
[89387.069819] do_vfs_ioctl+0x18a/0x1260
[89387.069822] SyS_ioctl+0x6f/0x80
[89387.069824] do_syscall_64+0x220/0x670
[89387.069828] return_from_SYSCALL_64+0x0/0x65

[89387.069834] The buggy address belongs to the object at ffff880124df0480
[89387.069839] The buggy address is located 520 bytes inside of
[89387.069843] The buggy address belongs to the page:
[89387.069849] page:00000000b20cc097 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[89387.069856] flags: 0x2000000000008100(slab|head)
[89387.069862] raw: 2000000000008100 0000000000000000 0000000000000000 00000001801c001c
[89387.069867] raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
[89387.069869] page dumped because: kasan: bad access detected

[89387.069874] Memory state around the buggy address:
[89387.069878] ffff880124df0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069881] ffff880124df0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069885] >ffff880124df0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069888] ^
[89387.069891] ffff880124df0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069895] ffff880124df0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[89387.069897] ==================================================================

--
Regards,
Johannes
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-03  9:36 ` Johannes Hirte
@ 2018-01-09 14:44 ` Johannes Hirte
  2018-01-10 21:25 ` Andrey Grodzovsky
  0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-09 14:44 UTC (permalink / raw)
To: amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher, Christian König

On 2018 Jan 03, Johannes Hirte wrote:
> On 2018 Jan 03, Johannes Hirte wrote:
> > This should be fixed already with
> > https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
> > but it's still missing upstream.
> >
>
> With this patch, the use-after-free in amdgpu_job_free_cb seems to be
> gone. But now I get a use-after-free in
> drm_atomic_helper_wait_for_flip_done:
>
> [89387.069387] ==================================================================
> [89387.069407] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
> [89387.069413] Read of size 8 at addr ffff880124df0688 by task kworker/u8:3/31426
> [...]
> [89387.069897] ==================================================================
>

ping? There are two different use-after-frees in kernel code and nobody
cares?

--
Regards,
Johannes
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
  2018-01-09 14:44 ` Johannes Hirte
@ 2018-01-10 21:25 ` Andrey Grodzovsky
  [not found] ` <b30d8818-727e-906b-9203-47a5a5b03605-5C7GfCeVMHo@public.gmane.org>
  0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-10 21:25 UTC (permalink / raw)
To: Johannes Hirte, amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW, Alex Deucher,
	Christian König, Harry Wentland, Li, Sun peng, Koenig, Christian

On 01/09/2018 09:44 AM, Johannes Hirte wrote:
> On 2018 Jan 03, Johannes Hirte wrote:
>> On 2018 Jan 03, Johannes Hirte wrote:
>>> This should be fixed already with
>>> https://lists.freedesktop.org/archives/amd-gfx/2017-October/014932.html
>>> but it's still missing upstream.
>>>
>> With this patch, the use-after-free in amdgpu_job_free_cb seems to be
>> gone. But now I get a use-after-free in
>> drm_atomic_helper_wait_for_flip_done:
>>
>> [89387.069387] ==================================================================
>> [89387.069407] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
>> [89387.069413] Read of size 8 at addr ffff880124df0688 by task kworker/u8:3/31426
>> [...]
>> [89387.069897] ==================================================================
>>
> ping? There are two different use-after-frees in kernel code and nobody
> cares?

+ Harry and Leo

Hi, is there a particular scenario when this happens? Can you add dmesg with
echo 0x10 > /sys/module/drm/parameters/debug?

From a quick look it looks like a bad refcount over the old crtc state:
drm_atomic_state_put in __setplane_internal will cause CRTC state release
from drm_atomic_state_put instead of just decrementing the refcount as it is
supposed to, since drm_atomic_commit called from __setplane_internal should've
attached those states to CRTC objects. I would trace the refcounts to verify
this.

Thanks,
Andrey
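Andrey's hypothesis above is an ownership question: after a commit the new CRTC state should belong to the CRTC object, so the ioctl's drm_atomic_state_put should only release the transaction wrapper, while the deferred commit worker still reads the state through the CRTC. The following C is an added teaching model written for this page, not DRM or amdgpu code; `crtc_state`, `atomic_txn`, `commit_swap`, `txn_clear` and `run_scenario` are constructed names, and a poison marker stands in for freeing so the stale read in the worker is observable. It runs the same sequence as the KASAN report (ioctl commits, ioctl drops its transaction, the worker reads afterwards) once with ownership transferred on swap and once without.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not drivers/gpu/drm code: a state object is marked
 * live while owned and poisoned (instead of free()d) on release, so a
 * later stale read is detectable the way KASAN flags one. */
#define LIVE_MAGIC   0x5a5a1234u
#define POISON_MAGIC 0xdeadbeefu

struct crtc_state {
    unsigned int magic;   /* LIVE_MAGIC while owned, POISON_MAGIC after release */
    int flip_done;        /* the field the deferred commit worker reads */
};

struct crtc {
    struct crtc_state *state;   /* current state, owned by the CRTC object */
};

/* Stand-in for the atomic transaction (struct drm_atomic_state in DRM). */
struct atomic_txn {
    struct crtc_state *crtc_state;   /* owned by the transaction until swapped */
};

static struct crtc_state *crtc_state_new(int flip_done)
{
    struct crtc_state *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    s->magic = LIVE_MAGIC;
    s->flip_done = flip_done;
    return s;
}

/* Release: poison rather than free so the scenario can still inspect it. */
static void crtc_state_release(struct crtc_state *s)
{
    s->magic = POISON_MAGIC;
}

/* Commit swap. With transfer_ownership the CRTC takes the new state and the
 * transaction is left holding only the old one (which it may then release);
 * without it the transaction still points at the state the CRTC now uses. */
static void commit_swap(struct crtc *c, struct atomic_txn *t, bool transfer_ownership)
{
    struct crtc_state *old = c->state;

    c->state = t->crtc_state;
    if (transfer_ownership)
        t->crtc_state = old;
}

/* Analogue of drm_atomic_state_default_clear: drop what the transaction still owns. */
static void txn_clear(struct atomic_txn *t)
{
    if (t->crtc_state) {
        crtc_state_release(t->crtc_state);
        t->crtc_state = NULL;
    }
}

/* The deferred worker's read. Returns flip_done, or -1 if the object is stale. */
static int wait_for_flip_done(const struct crtc *c)
{
    if (c->state->magic != LIVE_MAGIC)
        return -1;
    return c->state->flip_done;
}

/* Sequence from the report: an ioctl commits, drops its transaction, and the
 * unbound worker reads the CRTC state afterwards. Returns 1 when the worker
 * saw a live state and -1 when it hit a released one. */
int run_scenario(bool correct_swap)
{
    struct crtc crtc = { .state = crtc_state_new(0) };
    struct crtc_state *initial = crtc.state;
    struct atomic_txn txn = { .crtc_state = crtc_state_new(1) };
    int result;

    commit_swap(&crtc, &txn, correct_swap);
    txn_clear(&txn);                       /* ioctl path: drm_atomic_state_put */
    result = wait_for_flip_done(&crtc);    /* commit_work, possibly much later */

    free(initial);
    free(crtc.state);
    return result;
}

int main(void)
{
    printf("ownership transferred on swap: %d\n", run_scenario(true));
    printf("ownership not transferred:     %d\n", run_scenario(false));
    return 0;
}
```

The point of the model is that the freeing site in the report (drm_atomic_state_default_clear reached from the cursor ioctl) is the right place to free whatever the transaction still owns; the defect, if Andrey's reading is correct, is in what the transaction was left owning after the swap, which is why tracing the refcount and ownership hand-off rather than the free itself is the useful next step.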
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-11 22:55 Johannes Hirte
[not found] ` <b30d8818-727e-906b-9203-47a5a5b03605-5C7GfCeVMHo@public.gmane.org>
0 siblings, 1 reply; 17+ messages in thread
From: Johannes Hirte @ 2018-01-11 22:55 UTC (permalink / raw)
To: Andrey Grodzovsky
Cc: Alex Deucher, Li, Sun peng, Harry Wentland, Christian König,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

On 2018 Jan 10, Andrey Grodzovsky wrote:
>
> Hi, is there a particular scenario when this happens,

Unfortunately no, I am still searching for a reproducer. Sometimes it takes
several days until the next use-after-free.

> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?

I assume you want the debug output when a use-after-free happened. Here
it is:

Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000009b693a40 state to 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000fd68d0e6 state to 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000009b693a40 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000009b693a40
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000a67d7f62
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000bef4ac0a state to 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000487e5e13 state to 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000bef4ac0a to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000bef4ac0a
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000aff36e64
Jan 11 23:21:33 probook kernel: ==================================================================
Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: CPU: 2 PID: 18738 Comm: kworker/u8:6 Not tainted 4.15.0-rc7-00001-gd24b113b5c00 #444
Jan 11 23:21:33 probook kernel: Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 10/12/2017
Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
Jan 11 23:21:33 probook kernel: Call Trace:
Jan 11 23:21:33 probook kernel: dump_stack+0x99/0x11e
Jan 11 23:21:33 probook kernel: ? _atomic_dec_and_lock+0x152/0x152
Jan 11 23:21:33 probook kernel: print_address_description+0x65/0x270
Jan 11 23:21:33 probook kernel: kasan_report+0x272/0x360
Jan 11 23:21:33 probook kernel: ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
Jan 11 23:21:33 probook kernel: ? dm_crtc_duplicate_state+0x130/0x130
Jan 11 23:21:33 probook kernel: ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
Jan 11 23:21:33 probook kernel: commit_tail+0x92/0xe0
Jan 11 23:21:33 probook kernel: process_one_work+0x84b/0x1600
Jan 11 23:21:33 probook kernel: ? tick_nohz_dep_clear_signal+0x20/0x20
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel: ? pwq_dec_nr_in_flight+0x3c0/0x3c0
Jan 11 23:21:33 probook kernel: ? arch_vtime_task_switch+0xee/0x190
Jan 11 23:21:33 probook kernel: ? finish_task_switch+0x27d/0x7f0
Jan 11 23:21:33 probook kernel: ? wq_worker_waking_up+0xc0/0xc0
Jan 11 23:21:33 probook kernel: ? copy_overflow+0x20/0x20
Jan 11 23:21:33 probook kernel: ? sched_clock_cpu+0x18/0x1e0
Jan 11 23:21:33 probook kernel: ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel: ? preempt_schedule_irq+0x4e/0xb0
Jan 11 23:21:33 probook kernel: ? schedule+0xfb/0x3b0
Jan 11 23:21:33 probook kernel: ? __schedule+0x19b0/0x19b0
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xb9/0x120
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel: worker_thread+0x211/0x1790
Jan 11 23:21:33 probook kernel: ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel: ? vtime_guest_exit+0xe0/0xe0
Jan 11 23:21:33 probook kernel: ? tick_nohz_dep_clear_signal+0x20/0x20
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0xbe/0x120
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock+0x120/0x120
Jan 11 23:21:33 probook kernel: ? finish_task_switch+0x27d/0x7f0
Jan 11 23:21:33 probook kernel: ? sched_clock_cpu+0x18/0x1e0
Jan 11 23:21:33 probook kernel: ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel: ? pci_mmcfg_check_reserved+0x100/0x100
Jan 11 23:21:33 probook kernel: ? cyc2ns_read_end+0x20/0x20
Jan 11 23:21:33 probook kernel: ? schedule+0xfb/0x3b0
Jan 11 23:21:33 probook kernel: ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel: ? __schedule+0x19b0/0x19b0
Jan 11 23:21:33 probook kernel: ? ___preempt_schedule+0x16/0x18
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irqrestore+0xfe/0x130
Jan 11 23:21:33 probook kernel: ? _raw_spin_unlock_irq+0x120/0x120
Jan 11 23:21:33 probook kernel: ? trace_event_raw_event_workqueue_work+0x170/0x170
Jan 11 23:21:33 probook kernel: kthread+0x2d4/0x390
Jan 11 23:21:33 probook kernel: ? kthread_create_worker+0xd0/0xd0
Jan 11 23:21:33 probook kernel: ret_from_fork+0x1f/0x30
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: Allocated by task 2408:
Jan 11 23:21:33 probook kernel: kasan_kmalloc+0xa0/0xd0
Jan 11 23:21:33 probook kernel: kmem_cache_alloc_trace+0xd1/0x1e0
Jan 11 23:21:33 probook kernel: dm_crtc_duplicate_state+0x73/0x130
Jan 11 23:21:33 probook kernel: drm_atomic_get_crtc_state+0x13c/0x400
Jan 11 23:21:33 probook kernel: page_flip_common+0x52/0x230
Jan 11 23:21:33 probook kernel: drm_atomic_helper_page_flip+0xa1/0x100
Jan 11 23:21:33 probook kernel: drm_mode_page_flip_ioctl+0xc10/0x1030
Jan 11 23:21:33 probook kernel: drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel: drm_ioctl+0x709/0xa00
Jan 11 23:21:33 probook kernel: amdgpu_drm_ioctl+0x118/0x280
Jan 11 23:21:33 probook kernel: do_vfs_ioctl+0x18a/0x1260
Jan 11 23:21:33 probook kernel: SyS_ioctl+0x6f/0x80
Jan 11 23:21:33 probook kernel: do_syscall_64+0x220/0x670
Jan 11 23:21:33 probook kernel: return_from_SYSCALL_64+0x0/0x65
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: Freed by task 2531:
Jan 11 23:21:33 probook kernel: kasan_slab_free+0x71/0xc0
Jan 11 23:21:33 probook kernel: kfree+0x88/0x1b0
Jan 11 23:21:33 probook kernel: drm_atomic_state_default_clear+0x2c8/0xa00
Jan 11 23:21:33 probook kernel: __drm_atomic_state_free+0x30/0xd0
Jan 11 23:21:33 probook kernel: drm_atomic_helper_update_plane+0xb6/0x350
Jan 11 23:21:33 probook kernel: __setplane_internal+0x5b4/0x9d0
Jan 11 23:21:33 probook kernel: drm_mode_cursor_universal+0x412/0xc60
Jan 11 23:21:33 probook kernel: drm_mode_cursor_common+0x4b6/0x890
Jan 11 23:21:33 probook kernel: drm_mode_cursor_ioctl+0xd3/0x120
Jan 11 23:21:33 probook kernel: drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel: drm_ioctl+0x709/0xa00
Jan 11 23:21:33 probook kernel: amdgpu_drm_ioctl+0x118/0x280
Jan 11 23:21:33 probook kernel: do_vfs_ioctl+0x18a/0x1260
Jan 11 23:21:33 probook kernel: SyS_ioctl+0x6f/0x80
Jan 11 23:21:33 probook kernel: do_syscall_64+0x220/0x670
Jan 11 23:21:33 probook kernel: return_from_SYSCALL_64+0x0/0x65
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
Jan 11 23:21:33 probook kernel: The buggy address is located 520 bytes inside of
Jan 11 23:21:33 probook kernel: The buggy address belongs to the page:
Jan 11 23:21:33 probook kernel: page:ffffea0007808200 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
Jan 11 23:21:33 probook kernel: flags: 0x2000000000008100(slab|head)
Jan 11 23:21:33 probook kernel: raw: 2000000000008100 0000000000000000 0000000000000000 00000001001c001c
Jan 11 23:21:33 probook kernel: raw: dead000000000100 dead000000000200 ffff8803f3002c40 0000000000000000
Jan 11 23:21:33 probook kernel: page dumped because: kasan: bad access detected
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: Memory state around the buggy address:
Jan 11 23:21:33 probook kernel: ffff8801e020d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: ffff8801e020d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: ^
Jan 11 23:21:33 probook kernel: ffff8801e020d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: ffff8801e020d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Jan 11 23:21:33 probook kernel: ==================================================================
Jan 11 23:21:33 probook kernel: Disabling lock debugging due to kernel taint
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 00000000c33882cc state to 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000001d7e9fe state to 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 00000000c33882cc to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 00000000c33882cc
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000c428f190
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000021b4ca12 state to 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 0000000005eaf319 state to 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000021b4ca12 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000021b4ca12
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000008beb2208
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 000000005030c62c
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000005e0d9d34 state to 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000ca793baf state to 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000005e0d9d34 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000005e0d9d34
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 0000000004ea9707
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 000000002a6fa7ba state to 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 000000008cb98e24 state to 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 000000002a6fa7ba to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 000000002a6fa7ba
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000978683e0
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 000000005030c62c
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_init] Allocated atomic state 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_plane_state] Added [PLANE:40:plane-4] 0000000062e99415 state to 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_get_crtc_state] Added [CRTC:41:crtc-0] 00000000460cd934 state to 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_crtc_for_plane] Link plane state 0000000062e99415 to [CRTC:41:crtc-0]
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_set_fb_for_plane] Set [FB:48] for plane state 0000000062e99415
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_check_only] checking 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_commit] committing 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:drm_atomic_state_default_clear] Clearing atomic state 00000000b8b1a194
Jan 11 23:21:33 probook kernel: [drm:__drm_atomic_state_free] Freeing atomic state 00000000b8b1a194

--
Regards,
Johannes
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-12 4:30 Andrey Grodzovsky
[not found] ` <2d0470e3-2d9c-0139-1bd4-493d97e419eb-5C7GfCeVMHo@public.gmane.org>
0 siblings, 1 reply; 17+ messages in thread
From: Andrey Grodzovsky @ 2018-01-12 4:30 UTC (permalink / raw)
To: Johannes Hirte
Cc: Alex Deucher, Li, Sun peng, Harry Wentland, Christian König,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

Thanks for the dmesg, unfortunately nothing suspicious from there.

Looking again at KASAN it hints at a race between cursor update and the
non-blocking part of flip with regard to accessing CRTC states, maybe cursor
update is not properly synchronized against a flip in flight on same CRTC...

P.S. What is your setup? How many displays?

Thanks,
Andrey

On 01/11/2018 05:55 PM, Johannes Hirte wrote:
> On 2018 Jan 10, Andrey Grodzovsky wrote:
>> Hi, is there a particular scenario when this happens,
> Unfortunately no, I am still searching for a reproducer. Sometimes it takes
> several days until the next use-after-free.
>
>> can you add dmesg with echo 0x10 > /sys/module/drm/parameters/debug?
> I assume you want the debug output when a use-after-free happened. Here
> it is:
>
> [...]
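Reading the report the way Andrey does above (which context allocated the CRTC state, which one freed it, and which one touched it afterwards) is mechanical enough to script. What follows is an added example, not code from this thread, the kernel or amdgpu: a small Python parser that pulls those facts out of a KASAN report and runs over a trimmed inline copy of the report Johannes posted. The helper names (parse_kasan, triage, ioctl_entry) and the ioctl_entry heuristic (the frame just below drm_ioctl_kernel is the DRM ioctl handler on that path) are my own choices; the shadow-byte meanings are those of mm/kasan/kasan.h in 4.x kernels.

```python
"""Triage helper for KASAN reports (added example; not kernel or amdgpu code)."""
import re
from dataclasses import dataclass, field

# Shadow-byte values from mm/kasan/kasan.h in 4.x kernels.
SHADOW = {"00": "addressable", "fa": "global redzone", "fb": "freed kmalloc object",
          "fc": "kmalloc redzone", "fe": "page redzone", "ff": "freed page"}

_SYSLOG = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s?")  # "Jan 11 23:21:33 probook kernel: "
_BUG = re.compile(r"BUG: KASAN: \S+ in (\S+)")
_ACCESS = re.compile(r"at addr ([0-9a-f]+) by task \S+/(\d+)")
_WQ = re.compile(r"Workqueue: \S+ (\S+)")
_ALLOC = re.compile(r"Allocated by task (\d+):")
_FREE = re.compile(r"Freed by task (\d+):")
_OBJ = re.compile(r"belongs to the object at ([0-9a-f]+)")
_ROW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})$")  # the shadow row marked with '>'

@dataclass
class Report:
    site: str = ""          # function that performed the bad access
    addr: int = 0
    pid: str = ""           # task that performed the bad access
    workqueue: str = ""     # work function, if the access came from a kworker
    alloc_pid: str = ""
    free_pid: str = ""
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    obj_base: int = 0
    shadow: str = ""        # shadow byte covering addr

def frame_name(frame: str) -> str:
    """'? foo+0x12/0x34' -> 'foo'; '?' marks a frame the unwinder is unsure about."""
    return frame.lstrip("? ").split("+", 1)[0]

def parse_kasan(lines) -> Report:
    rep, section = Report(), None
    for raw in lines:
        line = _SYSLOG.sub("", raw).strip()
        if not line:                       # a blank line closes a stack section
            section = None
        elif m := _BUG.search(line):
            rep.site = frame_name(m.group(1))
        elif m := _ACCESS.search(line):
            rep.addr, rep.pid = int(m.group(1), 16), m.group(2)
        elif m := _WQ.search(line):
            rep.workqueue = m.group(1)
        elif m := _ALLOC.search(line):
            rep.alloc_pid, section = m.group(1), rep.alloc_stack
        elif m := _FREE.search(line):
            rep.free_pid, section = m.group(1), rep.free_stack
        elif m := _OBJ.search(line):
            rep.obj_base = int(m.group(1), 16)
        elif m := _ROW.match(line):
            idx = (rep.addr - int(m.group(1), 16)) // 8   # one shadow byte per 8 bytes
            if 0 <= idx < 16:
                rep.shadow = m.group(2).split()[idx]
        elif section is not None:
            section.append(frame_name(line))
    return rep

def ioctl_entry(stack):
    """Frame that drm_ioctl_kernel dispatched to, i.e. the DRM ioctl handler."""
    for i, name in enumerate(stack):
        if name == "drm_ioctl_kernel" and i > 0:
            return stack[i - 1]
    return None

def triage(rep: Report) -> dict:
    """Freed memory or not, where in the object, and how many contexts touched it."""
    return {
        "site": rep.site,
        "shadow": SHADOW.get(rep.shadow, "unknown"),
        "object_offset": rep.addr - rep.obj_base,
        "alloc_entry": ioctl_entry(rep.alloc_stack),
        "free_entry": ioctl_entry(rep.free_stack),
        "access_context": rep.workqueue or f"pid {rep.pid}",
        "distinct_contexts": len({rep.pid, rep.alloc_pid, rep.free_pid}),
    }

# Constructed input: a trimmed copy of the report quoted earlier in this thread.
SAMPLE = """\
Jan 11 23:21:33 probook kernel: BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x24f/0x270
Jan 11 23:21:33 probook kernel: Read of size 8 at addr ffff8801e020d788 by task kworker/u8:6/18738
Jan 11 23:21:33 probook kernel: Workqueue: events_unbound commit_work
Jan 11 23:21:33 probook kernel: Allocated by task 2408:
Jan 11 23:21:33 probook kernel: kasan_kmalloc+0xa0/0xd0
Jan 11 23:21:33 probook kernel: dm_crtc_duplicate_state+0x73/0x130
Jan 11 23:21:33 probook kernel: drm_mode_page_flip_ioctl+0xc10/0x1030
Jan 11 23:21:33 probook kernel: drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel: Freed by task 2531:
Jan 11 23:21:33 probook kernel: kfree+0x88/0x1b0
Jan 11 23:21:33 probook kernel: drm_atomic_state_default_clear+0x2c8/0xa00
Jan 11 23:21:33 probook kernel: drm_mode_cursor_ioctl+0xd3/0x120
Jan 11 23:21:33 probook kernel: drm_ioctl_kernel+0x1b5/0x2c0
Jan 11 23:21:33 probook kernel:
Jan 11 23:21:33 probook kernel: The buggy address belongs to the object at ffff8801e020d580
Jan 11 23:21:33 probook kernel: >ffff8801e020d780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
""".splitlines()

REPORT = parse_kasan(SAMPLE)
```

Run on the sample, triage(REPORT) reports the access site drm_atomic_helper_wait_for_flip_done, a shadow byte of fb (a freed kmalloc object, which is what makes this a use-after-free rather than an out-of-bounds read), an offset of 520 bytes into the object (matching the "520 bytes inside of" line KASAN printed), allocation under drm_mode_page_flip_ioctl, free under drm_mode_cursor_ioctl, and the access itself from the commit_work worker: three distinct contexts on one object, which is the race Andrey describes. The per-byte shadow lookup is what lets the script tell a freed object apart from a redzone hit without a human eyeballing the memory-state dump.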
* Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb
@ 2018-01-12 8:54 Johannes Hirte
0 siblings, 0 replies; 17+ messages in thread
From: Johannes Hirte @ 2018-01-12 8:54 UTC (permalink / raw)
To: Andrey Grodzovsky
Cc: Alex Deucher, Li, Sun peng, Harry Wentland, Christian König,
amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW

On 2018 Jan 11, Andrey Grodzovsky wrote:
> Thanks for the dmesg, unfortunately nothing suspicious from there.
>
> Looking again at KASAN it hints at a race between cursor update and the
> non-blocking part of flip with regard to accessing CRTC states, maybe cursor
> update is not properly synchronized against a flip in flight on same CRTC...
>
> P.S. What is your setup? How many displays?
>

It's a Carrizo A10-8700B R6 with 16G RAM, 512M assigned to the graphics card.
Only the laptop display (1920x1080) is connected via eDP, so nothing special.

--
Regards,
Johannes