From: bugzilla-daemon@bugzilla.kernel.org
To: dri-devel@lists.freedesktop.org
Subject: [Bug 198985] New: BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
Date: Sat, 03 Mar 2018 14:53:58 +0000
Message-ID: <bug-198985-2300@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=198985

            Bug ID: 198985
           Summary: BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
           Product: Drivers
           Version: 2.5
    Kernel Version: 4.15.7
          Hardware: x86-64
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Video(DRI - non Intel)
          Assignee: drivers_video-dri@kernel-bugs.osdl.org
          Reporter: fredrik@planet-express.se
        Regression: No
I've hit a bunch of complete & partial lockups with 4.15. I finally built a KASAN kernel and caught this:
[50772.217692] ==================================================================
[50772.217773] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.217776] Read of size 8 at addr ffff880ccf431a48 by task kworker/7:1/112

[50772.217781] CPU: 7 PID: 112 Comm: kworker/7:1 Not tainted 4.15.7 #18
[50772.217782] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 3803 01/22/2018
[50772.217861] Workqueue: events amd_sched_job_finish [amdgpu]
[50772.217863] Call Trace:
[50772.217869]  dump_stack+0x46/0x5a
[50772.217874]  print_address_description+0x82/0x2c0
[50772.217878]  kasan_report+0x289/0x380
[50772.217973]  ? amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.218047]  amdgpu_job_free_cb+0x26/0xb0 [amdgpu]
[50772.218052]  process_one_work+0x3cd/0x660
[50772.218055]  worker_thread+0x81/0x7b0
[50772.218058]  ? create_worker+0x2a0/0x2a0
[50772.218060]  kthread+0x1ae/0x1d0
[50772.218062]  ? kthread_create_worker+0xd0/0xd0
[50772.218065]  ret_from_fork+0x22/0x40

[50772.218069] Allocated by task 489:
[50772.218072]  kasan_kmalloc+0xb0/0xf0
[50772.218132]  amdgpu_driver_open_kms+0x8c/0x1f0 [amdgpu]
[50772.218136]  drm_open+0x39e/0x720
[50772.218138]  drm_stub_open+0x155/0x1d0
[50772.218140]  chrdev_open+0x168/0x300
[50772.218143]  do_dentry_open.isra.20+0x325/0x510
[50772.218145]  path_openat+0x7f6/0x1ac0
[50772.218148]  do_filp_open+0x125/0x1d0
[50772.218149]  do_sys_open+0x251/0x300
[50772.218152]  do_syscall_64+0xf3/0x2b0
[50772.218154]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[50772.218155] Freed by task 19848:
[50772.218158]  kasan_slab_free+0x7c/0xe0
[50772.218160]  kfree+0x91/0x1a0
[50772.218220]  amdgpu_driver_postclose_kms+0x154/0x360 [amdgpu]
[50772.218222]  drm_release+0x45e/0x5f0
[50772.218224]  __fput+0x14e/0x2e0
[50772.218226]  task_work_run+0xa0/0xc0
[50772.218229]  do_exit+0x3c4/0x10f0
[50772.218231]  do_group_exit+0x74/0x110
[50772.218234]  get_signal+0x1ab/0x760
[50772.218237]  do_signal+0xb4/0xa80
[50772.218238]  exit_to_usermode_loop+0x74/0xa0
[50772.218240]  do_syscall_64+0x2a0/0x2b0
[50772.218242]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

[50772.218245] The buggy address belongs to the object at ffff880ccf431980
                which belongs to the cache kmalloc-2048 of size 2048
[50772.218247] The buggy address is located 200 bytes inside of
                2048-byte region [ffff880ccf431980, ffff880ccf432180)
[50772.218249] The buggy address belongs to the page:
[50772.218252] page:ffffea00333d0c00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[50772.218255] flags: 0x8000000000008100(slab|head)
[50772.218260] raw: 8000000000008100 0000000000000000 0000000000000000 00000001000f000f
[50772.218263] raw: dead000000000100 dead000000000200 ffff880f98c03040 0000000000000000
[50772.218264] page dumped because: kasan: bad access detected

[50772.218265] Memory state around the buggy address:
[50772.218267]  ffff880ccf431900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[50772.218270]  ffff880ccf431980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218272] >ffff880ccf431a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218273]                                               ^
[50772.218275]  ffff880ccf431a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218277]  ffff880ccf431b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[50772.218278] ==================================================================
lspci:

0a:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Ellesmere [Radeon RX 470/480/570/580] (rev cf) (prog-if 00 [VGA controller])
	Subsystem: PC Partner Limited / Sapphire Technology Radeon RX 470
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 53
	Region 0: Memory at e0000000 (64-bit, prefetchable) [size=256M]
	Region 2: Memory at f0000000 (64-bit, prefetchable) [size=2M]
	Region 4: I/O ports at e000 [size=256]
	Region 5: Memory at fe800000 (32-bit, non-prefetchable) [size=256K]
	Expansion ROM at 000c0000 [disabled] [size=128K]
	Capabilities: [48] Vendor Specific Information: Len=08 <?>
	Capabilities: [50] Power Management version 3
		Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA PME(D0-,D1+,D2+,D3hot+,D3cold+)
		Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=0 PME-
	Capabilities: [58] Express (v2) Legacy Endpoint, MSI 00
		DevCap:	MaxPayload 256 bytes, PhantFunc 0, Latency L0s <4us, L1 unlimited
			ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset-
		DevCtl:	Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
			RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+
			MaxPayload 256 bytes, MaxReadReq 512 bytes
		DevSta:	CorrErr+ UncorrErr- FatalErr- UnsuppReq+ AuxPwr- TransPend-
		LnkCap:	Port #0, Speed 8GT/s, Width x16, ASPM L1, Exit Latency L1 <1us
			ClockPM- Surprise- LLActRep- BwNot- ASPMOptComp+
		LnkCtl:	ASPM Disabled; RCB 64 bytes Disabled- CommClk+
			ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
		LnkSta:	Speed 2.5GT/s, Width x16, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
		DevCap2: Completion Timeout: Not Supported, TimeoutDis-, LTR+, OBFF Not Supported
			 AtomicOpsCap: 32bit+ 64bit+ 128bitCAS-
		DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled
			 AtomicOpsCtl: ReqEn-
		LnkCtl2: Target Link Speed: 8GT/s, EnterCompliance- SpeedDis-
			 Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
			 Compliance De-emphasis: -6dB
		LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete+, EqualizationPhase1+
			 EqualizationPhase2+, EqualizationPhase3+, LinkEqualizationRequest-
	Capabilities: [a0] MSI: Enable+ Count=1/1 Maskable- 64bit+
		Address: 00000000fee00000  Data: 0000
	Capabilities: [100 v1] Vendor Specific Information: ID=0001 Rev=1 Len=010 <?>
	Capabilities: [150 v2] Advanced Error Reporting
		UESta:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UEMsk:	DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
		UESvrt:	DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
		CESta:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
		CEMsk:	RxErr- BadTLP- BadDLLP- Rollover- Timeout- NonFatalErr+
		AERCap:	First Error Pointer: 00, ECRCGenCap+ ECRCGenEn- ECRCChkCap+ ECRCChkEn-
			MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
		HeaderLog: 00000000 00000000 00000000 00000000
	Capabilities: [200 v1] #15
	Capabilities: [270 v1] #19
	Capabilities: [2b0 v1] Address Translation Service (ATS)
		ATSCap:	Invalidate Queue Depth: 00
		ATSCtl:	Enable+, Smallest Translation Unit: 00
	Capabilities: [2c0 v1] Page Request Interface (PRI)
		PRICtl: Enable- Reset-
		PRISta: RF- UPRGI- Stopped+
		Page Request Capacity: 00000020, Page Request Allocation: 00000000
	Capabilities: [2d0 v1] Process Address Space ID (PASID)
		PASIDCap: Exec+ Priv+, Max PASID Width: 10
		PASIDCtl: Enable- Exec- Priv-
	Capabilities: [320 v1] Latency Tolerance Reporting
		Max snoop latency: 0ns
		Max no snoop latency: 0ns
	Capabilities: [328 v1] Alternative Routing-ID Interpretation (ARI)
		ARICap:	MFVC- ACS-, Next Function: 1
		ARICtl:	MFVC- ACS-, Function Group: 0
	Capabilities: [370 v1] L1 PM Substates
		L1SubCap: PCI-PM_L1.2+ PCI-PM_L1.1+ ASPM_L1.2+ ASPM_L1.1+ L1_PM_Substates+
			  PortCommonModeRestoreTime=0us PortTPowerOnTime=170us
		L1SubCtl1: PCI-PM_L1.2- PCI-PM_L1.1- ASPM_L1.2- ASPM_L1.1-
			   T_CommonMode=0us LTR1.2_Threshold=0ns
		L1SubCtl2: T_PwrOn=10us
	Kernel driver in use: amdgpu
	Kernel modules: amdgpu
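The three stacks in the report (allocated in amdgpu_driver_open_kms when the device node is opened, freed in amdgpu_driver_postclose_kms while the closing task exits, then read 8 bytes at offset 200 by amdgpu_job_free_cb from a workqueue) describe a deferred callback outliving the per-file object it still points at. The C below is an added illustration of that pattern and of how generic KASAN's shadow poisoning catches it; it is not amdgpu code and makes no claim about the bug's actual root cause or fix. struct fpriv, struct job, the toy slab and the refcount helpers are hypothetical; the shadow value 0xfb (freed kmalloc object) is the generic-KASAN constant visible in the memory-state dump, alongside 0xfc for the kmalloc redzone, which the toy does not model.

```c
/* Toy model of the lifetime bug in the report above: a per-open-file object is
 * kmalloc'd in open, kfree'd in postclose, and a deferred job callback reads it
 * afterwards.  Added example, not amdgpu code: struct fpriv, struct job, the
 * slab and the refcount helpers are hypothetical.  Shadow bytes mimic generic
 * KASAN poisoning (0x00 addressable, 0xfb freed) just enough to flag the access. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE           2048   /* kmalloc-2048, as in the report */
#define SHADOW_SCALE       8      /* one shadow byte per 8 bytes of memory */
#define KASAN_KMALLOC_FREE 0xfb   /* generic KASAN poison for a freed object */

static union { unsigned char bytes[OBJ_SIZE]; uint64_t align; } slab;
static unsigned char shadow[OBJ_SIZE / SHADOW_SCALE];

/* Per-open-file state; 'stats' sits 200 bytes in, the offset the report flags
 * ("Read of size 8 ... located 200 bytes inside of 2048-byte region"). */
struct fpriv {
    int refcount;            /* only the fixed path uses this */
    int ctx_id;
    unsigned char pad[192];
    uint64_t stats;          /* offsetof(struct fpriv, stats) == 200 */
};

struct job { struct fpriv *owner; };   /* queued work holding a raw pointer */

static struct fpriv *toy_kmalloc(void)
{
    memset(shadow, 0x00, sizeof shadow);                /* object addressable */
    return (struct fpriv *)slab.bytes;
}

static void toy_kfree(struct fpriv *p)
{
    (void)p;
    memset(shadow, KASAN_KMALLOC_FREE, sizeof shadow);  /* poison on free */
}

/* Instrumented 8-byte load: consult the shadow first, as KASAN's check does.
 * Returns 0 and stores the value if the memory is live, -1 otherwise;
 * *off receives the offset inside the object for the report. */
static int checked_read8(const void *addr, size_t *off, uint64_t *val)
{
    size_t o = (size_t)((const unsigned char *)addr - slab.bytes);
    if (off)
        *off = o;
    if (o + 8 > OBJ_SIZE || shadow[o / SHADOW_SCALE] != 0x00)
        return -1;                                      /* use-after-free / OOB */
    memcpy(val, addr, 8);
    return 0;
}

/* The arithmetic behind "200 bytes inside of 2048-byte region [start, end)". */
static uint64_t offset_in_object(uint64_t bad_addr, uint64_t obj_start)
{
    return bad_addr - obj_start;
}

/* Unfixed order of events: open, queue job, close (free), callback reads. */
static int scenario_unfixed(size_t *off)
{
    struct fpriv *f = toy_kmalloc();                    /* open_kms */
    struct job j = { .owner = f };                      /* job queued */
    uint64_t v;
    f->stats = 7;
    toy_kfree(f);                                       /* postclose_kms runs first */
    return checked_read8(&j.owner->stats, off, &v);     /* job_free_cb: -1 */
}

/* Fixed order: the job takes its own reference, so close only drops the file's
 * reference and the object outlives the callback.  Generic kref-style remedy;
 * whether amdgpu fixed it this way is not something this page shows. */
static void fpriv_get(struct fpriv *f) { f->refcount++; }
static void fpriv_put(struct fpriv *f) { if (--f->refcount == 0) toy_kfree(f); }

static int scenario_fixed(size_t *off, uint64_t *val)
{
    struct fpriv *f = toy_kmalloc();                    /* open_kms: file holds ref 1 */
    struct job j = { .owner = f };
    int rc;
    f->refcount = 1;
    f->stats = 7;
    fpriv_get(f);                                       /* queue: job holds ref 2 */
    fpriv_put(f);                                       /* close: ref 1, still live */
    rc = checked_read8(&j.owner->stats, off, val);      /* callback: 0, reads 7 */
    fpriv_put(j.owner);                                 /* callback done: ref 0, freed */
    return rc;
}

int main(void)
{
    size_t off = 0;
    uint64_t v = 0;
    int rc;
    printf("report: %llu bytes inside the object\n", (unsigned long long)
           offset_in_object(0xffff880ccf431a48ULL, 0xffff880ccf431980ULL));
    rc = scenario_unfixed(&off);
    printf("unfixed: rc=%d offset=%zu shadow=0x%02x\n", rc, off, shadow[off / SHADOW_SCALE]);
    rc = scenario_fixed(&off, &v);
    printf("fixed:   rc=%d value=%llu\n", rc, (unsigned long long)v);
    return 0;
}
```

Build with `cc -std=c11 -Wall uaf_model.c` (file name assumed) and run: the unfixed path returns -1 at offset 200 with shadow byte 0xfb, which is exactly what the report's "Read of size 8", "200 bytes inside" and "fb" rows encode, while the reference-counted path reads the value and frees only after the callback has finished. In a real driver the checked read is the instrumentation KASAN compiles in, and the usual remedies are for the work item to hold its own reference on the object it uses, or for the close path to flush or cancel the pending work before freeing, rather than leaving a bare pointer behind.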
Thread overview: 5+ messages
2018-03-03 14:53 bugzilla-daemon [this message]
2018-03-03 14:56 ` [Bug 198985] BUG: KASAN: use-after-free in amdgpu_job_free_cb+0x26/0xb0 [amdgpu] bugzilla-daemon
2018-03-06  8:45 ` bugzilla-daemon
2018-03-09 15:49 ` bugzilla-daemon
2018-03-15 16:58 ` bugzilla-daemon