From: bugzilla-daemon@bugzilla.kernel.org
To: dri-devel@lists.freedesktop.org
Subject: [Bug 199425] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x247/0x260
Date: Mon, 20 Aug 2018 06:28:02 +0000
Message-ID: <bug-199425-2300-SjPWMcj8e8@https.bugzilla.kernel.org/>
In-Reply-To: <bug-199425-2300@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=199425
--- Comment #18 from Johannes Hirte (johannes.hirte@datenkhaos.de) ---
[183309.195913]
==================================================================
[183309.195937] BUG: KASAN: use-after-free in drm_atomic_helper_wait_for_flip_done+0x212/0x270
[183309.195944] Read of size 8 at addr ffff880115b906a8 by task kworker/u8:1/12462
[183309.195956] CPU: 1 PID: 12462 Comm: kworker/u8:1 Not tainted 4.18.0-00001-g61b0dd9978b0 #14
[183309.195961] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.15 03/26/2018
[183309.195968] Workqueue: events_unbound commit_work
[183309.195973] Call Trace:
[183309.195985] dump_stack+0x5b/0x90
[183309.195993] print_address_description+0x60/0x229
[183309.195999] ? drm_atomic_helper_wait_for_flip_done+0x212/0x270
[183309.196005] kasan_report.cold.5+0x241/0x2ff
[183309.196011] drm_atomic_helper_wait_for_flip_done+0x212/0x270
[183309.196020] amdgpu_dm_atomic_commit_tail+0x2718/0x4040
[183309.196029] ? _raw_spin_unlock_irq+0x35/0x50
[183309.196034] ? wait_for_completion_timeout+0x214/0x2d0
[183309.196040] ? commit_planes_to_stream.constprop.47+0x13b0/0x13b0
[183309.196047] ? finish_task_switch+0x1a0/0x700
[183309.196052] ? drm_atomic_helper_wait_for_dependencies+0x478/0x7e0
[183309.196058] commit_tail+0x91/0xe0
[183309.196064] process_one_work+0x866/0x1460
[183309.196071] worker_thread+0x82/0xf60
[183309.196076] ? _raw_spin_unlock_irqrestore+0x3a/0x70
[183309.196081] ? __kthread_parkme+0x7d/0xf0
[183309.196086] ? rescuer_thread+0xcd0/0xcd0
[183309.196090] kthread+0x2cf/0x380
[183309.196095] ? kthread_create_worker+0xd0/0xd0
[183309.196100] ret_from_fork+0x22/0x40
[183309.196109] Allocated by task 570:
[183309.196116] kasan_kmalloc+0xbf/0xe0
[183309.196123] kmem_cache_alloc_trace+0xf3/0x1f0
[183309.196128] dm_crtc_duplicate_state+0x73/0x130
[183309.196134] drm_atomic_get_crtc_state+0x142/0x400
[183309.196138] page_flip_common+0x52/0x220
[183309.196142] drm_atomic_helper_page_flip+0xa1/0x100
[183309.196148] drm_mode_page_flip_ioctl+0xc46/0x1090
[183309.196152] drm_ioctl_kernel+0x192/0x210
[183309.196156] drm_ioctl+0x3ea/0x850
[183309.196161] amdgpu_drm_ioctl+0xc7/0x1a0
[183309.196165] do_vfs_ioctl+0x18e/0xed0
[183309.196169] ksys_ioctl+0x5b/0x90
[183309.196173] __x64_sys_ioctl+0x6a/0xb0
[183309.196177] do_syscall_64+0x95/0x2f0
[183309.196183] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[183309.196188] Freed by task 634:
[183309.196193] __kasan_slab_free+0x125/0x170
[183309.196197] kfree+0x8b/0x1c0
[183309.196202] drm_atomic_state_default_clear+0x310/0xc40
[183309.196206] __drm_atomic_state_free+0x30/0xc0
[183309.196210] drm_atomic_helper_update_plane+0xa7/0x350
[183309.196214] __setplane_internal+0x2d1/0x820
[183309.196218] drm_mode_cursor_universal+0x2f0/0x910
[183309.196222] drm_mode_cursor_common+0x49a/0x880
[183309.196226] drm_mode_cursor_ioctl+0x81/0xb0
[183309.196229] drm_ioctl_kernel+0x192/0x210
[183309.196233] drm_ioctl+0x3ea/0x850
[183309.196237] amdgpu_drm_ioctl+0xc7/0x1a0
[183309.196241] do_vfs_ioctl+0x18e/0xed0
[183309.196244] ksys_ioctl+0x5b/0x90
[183309.196248] __x64_sys_ioctl+0x6a/0xb0
[183309.196252] do_syscall_64+0x95/0x2f0
[183309.196256] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[183309.196263] The buggy address belongs to the object at ffff880115b90480 which belongs to the cache kmalloc-1024 of size 1024
[183309.196269] The buggy address is located 552 bytes inside of 1024-byte region [ffff880115b90480, ffff880115b90880)
[183309.196274] The buggy address belongs to the page:
[183309.196279] page:ffffea000456e400 count:1 mapcount:0 mapping:ffff8803ef002c40 index:0x0 compound_mapcount: 0
[183309.196286] flags: 0x2000000000008100(slab|head)
[183309.196294] raw: 2000000000008100 ffffea000ceba800 0000000200000002 ffff8803ef002c40
[183309.196300] raw: 0000000000000000 00000000801c001c 00000001ffffffff 0000000000000000
[183309.196303] page dumped because: kasan: bad access detected
[183309.196308] Memory state around the buggy address:
[183309.196312] ffff880115b90580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196317] ffff880115b90600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196321] >ffff880115b90680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196324] ^
[183309.196328] ffff880115b90700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196332] ffff880115b90780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[183309.196335]
==================================================================
[183309.196338] Disabling lock debugging due to kernel taint
This is with kernel 4.18.0 and your patch on top.