public inbox for linux-kernel@vger.kernel.org
From: Rob Clark <robdclark@gmail.com>
To: dri-devel@lists.freedesktop.org
Cc: Rob Clark <robdclark@chromium.org>,
	Alexander Potapenko <glider@google.com>,
	Luben Tuikov <luben.tuikov@amd.com>,
	David Airlie <airlied@gmail.com>, Daniel Vetter <daniel@ffwll.ch>,
	linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] drm/scheduler: Add missing RCU flag to fence slab
Date: Mon, 10 Jul 2023 13:56:24 -0700
Message-ID: <20230710205625.130664-1-robdclark@gmail.com>

From: Rob Clark <robdclark@chromium.org>

Fixes the KASAN splat:

   ==================================================================
   BUG: KASAN: use-after-free in msm_ioctl_wait_fence+0x31c/0x7b0
   Read of size 4 at addr ffffff808cb7c2f8 by task syz-executor/12236
   CPU: 6 PID: 12236 Comm: syz-executor Tainted: G        W         5.15.119-lockdep-19932-g4a017c53fe63 #1 b15455e5b94c63032dd99eb0190c27e582b357ed
   Hardware name: Google Homestar (rev3) (DT)
   Call trace:
    dump_backtrace+0x0/0x4e8
    show_stack+0x34/0x50
    dump_stack_lvl+0xdc/0x11c
    print_address_description+0x30/0x2d8
    kasan_report+0x178/0x1e4
    kasan_check_range+0x1b0/0x1b8
    __kasan_check_read+0x44/0x54
    msm_ioctl_wait_fence+0x31c/0x7b0
    drm_ioctl_kernel+0x214/0x418
    drm_ioctl+0x524/0xbe8
    __arm64_sys_ioctl+0x154/0x1d0
    invoke_syscall+0x98/0x278
    el0_svc_common+0x214/0x274
    do_el0_svc+0x9c/0x19c
    el0_svc+0x5c/0xc0
    el0t_64_sync_handler+0x78/0x108
    el0t_64_sync+0x1a4/0x1a8
   Allocated by task 12224:
    kasan_save_stack+0x38/0x68
    __kasan_slab_alloc+0x6c/0x88
    kmem_cache_alloc+0x1b8/0x428
    drm_sched_fence_alloc+0x30/0x94
    drm_sched_job_init+0x7c/0x178
    msm_ioctl_gem_submit+0x2b8/0x5ac4
    drm_ioctl_kernel+0x214/0x418
    drm_ioctl+0x524/0xbe8
    __arm64_sys_ioctl+0x154/0x1d0
    invoke_syscall+0x98/0x278
    el0_svc_common+0x214/0x274
    do_el0_svc+0x9c/0x19c
    el0_svc+0x5c/0xc0
    el0t_64_sync_handler+0x78/0x108
    el0t_64_sync+0x1a4/0x1a8
   Freed by task 32:
    kasan_save_stack+0x38/0x68
    kasan_set_track+0x28/0x3c
    kasan_set_free_info+0x28/0x4c
    ____kasan_slab_free+0x110/0x164
    __kasan_slab_free+0x18/0x28
    kmem_cache_free+0x1e0/0x904
    drm_sched_fence_free_rcu+0x80/0x9c
    rcu_do_batch+0x318/0xcf0
    rcu_nocb_cb_kthread+0x1a0/0xc4c
    kthread+0x2e4/0x3a0
    ret_from_fork+0x10/0x20
   Last potentially related work creation:
    kasan_save_stack+0x38/0x68
    kasan_record_aux_stack+0xd4/0x114
    __call_rcu_common+0xd4/0x1478
    call_rcu+0x1c/0x28
    drm_sched_fence_release_scheduled+0x108/0x158
    dma_fence_release+0x178/0x564
    drm_sched_fence_release_finished+0xb4/0x124
    dma_fence_release+0x178/0x564
    __msm_gem_submit_destroy+0x150/0x488
    msm_job_free+0x9c/0xdc
    drm_sched_main+0xec/0x9ac
    kthread+0x2e4/0x3a0
    ret_from_fork+0x10/0x20
   Second to last potentially related work creation:
    kasan_save_stack+0x38/0x68
    kasan_record_aux_stack+0xd4/0x114
    __call_rcu_common+0xd4/0x1478
    call_rcu+0x1c/0x28
    drm_sched_fence_release_scheduled+0x108/0x158
    dma_fence_release+0x178/0x564
    drm_sched_fence_release_finished+0xb4/0x124
    dma_fence_release+0x178/0x564
    drm_sched_entity_fini+0x170/0x238
    drm_sched_entity_destroy+0x34/0x44
    __msm_file_private_destroy+0x60/0x118
    msm_submitqueue_destroy+0xd0/0x110
    __msm_gem_submit_destroy+0x384/0x488
    retire_submits+0x6a8/0xa14
    recover_worker+0x764/0xa50
    kthread_worker_fn+0x3f4/0x9ec
    kthread+0x2e4/0x3a0
    ret_from_fork+0x10/0x20
   The buggy address belongs to the object at ffffff808cb7c280
   The buggy address is located 120 bytes inside of
   The buggy address belongs to the page:
   page:000000008b01d27d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10cb7c
   head:000000008b01d27d order:1 compound_mapcount:0
   flags: 0x8000000000010200(slab|head|zone=2)
   raw: 8000000000010200 fffffffe06844d80 0000000300000003 ffffff80860dca00
   raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
   page dumped because: kasan: bad access detected
   Memory state around the buggy address:
    ffffff808cb7c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ffffff808cb7c200: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
   >ffffff808cb7c280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                   ^
    ffffff808cb7c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
    ffffff808cb7c380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
   ==================================================================

Suggested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Rob Clark <robdclark@chromium.org>
---
 drivers/gpu/drm/scheduler/sched_fence.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/scheduler/sched_fence.c b/drivers/gpu/drm/scheduler/sched_fence.c
index ef120475e7c6..b624711c6e03 100644
--- a/drivers/gpu/drm/scheduler/sched_fence.c
+++ b/drivers/gpu/drm/scheduler/sched_fence.c
@@ -35,7 +35,7 @@ static int __init drm_sched_fence_slab_init(void)
 {
 	sched_fence_slab = kmem_cache_create(
 		"drm_sched_fence", sizeof(struct drm_sched_fence), 0,
-		SLAB_HWCACHE_ALIGN, NULL);
+		SLAB_HWCACHE_ALIGN | SLAB_TYPESAFE_BY_RCU, NULL);
 	if (!sched_fence_slab)
 		return -ENOMEM;
 
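Review bot: the Freed-by and work-creation stacks in the splat already show the fence going through call_rcu() (drm_sched_fence_release_scheduled -> call_rcu -> drm_sched_fence_free_rcu), so adding SLAB_TYPESAFE_BY_RCU in this hunk does not add a grace period; it changes the guarantee to "the slab memory stays a drm_sched_fence and may be handed out again for a new fence right after kmem_cache_free()". The commit message should say which lockless reader relies on that (msm_ioctl_wait_fence in the trace) and that such a reader must run under rcu_read_lock() and revalidate the object after taking a reference (dma_fence_get_rcu() followed by a recheck of what it looked up), since the flag alone does not make a stale-pointer read correct. With the flag set, the existing call_rcu() deferral in drm_sched_fence_release_scheduled becomes redundant and could be dropped in the same series, and a Fixes: tag (the splat is from a 5.15 kernel) would help backporting.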
-- 
2.41.0


Thread overview: 5+ messages
2023-07-10 20:56 Rob Clark [this message]
2023-07-10 21:15 ` [PATCH] drm/scheduler: Add missing RCU flag to fence slab Luben Tuikov
2023-07-11  7:46   ` Christian König
2023-07-11 14:49     ` Rob Clark
2023-07-12  6:45       ` Christian König
