Re: BUG: KASAN: use-after-free in amdgpu_job_free_cb

2018-01-13 Thread Johannes Hirte
On 2018 Jan 12, Andrey Grodzovsky wrote:
> Yea, I know, just dumped diff of one file into it, please search in
> code for
>
> "ret = do_aquire_global_lock(dev, state);" it appears only in one place
> in entire code base, and manually apply the one line change.
>

with patch applied:

[ 6887.679618] [drm] {1920x1080, 2250x1132@152840Khz}
[ 6887.806430] [drm] HBRx2 pass VS=1, PE=0
[12432.070076] [drm] {1920x1080, 2250x1132@152840Khz}
[12432.194472] [drm] HBRx2 pass VS=1, PE=0
[13677.257767] 
==
[13677.257812] BUG: KASAN: use-after-free in 
drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257820] Read of size 8 at addr 8803f0533388 by task 
kworker/u8:6/22172

[13677.257832] CPU: 2 PID: 22172 Comm: kworker/u8:6 Not tainted 
4.15.0-rc7-2-g617b2907a7aa #445
[13677.257837] Hardware name: HP HP ProBook 645 G2/80FE, BIOS N77 Ver. 01.10 
10/12/2017
[13677.257848] Workqueue: events_unbound commit_work
[13677.257853] Call Trace:
[13677.257867]  dump_stack+0x99/0x11e
[13677.257874]  ? _atomic_dec_and_lock+0x152/0x152
[13677.257886]  print_address_description+0x65/0x270
[13677.257892]  kasan_report+0x272/0x360
[13677.257898]  ? drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257903]  drm_atomic_helper_wait_for_flip_done+0x24f/0x270
[13677.257913]  amdgpu_dm_atomic_commit_tail+0x185e/0x2b90
[13677.257923]  ? dm_crtc_duplicate_state+0x130/0x130
[13677.257931]  ? trace_raw_output_rcu_utilization+0xa0/0xa0
[13677.257939]  ? drm_atomic_helper_wait_for_dependencies+0x3f2/0x800
[13677.257945]  commit_tail+0x92/0xe0
[13677.257953]  process_one_work+0x84b/0x1600
[13677.257961]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.257969]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.257973]  ? _raw_spin_unlock+0x120/0x120
[13677.257977]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
[13677.257984]  ? arch_vtime_task_switch+0xee/0x190
[13677.257991]  ? finish_task_switch+0x27d/0x7f0
[13677.257995]  ? wq_worker_waking_up+0xc0/0xc0
[13677.258000]  ? copy_overflow+0x20/0x20
[13677.258010]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258014]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258022]  ? schedule+0xfb/0x3b0
[13677.258027]  ? __schedule+0x19b0/0x19b0
[13677.258031]  ? preempt_schedule_common+0x30/0xb0
[13677.258038]  ? ___preempt_schedule+0x16/0x18
[13677.258043]  ? _raw_spin_unlock_irq+0xfa/0x120
[13677.258047]  ? _raw_spin_unlock+0x120/0x120
[13677.258052]  worker_thread+0x211/0x1790
[13677.258060]  ? pick_next_task_fair+0x313/0x10f0
[13677.258065]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258073]  ? cyc2ns_read_end+0x20/0x20
[13677.258078]  ? tick_nohz_dep_clear_signal+0x20/0x20
[13677.258083]  ? get_vtime_delta+0x16/0xd0
[13677.258087]  ? _raw_spin_unlock_irq+0xbe/0x120
[13677.258091]  ? _raw_spin_unlock+0x120/0x120
[13677.258098]  ? finish_task_switch+0x27d/0x7f0
[13677.258104]  ? sched_clock_cpu+0x18/0x1e0
[13677.258110]  ? ret_from_fork+0x1f/0x30
[13677.258116]  ? pci_mmcfg_check_reserved+0x100/0x100
[13677.258120]  ? get_vtime_delta+0x16/0xd0
[13677.258125]  ? cyc2ns_read_end+0x20/0x20
[13677.258131]  ? schedule+0xfb/0x3b0
[13677.258136]  ? __schedule+0x19b0/0x19b0
[13677.258141]  ? remove_wait_queue+0x2b0/0x2b0
[13677.258146]  ? arch_vtime_task_switch+0xee/0x190
[13677.258151]  ? _raw_spin_unlock_irqrestore+0xc2/0x130
[13677.258156]  ? _raw_spin_unlock_irq+0x120/0x120
[13677.258162]  ? trace_event_raw_event_workqueue_work+0x170/0x170
[13677.258167]  kthread+0x2d4/0x390
[13677.258172]  ? kthread_create_worker+0xd0/0xd0
[13677.258177]  ret_from_fork+0x1f/0x30

[13677.258188] Allocated by task 2377:
[13677.258196]  kasan_kmalloc+0xa0/0xd0
[13677.258202]  kmem_cache_alloc_trace+0xd1/0x1e0
[13677.258208]  dm_crtc_duplicate_state+0x73/0x130
[13677.258214]  drm_atomic_get_crtc_state+0x13c/0x400
[13677.258218]  page_flip_common+0x52/0x230
[13677.258223]  drm_atomic_helper_page_flip+0xa1/0x100
[13677.258230]  drm_mode_page_flip_ioctl+0xc10/0x1030
[13677.258236]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258240]  drm_ioctl+0x709/0xa00
[13677.258245]  amdgpu_drm_ioctl+0x118/0x280
[13677.258250]  do_vfs_ioctl+0x18a/0x1260
[13677.258254]  SyS_ioctl+0x6f/0x80
[13677.258258]  do_syscall_64+0x220/0x670
[13677.258262]  return_from_SYSCALL_64+0x0/0x65

[13677.258267] Freed by task 2523:
[13677.258273]  kasan_slab_free+0x71/0xc0
[13677.258276]  kfree+0x88/0x1b0
[13677.258280]  drm_atomic_state_default_clear+0x2c8/0xa00
[13677.258285]  __drm_atomic_state_free+0x30/0xd0
[13677.258289]  drm_atomic_helper_update_plane+0xb6/0x350
[13677.258293]  __setplane_internal+0x5b4/0x9d0
[13677.258297]  drm_mode_cursor_universal+0x412/0xc60
[13677.258301]  drm_mode_cursor_common+0x4b6/0x890
[13677.258305]  drm_mode_cursor_ioctl+0xd3/0x120
[13677.258309]  drm_ioctl_kernel+0x1b5/0x2c0
[13677.258313]  drm_ioctl+0x709/0xa00
[13677.258316]  amdgpu_drm_ioctl+0x118/0x280
[13677.258319]  do_vfs_ioctl+0x18a/0x1260
[13677.258323]  SyS_ioctl+0x6f/0x80
[13677.258326]  do_syscall_

Re: [PATCH 1/1] drm/amdgpu: only set dma_buf ops when it is valid

2018-01-13 Thread Christian König

Commit message and Signed-off-by line are missing.

Apart from that the patch is Reviewed-by: Christian König.


Regards,
Christian.

On 13.01.2018 at 00:01, Samuel Li wrote:

Change-Id: I37daecbf695da13eaeea1d362c270b92a894393a
---
  drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
index a14234b..8afec21 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_prime.c
@@ -221,9 +221,10 @@ struct dma_buf *amdgpu_gem_prime_export(struct drm_device 
*dev,
return ERR_PTR(-EPERM);
  
  	buf = drm_gem_prime_export(dev, gobj, flags);

-   if (!IS_ERR(buf))
+   if (!IS_ERR(buf)) {
buf->file->f_mapping = dev->anon_inode->i_mapping;
-   buf->ops = &amdgpu_dmabuf_ops;
+   buf->ops = &amdgpu_dmabuf_ops;
+   }
  
  	return buf;

  }
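Review bot: the commit message is empty and should state what this hunk fixes: before the change, `buf->ops = &amdgpu_dmabuf_ops;` ran unconditionally, so when `drm_gem_prime_export()` returned an ERR_PTR the error pointer was written through; the `if (!IS_ERR(buf)) {` block now guards both assignments. A Signed-off-by trailer is also required for submission, and the Gerrit `Change-Id:` line above the diffstat should be dropped from the upstream patch.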


___
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx