Re: Use after free from intel_alloc_iova

2019-06-22 Thread Chris Wilson
Quoting Lu Baolu (2019-06-22 09:46:36)
> Hi,
> 
> On 6/22/19 4:09 PM, Chris Wilson wrote:
> > Quoting Lu Baolu (2019-06-22 07:49:22)
> >> Hi Chris,
> >>
> >> Thanks for the test and report.
> >>
> >> On 6/21/19 9:27 PM, Chris Wilson wrote:
> >>> We see a use-after-free in our CI about 20% of the time on a Skylake
> >>> iommu testing host, present since enabling that host. Sadly, it has not
> >>> presented itself while running under KASAN.
> >>>
> >>> <4> [302.391799] general protection fault:  [#1] PREEMPT SMP PTI
> >>> <4> [302.391803] CPU: 7 PID: 4854 Comm: i915_selftest Tainted: G U 5.2.0-rc5-CI-CI_DRM_6320+ #1
> >>
> >> Since it's CI-CI_DRM_6320+, what kind of patches have you applied on top
> >> of 5.2.0-rc5?
> > 
> > $ git diff --stat v5.2-rc5..intel/CI_DRM_6320
> > ...
> > 1383 files changed, 62481 insertions(+), 35301 deletions(-)
> > 
> > The usual drivers/gpu churn, and nothing inside drivers/iommu.
> 
> Can this be reproduced with any bare mainline rc's? So that people can
> reproduce and debug it.

Yes. The earlier reports are on code that is all in 5.0.
-Chris
___
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu


Re: Use after free from intel_alloc_iova

2019-06-22 Thread Lu Baolu

Hi,

On 6/22/19 4:09 PM, Chris Wilson wrote:
> Quoting Lu Baolu (2019-06-22 07:49:22)
>> Hi Chris,
>>
>> Thanks for the test and report.
>>
>> On 6/21/19 9:27 PM, Chris Wilson wrote:
>>> We see a use-after-free in our CI about 20% of the time on a Skylake
>>> iommu testing host, present since enabling that host. Sadly, it has not
>>> presented itself while running under KASAN.
>>>
>>> <4> [302.391799] general protection fault:  [#1] PREEMPT SMP PTI
>>> <4> [302.391803] CPU: 7 PID: 4854 Comm: i915_selftest Tainted: G U 5.2.0-rc5-CI-CI_DRM_6320+ #1
>>
>> Since it's CI-CI_DRM_6320+, what kind of patches have you applied on top
>> of 5.2.0-rc5?
>
> $ git diff --stat v5.2-rc5..intel/CI_DRM_6320
> ...
> 1383 files changed, 62481 insertions(+), 35301 deletions(-)
>
> The usual drivers/gpu churn, and nothing inside drivers/iommu.

Can this be reproduced with any bare mainline rc's? So that people can
reproduce and debug it.

Best regards,
Baolu

> Our oldest report (when the machine was configured) was with
> 4.19.0-CI-CI_DRM_5049. The tags are available from
> git://git.freedesktop.org/git/gfx-ci/linux
> -Chris




Re: Use after free from intel_alloc_iova

2019-06-22 Thread Chris Wilson
Quoting Lu Baolu (2019-06-22 07:49:22)
> Hi Chris,
> 
> Thanks for the test and report.
> 
> On 6/21/19 9:27 PM, Chris Wilson wrote:
> > We see a use-after-free in our CI about 20% of the time on a Skylake
> > iommu testing host, present since enabling that host. Sadly, it has not
> > presented itself while running under KASAN.
> > 
> > <4> [302.391799] general protection fault:  [#1] PREEMPT SMP PTI
> > <4> [302.391803] CPU: 7 PID: 4854 Comm: i915_selftest Tainted: G U 5.2.0-rc5-CI-CI_DRM_6320+ #1
> 
> Since it's CI-CI_DRM_6320+, what kind of patches have you applied on top
> of 5.2.0-rc5?

$ git diff --stat v5.2-rc5..intel/CI_DRM_6320
...
1383 files changed, 62481 insertions(+), 35301 deletions(-)

The usual drivers/gpu churn, and nothing inside drivers/iommu.

Our oldest report (when the machine was configured) was with
4.19.0-CI-CI_DRM_5049. The tags are available from
git://git.freedesktop.org/git/gfx-ci/linux
-Chris


Re: Use after free from intel_alloc_iova

2019-06-21 Thread Lu Baolu

Hi Chris,

Thanks for the test and report.

On 6/21/19 9:27 PM, Chris Wilson wrote:
> We see a use-after-free in our CI about 20% of the time on a Skylake
> iommu testing host, present since enabling that host. Sadly, it has not
> presented itself while running under KASAN.
>
> <4> [302.391799] general protection fault:  [#1] PREEMPT SMP PTI
> <4> [302.391803] CPU: 7 PID: 4854 Comm: i915_selftest Tainted: G U 5.2.0-rc5-CI-CI_DRM_6320+ #1

Since it's CI-CI_DRM_6320+, what kind of patches have you applied on top
of 5.2.0-rc5?

Best regards,
Baolu

> <4> [302.391805] Hardware name: System manufacturer System Product Name/Z170I PRO GAMING, BIOS 1809 07/11/2016
> <4> [302.391809] RIP: 0010:rb_prev+0x16/0x50
> <4> [302.391811] Code: d0 e9 a5 fe ff ff 4c 89 49 10 c3 4c 89 41 10 c3 0f 1f 40 00 48 8b 0f 48 39 cf 74 36 48 8b 47 10 48 85 c0 75 05 eb 1a 48 89 d0 <48> 8b 50 08 48 85 d2 75 f4 f3 c3 48 3b 79 10 75 15 48 8b 09 48 89
> <4> [302.391813] RSP: 0018:c954f850 EFLAGS: 00010002
> <4> [302.391816] RAX: 6b6b6b6b6b6b6b6b RBX: 0010 RCX: 6b6b6b6b6b6b6b6b
> <4> [302.391818] RDX: 0001 RSI:  RDI: 88806504dfc0
> <4> [302.391820] RBP: 2000 R08: 0001 R09:
> <4> [302.391821] R10: c954f7d0 R11:  R12: 88822b1d0370
> <4> [302.391823] R13: 000fe000 R14: 88809a48f840 R15: 88806504dfc0
> <4> [302.391825] FS:  7fdec7d6de40() GS:88822eb8() knlGS:
> <4> [302.391827] CS:  0010 DS:  ES:  CR0: 80050033
> <4> [302.391829] CR2: 55e125021b78 CR3: 00011277e004 CR4: 003606e0
> <4> [302.391830] DR0:  DR1:  DR2:
> <4> [302.391832] DR3:  DR6: fffe0ff0 DR7: 0400
> <4> [302.391833] Call Trace:
> <4> [302.391838]  alloc_iova+0xb3/0x150
> <4> [302.391842]  alloc_iova_fast+0x51/0x270
> <4> [302.391846]  intel_alloc_iova+0xa0/0xd0
> <4> [302.391849]  intel_map_sg+0xae/0x190
> <4> [302.391902]  i915_gem_gtt_prepare_pages+0x3e/0xf0 [i915]
> <4> [302.391946]  i915_gem_object_get_pages_internal+0x225/0x2b0 [i915]
> <4> [302.391981]  i915_gem_object_get_pages+0x1d/0xa0 [i915]
> <4> [302.392027]  i915_gem_object_pin_map+0x1cf/0x2a0 [i915]
> <4> [302.392073]  igt_fill_blt+0xdb/0x4e0 [i915]
> <4> [302.392130]  __i915_subtests+0x1a4/0x1e0 [i915]
> <4> [302.392184]  __run_selftests+0x112/0x170 [i915]
> <4> [302.392236]  i915_live_selftests+0x2c/0x60 [i915]
> <4> [302.392279]  i915_pci_probe+0x83/0x1a0 [i915]
> <4> [302.392282]  ? _raw_spin_unlock_irqrestore+0x39/0x60
> <4> [302.392285]  pci_device_probe+0x9e/0x120
> <4> [302.392287]  really_probe+0xea/0x3c0
> <4> [302.392289]  driver_probe_device+0x10b/0x120
> <4> [302.392291]  device_driver_attach+0x4a/0x50
> <4> [302.392293]  __driver_attach+0x97/0x130
> <4> [302.392295]  ? device_driver_attach+0x50/0x50
> <4> [302.392296]  bus_for_each_dev+0x74/0xc0
> <4> [302.392298]  bus_add_driver+0x13f/0x210
> <4> [302.392300]  ? 0xa01d8000
> <4> [302.392302]  driver_register+0x56/0xe0
> <4> [302.392303]  ? 0xa01d8000
> <4> [302.392305]  do_one_initcall+0x58/0x300
> <4> [302.392308]  ? kmem_cache_alloc_trace+0x1e8/0x290
> <4> [302.392311]  do_init_module+0x56/0x1f6
> <4> [302.392312]  load_module+0x24d1/0x2990
> <4> [302.392318]  ? __se_sys_finit_module+0xd3/0xf0
> <4> [302.392319]  __se_sys_finit_module+0xd3/0xf0
> <4> [302.392323]  do_syscall_64+0x55/0x1c0
> <4> [302.392325]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> <4> [302.392326] RIP: 0033:0x7fdec7428839
> <4> [302.392329] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
> <4> [302.392331] RSP: 002b:7ffec5007258 EFLAGS: 0246 ORIG_RAX: 0139
> <4> [302.392333] RAX: ffda RBX: 55fcf119cc00 RCX: 7fdec7428839
> <4> [302.392335] RDX:  RSI: 55fcf119e570 RDI: 0006
> <4> [302.392336] RBP: 55fcf119e570 R08: 0004 R09: 55fcf000bc1b
> <4> [302.392338] R10: 7ffec50074a0 R11: 0246 R12:
> <4> [302.392340] R13: 55fcf1197070 R14: 0020 R15: 0042
>
> https://intel-gfx-ci.01.org/tree/drm-tip/CI_DRM_6320/fi-skl-iommu/igt@i915_selftest@live_blt.html
> https://bugs.freedesktop.org/show_bug.cgi?id=108602
> -Chris


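
Added example (not part of the thread, and not code from the kernel or from either poster): in the oops quoted above, RAX and RCX hold 6b6b6b6b6b6b6b6b, which is the slab allocator's POISON_FREE byte (0x6b) repeated, the fill written into freed objects when slab poisoning is enabled. The helper below scans oops register lines for that pattern; the function names are hypothetical, and the sample input is the RAX/RBX/RCX line from this thread.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Slab poison bytes, as defined in include/linux/poison.h. */
#define POISON_INUSE 0x5a /* allocated but not yet initialised */
#define POISON_FREE  0x6b /* object has been freed */
#define POISON_END   0xa5 /* last byte of a poisoned object */

/* Return the fill byte if v is a 64-bit load from poisoned slab memory (the
 * top byte may be POISON_END when the load covers an object's tail), else 0. */
static int slab_poison_byte(uint64_t v)
{
    uint8_t fill = v & 0xff, top = v >> 56;
    uint64_t rep = fill * 0x0101010101010101ULL; /* fill in all 8 bytes */
    /* Reject other fill bytes, and values whose low 7 bytes are not all fill. */
    if ((fill != POISON_FREE && fill != POISON_INUSE) || ((v ^ rep) << 8))
        return 0;
    return (top == fill || top == POISON_END) ? fill : 0;
}

/* Scan one oops register line ("RAX: <hex> RBX: <hex> ..."), print every
 * register holding POISON_FREE and return how many were found. Only full
 * 16-digit values count, so truncated or empty fields are skipped. */
static int count_freed_regs(const char *line)
{
    int hits = 0;
    for (const char *p = strstr(line, ": "); p; p = strstr(p + 1, ": ")) {
        const char *name = p;
        char *end;
        uint64_t v = strtoull(p + 2, &end, 16);
        if (end - (p + 2) != 16 || slab_poison_byte(v) != POISON_FREE)
            continue;
        while (name > line && isalnum((unsigned char)name[-1]))
            name--; /* walk back over the register name */
        printf("%.*s=%016llx looks like freed slab memory\n",
               (int)(p - name), name, (unsigned long long)v);
        hits++;
    }
    return hits;
}

int main(void)
{
    /* RAX/RBX/RCX register line taken from the oops quoted in this thread. */
    return count_freed_regs("<4> [302.391816] RAX: 6b6b6b6b6b6b6b6b "
                            "RBX: 0010 RCX: 6b6b6b6b6b6b6b6b") == 2 ? 0 : 1;
}
```

The pattern only appears on kernels that poison freed slab objects (for example when booted with slub_debug); without poisoning, a stale pointer reads whatever now occupies the object.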