KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

[Michel Dänzer]

[-- Attachment #1: Type: text/plain, Size: 278 bytes --]


KASAN picked up something during today's piglit run on
amd-staging-drm-next, see attached. I've never seen this one before.


-- 
Earthling Michel Dänzer               |               http://www.amd.com
Libre software enthusiast             |             Mesa and X developer

[-- Attachment #2: dmesg.txt --]
[-- Type: text/plain, Size: 6905 bytes --]

[  386.246490] ==================================================================
[  386.246604] BUG: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[  386.246610] Read of size 4 at addr ffff8803dd6871f0 by task amdgpu_cs:0/2132

[  386.246621] CPU: 0 PID: 2132 Comm: amdgpu_cs:0 Tainted: G    B D W  OE    4.16.0-rc7+ #104
[  386.246626] Hardware name: Micro-Star International Co., Ltd. MS-7A34/B350 TOMAHAWK (MS-7A34), BIOS 1.80 09/13/2017
[  386.246631] Call Trace:
[  386.246640]  dump_stack+0x85/0xc1
[  386.246649]  print_address_description+0x6a/0x270
[  386.246657]  kasan_report+0x258/0x380
[  386.246762]  ? amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[  386.246862]  amdgpu_ttm_tt_pte_flags+0x11f/0x170 [amdgpu]
[  386.246971]  amdgpu_vm_bo_update+0x11a3/0x1cb0 [amdgpu]
[  386.246983]  ? lock_downgrade+0x5e0/0x5e0
[  386.247092]  ? amdgpu_vm_handle_moved+0x92/0x5c0 [amdgpu]
[  386.247202]  amdgpu_vm_handle_moved+0x239/0x5c0 [amdgpu]
[  386.247291]  ? amdgpu_vm_clear_freed+0x450/0x450 [amdgpu]
[  386.247380]  ? amdgpu_sync_fence+0x145/0x560 [amdgpu]
[  386.247468]  amdgpu_cs_ioctl+0x3e8c/0x4d80 [amdgpu]
[  386.247552]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[  386.247638]  ? amdgpu_bo_list_ioctl+0x2aa/0x650 [amdgpu]
[  386.247643]  ? save_stack+0x89/0xb0
[  386.247649]  ? __kasan_slab_free+0x136/0x180
[  386.247654]  ? kfree+0xf9/0x2f0
[  386.247740]  ? amdgpu_bo_list_ioctl+0x2aa/0x650 [amdgpu]
[  386.247764]  ? drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.247786]  ? drm_ioctl+0x67a/0x980 [drm]
[  386.247867]  ? amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.247872]  ? do_vfs_ioctl+0x192/0xee0
[  386.247876]  ? SyS_ioctl+0x74/0x80
[  386.247881]  ? do_syscall_64+0x198/0x5c0
[  386.247886]  ? entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  386.247894]  ? idr_get_free+0x4b3/0x980
[  386.247904]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[  386.247925]  ? get_futex_key+0xc20/0xc20
[  386.248011]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[  386.248035]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.248061]  drm_ioctl+0x67a/0x980 [drm]
[  386.248148]  ? amdgpu_cs_find_mapping+0x3c0/0x3c0 [amdgpu]
[  386.248172]  ? drm_getstats+0x20/0x20 [drm]
[  386.248179]  ? lock_downgrade+0x5e0/0x5e0
[  386.248184]  ? __pm_runtime_resume+0x68/0xf0
[  386.248190]  ? debug_check_no_locks_freed+0x2c0/0x2c0
[  386.248276]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.248283]  do_vfs_ioctl+0x192/0xee0
[  386.248290]  ? ioctl_preallocate+0x1b0/0x1b0
[  386.248296]  ? __fget+0x1bc/0x300
[  386.248302]  ? lock_downgrade+0x5e0/0x5e0
[  386.248306]  ? __fget+0x49/0x300
[  386.248312]  ? SyS_futex+0x197/0x200
[  386.248319]  ? __fget+0x1db/0x300
[  386.248328]  SyS_ioctl+0x74/0x80
[  386.248333]  ? do_vfs_ioctl+0xee0/0xee0
[  386.248338]  do_syscall_64+0x198/0x5c0
[  386.248346]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[  386.248351] RIP: 0033:0x7f98ef330f07
[  386.248355] RSP: 002b:00007f98e4cb4ae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  386.248361] RAX: ffffffffffffffda RBX: 00007f98e4cb4bd8 RCX: 00007f98ef330f07
[  386.248365] RDX: 00007f98e4cb4b50 RSI: 00000000c0186444 RDI: 000000000000000e
[  386.248369] RBP: 00007f98e4cb4b10 R08: 00007f98e4cb4c00 R09: 00007f98e4cb4bd8
[  386.248373] R10: 00007f98e4cb4c00 R11: 0000000000000246 R12: 00007f98e4cb4b50
[  386.248376] R13: 00000000c0186444 R14: 000000000000000e R15: 0000000000000000

[  386.248390] Allocated by task 17099:
[  386.248395]  kasan_kmalloc+0xa0/0xd0
[  386.248399]  kmem_cache_alloc_trace+0x12f/0x310
[  386.248482]  amdgpu_ttm_tt_create+0x47/0xc0 [amdgpu]
[  386.248492]  ttm_tt_create+0x171/0x2d0 [ttm]
[  386.248502]  ttm_bo_handle_move_mem+0x1441/0x2270 [ttm]
[  386.248511]  ttm_bo_evict+0x35a/0x960 [ttm]
[  386.248521]  ttm_mem_evict_first+0x349/0x550 [ttm]
[  386.248531]  ttm_bo_mem_space+0x78a/0xe10 [ttm]
[  386.248541]  ttm_bo_validate+0x293/0x4a0 [ttm]
[  386.248625]  amdgpu_cs_bo_validate+0x34c/0x860 [amdgpu]
[  386.248709]  amdgpu_cs_validate+0x94/0xb40 [amdgpu]
[  386.248793]  amdgpu_cs_list_validate+0x197/0x3e0 [amdgpu]
[  386.248877]  amdgpu_cs_ioctl+0x3310/0x4d80 [amdgpu]
[  386.248899]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.248921]  drm_ioctl+0x67a/0x980 [drm]
[  386.249002]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.249006]  do_vfs_ioctl+0x192/0xee0
[  386.249010]  SyS_ioctl+0x74/0x80
[  386.249014]  do_syscall_64+0x198/0x5c0
[  386.249019]  entry_SYSCALL_64_after_hwframe+0x42/0xb7

[  386.249024] Freed by task 17598:
[  386.249029]  __kasan_slab_free+0x136/0x180
[  386.249033]  kfree+0xf9/0x2f0
[  386.249043]  ttm_bo_pipeline_move+0x870/0xa50 [ttm]
[  386.249126]  amdgpu_move_blit.constprop.16+0x1f1/0x240 [amdgpu]
[  386.249209]  amdgpu_move_ram_vram.constprop.14+0x1df/0x270 [amdgpu]
[  386.249293]  amdgpu_bo_move+0x511/0x640 [amdgpu]
[  386.249303]  ttm_bo_handle_move_mem+0x8b3/0x2270 [ttm]
[  386.249312]  ttm_bo_validate+0x3b1/0x4a0 [ttm]
[  386.249396]  amdgpu_cs_bo_validate+0x34c/0x860 [amdgpu]
[  386.249481]  amdgpu_cs_validate+0x94/0xb40 [amdgpu]
[  386.249565]  amdgpu_cs_list_validate+0x197/0x3e0 [amdgpu]
[  386.249649]  amdgpu_cs_ioctl+0x3310/0x4d80 [amdgpu]
[  386.249671]  drm_ioctl_kernel+0x135/0x1c0 [drm]
[  386.249694]  drm_ioctl+0x67a/0x980 [drm]
[  386.249779]  amdgpu_drm_ioctl+0xcc/0x1a0 [amdgpu]
[  386.249783]  do_vfs_ioctl+0x192/0xee0
[  386.249787]  SyS_ioctl+0x74/0x80
[  386.249792]  do_syscall_64+0x198/0x5c0
[  386.249797]  entry_SYSCALL_64_after_hwframe+0x42/0xb7

[  386.249804] The buggy address belongs to the object at ffff8803dd687180
                which belongs to the cache kmalloc-256 of size 256
[  386.249810] The buggy address is located 112 bytes inside of
                256-byte region [ffff8803dd687180, ffff8803dd687280)
[  386.249814] The buggy address belongs to the page:
[  386.249819] page:ffffea000f75a180 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[  386.249826] flags: 0x17fffc000008100(slab|head)
[  386.249832] raw: 017fffc000008100 0000000000000000 0000000000000000 0000000180190019
[  386.249838] raw: dead000000000100 dead000000000200 ffff8803ed80ee00 0000000000000000
[  386.249841] page dumped because: kasan: bad access detected

[  386.249847] Memory state around the buggy address:
[  386.249851]  ffff8803dd687080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  386.249856]  ffff8803dd687100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  386.249860] >ffff8803dd687180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  386.249864]                                                              ^
[  386.249868]  ffff8803dd687200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  386.249872]  ffff8803dd687280: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[  386.249875] ==================================================================
[  692.664488] amdgpu 0000:23:00.0: Disabling VM faults because of PRT request!

[-- Attachment #3: Type: text/plain, Size: 154 bytes --]

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

[Christian König]

[-- Attachment #1.1: Type: text/plain, Size: 427 bytes --]

Going to take a look on Monday.

Thanks,
Christian.

Am 08.06.2018 um 16:07 schrieb Michel Dänzer:
> KASAN picked up something during today's piglit run on
> amd-staging-drm-next, see attached. I've never seen this one before.
>
>
>
>
> _______________________________________________
> amd-gfx mailing list
> amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx


[-- Attachment #1.2: Type: text/html, Size: 1166 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

[Christian König]

Am 13.06.2018 um 12:55 schrieb Huang Rui:
> On Fri, Jun 08, 2018 at 08:15:26PM +0200, Christian König wrote:
>> Going to take a look on Monday.
>>
> Christian, have you looked at this issue?

Not yet, I'm still busy figuring out why restoring the resize able BAR 
config doesn't work as it should.

> If not, can I volunteer to look at it?

Sure.

>
> Michel, may I know which test of piglit trigger this issue? I tried to run
> with quick.py, but didn't reproduce it.

My guess is that it is a rare issue or otherwise I would see it on the 
sporadic piglit runs I do as well.

Christian.

>
> Thanks,
> Ray
>
>> Thanks,
>> Christian.
>>
>> Am 08.06.2018 um 16:07 schrieb Michel Dänzer:
>>> KASAN picked up something during today's piglit run on
>>> amd-staging-drm-next, see attached. I've never seen this one before.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> amd-gfx mailing list
>>> amd-gfx@lists.freedesktop.org
>>> https://lists.freedesktop.org/mailman/listinfo/amd-gfx
>> _______________________________________________
>> amd-gfx mailing list
>> amd-gfx@lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/amd-gfx

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

[Huang Rui]

On Fri, Jun 08, 2018 at 08:15:26PM +0200, Christian König wrote:
> Going to take a look on Monday.
> 

Christian, have you looked at this issue? If not, can I volunteer to look at
it?

Michel, may I know which test of piglit trigger this issue? I tried to run
with quick.py, but didn't reproduce it.

Thanks,
Ray

> Thanks,
> Christian.
> 
> Am 08.06.2018 um 16:07 schrieb Michel Dänzer:
> >KASAN picked up something during today's piglit run on
> >amd-staging-drm-next, see attached. I've never seen this one before.
> >
> >
> >
> >
> >_______________________________________________
> >amd-gfx mailing list
> >amd-gfx@lists.freedesktop.org
> >https://lists.freedesktop.org/mailman/listinfo/amd-gfx
> 

> _______________________________________________
> amd-gfx mailing list
> amd-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/amd-gfx

_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx

Re: KASAN: use-after-free in amdgpu_ttm_tt_pte_flags

[Michel Dänzer]

On 2018-06-13 12:55 PM, Huang Rui wrote:
> On Fri, Jun 08, 2018 at 08:15:26PM +0200, Christian König wrote:
>> Going to take a look on Monday.
>>
> 
> Christian, have you looked at this issue? If not, can I volunteer to look at
> it?
> 
> Michel, may I know which test of piglit trigger this issue? I tried to run
> with quick.py, but didn't reproduce it.

I'm using the gpu profile, which runs slightly fewer tests than quick.

It could be one of those issues which can only be reproduced when
running piglit after compiling LLVM etc., e.g. due to the pressure on
the kernel memory management subsystem created by the latter.

Also note that I've only ever seen this once so far.

In summary, it may be difficult to reproduce. :) Probably best to look
at the KASAN report for now.


-- 
Earthling Michel Dänzer               |               http://www.amd.com
Libre software enthusiast             |             Mesa and X developer
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx