Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

git://anongit.freedesktop.org/drm-intel drm-intel-next-queued

commit c88473878d47131ccfc67a00ba688d4d7d0f4519
Author: Chris Wilson <chris(a)chris-wilson.co.uk>
AuthorDate: Fri Jan 27 16:55:30 2017 +0000
Commit: Chris Wilson <chris(a)chris-wilson.co.uk>
CommitDate: Tue Jan 31 11:16:07 2017 +0000

drm/i915: Treat stolen memory as DMA addresses

The conversion of stolen to use phys_addr_t (from essentially u32)
sparked an interesting discussion. We treat stolen memory as only
accessible from the GPU (the DMA device) - an attempt to use it from the
CPU will generate a MCE on gen6 onwards, although it is in theory a
physical address that can be dereferenced from the CPU as demonstrated
by earlier generations. As such, using phys_addr_t has the wrong
connotations and as we pass the address into the DMA device via
dma_addr_t (through the scatterlists used to program the GTT entries),
we should treat it as dma_addr_t throughout.

Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk>
Cc: Paulo Zanoni <paulo.r.zanoni(a)intel.com>
Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170127165531.28135-1-chris...
Reviewed-by: Paulo Zanoni <paulo.r.zanoni(a)intel.com>

4703b0472e drm/i915: Be defensive when cleaning up i915_gem_internal pages
c88473878d drm/i915: Treat stolen memory as DMA addresses
+-----------------------------------------------------------------------+------------+------------+
|                                                                       | 4703b0472e | c88473878d |
+-----------------------------------------------------------------------+------------+------------+
| boot_successes                                                        | 2          | 0          |
| boot_failures                                                         | 944        | 560        |
| WARNING:at_drivers/gpu/drm/drm_mode_config.c:#drm_mode_config_cleanup | 944        | 558        |
| BUG:kernel_hang_in_test_stage                                         | 5          |            |
| invoked_oom-killer:gfp_mask=0x                                        | 4          | 16         |
| Mem-Info                                                              | 4          | 17         |
| Out_of_memory:Kill_process                                            | 4          | 15         |
| Kernel_panic-not_syncing:Out_of_memory_and_no_killable_processes      | 0          | 2          |
| BUG:KASAN:use-after-free_in                                           | 0          | 31         |
| calltrace:SyS_mount                                                   | 0          | 33         |
| BUG:Double_free_or_freeing_an_invalid_pointer                         | 0          | 23         |
| calltrace:bochs_init                                                  | 0          | 21         |
| BUG:KASAN:slab-out-of-bounds                                          | 0          | 3          |
| general_protection_fault:#[##]PREEMPT_KASAN                           | 0          | 8          |
| Kernel_panic-not_syncing:Fatal_exception                              | 0          | 10         |
| BUG:unable_to_handle_kernel                                           | 0          | 2          |
| Oops                                                                  | 0          | 2          |
+-----------------------------------------------------------------------+------------+------------+

[ 85.599787] [TTM] Initializing pool allocator
[ 85.600692] [TTM] Initializing DMA pool allocator
[ 85.607038] bochsdrmfb: enable CONFIG_FB_LITTLE_ENDIAN to support this framebuffer
[ 85.608486] [drm] Initialized bochs-drm 1.0.0 20130925 for 0000:00:02.0 on minor 1
[ 85.611084] ------------[ cut here ]------------
[ 85.612491] WARNING: CPU: 0 PID: 1 at drivers/gpu/drm/drm_mode_config.c:453 drm_mode_config_cleanup+0x7e5/0xa20
[ 85.614348] CPU: 0 PID: 1 Comm: swapper Not tainted 4.10.0-rc3-00629-gc884738 #1
[ 85.615668] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[ 85.617279] Call Trace:
[ 85.617907] dump_stack+0x1e/0x2e
[ 85.618552] __warn+0x3b9/0x420
[ 85.619176] warn_slowpath_null+0x2c/0x40
[ 85.619907] drm_mode_config_cleanup+0x7e5/0xa20
[ 85.620709] ? synchronize_srcu+0x1e/0x40
[ 85.621461] ? drm_mode_config_init+0x1820/0x1820
[ 85.622280] bochs_kms_fini+0xeb/0x150
[ 85.622977] bochs_unload+0x40/0xa0
[ 85.623645] ? bochs_pci_probe+0x440/0x440
[ 85.624384] drm_dev_unregister+0x386/0x420
[ 85.625142] drm_put_dev+0xaa/0xf0
[ 85.625792] bochs_pci_remove+0x37/0x50
[ 85.626509] pci_device_remove+0x2ca/0x520
[ 85.627253] ? driver_sysfs_add+0x1ca/0x430
[ 85.628022] ? pci_dev_put+0xb0/0xb0
[ 85.628705] driver_probe_device+0xf62/0x1910
[ 85.629483] ? pci_device_remove+0x520/0x520
[ 85.630250] __driver_attach+0x548/0x620
[ 85.630971] ? driver_probe_device+0x1910/0x1910
[ 85.631785] bus_for_each_dev+0x1e9/0x390
[ 85.632517] ? ftrace_likely_update+0xf8/0x120
[ 85.633298] ? bus_remove_file+0x110/0x110
[ 85.634572] ? _raw_spin_unlock+0x5d/0xf0
[ 85.635349] ? klist_add_tail+0x170/0x1e0
[ 85.636079] driver_attach+0x3d/0x50
[ 85.636746] bus_add_driver+0x7f0/0xce0
[ 85.637460] ? pci_device_remove+0x520/0x520
[ 85.638236] driver_register+0x326/0x840
[ 85.638957] __pci_register_driver+0x140/0x1a0
[ 85.639739] drm_pci_init+0x441/0x540
[ 85.640429] ? ast_init+0x168/0x168
[ 85.641112] bochs_init+0x1c/0x1e
[ 85.641748] do_one_initcall+0x203/0x4d5
[ 85.642470] ? start_kernel+0xc20/0xc20
[ 85.643207] kernel_init_freeable+0x311/0x539
[ 85.643980] ? rest_init+0x290/0x290
[ 85.644669] kernel_init+0x15/0x450
[ 85.645345] ? rest_init+0x290/0x290
[ 85.646019] ret_from_fork+0x2a/0x40
[ 85.646695] ---[ end trace 08b290464f685b02 ]---
[ 85.647882] [TTM] Finalizing pool allocator
...
/etc/rcS.d/S03udev: line 72: can't create /proc/sys/kernel/hotplug: nonexistent directory
[ 168.009132] ==================================================================
[ 168.010459] BUG: KASAN: use-after-free in fat_fill_super+0x62b0/0x6b10 at addr ffff88000d9f99f9
[ 168.011955] Read of size 1 by task mount/732
[ 168.012715] CPU: 0 PID: 732 Comm: mount Tainted: G W 4.10.0-rc3-00629-gc884738 #1
[ 168.014144] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[ 168.015818] Call Trace:
[ 168.016395] dump_stack+0x1e/0x2e
[ 168.017044] kasan_object_err+0x1c/0x90
[ 168.017752] kasan_report+0x30f/0x650
[ 168.018496] ? __might_sleep+0x183/0x200
[ 168.019216] ? fat_fill_super+0x62b0/0x6b10
[ 168.019980] ? fat_fh_to_dentry_nostale+0x260/0x260
[ 168.020848] ? __wait_on_buffer+0xe5/0x110
[ 168.021579] __asan_report_load1_noabort+0x14/0x20
[ 168.022471] fat_fill_super+0x62b0/0x6b10
[ 168.023198] ? ftrace_likely_update+0x120/0x120
[ 168.024042] ? fat_sync_inode+0x20/0x20
[ 168.024747] ? num_to_str+0x2f0/0x2f0
[ 168.025454] ? snprintf+0xa5/0xd0
[ 168.026091] ? vscnprintf+0x190/0x190
[ 168.026766] ? set_blocksize+0x3cf/0x620
[ 168.027478] msdos_fill_super+0x2e/0x40
[ 168.028265] mount_bdev+0x665/0x840
[ 168.028961] ? msdos_mount+0x40/0x40
[ 168.029629] msdos_mount+0x34/0x40
[ 168.030308] mount_fs+0xff/0x8d0
[ 168.030947] vfs_kern_mount+0x23d/0x690
[ 168.031671] ? _raw_read_unlock+0x5d/0xf0
[ 168.032436] do_mount+0xcfd/0x5c10
[ 168.033095] ? check_stack_object+0x314/0x390
[ 168.033871] ? copy_mount_string+0x40/0x40
[ 168.034604] ? _copy_from_user+0x1b7/0x330
[ 168.035378] ? memdup_user+0xba/0x1d0
[ 168.036101] ? copy_mount_options+0x54c/0x840
[ 168.036912] SyS_mount+0x2d4/0x320
[ 168.037559] entry_SYSCALL_64_fastpath+0x1f/0xc1
[ 168.038423] RIP: 0033:0x7f3b0720a21a
[ 168.039114] RSP: 002b:00007ffd2e79e268 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[ 168.040491] RAX: ffffffffffffffda RBX: 0000000000008010 RCX: 00007f3b0720a21a
[ 168.041600] RDX: 0000000000691a70 RSI: 00007ffd2e79eeb7 RDI: 00007ffd2e79eeae
[ 168.042737] RBP: 0000000000000046 R08: 0000000000000000 R09: 0101010101010101
[ 168.043873] R10: 0000000000008010 R11: 0000000000000202 R12: 0000000000008010
[ 168.044985] R13: 00007f3b076d66a8 R14: 0000000000000204 R15: 0000000000469740
[ 168.046146] Object at ffff88000d9f8000, in cache kmalloc-8192 size: 8192
[ 168.047192] Allocated:
[ 168.047742] PID = 0
[ 168.048270] (stack is not available)
[ 168.048964] Freed:
[ 168.049433] PID = 730
[ 168.049939]
[ 168.049951] [<ffffffff87cc00f5>] save_stack_trace+0x15/0x20
[ 168.051273]
[ 168.051283] [<ffffffff8844e76f>] kasan_slab_free+0xaf/0x180
[ 168.052719]
[ 168.052728] [<ffffffff8844b5b7>] kfree+0x3e7/0x590
[ 168.053963]
[ 168.053973] [<ffffffff88bf7057>] fat_fill_super+0x557/0x6b10
[ 168.055375]
[ 168.055385] [<ffffffff88c0269e>] msdos_fill_super+0x2e/0x40
[ 168.056774]
[ 168.056783] [<ffffffff884e8ae5>] mount_bdev+0x665/0x840
[ 168.058103]
[ 168.058112] [<ffffffff88c02664>] msdos_mount+0x34/0x40
[ 168.059413]
[ 168.059422] [<ffffffff884e95cf>] mount_fs+0xff/0x8d0
[ 168.060689]
[ 168.060698] [<ffffffff885a093d>] vfs_kern_mount+0x23d/0x690
[ 168.062057]
[ 168.062072] [<ffffffff885aab7d>] do_mount+0xcfd/0x5c10
[ 168.063376]
[ 168.063385] [<ffffffff885b0be4>] SyS_mount+0x2d4/0x320
[ 168.064678]
[ 168.064689] [<ffffffff8cde6d7d>] entry_SYSCALL_64_fastpath+0x1f/0xc1
[ 168.066136] Memory state around the buggy address:
[ 168.066961] ffff88000d9f9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 168.068306] ffff88000d9f9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 168.069598] >ffff88000d9f9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 168.070895] ^
[ 168.072071] ffff88000d9f9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 168.073312] ffff88000d9f9a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 168.074584] ==================================================================
git bisect start e2de845e0b84ebb7e910bb898febbf813b7df483 v4.9 --
git bisect good 50637aa7ffa614d996a004ab387ba7caf6fc95ca # 20:59 22+ 22 drm/i915: Enable support for nonblocking modeset
git bisect good 8fdded8215f460c0d56193a08fd15a8ef4dae70c # 23:04 22+ 48 drm/i915: Disable L2 cache clock gating on 830 when using the overlay
git bisect good 7b92c047bae2210874d64ae8bbb56fbd18ab6731 # 00:02 22+ 26 drm/i915: Eliminate superfluous i915_ggtt_view_rotated
git bisect good 04313b00b79405f86d815100f85c47a2ee5b8ca0 # 01:25 20+ 46 drm/i915: Don't init hpd polling for vlv and chv from runtime_suspend()
git bisect bad 1881a4234ef03751daf55b62b17e6bb0dbf7792a # 01:32 0- 48 drm/i915: Add MIPI_IO WA and program DSI regulators
git bisect good bafbcc2fd148610e897ba49a4681f088a0eb58f9 # 02:36 20+ 46 drm/i915: Disable plane gamma in SKL+ sprite planes
git bisect good 0102ba1fd8af8c2719436eaadc743f940ab525c2 # 03:36 20+ 24 drm/i915: Add early BXT sdv to the list of preproduction machines
git bisect good 4703b0472e126c715019a9671ea0fe38556114bb # 04:14 21+ 35 drm/i915: Be defensive when cleaning up i915_gem_internal pages
git bisect bad 1692cd60d999b00a0491692dab0286e6011abd36 # 04:14 0- 2156 drm/i915: Sanity check the computed size and base of stolen memory
git bisect bad c88473878d47131ccfc67a00ba688d4d7d0f4519 # 04:14 0- 541 drm/i915: Treat stolen memory as DMA addresses
# first bad commit: [c88473878d47131ccfc67a00ba688d4d7d0f4519] drm/i915: Treat stolen memory as DMA addresses
git bisect good 4703b0472e126c715019a9671ea0fe38556114bb # 17:09 903+ 936 drm/i915: Be defensive when cleaning up i915_gem_internal pages
# extra tests with CONFIG_DEBUG_INFO_REDUCED
git bisect good c88473878d47131ccfc67a00ba688d4d7d0f4519 # 07:19 901+ 905 drm/i915: Treat stolen memory as DMA addresses
# extra tests on HEAD of linux-devel/devel-spot-201702221521
git bisect bad f4868facb7536a1b7f09767c2f8f59d69c4390a2 # 07:19 0- 19 0day head guard for 'devel-spot-201702221521'
# extra tests on tree/branch drm-intel/drm-intel-next-queued
git bisect bad 9e89f9ee3b16cca56bed5fa45e63f422d3ac2c3a # 07:45 0- 4 drm/i915: Advance start address on crossing PML (48b ppgtt) boundary
# extra tests with first bad commit reverted
git bisect good 01220442668510bae6be6ae1ecde609d35f8f240 # 18:39 901+ 1728 Revert "drm/i915: Treat stolen memory as DMA addresses"
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation