[ 1908.329674] BUG: KASAN: use-after-free in amdgpu_vm_update_directories+0x224/0x540 [amdgpu] [ 1908.329678] Read of size 8 at addr ffff8886a3737290 by task Xorg/1454 [ 1908.329684] CPU: 0 PID: 1454 Comm: Xorg Tainted: G W E 5.2.0-rc1-g04430fc3cbe3-dirty #23 [ 1908.329686] Hardware name: Gigabyte Technology Co., Ltd. X470 AORUS ULTRA GAMING/X470 AORUS ULTRA GAMING-CF, BIOS F6 01/25/2019 [ 1908.329688] Call Trace: [ 1908.329693] dump_stack+0x71/0xa0 [ 1908.329889] ? amdgpu_vm_update_directories+0x224/0x540 [amdgpu] [ 1908.329892] print_address_description+0x65/0x22e [ 1908.330086] ? amdgpu_vm_update_directories+0x224/0x540 [amdgpu] [ 1908.330280] ? amdgpu_vm_update_directories+0x224/0x540 [amdgpu] [ 1908.330282] __kasan_report.cold.3+0x1a/0x3d [ 1908.330477] ? amdgpu_vm_update_directories+0x224/0x540 [amdgpu] [ 1908.330479] kasan_report+0xe/0x20 [ 1908.330672] amdgpu_vm_update_directories+0x224/0x540 [amdgpu] [ 1908.330867] ? amdgpu_vm_map_gart+0x30/0x30 [amdgpu] [ 1908.330870] ? _raw_spin_lock+0x7a/0xd0 [ 1908.330872] ? _raw_spin_lock_irqsave+0xf0/0xf0 [ 1908.331062] ? amdgpu_mm_wreg+0xc2/0x220 [amdgpu] [ 1908.331066] ? __list_del_entry_valid+0x64/0x7c [ 1908.331259] ? amdgpu_vm_bo_update+0x80b/0xcd0 [amdgpu] [ 1908.331453] amdgpu_gem_va_ioctl+0x716/0x830 [amdgpu] [ 1908.331646] ? amdgpu_gem_metadata_ioctl+0x250/0x250 [amdgpu] [ 1908.331649] ? refcount_dec_if_one+0xb0/0xb0 [ 1908.331842] ? amdgpu_gem_object_open+0x1d5/0x230 [amdgpu] [ 1908.332042] ? amdgpu_gem_create_ioctl+0x2c8/0x3f0 [amdgpu] [ 1908.332235] ? amdgpu_gem_object_close+0x300/0x300 [amdgpu] [ 1908.332239] ? __vm_insert_mixed+0x153/0x1a0 [ 1908.332271] ? drm_dbg+0xa3/0x140 [drm] [ 1908.332468] ? amdgpu_gem_metadata_ioctl+0x250/0x250 [amdgpu] [ 1908.332500] drm_ioctl_kernel+0x14d/0x1a0 [drm] [ 1908.332532] ? drm_setversion+0x330/0x330 [drm] [ 1908.332535] ? check_stack_object+0x22/0x60 [ 1908.332567] drm_ioctl+0x333/0x560 [drm] [ 1908.332764] ? amdgpu_gem_metadata_ioctl+0x250/0x250 [amdgpu] [ 1908.332795] ? drm_version+0x150/0x150 [drm] [ 1908.332799] ? rpm_resume+0x13f/0xab0 [ 1908.332801] ? rpm_put_suppliers+0x80/0x80 [ 1908.332804] ? _raw_spin_lock_irqsave+0x8d/0xf0 [ 1908.332806] ? _raw_write_lock_irqsave+0xe0/0xe0 [ 1908.333000] amdgpu_drm_ioctl+0x76/0xd0 [amdgpu] [ 1908.333004] do_vfs_ioctl+0x137/0x8f0 [ 1908.333007] ? ioctl_preallocate+0x140/0x140 [ 1908.333010] ? __fget+0x14c/0x1b0 [ 1908.333012] ? copy_fd_bitmaps+0x110/0x110 [ 1908.333015] ? __count_memcg_events.part.50+0xd2/0x100 [ 1908.333018] ksys_ioctl+0x60/0x90 [ 1908.333021] __x64_sys_ioctl+0x3d/0x50 [ 1908.333024] do_syscall_64+0x73/0x170 [ 1908.333027] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1908.333029] RIP: 0033:0x7f72e1128427 [ 1908.333032] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48 [ 1908.333033] RSP: 002b:00007ffec5992e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1908.333036] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f72e1128427 [ 1908.333038] RDX: 00007ffec5992e60 RSI: 00000000c0286448 RDI: 000000000000000d [ 1908.333039] RBP: 00007ffec5992e40 R08: ffff800100c00000 R09: 000000000000000e [ 1908.333040] R10: 0000000000000035 R11: 0000000000000246 R12: 00007ffec5992e60 [ 1908.333041] R13: 00000000c0286448 R14: 000000000000000d R15: 0000000000200000 [ 1908.333045] Allocated by task 1454: [ 1908.333050] save_stack+0x19/0x80 [ 1908.333052] __kasan_kmalloc.constprop.12+0xc1/0xd0 [ 1908.333247] amdgpu_bo_do_create+0x225/0x7a0 [amdgpu] [ 1908.333442] amdgpu_bo_create+0x96/0x3f0 [amdgpu] [ 1908.333639] amdgpu_vm_update_ptes+0x42b/0xa00 [amdgpu] [ 1908.333836] amdgpu_vm_bo_update_mapping+0x159/0x1a0 [amdgpu] [ 1908.334033] amdgpu_vm_bo_update+0x5b1/0xcd0 [amdgpu] [ 1908.334229] amdgpu_gem_va_ioctl+0x804/0x830 [amdgpu] [ 1908.334260] drm_ioctl_kernel+0x14d/0x1a0 [drm] [ 1908.334291] drm_ioctl+0x333/0x560 [drm] [ 1908.334484] amdgpu_drm_ioctl+0x76/0xd0 [amdgpu] [ 1908.334486] do_vfs_ioctl+0x137/0x8f0 [ 1908.334488] ksys_ioctl+0x60/0x90 [ 1908.334490] __x64_sys_ioctl+0x3d/0x50 [ 1908.334492] do_syscall_64+0x73/0x170 [ 1908.334494] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1908.334496] Freed by task 552: [ 1908.334500] save_stack+0x19/0x80 [ 1908.334502] __kasan_slab_free+0x125/0x170 [ 1908.334504] kfree+0x90/0x1d0 [ 1908.334513] ttm_bo_release_list+0x212/0x270 [ttm] [ 1908.334522] ttm_bo_delayed_delete+0x129/0x320 [ttm] [ 1908.334530] ttm_bo_delayed_workqueue+0x17/0x50 [ttm] [ 1908.334533] process_one_work+0x382/0x6c0 [ 1908.334535] worker_thread+0x57/0x5b0 [ 1908.334537] kthread+0x1ae/0x1d0 [ 1908.334538] ret_from_fork+0x22/0x40 [ 1908.334541] The buggy address belongs to the object at ffff8886a3736e80 which belongs to the cache kmalloc-2k of size 2048 [ 1908.334545] The buggy address is located 1040 bytes inside of 2048-byte region [ffff8886a3736e80, ffff8886a3737680) [ 1908.334547] The buggy address belongs to the page: [ 1908.334550] page:ffffea001a8dcc00 refcount:1 mapcount:0 mapping:ffff88877dc0ea00 index:0x0 compound_mapcount: 0 [ 1908.334553] flags: 0x17fffc000010200(slab|head) [ 1908.334557] raw: 017fffc000010200 dead000000000100 dead000000000200 ffff88877dc0ea00 [ 1908.334559] raw: 0000000000000000 00000000000f000f 00000001ffffffff 0000000000000000 [ 1908.334560] page dumped because: kasan: bad access detected [ 1908.334562] Memory state around the buggy address: [ 1908.334565] ffff8886a3737180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1908.334567] ffff8886a3737200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1908.334570] >ffff8886a3737280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1908.334572] ^ [ 1908.334574] ffff8886a3737300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1908.334577] ffff8886a3737380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1908.334578] ================================================================== [ 1908.334580] Disabling lock debugging due to kernel taint [ 1908.334672] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 1908.334679] #PF: supervisor read access in kernel mode [ 1908.334683] #PF: error_code(0x0000) - not-present page [ 1908.334688] PGD 0 P4D 0 [ 1908.334697] Oops: 0000 [#1] SMP KASAN NOPTI [ 1908.334704] CPU: 0 PID: 1454 Comm: Xorg Tainted: G B W E 5.2.0-rc1-g04430fc3cbe3-dirty #23 [ 1908.334709] Hardware name: Gigabyte Technology Co., Ltd. X470 AORUS ULTRA GAMING/X470 AORUS ULTRA GAMING-CF, BIOS F6 01/25/2019 [ 1908.334913] RIP: 0010:amdgpu_vm_update_directories+0x24e/0x540 [amdgpu] [ 1908.334920] Code: 49 8b 9f 10 04 00 00 48 85 db 74 13 48 8d bb c8 02 00 00 e8 74 6d 35 e4 48 8b 9b c8 02 00 00 48 8d 7b 08 31 ed e8 62 6d 35 e4 <4c> 8b 73 08 49 8d be 10 04 00 00 e8 52 6d 35 e4 49 8b 86 10 04 00 [ 1908.334925] RSP: 0018:ffff8887575af708 EFLAGS: 00010246 [ 1908.334933] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffc0e3d77e [ 1908.334937] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000008 [ 1908.334942] RBP: 0000000000000000 R08: ffffed10efc440bd R09: ffffed10efc440bc [ 1908.334946] R10: ffffed10efc440bc R11: ffff88877e2205e7 R12: ffff88876e689980 [ 1908.334958] R13: ffff88876e6899a0 R14: ffff888755520b78 R15: ffff8886a3736e80 [ 1908.334964] FS: 00007f72e09e7f00(0000) GS:ffff88877e200000(0000) knlGS:0000000000000000 [ 1908.334968] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1908.334973] CR2: 0000000000000008 CR3: 000000075763a000 CR4: 00000000003406f0 [ 1908.334978] Call Trace: [ 1908.335182] ? amdgpu_vm_map_gart+0x30/0x30 [amdgpu] [ 1908.335189] ? _raw_spin_lock+0x7a/0xd0 [ 1908.335196] ? _raw_spin_lock_irqsave+0xf0/0xf0 [ 1908.335395] ? amdgpu_mm_wreg+0xc2/0x220 [amdgpu] [ 1908.335406] ? __list_del_entry_valid+0x64/0x7c [ 1908.335608] ? amdgpu_vm_bo_update+0x80b/0xcd0 [amdgpu] [ 1908.335812] amdgpu_gem_va_ioctl+0x716/0x830 [amdgpu] [ 1908.336039] ? amdgpu_gem_metadata_ioctl+0x250/0x250 [amdgpu] [ 1908.336048] ? refcount_dec_if_one+0xb0/0xb0 [ 1908.336243] ? amdgpu_gem_object_open+0x1d5/0x230 [amdgpu] [ 1908.336453] ? amdgpu_gem_create_ioctl+0x2c8/0x3f0 [amdgpu] [ 1908.336659] ? amdgpu_gem_object_close+0x300/0x300 [amdgpu] [ 1908.336670] ? __vm_insert_mixed+0x153/0x1a0 [ 1908.336708] ? drm_dbg+0xa3/0x140 [drm] [ 1908.336913] ? amdgpu_gem_metadata_ioctl+0x250/0x250 [amdgpu] [ 1908.336950] drm_ioctl_kernel+0x14d/0x1a0 [drm] [ 1908.336989] ? drm_setversion+0x330/0x330 [drm] [ 1908.336995] ? check_stack_object+0x22/0x60 [ 1908.337031] drm_ioctl+0x333/0x560 [drm] [ 1908.337236] ? amdgpu_gem_metadata_ioctl+0x250/0x250 [amdgpu] [ 1908.337273] ? drm_version+0x150/0x150 [drm] [ 1908.337282] ? rpm_resume+0x13f/0xab0 [ 1908.337289] ? rpm_put_suppliers+0x80/0x80 [ 1908.337294] ? _raw_spin_lock_irqsave+0x8d/0xf0 [ 1908.337297] ? _raw_write_lock_irqsave+0xe0/0xe0 [ 1908.337496] amdgpu_drm_ioctl+0x76/0xd0 [amdgpu] [ 1908.337504] do_vfs_ioctl+0x137/0x8f0 [ 1908.337509] ? ioctl_preallocate+0x140/0x140 [ 1908.337512] ? __fget+0x14c/0x1b0 [ 1908.337515] ? copy_fd_bitmaps+0x110/0x110 [ 1908.337519] ? __count_memcg_events.part.50+0xd2/0x100 [ 1908.337525] ksys_ioctl+0x60/0x90 [ 1908.337532] __x64_sys_ioctl+0x3d/0x50 [ 1908.337537] do_syscall_64+0x73/0x170 [ 1908.337541] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 1908.337543] RIP: 0033:0x7f72e1128427 [ 1908.337546] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48 [ 1908.337549] RSP: 002b:00007ffec5992e18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 1908.337552] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f72e1128427 [ 1908.337556] RDX: 00007ffec5992e60 RSI: 00000000c0286448 RDI: 000000000000000d [ 1908.337562] RBP: 00007ffec5992e40 R08: ffff800100c00000 R09: 000000000000000e [ 1908.337566] R10: 0000000000000035 R11: 0000000000000246 R12: 00007ffec5992e60 [ 1908.337571] R13: 00000000c0286448 R14: 000000000000000d R15: 0000000000200000 [ 1908.337576] Modules linked in: fuse(E) snd_hda_codec_realtek(E) snd_hda_codec_generic(E) ledtrig_audio(E) binfmt_misc(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) snd_hda_codec_hdmi(E) efi_pstore(E) snd_hda_intel(E) snd_hda_codec(E) joydev(E) snd_hwdep(E) snd_hda_core(E) snd_pcm(E) pcspkr(E) snd_timer(E) efivars(E) k10temp(E) ccp(E) snd(E) sg(E) sp5100_tco(E) soundcore(E) rng_core(E) wmi_bmof(E) mxm_wmi(E) pcc_cpufreq(E) evdev(E) wmi(E) button(E) acpi_cpufreq(E) parport_pc(E) ppdev(E) lp(E) parport(E) efivarfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) algif_skcipher(E) af_alg(E) dm_crypt(E) dm_mod(E) hid_generic(E) usbhid(E) hid(E) sd_mod(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) amdgpu(E) gpu_sched(E) ttm(E) aesni_intel(E) ahci(E) aes_x86_64(E) xhci_pci(E) glue_helper(E) libahci(E) drm_kms_helper(E) crypto_simd(E) cryptd(E) xhci_hcd(E) libata(E) drm(E) igb(E) i2c_piix4(E) dca(E) usbcore(E) scsi_mod(E) [ 1908.337620] i2c_algo_bit(E) gpio_amdpt(E) gpio_generic(E) [ 1908.337628] CR2: 0000000000000008 [ 1908.337631] ---[ end trace ce347a45bce0f80d ]--- [ 1908.554828] RIP: 0010:amdgpu_vm_update_directories+0x24e/0x540 [amdgpu] [ 1908.554833] Code: 49 8b 9f 10 04 00 00 48 85 db 74 13 48 8d bb c8 02 00 00 e8 74 6d 35 e4 48 8b 9b c8 02 00 00 48 8d 7b 08 31 ed e8 62 6d 35 e4 <4c> 8b 73 08 49 8d be 10 04 00 00 e8 52 6d 35 e4 49 8b 86 10 04 00 [ 1908.554835] RSP: 0018:ffff8887575af708 EFLAGS: 00010246 [ 1908.554838] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffc0e3d77e [ 1908.554840] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000008 [ 1908.554844] RBP: 0000000000000000 R08: ffffed10efc440bd R09: ffffed10efc440bc [ 1908.554846] R10: ffffed10efc440bc R11: ffff88877e2205e7 R12: ffff88876e689980 [ 1908.554848] R13: ffff88876e6899a0 R14: ffff888755520b78 R15: ffff8886a3736e80 [ 1908.554851] FS: 00007f72e09e7f00(0000) GS:ffff88877e200000(0000) knlGS:0000000000000000 [ 1908.554853] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1908.554855] CR2: 0000000000000008 CR3: 000000075763a000 CR4: 00000000003406f0