Bug 101659

Summary:	[EXTENDED][SKL,KBL] KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670
Product:	DRI	Reporter:	Martin Peres <martin.peres>
Component:	DRM/Intel	Assignee:	Maarten Lankhorst <bugs>
Status:	CLOSED FIXED	QA Contact:	Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity:	critical
Priority:	highest	CC:	gary.c.wang, intel-gfx-bugs
Version:	DRI git
Hardware:	Other
OS:	All
Whiteboard:	ReadyForDev
i915 platform:	KBL, SKL	i915 features:	display/color management

Description Martin Peres 2017-06-30 08:20:30 UTC

This bug is triggered by IGT's igt@kms_pipe_color@ctm-0-25-pipe0 on kbl-7700k, skl-6100u, and skl-6700k when running a couple of days old drm-tip.

[ 6426.201216] ==================================================================
[ 6426.208870] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.217327] Read of size 2 at addr ffff8801e92f5318 by task kms_pipe_color/12456

[ 6426.226444] CPU: 0 PID: 12456 Comm: kms_pipe_color Tainted: G     U  W       4.12.0-rc7-CI-CI_DRM_450+ #1
[ 6426.226451] Hardware name: Gigabyte Technology Co., Ltd. Z170X-UD5/Z170X-UD5-CF, BIOS F22 03/06/2017
[ 6426.226458] Call Trace:
[ 6426.226470]  dump_stack+0x67/0x99
[ 6426.226483]  print_address_description+0x77/0x290
[ 6426.226589]  ? bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.226600]  kasan_report+0x269/0x350
[ 6426.226700]  ? gen8_write32+0x5b0/0x5b0 [i915]
[ 6426.226714]  __asan_report_load2_noabort+0x14/0x20
[ 6426.226816]  bdw_load_gamma_lut.isra.3+0x62b/0x670 [i915]
[ 6426.226924]  broadwell_load_luts+0x2ed/0x630 [i915]
[ 6426.227033]  intel_color_load_luts+0x69/0x90 [i915]
[ 6426.227135]  intel_begin_crtc_commit+0x253/0x890 [i915]
[ 6426.227153]  drm_atomic_helper_commit_planes_on_crtc+0x15a/0x970
[ 6426.227257]  ? intel_pre_plane_update+0x41d/0x710 [i915]
[ 6426.227268]  ? try_to_wake_up+0x797/0x1320
[ 6426.227376]  intel_update_crtc+0x1a9/0x390 [i915]
[ 6426.227483]  skl_update_crtcs+0x6bd/0xca0 [i915]
[ 6426.227596]  ? intel_update_crtcs+0x260/0x260 [i915]
[ 6426.227707]  intel_atomic_commit_tail+0xb1c/0x3c50 [i915]
[ 6426.227821]  ? skl_update_crtcs+0xca0/0xca0 [i915]
[ 6426.227832]  ? trace_hardirqs_on_caller+0x287/0x590
[ 6426.227845]  ? register_lock_class+0x1330/0x1330
[ 6426.227948]  ? intel_atomic_commit_ready+0x10a/0x158 [i915]
[ 6426.227964]  ? __lock_is_held+0x116/0x1d0
[ 6426.227989]  ? __might_sleep+0x95/0x190
[ 6426.228094]  intel_atomic_commit+0x9c0/0xfb0 [i915]
[ 6426.228205]  ? intel_atomic_commit_tail+0x3c50/0x3c50 [i915]
[ 6426.228217]  ? drm_atomic_legacy_backoff+0x1e0/0x1e0
[ 6426.228226]  ? drm_atomic_crtc_set_property+0x458/0x5c0
[ 6426.228235]  ? drm_property_blob_get+0xd/0x20
[ 6426.228246]  ? drm_atomic_set_mode_prop_for_crtc+0x200/0x200
[ 6426.228350]  ? intel_atomic_commit_tail+0x3c50/0x3c50 [i915]
[ 6426.228362]  drm_atomic_commit+0xc4/0xf0
[ 6426.228374]  drm_atomic_helper_crtc_set_property+0xfc/0x170
[ 6426.228388]  drm_mode_crtc_set_obj_prop+0x73/0xb0
[ 6426.228402]  drm_mode_obj_set_property_ioctl+0x36e/0x5a0
[ 6426.228414]  ? lock_acquire+0x390/0x390
[ 6426.228423]  ? __might_fault+0xc6/0x1b0
[ 6426.228435]  ? drm_mode_obj_find_prop_id+0x190/0x190
[ 6426.228453]  drm_ioctl+0x4ba/0xaa0
[ 6426.228463]  ? drm_mode_obj_find_prop_id+0x190/0x190
[ 6426.228479]  ? drm_getunique+0x270/0x270
[ 6426.228491]  ? _raw_spin_unlock+0x2c/0x50
[ 6426.228501]  ? __handle_mm_fault+0x1447/0x2b90
[ 6426.228515]  ? vm_insert_page+0x790/0x790
[ 6426.228533]  do_vfs_ioctl+0x17f/0xfa0
[ 6426.228548]  ? ioctl_preallocate+0x1d0/0x1d0
[ 6426.228558]  ? __do_page_fault+0x49b/0xa70
[ 6426.228569]  ? lock_acquire+0x390/0x390
[ 6426.228592]  ? __this_cpu_preempt_check+0x13/0x20
[ 6426.228602]  ? trace_hardirqs_on_caller+0x287/0x590
[ 6426.228615]  SyS_ioctl+0x3c/0x70
[ 6426.228631]  entry_SYSCALL_64_fastpath+0x1c/0xb1
[ 6426.228642] RIP: 0033:0x7f4062b35587
[ 6426.228649] RSP: 002b:00007ffc80ce26b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 6426.228664] RAX: ffffffffffffffda RBX: 00007ffc80ce40e8 RCX: 00007f4062b35587
[ 6426.228671] RDX: 00007ffc80ce26f0 RSI: 00000000c01864ba RDI: 0000000000000003
[ 6426.228679] RBP: ffffffff81209956 R08: 0000000000000061 R09: 0000000000000000
[ 6426.228686] R10: 0000000000000073 R11: 0000000000000246 R12: ffff8801ea09ff98
[ 6426.228693] R13: ffffffff81cb7c63 R14: ffff8801ea09ff70 R15: 00007ffc80ce40e8
[ 6426.228704]  ? __this_cpu_preempt_check+0x13/0x20
[ 6426.228714]  ? trace_hardirqs_off_caller+0x1d6/0x2c0

[ 6426.230331] Allocated by task 12456:
[ 6426.234104]  save_stack_trace+0x16/0x20
[ 6426.234110]  kasan_kmalloc+0xee/0x180
[ 6426.234117]  __kmalloc+0x135/0x370
[ 6426.234124]  drm_property_create_blob.part.1+0x28/0x2b0
[ 6426.234131]  drm_mode_createblob_ioctl+0xc9/0x380
[ 6426.234137]  drm_ioctl+0x4ba/0xaa0
[ 6426.234143]  do_vfs_ioctl+0x17f/0xfa0
[ 6426.234149]  SyS_ioctl+0x3c/0x70
[ 6426.234155]  entry_SYSCALL_64_fastpath+0x1c/0xb1

[ 6426.235728] Freed by task 11419:
[ 6426.239013]  save_stack_trace+0x16/0x20
[ 6426.239018]  kasan_slab_free+0xad/0x180
[ 6426.239023]  kfree+0xf1/0x310
[ 6426.239077]  i915_ppgtt_release+0x126/0x380 [i915]
[ 6426.239129]  i915_gem_context_free+0x5bf/0x750 [i915]
[ 6426.239182]  contexts_free+0x68/0xd0 [i915]
[ 6426.239234]  contexts_free_worker+0x24/0x40 [i915]
[ 6426.239241]  process_one_work+0x66f/0x1410
[ 6426.239246]  worker_thread+0xe1/0xe90
[ 6426.239251]  kthread+0x304/0x410
[ 6426.239256]  ret_from_fork+0x27/0x40

[ 6426.240788] The buggy address belongs to the object at ffff8801e92f42c8
                which belongs to the cache kmalloc-8192 of size 8192
[ 6426.253760] The buggy address is located 4176 bytes inside of
                8192-byte region [ffff8801e92f42c8, ffff8801e92f62c8)
[ 6426.265920] The buggy address belongs to the page:
[ 6426.270782] page:ffffea0007a4bc00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
[ 6426.280784] flags: 0x8000000000008100(slab|head)
[ 6426.285481] raw: 8000000000008100 0000000000000000 0000000000000000 0000000100030003
[ 6426.293358] raw: ffffea00041c9e20 ffff8801f5802fe0 ffff8801f5811700 0000000000000000
[ 6426.301262] page dumped because: kasan: bad access detected

[ 6426.308464] Memory state around the buggy address:
[ 6426.313351]  ffff8801e92f5200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6426.320702]  ffff8801e92f5280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6426.328058] >ffff8801e92f5300: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.335426]                             ^
[ 6426.339535]  ffff8801e92f5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.346883]  ffff8801e92f5400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 6426.354240] ==================================================================
[ 6426.361609] Disabling lock debugging due to kernel taint

Comment 1 Martin Peres 2017-06-30 08:20:57 UTC

Full logs: https://intel-gfx-ci.01.org/CI/kasan/skl-6700k:igt@kms_pipe_color@ctm-0-25-pipe0.html

Comment 2 Martin Peres 2017-06-30 08:23:16 UTC

Bumping the importance because it is potentially usable by ill-intended people.

Comment 3 Maarten Lankhorst 2017-07-24 09:20:23 UTC

I like KASAN bugs, easy to fix those. :)

https://patchwork.freedesktop.org/series/27783/

Comment 4 Jani Saarinen 2017-08-04 10:46:59 UTC

Fix landed.

Comment 5 Martin Peres 2017-08-04 10:50:01 UTC

Thanks Jani!

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.