Bug 99952

Summary: Use after free in intel_lpe_audio_teardown
Product: DRI
Reporter: Chris Wilson <chris>
Component: DRM/Intel
Assignee: Pierre Bossart <pierre-louis.bossart>
Status: CLOSED FIXED
QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: normal
Priority: medium
CC: intel-gfx-bugs
Version: XOrg git
Hardware: Other
OS: All
Whiteboard:
i915 platform: BSW/CHT
i915 features: display/audio

Description Chris Wilson 2017-02-24 22:52:59 UTC
[   26.691040] BUG: KASAN: use-after-free in intel_lpe_audio_teardown+0x78/0xb0 [i915] at addr ffff880235a50fa0
[   26.691228] Read of size 8 by task drv_selftest/396
[   26.691390] CPU: 0 PID: 396 Comm: drv_selftest Not tainted 4.10.0+ #442
[   26.691547] Hardware name:                  /        , BIOS PYBSWCEL.86A.0027.2015.0507.1758 05/07/2015
[   26.691704] Call Trace:
[   26.691872]  dump_stack+0x4d/0x63
[   26.692037]  kasan_object_err+0x1c/0x70
[   26.692222]  kasan_report_error+0x1f1/0x4f0
[   26.692406]  ? kfree+0x7e/0x130
[   26.692570]  ? kfree_const+0x1c/0x20
[   26.692758]  kasan_report+0x34/0x40
[   26.692940]  ? online_show+0x30/0x60
[   26.693762]  ? intel_lpe_audio_teardown+0x78/0xb0 [i915]
[   26.693947]  __asan_load8+0x5e/0x70
[   26.694770]  intel_lpe_audio_teardown+0x78/0xb0 [i915]
[   26.695569]  intel_audio_deinit+0x28/0x80 [i915]
[   26.696311]  i915_driver_unload+0xe1/0x340 [i915]
[   26.697146]  ? i915_driver_load+0x1cb0/0x1cb0 [i915]
[   26.697442]  ? kernfs_find_ns+0x96/0x130
[   26.698278]  i915_pci_remove+0x23/0x30 [i915]
[   26.698579]  pci_device_remove+0x5c/0x100
[   26.698877]  device_release_driver_internal+0x1d3/0x2e0
[   26.699177]  driver_detach+0x6e/0xd0
[   26.699481]  bus_remove_driver+0x88/0x150
[   26.699775]  driver_unregister+0x3e/0x60
[   26.700072]  pci_unregister_driver+0x2b/0x100
[   26.701008]  i915_exit+0x1a/0x71 [i915]
[   26.701306]  SyS_delete_module+0x262/0x2b0
[   26.701609]  ? free_module+0x3d0/0x3d0
[   26.701900]  ? mem_cgroup_handle_over_high+0x1c/0xd0
[   26.702203]  ? exit_to_usermode_loop+0x3a/0xa0
[   26.702496]  entry_SYSCALL_64_fastpath+0x17/0x98
[   26.702781] RIP: 0033:0x7ff9007a5ec7
[   26.703033] RSP: 002b:00007ffd5a3fbc38 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
[   26.703414] RAX: ffffffffffffffda RBX: 000055c01afcb0c0 RCX: 00007ff9007a5ec7
[   26.703688] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055c01afca6b8
[   26.703953] RBP: 00007ff900a52440 R08: 0000000000000000 R09: 00007ffd5a3fbc68
[   26.704212] R10: 0000000000000062 R11: 0000000000000206 R12: 0000000000000000
[   26.704476] R13: 000055c01afc9440 R14: 0000000000000033 R15: 00007ffd5a3fac10
[   26.704750] Object at ffff880235a50d80, in cache kmalloc-1024 size: 1024
[   26.705016] Allocated:
[   26.705251] PID = 214
[   26.705505]  save_stack_trace+0x16/0x20
[   26.705767]  save_stack+0x46/0xd0
[   26.706050]  kasan_kmalloc+0xad/0xe0
[   26.706328]  __kmalloc+0x101/0x190
[   26.706612]  platform_device_alloc+0x27/0x90
[   26.706908]  platform_device_register_full+0x36/0x220
[   26.707848]  intel_lpe_audio_init+0x444/0x5b0 [i915]
[   26.708746]  intel_audio_init+0xd/0x40 [i915]
[   26.709573]  i915_driver_load+0x1352/0x1cb0 [i915]
[   26.710407]  i915_pci_probe+0x65/0xe0 [i915]
[   26.710718]  pci_device_probe+0xda/0x140
[   26.711003]  driver_probe_device+0x400/0x660
[   26.711292]  __driver_attach+0x115/0x120
[   26.711576]  bus_for_each_dev+0xe3/0x140
[   26.711862]  driver_attach+0x26/0x30
[   26.712147]  bus_add_driver+0x268/0x3b0
[   26.712435]  driver_register+0xce/0x190
[   26.712730]  __pci_register_driver+0xab/0xc0
[   26.713008]  0xffffffffa02a8063
[   26.713288]  do_one_initcall+0x8b/0x1e0
[   26.713579]  do_init_module+0x102/0x2ec
[   26.713860]  load_module+0x39a4/0x4430
[   26.714166]  SYSC_finit_module+0x169/0x1a0
[   26.714456]  SyS_finit_module+0x9/0x10
[   26.714738]  entry_SYSCALL_64_fastpath+0x17/0x98
[   26.715005] Freed:
[   26.715231] PID = 396
[   26.715486]  save_stack_trace+0x16/0x20
[   26.715746]  save_stack+0x46/0xd0
[   26.716045]  kasan_slab_free+0x73/0xc0
[   26.716327]  kfree+0x7e/0x130
[   26.716602]  platform_device_release+0x76/0x80
[   26.716887]  device_release+0x45/0xe0
[   26.717173]  kobject_release+0x99/0x1e0
[   26.717481]  kobject_put+0x30/0x60
[   26.717759]  put_device+0x12/0x20
[   26.718041]  platform_device_unregister+0x1b/0x20
[   26.718975]  intel_lpe_audio_teardown+0x5c/0xb0 [i915]
[   26.719875]  intel_audio_deinit+0x28/0x80 [i915]
[   26.720698]  i915_driver_unload+0xe1/0x340 [i915]
[   26.721528]  i915_pci_remove+0x23/0x30 [i915]
[   26.721832]  pci_device_remove+0x5c/0x100
[   26.722121]  device_release_driver_internal+0x1d3/0x2e0
[   26.722412]  driver_detach+0x6e/0xd0
[   26.722694]  bus_remove_driver+0x88/0x150
[   26.722984]  driver_unregister+0x3e/0x60
[   26.723287]  pci_unregister_driver+0x2b/0x100
[   26.724219]  i915_exit+0x1a/0x71 [i915]
[   26.724507]  SyS_delete_module+0x262/0x2b0
[   26.724787]  entry_SYSCALL_64_fastpath+0x17/0x98
[   26.725051] Memory state around the buggy address:
[   26.725310]  ffff880235a50e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.725687]  ffff880235a50f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.726092] >ffff880235a50f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.726457]                                ^
[   26.726705]  ffff880235a51000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   26.727102]  ffff880235a51080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Comment 1 Chris Wilson 2017-02-24 22:58:46 UTC
Bisect commit eef57324d926f0d8c7a40069e7d26e0cb0651b47
Author: Jerome Anand <jerome.anand@intel.com>
Date:   Wed Jan 25 04:27:49 2017 +0530

    drm/i915: setup bridge for HDMI LPE audio driver
    
    Enable support for HDMI LPE audio mode on Baytrail and
    Cherrytrail when HDaudio controller is not detected
    
    Setup minimum required resources during i915_driver_load:
    1. Create a platform device to share MMIO/IRQ resources
    2. Make the platform device child of i915 device for runtime PM.
    3. Create IRQ chip to forward HDMI LPE audio irqs.
    
    HDMI LPE audio driver (a standalone sound driver) probes the
    LPE audio device and creates a new sound card.
    
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Signed-off-by: Jerome Anand <jerome.anand@intel.com>
    Acked-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
Comment 2 Pierre Bossart 2017-02-27 14:49:13 UTC
Thanks for bisecting. I can't see any obvious issues so it'll have to be a debug session. Would you mind sharing your setup (KConfig options and commands)?
Comment 3 Chris Wilson 2017-02-27 14:59:04 UTC
diff --git a/drivers/gpu/drm/i915/intel_lpe_audio.c b/drivers/gpu/drm/i915/intel_lpe_audio.c
index 7a5b41b1c024..8d800aa60163 100644
--- a/drivers/gpu/drm/i915/intel_lpe_audio.c
+++ b/drivers/gpu/drm/i915/intel_lpe_audio.c
@@ -131,8 +131,8 @@ lpe_audio_platdev_create(struct drm_i915_private *dev_priv)
 
 static void lpe_audio_platdev_destroy(struct drm_i915_private *dev_priv)
 {
-       platform_device_unregister(dev_priv->lpe_audio.platdev);
        kfree(dev_priv->lpe_audio.platdev->dev.dma_mask);
+       platform_device_unregister(dev_priv->lpe_audio.platdev);
 }
 
 static void lpe_audio_irq_unmask(struct irq_data *d)
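Review bot: the swap makes the kfree() read of dev_priv->lpe_audio.platdev->dev.dma_mask happen while platdev is still live, which matches the KASAN report (the read of size 8 in intel_lpe_audio_teardown after platform_device_unregister's put_device path kfree'd the object), but it leaves dev.dma_mask as a dangling pointer inside a still-registered device for the duration of platform_device_unregister(). Suggest clearing it after the free, e.g. `dev_priv->lpe_audio.platdev->dev.dma_mask = NULL;` before the unregister call, or confirming nothing in the release path dereferences it. The commit message should also say who allocated dma_mask and why the driver, rather than the platform device core, is the one freeing it, since the allocation stack in the report shows only the platform_device itself coming from platform_device_register_full().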

as platdev is freed by the unregister, as KASAN says.
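The ordering hazard in this thread can be reproduced outside the kernel. The following is an added example, not code from the bug report or from i915: it models a platform device whose last put frees the whole object (the Freed: stack above), and wraps the allocator in a KASAN-style quarantine so the buggy teardown order can run and be counted instead of corrupting memory. Every `mock_` name, the two `teardown_*` functions and `run_teardown` are assumptions made for this demo.

```c
/* Added example: user-space model of the lpe_audio_platdev_destroy()
 * ordering bug plus a KASAN-like quarantine that flags reads of freed
 * objects. All mock_* names are assumptions, not kernel APIs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MOCK_QUARANTINE 16

/* Freed blocks are kept (never handed back to libc) and flagged, the way
 * KASAN poisons a freed slab object with 0xfb shadow bytes. */
static struct { void *ptr; int freed; } mock_q[MOCK_QUARANTINE];
static int mock_q_len;
static int mock_uaf_reports;   /* how many accesses hit a freed object */

static void *mock_kmalloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || mock_q_len >= MOCK_QUARANTINE)
        abort();
    mock_q[mock_q_len].ptr = p;
    mock_q[mock_q_len].freed = 0;
    mock_q_len++;
    return p;
}

static void mock_kfree(void *p)
{
    for (int i = 0; i < mock_q_len; i++) {
        if (mock_q[i].ptr != p)
            continue;
        if (mock_q[i].freed)
            abort();            /* double free would be a harness bug */
        mock_q[i].freed = 1;    /* poison instead of releasing */
        return;
    }
    abort();                    /* unknown pointer */
}

/* Shadow check done before each access made through the harness. */
static void mock_check_access(const void *obj)
{
    for (int i = 0; i < mock_q_len; i++)
        if (mock_q[i].ptr == obj && mock_q[i].freed)
            mock_uaf_reports++;
}

static void mock_quarantine_flush(void)
{
    for (int i = 0; i < mock_q_len; i++)
        free(mock_q[i].ptr);
    mock_q_len = 0;
}

/* Minimal stand-in for struct device embedded in struct platform_device. */
struct mock_device { unsigned long long *dma_mask; int refcount; };
struct mock_platdev { struct mock_device dev; };

/* Constructed stand-in for platform_device_register_full(): the device
 * object and a separately allocated dma_mask, refcount starts at 1. */
static struct mock_platdev *mock_platform_device_register_full(void)
{
    struct mock_platdev *pdev = mock_kmalloc(sizeof *pdev);
    pdev->dev.dma_mask = mock_kmalloc(sizeof *pdev->dev.dma_mask);
    *pdev->dev.dma_mask = ~0ULL;
    pdev->dev.refcount = 1;
    return pdev;
}

/* Dropping the last reference frees the whole pdev, as in the report's
 * put_device -> platform_device_release -> kfree stack. */
static void mock_platform_device_unregister(struct mock_platdev *pdev)
{
    mock_check_access(pdev);
    if (--pdev->dev.refcount == 0)
        mock_kfree(pdev);
}

/* The original order from the bisected commit: unregister, then read
 * through pdev to find dma_mask (the read KASAN reports). */
static void teardown_buggy(struct mock_platdev *pdev)
{
    mock_platform_device_unregister(pdev);
    mock_check_access(pdev);              /* pdev is already freed here */
    mock_kfree(pdev->dev.dma_mask);       /* memory still mapped only thanks to quarantine */
}

/* Safe order: take the mask while pdev is live, clear the field so the
 * release path cannot see a stale pointer, free it, then unregister. */
static void teardown_fixed(struct mock_platdev *pdev)
{
    mock_check_access(pdev);
    unsigned long long *mask = pdev->dev.dma_mask;
    pdev->dev.dma_mask = NULL;
    mock_kfree(mask);
    mock_platform_device_unregister(pdev);
}

/* Runs one teardown on a fresh device; returns the UAF count it produced. */
static int run_teardown(void (*teardown)(struct mock_platdev *))
{
    mock_quarantine_flush();
    mock_uaf_reports = 0;
    teardown(mock_platform_device_register_full());
    return mock_uaf_reports;
}

int main(void)
{
    printf("buggy order: %d use-after-free access(es)\n", run_teardown(teardown_buggy));
    printf("fixed order: %d use-after-free access(es)\n", run_teardown(teardown_fixed));
    mock_quarantine_flush();
    return 0;
}
```

The quarantine is the point of the harness: a real free would make the buggy path undefined behaviour, whereas holding the block and flagging it reproduces what KASAN's shadow memory does and lets the two orders be compared by a count.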
Comment 4 Chris Wilson 2017-04-12 21:56:32 UTC
commit 48ae80741da4b8a26b6df0f765713912bc7cc480
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Wed Apr 12 09:02:51 2017 +0100

    drm/i915: Fix use after free in lpe_audio_platdev_destroy()
