Skip to content

BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]

System information

System:
  Host: el-ryzerino Kernel: 6.7.4-200.fc39.x86_64 arch: x86_64 bits: 64
    compiler: gcc v: 2.40-14.fc39 Desktop: GNOME v: 45.3 tk: GTK v: 3.24.41
    wm: gnome-shell dm: GDM Distro: Fedora release 39 (Thirty Nine)
CPU:
  Info: 16-core model: AMD Ryzen 9 5950X bits: 64 type: MT MCP arch: Zen 3+
    rev: 2 cache: L1: 1024 KiB L2: 8 MiB L3: 64 MiB
  Speed (MHz): avg: 3400 min/max: 2200/5083 boost: enabled cores: 1: 3400
    2: 3400 3: 3400 4: 3400 5: 3400 6: 3400 7: 3400 8: 3400 9: 3400 10: 3400
    11: 3400 12: 3400 13: 3400 14: 3400 15: 3400 16: 3400 17: 3400 18: 3400
    19: 3400 20: 3400 21: 3400 22: 3400 23: 3400 24: 3400 25: 3400 26: 3400
    27: 3400 28: 3400 29: 3400 30: 3400 31: 3400 32: 3400 bogomips: 217189
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Graphics:
  Device-1: AMD Navi 31 [Radeon RX 7900 XT/7900 XTX] vendor: ASRock
    driver: amdgpu v: kernel arch: RDNA-3 pcie: speed: 16 GT/s lanes: 16 ports:
    active: DP-4,HDMI-A-1 empty: DP-1, DP-2, DP-3, DP-5 bus-ID: 0e:00.0
    chip-ID: 1002:744c
  Display: server: X.Org v: 1.20.14 with: Xwayland v: 23.2.4
    compositor: gnome-shell driver: X: loaded: amdgpu
    unloaded: fbdev,modesetting,radeon,vesa dri: radeonsi gpu: amdgpu
    display-ID: :0 screens: 1
  Screen-1: 0 s-res: 4480x1440 s-dpi: 96
  Monitor-1: DP-4 mapped: DisplayPort-3 pos: right model: HP Z24n G2
    res: 1920x1200 dpi: 94 diag: 611mm (24.1")
  Monitor-2: HDMI-A-1 mapped: HDMI-A-0 pos: primary,left model: XG27WQ
    res: 2560x1440 dpi: 109 diag: 703mm (27.7")
  API: EGL v: 1.5 platforms: device: 0 drv: radeonsi device: 1 drv: swrast
    surfaceless: drv: radeonsi x11: drv: radeonsi inactive: gbm,wayland
  API: OpenGL v: 4.6 compat-v: 4.5 vendor: amd mesa v: 23.3.5 glx-v: 1.4
    direct-render: yes renderer: AMD Radeon RX 7900 GRE (radeonsi navi31 LLVM
    17.0.6 DRM 3.57 6.7.4-200.fc39.x86_64) device-ID: 1002:744c
  API: Vulkan v: 1.3.268 surfaces: xcb,xlib device: 0 type: discrete-gpu
    driver: mesa radv device-ID: 1002:744c device: 1 type: cpu
    driver: mesa llvmpipe device-ID: 10005:0000
  • OS: "Fedora Linux 39 (Workstation Edition)
  • GPU: 0e:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc. [AMD/ATI] Navi 31 [Radeon RX 7900 XT/7900 XTX] [1002:744c] (rev ce)

It is a RX 7900 GRE

  • Kernel version: Linux el-ryzerino 6.7.4-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Feb 5 22:21:14 UTC 2024 x86_64 GNU/Linux
  • Mesa version: OpenGL version string: 4.6 (Compatibility Profile) Mesa 23.3.5
  • Desktop manager and compositor: Gnome 45

Describe the issue

I noticed an error in dmesg after waking up from suspend. I am not entirely sure what caused it.

Log files as attachment

[34258.413097] ==================================================================
[34258.413099] BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x1ce/0x710 [amdgpu]

[34258.413269] Use-after-free read at 0x000000008d0cefe0 (in kfence-#98):
[34258.413270]  amdgpu_bo_move+0x1ce/0x710 [amdgpu]
[34258.413413]  ttm_bo_handle_move_mem+0xbb/0x170 [ttm]
[34258.413417]  ttm_bo_validate+0xe5/0x180 [ttm]
[34258.413422]  amdgpu_cs_bo_validate+0x9c/0x2e0 [amdgpu]
[34258.413565]  amdgpu_vm_validate_pt_bos+0xbd/0x380 [amdgpu]
[34258.413709]  amdgpu_cs_parser_bos.isra.0+0x490/0x820 [amdgpu]
[34258.413845]  amdgpu_cs_ioctl+0xa2d/0x1a30 [amdgpu]
[34258.413975]  drm_ioctl_kernel+0xd6/0x180
[34258.413978]  drm_ioctl+0x26d/0x4b0
[34258.413979]  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu]
[34258.414104]  __x64_sys_ioctl+0x97/0xd0
[34258.414107]  do_syscall_64+0x64/0xe0
[34258.414109]  entry_SYSCALL_64_after_hwframe+0x6e/0x76

[34258.414112] kfence-#98: 0x00000000dfd76b32-0x00000000f369dda2, size=240, cache=kmalloc-256

[34258.414113] allocated by task 193187 on cpu 17 at 34251.126096s:
[34258.414265]  __kmem_cache_alloc_node+0x2a7/0x2e0
[34258.414267]  kmalloc_trace+0x2a/0xa0
[34258.414269]  amdgpu_gtt_mgr_new+0x40/0x140 [amdgpu]
[34258.414403]  ttm_resource_alloc+0x3b/0x80 [ttm]
[34258.414407]  ttm_bo_mem_space+0x88/0x230 [ttm]
[34258.414411]  ttm_mem_evict_first+0x1c6/0x530 [ttm]
[34258.414415]  ttm_resource_manager_evict_all+0xa7/0x1d0 [ttm]
[34258.414419]  amdgpu_device_prepare+0x4e/0xd0 [amdgpu]
[34258.414546]  pci_pm_prepare+0x34/0x70
[34258.414547]  dpm_prepare+0x269/0x440
[34258.414549]  dpm_suspend_start+0x1e/0x90
[34258.414551]  suspend_devices_and_enter+0x16a/0x970
[34258.414552]  pm_suspend+0x25e/0x590
[34258.414553]  state_store+0x6c/0xd0
[34258.414555]  kernfs_fop_write_iter+0x136/0x1d0
[34258.414556]  vfs_write+0x23d/0x400
[34258.414558]  ksys_write+0x6f/0xf0
[34258.414559]  do_syscall_64+0x64/0xe0
[34258.414560]  entry_SYSCALL_64_after_hwframe+0x6e/0x76

[34258.414562] freed by task 53793 on cpu 27 at 34258.413092s:
[34258.414961]  ttm_resource_free+0x6b/0x80 [ttm]
[34258.414965]  ttm_bo_move_accel_cleanup+0xc8/0x2a0 [ttm]
[34258.414969]  amdgpu_bo_move+0x5d0/0x710 [amdgpu]
[34258.415099]  ttm_bo_handle_move_mem+0xbb/0x170 [ttm]
[34258.415103]  ttm_bo_validate+0xe5/0x180 [ttm]
[34258.415107]  amdgpu_cs_bo_validate+0x9c/0x2e0 [amdgpu]
[34258.415239]  amdgpu_vm_validate_pt_bos+0xbd/0x380 [amdgpu]
[34258.415374]  amdgpu_cs_parser_bos.isra.0+0x490/0x820 [amdgpu]
[34258.415505]  amdgpu_cs_ioctl+0xa2d/0x1a30 [amdgpu]
[34258.415637]  drm_ioctl_kernel+0xd6/0x180
[34258.415638]  drm_ioctl+0x26d/0x4b0
[34258.415639]  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu]
[34258.415766]  __x64_sys_ioctl+0x97/0xd0
[34258.415768]  do_syscall_64+0x64/0xe0
[34258.415769]  entry_SYSCALL_64_after_hwframe+0x6e/0x76

[34258.415771] CPU: 27 PID: 53793 Comm: firefox:cs0 Not tainted 6.7.4-200.fc39.x86_64 #1
[34258.415773] Hardware name: To Be Filled By O.E.M. B550 Taichi/B550 Taichi, BIOS P3.40 01/18/2024
[34258.415774] ==================================================================
Edited by Martin Wolf