[KASAN] DRM-Tip 5.14-rc7 use-after-free in engine_dump_request
A recent DRM-Tip 5.14-rc7 KASAN run on CI hit this on the IVB platform.
Short log:
<3> [93.118431] ==================================================================
<3> [93.118813] BUG: KASAN: use-after-free in engine_dump_request+0x8ca/0x9b0 [i915]
<3> [93.119024] Read of size 8 at addr ffff888012243748 by task gem_exec_schedu/1229
<3> [93.119083]
<3> [93.119100] CPU: 0 PID: 1229 Comm: gem_exec_schedu Not tainted 5.14.0-rc7-g329f62b04cd6-kasan_277+ #1
<3> [93.119172] Hardware name: Hewlett-Packard HP Pro 3500 Series/2ABF, BIOS 8.11 10/24/2012
<3> [93.119235] Call Trace:
<3> [93.119260] dump_stack_lvl+0x56/0x7b
<3> [93.119301] print_address_description.constprop.10+0x41/0x60
<3> [93.119351] ? engine_dump_request+0x8ca/0x9b0 [i915]
<3> [93.119519] ? engine_dump_request+0x8ca/0x9b0 [i915]
<3> [93.119700] kasan_report.cold.15+0x83/0xdf
<3> [93.119756] ? engine_dump_request+0x8ca/0x9b0 [i915]
<3> [93.119923] engine_dump_request+0x8ca/0x9b0 [i915]
<3> [93.120086] ? intel_engine_execlist_find_hung_request+0x488/0x700 [i915]
<3> [93.120267] intel_engine_dump+0x766/0xee0 [i915]
<3> [93.120435] ? intel_engine_execlist_find_hung_request+0x700/0x700 [i915]
<3> [93.120627] ? seq_vprintf+0x1a0/0x1a0
<3> [93.120705] ? intel_gt_get_awake_time+0x14a/0x210 [i915]
<3> [93.120885] i915_engine_info+0x27a/0x360 [i915]
<3> [93.121046] ? i915_wa_registers+0x260/0x260 [i915]
<3> [93.121205] ? __drm_puts_seq_file+0x40/0x40
<3> [93.121244] ? __drm_printfn_coredump+0x280/0x280
<3> [93.121297] seq_read_iter+0x3f8/0x1010
<3> [93.121343] ? lock_downgrade+0x6e0/0x6e0
<3> [93.121384] seq_read+0x358/0x4f0
<3> [93.121414] ? rwlock_bug.part.2+0x90/0x90
<3> [93.121453] ? seq_read_iter+0x1010/0x1010
<3> [93.121505] ? debugfs_file_get+0x121/0x3a0
<3> [93.121550] ? kmem_cache_free+0x409/0x600
<3> [93.121591] full_proxy_read+0xee/0x180
<3> [93.121626] ? do_sys_openat2+0x27e/0x5d0
<3> [93.121680] vfs_read+0x126/0x490
<3> [93.121730] ksys_read+0xec/0x1c0
<3> [93.121761] ? vfs_write+0x930/0x930
<3> [93.121798] ? syscall_enter_from_user_mode+0x1c/0x40
<3> [93.121846] do_syscall_64+0x3a/0xb0
<3> [93.121880] entry_SYSCALL_64_after_hwframe+0x44/0xae
<3> [93.121928] RIP: 0033:0x7fa031a0434e
<3> [93.121959] Code: 00 00 00 00 48 8b 15 71 8c 20 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 0f 1f 40 00 8b 05 ba d0 20 00 85 c0 75 16 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 5a f3 c3 0f 1f 84 00 00 00 00 00 41 54 55 49
<3> [93.122093] RSP: 002b:00007ffcc419d888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
<3> [93.122155] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa031a0434e
<3> [93.122209] RDX: 000000000000003f RSI: 0000563ac4d61d00 RDI: 000000000000000a
<3> [93.122262] RBP: 000000000000003f R08: 0000000000000000 R09: 0000000000000034
<3> [93.122316] R10: 0000000000000000 R11: 0000000000000246 R12: 0000563ac4d61d00
<3> [93.122370] R13: 000000000000000a R14: 0000000000000000 R15: 0000563ac4d61d00
<3> [93.122442]
<3> [93.122458] Allocated by task 1229:
<4> [93.122488] kasan_save_stack+0x19/0x40
<4> [93.122493] __kasan_slab_alloc+0x68/0x80
<4> [93.122497] kmem_cache_alloc+0x1d9/0x780
<4> [93.122501] i915_vma_instance+0x212/0x1970 [i915]
<4> [93.122662] eb_lookup_vmas+0xe18/0x2370 [i915]
<4> [93.122816] i915_gem_do_execbuffer+0x1189/0x43c0 [i915]
<4> [93.122956] i915_gem_execbuffer2_ioctl+0x2bf/0x810 [i915]
<4> [93.123095] drm_ioctl_kernel+0x1f7/0x3e0
<4> [93.123100] drm_ioctl+0x42b/0x8a0
<4> [93.123104] __x64_sys_ioctl+0x10d/0x170
<4> [93.123110] do_syscall_64+0x3a/0xb0
<4> [93.123114] entry_SYSCALL_64_after_hwframe+0x44/0xae
<3> [93.123119]
<3> [93.123136] Freed by task 157:
<4> [93.123163] kasan_save_stack+0x19/0x40
<4> [93.123167] kasan_set_track+0x1c/0x30
<4> [93.123171] kasan_set_free_info+0x20/0x30
<4> [93.123175] __kasan_slab_free+0xec/0x130
<4> [93.123180] kmem_cache_free+0x118/0x600
<4> [93.123183] __i915_gem_free_object+0x1a3/0x8a0 [i915]
<4> [93.123323] i915_gem_flush_free_objects+0xe5/0x130 [i915]
<4> [93.123463] process_one_work+0x8d5/0x1520
<4> [93.123468] worker_thread+0x82/0xbf0
<4> [93.123472] kthread+0x379/0x450
<4> [93.123476] ret_from_fork+0x22/0x30
<3> [93.123481]
<3> [93.123497] The buggy address belongs to the object at ffff888012243740
which belongs to the cache i915_vma of size 960
<3> [93.123585] The buggy address is located 8 bytes inside of
960-byte region [ffff888012243740, ffff888012243b00)
<3> [93.123682] The buggy address belongs to the page:
<4> [93.123722] page:ffffea0000489000 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888012245840 pfn:0x12240
<4> [93.123727] head:ffffea0000489000 order:3 compound_mapcount:0 compound_pincount:0
<4> [93.123731] flags: 0x4000000000010200(slab|head|zone=1)
<4> [93.123750] raw: 4000000000010200 ffffea00007a4208 ffff8880127e1b88 ffff888010d35bc0
<4> [93.123754] raw: ffff888012245840 000000000017000d 00000001ffffffff 0000000000000000
<4> [93.123758] page dumped because: kasan: bad access detected
<3> [93.123761]
<3> [93.123777] Memory state around the buggy address:
<3> [93.123815] ffff888012243600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3> [93.123877] ffff888012243680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3> [93.123933] >ffff888012243700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
<3> [93.123988] ^
<3> [93.124032] ffff888012243780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3> [93.124088] ffff888012243800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3> [93.124143] ==================================================================
Full log: