[KASAN] DRM-Tip 5.14.0 use-after-free in xcs_sanitize
A KASAN run of recent DRM-Tip exposed a use-after-free in xcs_sanitize on the following hosts:
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-bwr-2160/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-byt-clapper/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-byt-squawks/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-elk-e7500/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-hsw-4770/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-ilk-650/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-ivb-3770/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-snb-2520m/igt@i915_module_load@reload-with-fault-injection.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-snb-2600/igt@i915_module_load@reload-with-fault-injection.html
Short log:
<7> [314.706962] i915 0000:00:02.0: [drm:intel_atomic_commit_tail [i915]] [CRTC:39:pipe A]
<7> [314.929772] i915 0000:00:02.0: [drm:drm_client_release] drm_fb_helper
<3> [315.057714] ==================================================================
<3> [315.058007] BUG: KASAN: use-after-free in xcs_sanitize+0x4a/0x110 [i915]
<3> [315.058612] Write of size 4096 at addr ffff888022db6000 by task i915_module_loa/1046
<3> [315.058770]
<3> [315.058813] CPU: 1 PID: 1046 Comm: i915_module_loa Tainted: G U 5.14.0-g8c3cd60dcfa8-kasan_280+ #1
<3> [315.059011] Hardware name: Dell Inc. OptiPlex 745 /0GW726, BIOS 2.3.1 05/21/2007
<3> [315.059208] Call Trace:
<3> [315.059271] dump_stack_lvl+0x56/0x7b
<3> [315.059364] print_address_description.constprop.10+0x41/0x60
<3> [315.059490] ? xcs_sanitize+0x4a/0x110 [i915]
<3> [315.060079] ? xcs_sanitize+0x4a/0x110 [i915]
<3> [315.060609] kasan_report.cold.15+0x83/0xdf
<3> [315.060720] ? xcs_sanitize+0x4a/0x110 [i915]
<3> [315.061251] kasan_check_range+0x1c1/0x1e0
<3> [315.061354] memset+0x1f/0x40
<3> [315.061433] xcs_sanitize+0x4a/0x110 [i915]
<3> [315.061981] gt_sanitize+0x2b2/0x680 [i915]
<3> [315.062498] ? __pm_runtime_suspend+0x183/0x2e0
<3> [315.062619] intel_gt_suspend_late+0x126/0x2c0 [i915]
<3> [315.063158] i915_gem_suspend_late+0x9d/0x450 [i915]
<3> [315.063698] ? intel_wakeref_auto+0x3ba/0x520 [i915]
<3> [315.064193] ? i915_gem_suspend+0x180/0x180 [i915]
<3> [315.064746] ? preempt_schedule_common+0x37/0xc0
<3> [315.064873] i915_gem_driver_remove+0x25/0x1f0 [i915]
<3> [315.065449] i915_driver_remove+0xb2/0xe0 [i915]
<3> [315.065954] i915_pci_remove+0x34/0x70 [i915]
<3> [315.066444] pci_device_remove+0xa3/0x1f0
<3> [315.066553] device_release_driver_internal+0x1e0/0x4a0
<3> [315.066680] driver_detach+0xbc/0x180
<3> [315.066779] bus_remove_driver+0x15b/0x2d0
<3> [315.066882] pci_unregister_driver+0x28/0x220
<3> [315.066998] i915_exit+0xb7/0x30b [i915]
<3> [315.067568] __x64_sys_delete_module+0x257/0x370
<3> [315.067682] ? __ia32_sys_delete_module+0x370/0x370
<3> [315.067809] ? lockdep_hardirqs_on+0xbf/0x130
<3> [315.067914] do_syscall_64+0x3a/0xb0
<3> [315.068002] entry_SYSCALL_64_after_hwframe+0x44/0xae
<3> [315.068112] RIP: 0033:0x7efe27e42bcb
<3> [315.068196] Code: 73 01 c3 48 8b 0d c5 82 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 95 82 0c 00 f7 d8 64 89 01 48
<3> [315.068536] RSP: 002b:00007ffd331acf98 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
<3> [315.068694] RAX: ffffffffffffffda RBX: 000056288f3ee6f0 RCX: 00007efe27e42bcb
<3> [315.068833] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000056288f3ee758
<3> [315.068970] RBP: 00007efe27fd7022 R08: 0000000000000000 R09: 00007efe27f0c1a0
<3> [315.069107] R10: 000056288f3b9010 R11: 0000000000000206 R12: 0000000000000000
<3> [315.069244] R13: 00007ffd331ad690 R14: 0000000000000000 R15: 0000000000000000
<3> [315.069425]
<3> [315.069467] The buggy address belongs to the page:
<4> [315.069565] page:ffffea00008b6d80 refcount:0 mapcount:0 mapping:0000000000000000 index:0x2 pfn:0x22db6
<4> [315.069578] flags: 0x4000000000000000(zone=1)
<4> [315.069594] raw: 4000000000000000 ffffea00008b6dc8 ffffea00008c1bc8 0000000000000000
<4> [315.069606] raw: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
<4> [315.069614] page dumped because: kasan: bad access detected
<3> [315.069622]
<3> [315.069664] Memory state around the buggy address:
<3> [315.069763] ffff888022db5f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.069907] ffff888022db5f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.070050] >ffff888022db6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.070192] ^
<3> [315.070266] ffff888022db6080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.070411] ffff888022db6100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.070553] ==================================================================
<4> [315.070694] Disabling lock debugging due to kernel taint
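The report above, run through a small triage parser added here (example code, not part of the bug report or of the i915 driver): it pulls the fields worth recording out of raw dmesg lines and decodes the shadow byte at the faulting address. It assumes the generic-KASAN shadow encoding (8-byte granules; 0xff is KASAN_FREE_PAGE, 0xfb KASAN_KMALLOC_FREE, 0xfc KASAN_KMALLOC_REDZONE, 0xfe KASAN_PAGE_REDZONE) and feeds itself a trimmed copy of the lines quoted on this page. `?` frames are unwinder guesses and are skipped, as are the KASAN and stack-dump frames, so the chain it reports starts at the memset in xcs_sanitize called from gt_sanitize; the shadow byte is located from the row base address rather than from the `^` marker, whose column alignment is lost in copies like the one above.

```python
# Added example for triaging KASAN reports like the one above; not code from the
# bug report or from i915.  Assumes the generic-KASAN shadow encoding (8-byte
# granules, 0xff = KASAN_FREE_PAGE, 0xfb = KASAN_KMALLOC_FREE, and so on).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: a trimmed copy of the report lines quoted on this page.
SAMPLE_REPORT = """\
<3> [315.058007] BUG: KASAN: use-after-free in xcs_sanitize+0x4a/0x110 [i915]
<3> [315.058612] Write of size 4096 at addr ffff888022db6000 by task i915_module_loa/1046
<3> [315.059208] Call Trace:
<3> [315.059271] dump_stack_lvl+0x56/0x7b
<3> [315.059490] ? xcs_sanitize+0x4a/0x110 [i915]
<3> [315.060609] kasan_report.cold.15+0x83/0xdf
<3> [315.061354] memset+0x1f/0x40
<3> [315.061433] xcs_sanitize+0x4a/0x110 [i915]
<3> [315.061981] gt_sanitize+0x2b2/0x680 [i915]
<3> [315.062619] intel_gt_suspend_late+0x126/0x2c0 [i915]
<3> [315.068112] RIP: 0033:0x7efe27e42bcb
<3> [315.069907] ffff888022db5f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.070050] >ffff888022db6000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<3> [315.070192] ^
"""

PREFIX_RE = re.compile(r"^<\d>\s*\[\s*\d+\.\d+\]\s?")  # printk level + timestamp
BUG_RE = re.compile(r"^BUG: KASAN: (?P<cls>[\w-]+) in (?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>[^/\s]+)/(?P<pid>\d+)$")
FRAME_RE = re.compile(r"^(?P<q>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?$")
SHADOW_RE = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
INSTRUMENTATION = re.compile(r"^(dump_stack|print_address_description|kasan_|__kasan_|__asan_)")  # reporting machinery, not the bug

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory
SHADOW_LEGEND = {
    0x00: "addressable",
    0xfb: "freed heap object (KASAN_KMALLOC_FREE)",
    0xfc: "heap redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}


@dataclass
class KasanReport:
    bug_class: str          # e.g. "use-after-free", "slab-out-of-bounds"
    function: str           # symbol KASAN blamed in the BUG line
    module: Optional[str]   # module that symbol lives in, if any
    access: str             # "Read" or "Write"
    size: int               # bytes accessed
    address: int            # faulting virtual address
    task: str
    pid: int
    frames: List[Tuple[str, bool]] = field(default_factory=list)  # (symbol, reliable?)
    shadow: Dict[int, bytes] = field(default_factory=dict)        # row base -> 16 shadow bytes

    def culprit_chain(self, depth: int = 3) -> List[str]:
        # Innermost reliable frames above the KASAN/stack-dump machinery; '?' frames are guesses.
        chain: List[str] = []
        for sym, reliable in self.frames:
            if reliable and not INSTRUMENTATION.match(sym):
                chain.append(sym)
                if len(chain) == depth:
                    break
        return chain

    def shadow_state(self) -> Optional[str]:
        # Locate the shadow byte by row base address, not by the '^' marker whose column is often lost.
        for base, row in self.shadow.items():
            if base <= self.address < base + len(row) * SHADOW_GRANULE:
                value = row[(self.address - base) // SHADOW_GRANULE]
                if 1 <= value <= 7:
                    return f"partially addressable ({value} of 8 bytes valid)"
                return SHADOW_LEGEND.get(value, f"unknown shadow value 0x{value:02x}")
        return None


def parse_kasan_report(text: str) -> KasanReport:
    fields: Dict[str, object] = {}
    frames: List[Tuple[str, bool]] = []
    shadow: Dict[int, bytes] = {}
    in_trace = False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                frames.append((m["sym"], m["q"] is None))
                continue
            if line in ("<TASK>", "</TASK>"):  # markers newer kernels print around the trace
                continue
            in_trace = False  # first other line ends the trace
        if line == "Call Trace:":
            in_trace = True
        elif (m := BUG_RE.match(line)):
            fields.update(bug_class=m["cls"], function=m["sym"], module=m["mod"])
        elif (m := ACCESS_RE.match(line)):
            fields.update(access=m["kind"], size=int(m["size"]), address=int(m["addr"], 16), task=m["task"], pid=int(m["pid"]))
        elif (m := SHADOW_RE.match(line)):
            shadow[int(m["base"], 16)] = bytes.fromhex(m["bytes"].replace(" ", ""))
    return KasanReport(frames=frames, shadow=shadow, **fields)
```

On this report the shadow byte under the marked address is 0xff, a freed page, which agrees with the `refcount:0` in the page dump: the 4096-byte memset in xcs_sanitize lands on a page that has already been returned to the page allocator, reached through the suspend path that i915 module unload runs (i915_exit, pci_unregister_driver, i915_gem_suspend_late, intel_gt_suspend_late, gt_sanitize).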