[KASAN] DRM-Tip 5.14.0 slab-out-of-bounds in connector_bad_edid
Recent DRM-Tip 5.14.0 KASAN run exposed a slab-out-of-bounds in connector_bad_edid on the following hosts:
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-hsw-gt1/boot.html
- https://intel-gfx-ci.01.org/tree/drm-tip/kasan_280/fi-kbl-guc/boot.html
Short log:
<6>[ 33.316123] i915 0000:00:02.0: [drm] DRM_I915_DEBUG enabled
<6>[ 33.316130] i915 0000:00:02.0: [drm] DRM_I915_DEBUG_GEM enabled
<6>[ 33.316137] i915 0000:00:02.0: [drm] DRM_I915_DEBUG_RUNTIME_PM enabled
<3>[ 33.338284] ==================================================================
<3>[ 33.338535] BUG: KASAN: slab-out-of-bounds in connector_bad_edid+0x2fa/0x3a0
<3>[ 33.338699] Read of size 1 at addr ffff888109cb5780 by task kworker/u4:0/7
<3>[ 33.338898] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.14.0-g8c3cd60dcfa8-kasan_280+ #1
<3>[ 33.339084] Hardware name: Intel Corporation Shark Bay Client platform/WhiteTip Mountain 1, BIOS HSWLPTU1.86C.0137.R00.1403031632 03/03/2014
<3>[ 33.339350] Workqueue: events_unbound async_run_entry_fn
<3>[ 33.339485] Call Trace:
<3>[ 33.339553] dump_stack_lvl+0x56/0x7b
<3>[ 33.339653] print_address_description.constprop.10+0x41/0x60
<3>[ 33.339790] ? connector_bad_edid+0x2fa/0x3a0
<3>[ 33.339895] ? connector_bad_edid+0x2fa/0x3a0
<3>[ 33.340007] kasan_report.cold.15+0x83/0xdf
<3>[ 33.340124] ? connector_bad_edid+0x2fa/0x3a0
<3>[ 33.340242] connector_bad_edid+0x2fa/0x3a0
<3>[ 33.340354] ? drm_edid_get_monitor_name+0xf0/0xf0
<3>[ 33.340503] ? drm_edid_block_valid+0x4e0/0x4e0
<3>[ 33.340613] drm_do_get_edid+0xe5/0x480
<3>[ 33.340713] ? verify_async_put_domains_state+0x16/0x570 [i915]
<3>[ 33.341272] drm_get_edid+0x9e/0x110
<3>[ 33.341369] ? drm_do_get_edid+0x480/0x480
<3>[ 33.341486] ? intel_gmbus_is_valid_pin+0xac/0x140 [i915]
<3>[ 33.341976] ? intel_display_power_get+0x4e/0x60 [i915]
<3>[ 33.342465] intel_hdmi_set_edid+0x106/0x790 [i915]
<3>[ 33.342966] intel_hdmi_detect+0x20b/0x3b0 [i915]
<3>[ 33.343429] ? drm_modeset_lock+0xb3/0x300
<3>[ 33.343550] drm_helper_probe_detect+0x173/0x1f0
<3>[ 33.343676] drm_helper_probe_single_connector_modes+0x1064/0x18a0
<3>[ 33.343825] ? lockdep_hardirqs_on_prepare+0x400/0x400
<3>[ 33.344004] ? __mutex_lock+0x5a7/0x1370
<3>[ 33.344109] ? drm_connector_mode_valid+0x1b0/0x1b0
<3>[ 33.344312] drm_client_modeset_probe+0x43d/0x2a80
<3>[ 33.344504] ? drm_client_firmware_config.isra.9+0x1b20/0x1b20
<3>[ 33.344676] ? intel_fbdev_unregister+0xe0/0xe0 [i915]
<3>[ 33.345146] __drm_fb_helper_initial_config_and_unlock+0x11d/0x1180
<3>[ 33.345315] ? drm_fb_helper_initial_config+0x21/0x30
<3>[ 33.345454] ? drm_setup_crtcs_fb+0x620/0x620
<3>[ 33.345566] ? mark_held_locks+0xb0/0x110
<3>[ 33.345719] ? intel_fbdev_unregister+0xe0/0xe0 [i915]
<3>[ 33.346186] intel_fbdev_initial_config+0x36/0x80 [i915]
<3>[ 33.346657] async_run_entry_fn+0x90/0x4f0
<3>[ 33.346784] process_one_work+0x8d5/0x1520
<3>[ 33.346924] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
<3>[ 33.347032] ? do_raw_spin_lock+0x121/0x290
<3>[ 33.347186] worker_thread+0x82/0xbf0
<3>[ 33.347311] ? process_one_work+0x1520/0x1520
<3>[ 33.347420] kthread+0x379/0x450
<3>[ 33.347505] ? set_kthread_struct+0x100/0x100
<3>[ 33.347623] ret_from_fork+0x22/0x30
<3>[ 33.347817] Allocated by task 7:
<4>[ 33.347897] kasan_save_stack+0x19/0x40
<4>[ 33.347909] __kasan_kmalloc+0x7f/0xa0
<4>[ 33.347919] drm_do_get_edid+0x6f/0x480
<4>[ 33.347929] drm_get_edid+0x9e/0x110
<4>[ 33.347938] intel_hdmi_set_edid+0x106/0x790 [i915]
<4>[ 33.348302] intel_hdmi_detect+0x20b/0x3b0 [i915]
<4>[ 33.348659] drm_helper_probe_detect+0x173/0x1f0
<4>[ 33.348672] drm_helper_probe_single_connector_modes+0x1064/0x18a0
<4>[ 33.348684] drm_client_modeset_probe+0x43d/0x2a80
<4>[ 33.348694] __drm_fb_helper_initial_config_and_unlock+0x11d/0x1180
<4>[ 33.348707] intel_fbdev_initial_config+0x36/0x80 [i915]
<4>[ 33.349061] async_run_entry_fn+0x90/0x4f0
<4>[ 33.349074] process_one_work+0x8d5/0x1520
<4>[ 33.349084] worker_thread+0x82/0xbf0
<4>[ 33.349094] kthread+0x379/0x450
<4>[ 33.349103] ret_from_fork+0x22/0x30
<3>[ 33.349160] The buggy address belongs to the object at ffff888109cb5700
which belongs to the cache kmalloc-128 of size 128
<3>[ 33.349422] The buggy address is located 0 bytes to the right of
128-byte region [ffff888109cb5700, ffff888109cb5780)
<3>[ 33.349677] The buggy address belongs to the page:
<4>[ 33.349787] page:ffffea0004272d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x109cb4
<4>[ 33.349798] head:ffffea0004272d00 order:1 compound_mapcount:0
<4>[ 33.349807] flags: 0x8000000000010200(slab|head|zone=2)
<4>[ 33.349821] raw: 8000000000010200 ffffea00041cd588 ffffea00041c0d08 ffff8881000431c0
<4>[ 33.349831] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
<4>[ 33.349838] page dumped because: kasan: bad access detected
<3>[ 33.349891] Memory state around the buggy address:
<3>[ 33.350001] ffff888109cb5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3>[ 33.350162] ffff888109cb5700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
<3>[ 33.350323] >ffff888109cb5780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3>[ 33.350483] ^
<3>[ 33.350562] ffff888109cb5800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3>[ 33.350724] ffff888109cb5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3>[ 33.350884] ==================================================================
<4>[ 33.351045] Disabling lock debugging due to kernel taint
<7>[ 33.356673] i915 0000:00:02.0: [drm:connector_bad_edid] HDMI-A-2: EDID is invalid:
<7>[ 33.356692] [00] BAD 00 ff ff ff ff ff ff 00 05 e3 cd 0c 00 00 00 00
<7>[ 33.356697] [00] BAD 03 1b 01 03 80 3e 22 78 ea 1e c5 ae 4f 34 b1 26
<7>[ 33.356701] [00] BAD 00 50 54 2f cf 00 d1 cf b3 00 a9 c0 95 00 81 81
<7>[ 33.356705] [00] BAD 81 00 81 c0 d1 00 02 3a 80 18 71 38 2d 40 58 2c
<7>[ 33.356708] [00] BAD 35 00 e0 0e 11 00 00 1a e2 68 00 a0 a0 40 2e 60
<7>[ 33.356712] [00] BAD 30 20 36 00 80 90 21 00 00 1a 56 5e 00 a0 a0 a0
<7>[ 33.356715] [00] BAD 29 50 30 20 36 00 80 68 21 00 00 1a 00 00 00 fc
<7>[ 33.356719] [00] BAD 00 32 38 45 38 35 30 0a 20 20 20 20 20 20 01 b2
<7>[ 33.356753] i915 0000:00:02.0: [drm:intel_hdmi_set_edid [i915]] HDMI GMBUS EDID read failed, retry using GPIO bit-banging
<7>[ 33.357158] i915 0000:00:02.0: [drm:intel_gmbus_force_bit [i915]] enabling bit-banging on i915 gmbus dpc. force bit now 1
<7>[ 33.642539] i915 0000:00:02.0: [drm:connector_bad_edid] HDMI-A-2: EDID is invalid:
<7>[ 33.642560] [00] BAD 00 ff ff ff ff ff ff 00 05 e3 cd 0c 00 00 00 00
<7>[ 33.642565] [00] BAD 03 1b 01 03 80 3e 22 78 ea 1e c5 ae 4f 34 b1 26
<7>[ 33.642568] [00] BAD 00 50 54 2f cf 00 d1 cf b3 00 a9 c0 95 00 81 81
<7>[ 33.642572] [00] BAD 81 00 81 c0 d1 00 02 3a 80 18 71 38 2d 40 58 2c
<7>[ 33.642576] [00] BAD 35 00 e0 0e 11 00 00 1a e2 68 00 a0 a0 40 2e 60
<7>[ 33.642579] [00] BAD 30 20 36 00 80 90 21 00 00 1a 56 5e 00 a0 a0 a0
<7>[ 33.642583] [00] BAD 29 50 30 20 36 00 80 68 21 00 00 1a 00 00 00 fc
<7>[ 33.642586] [00] BAD 00 32 38 45 38 35 30 0a 20 20 20 20 20 20 01 b2
<7>[ 33.642617] i915 0000:00:02.0: [drm:intel_gmbus_force_bit [i915]] disabling bit-banging on i915 gmbus dpc. force bit now 0
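Added illustration, not part of the CI report and not DRM code. Two things in the log line up: the base block dumped in the "[00] BAD" rows has an intact 8-byte header but its 128 bytes sum to 0xf2 rather than 0x00 (the checksum byte would have to be 0xc0 for the block to validate), consistent with it being flagged BAD, and its byte at offset 0x7e is 0x01, i.e. it claims one extension block. KASAN puts the 1-byte read at exactly 0 bytes past a single 128-byte kmalloc-128 object, which is the first byte of an extension block that was never read into the allocation. The C below reproduces that arithmetic in user space on the dumped bytes and shows the check a practitioner wants here: bound the extension index by the number of blocks actually present in the buffer, not by the untrusted header byte. The struct edid_buf layout, the function names and the constructed CTA extension block are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDID_LENGTH    128
#define EDID_EXT_COUNT 0x7e   /* offset of the extension-block count in the base block */

/* Base block exactly as dumped in the "[00] BAD" rows of the log above. */
const uint8_t kasan_log_edid[EDID_LENGTH] = {
    0x00,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x05,0xe3,0xcd,0x0c,0x00,0x00,0x00,0x00,
    0x03,0x1b,0x01,0x03,0x80,0x3e,0x22,0x78,0xea,0x1e,0xc5,0xae,0x4f,0x34,0xb1,0x26,
    0x00,0x50,0x54,0x2f,0xcf,0x00,0xd1,0xcf,0xb3,0x00,0xa9,0xc0,0x95,0x00,0x81,0x81,
    0x81,0x00,0x81,0xc0,0xd1,0x00,0x02,0x3a,0x80,0x18,0x71,0x38,0x2d,0x40,0x58,0x2c,
    0x35,0x00,0xe0,0x0e,0x11,0x00,0x00,0x1a,0xe2,0x68,0x00,0xa0,0xa0,0x40,0x2e,0x60,
    0x30,0x20,0x36,0x00,0x80,0x90,0x21,0x00,0x00,0x1a,0x56,0x5e,0x00,0xa0,0xa0,0xa0,
    0x29,0x50,0x30,0x20,0x36,0x00,0x80,0x68,0x21,0x00,0x00,0x1a,0x00,0x00,0x00,0xfc,
    0x00,0x32,0x38,0x45,0x38,0x35,0x30,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x01,0xb2,
};

/* Constructed (not from the log) CTA-861 extension: tag 0x02, revision 3,
 * no data blocks, checksum chosen so the block sums to 0. */
const uint8_t constructed_cta_ext[EDID_LENGTH] = { 0x02, 0x03, 0x04, 0x00, [EDID_LENGTH - 1] = 0xf7 };

/* Sum of all 128 bytes mod 256; a well-formed block sums to 0. */
uint8_t edid_block_sum(const uint8_t *block)
{
    unsigned sum = 0;
    for (size_t i = 0; i < EDID_LENGTH; i++)
        sum += block[i];
    return (uint8_t)sum;
}

/* Checksum byte that would make the block sum to 0. */
uint8_t edid_expected_checksum(const uint8_t *block)
{
    unsigned sum = 0;
    for (size_t i = 0; i < EDID_LENGTH - 1; i++)
        sum += block[i];
    return (uint8_t)(0x100 - (sum & 0xff));
}

bool edid_header_ok(const uint8_t *base)
{
    static const uint8_t hdr[8] = { 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00 };
    return memcmp(base, hdr, sizeof hdr) == 0;
}

bool edid_block_valid(const uint8_t *base)
{
    return edid_header_ok(base) && edid_block_sum(base) == 0;
}

/* Extension count as claimed by the base block. Untrusted: it arrives over DDC/I2C. */
unsigned edid_claimed_extensions(const uint8_t *base)
{
    return base[EDID_EXT_COUNT];
}

/* Assumed layout: num_blocks consecutive 128-byte blocks, i.e. the allocation size. */
struct edid_buf {
    const uint8_t *data;
    size_t num_blocks;
};

/* Sum of the last *claimed* extension block, bounds-checked against the
 * allocation rather than against the header byte. Returns false when there is
 * no extension, or when the claimed block was never read into the buffer; in
 * the latter case *oob_offset receives the offset an unchecked read would touch. */
bool edid_last_ext_sum(const struct edid_buf *b, uint8_t *sum, size_t *oob_offset)
{
    unsigned n = edid_claimed_extensions(b->data);
    if (n == 0)
        return false;
    if (n >= b->num_blocks) {
        if (oob_offset)
            *oob_offset = (size_t)n * EDID_LENGTH;
        return false;
    }
    *sum = edid_block_sum(b->data + (size_t)n * EDID_LENGTH);
    return true;
}

/* The situation in the log: only the base block is in the buffer. Returns the
 * offset an unchecked checksum walk would start at (128 here, matching KASAN's
 * "0 bytes to the right of 128-byte region"), or -1 if the check passed. */
long demo_single_block_oob_offset(void)
{
    struct edid_buf one = { kasan_log_edid, 1 };
    uint8_t sum;
    size_t off = 0;
    return edid_last_ext_sum(&one, &sum, &off) ? -1 : (long)off;
}

/* Same base block, but with the claimed extension actually present: in bounds. */
int demo_two_block_ext_sum(void)
{
    uint8_t buf[2 * EDID_LENGTH];
    struct edid_buf two = { buf, 2 };
    uint8_t sum;
    memcpy(buf, kasan_log_edid, EDID_LENGTH);
    memcpy(buf + EDID_LENGTH, constructed_cta_ext, EDID_LENGTH);
    return edid_last_ext_sum(&two, &sum, NULL) ? sum : -1;
}

int main(void)
{
    printf("header ok: %d, sum: 0x%02x, expected checksum: 0x%02x, valid: %d, ext claimed: %u\n",
           edid_header_ok(kasan_log_edid), edid_block_sum(kasan_log_edid),
           edid_expected_checksum(kasan_log_edid), edid_block_valid(kasan_log_edid),
           edid_claimed_extensions(kasan_log_edid));
    printf("1-block buffer: unchecked read would start at offset %ld\n", demo_single_block_oob_offset());
    printf("2-block buffer: extension sum %d\n", demo_two_block_ext_sum());
    return 0;
}
```

The point of the bounds check is that the two numbers come from different places: the block count in the buffer is decided by the reader (how many 128-byte blocks it fetched and allocated), while byte 0x7e is whatever the sink put on the wire. Any checksum or validity pass over "the last extension block" has to use the former as its limit; a base block that is itself corrupt, as this one is, is exactly the case where the two can disagree.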