KASAN: use-after-free in i915_fence_release+0xa8/0x140 [i915]
With GUC enabled, I'm getting the following report after playing a video using accelerated decoding (Firefox, Gnome 43, Wayland).
$ cat /proc/cmdline
rw mitigations=off fbcon=font:TER16x32 msr.allow_writes=on splash i915.fastboot=1 quiet rd.systemd.show_status=auto rd.udev.log-priority=3 kfence.sample_interval=100 pstore_blk.blkdev=/dev/nvme0n1p7 pstore_blk.kmsg_size=64 i915.enable_guc=3
This is happening with 6.1.7 + latest stable queue patches (8cc4ecfc43df81a2314864a3697c651aa8dc2eda).
==================================================================
BUG: KASAN: use-after-free in i915_fence_release+0xa8/0x140 [i915]
Read of size 4 at addr ffff8881244904a0 by task kworker/u16:7/579
CPU: 5 PID: 579 Comm: kworker/u16:7 Tainted: G S U T 6.1.8-kasan-0.2 #5 4d5690555f5354e97e60f53985a6260919194c32
Hardware name: Dell Inc. XPS 13 9300/0PP9G2, BIOS 1.15.0 09/13/2022
Workqueue: i915 __i915_gem_free_work [i915]
Call Trace:
<TASK>
dump_stack_lvl+0x48/0x5c
print_report+0x181/0x4a4
? __virt_addr_valid+0xd9/0x160
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
kasan_report+0xce/0x150
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
? dma_resv_list_free.part.0+0x8c/0xc0
? i915_gem_flush_free_objects+0xb4/0xd0 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
? process_one_work+0x3cd/0x6a0
? worker_thread+0x94/0x620
? process_one_work+0x6a0/0x6a0
? kthread+0x15b/0x190
? kthread_complete_and_exit+0x30/0x30
? ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 6211:
kasan_save_stack+0x38/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0xa5/0xb0
guc_create_virtual+0x3f/0x630 [i915]
i915_gem_create_context+0x52d/0xd90 [i915]
i915_gem_context_lookup+0x225/0x2e0 [i915]
i915_gem_do_execbuffer+0x912/0x3700 [i915]
i915_gem_execbuffer2_ioctl+0x156/0x3a0 [i915]
drm_ioctl_kernel+0x161/0x240
drm_ioctl+0x293/0x5d0
__x64_sys_ioctl+0xc2/0xf0
do_syscall_64+0x59/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 11:
kasan_save_stack+0x38/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x40
____kasan_slab_free+0x165/0x1c0
slab_free_freelist_hook+0xcd/0x180
__kmem_cache_free+0x18c/0x2c0
intel_guc_deregister_done_process_msg+0x1ce/0x210 [i915]
ct_incoming_request_worker_func+0x2cb/0x360 [i915]
process_one_work+0x3cd/0x6a0
worker_thread+0x94/0x620
kthread+0x15b/0x190
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888124490000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1184 bytes inside of
8192-byte region [ffff888124490000, ffff888124492000)
The buggy address belongs to the physical page:
page:00000000124044c7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124490
head:00000000124044c7 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x2ffff0000010200(slab|head|node=0|zone=2|lastcpupid=0xffff)
raw: 02ffff0000010200 0000000000000000 dead000000000122 ffff888100043180
raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888124490380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888124490400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888124490480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888124490500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888124490580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Resolving a few symbols:
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
i915_fence_release at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/i915_request.c:169
kasan_report+0xce/0x150
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
i915_fence_release at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/i915_request.c:169
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
i915_fence_release at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/i915_request.c:169
? dma_resv_list_free.part.0+0x8c/0xc0
kref_put at include/linux/kref.h:66
(inlined by) dma_fence_put at include/linux/dma-fence.h:276
(inlined by) dma_fence_put at include/linux/dma-fence.h:273
(inlined by) dma_resv_list_free at drivers/dma-buf/dma-resv.c:124
? i915_gem_flush_free_objects+0xb4/0xd0 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
Allocated by task 6211:
kasan_save_stack+0x38/0x60
kasan_set_track+0x25/0x30
__kasan_kmalloc+0xa5/0xb0
guc_create_virtual+0x3f/0x630 [i915]
guc_create_virtual at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c:5075
i915_gem_create_context+0x52d/0xd90 [i915]
user_engines at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_context.c:1202
(inlined by) i915_gem_create_context at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_context.c:1629
i915_gem_context_lookup+0x225/0x2e0 [i915]
finalize_create_context_locked at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_context.c:2202
(inlined by) i915_gem_context_lookup at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_context.c:2242
(inlined by) i915_gem_context_lookup at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_context.c:2225
i915_gem_do_execbuffer+0x912/0x3700 [i915]
eb_select_context at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:817
(inlined by) i915_gem_do_execbuffer at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3426
i915_gem_execbuffer2_ioctl+0x156/0x3a0 [i915]
i915_gem_execbuffer2_ioctl at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3588
Freed by task 11:
kasan_save_stack+0x38/0x60
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x40
____kasan_slab_free+0x165/0x1c0
slab_free_freelist_hook+0xcd/0x180
__kmem_cache_free+0x18c/0x2c0
intel_guc_deregister_done_process_msg+0x1ce/0x210 [i915]
intel_guc_deregister_done_process_msg at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c:4321
ct_incoming_request_worker_func+0x2cb/0x360 [i915]
ct_process_request at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c:1010
(inlined by) ct_process_incoming_requests at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c:1071
(inlined by) ct_incoming_request_worker_func at /home/arch/linux/src/archlinux-linux/drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c:1088
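The report above can be mined mechanically. The following Python is an added example, not part of this bug report: it parses the KASAN output into the faulting access, the slab object geometry (recomputing the 1184-byte offset from the two addresses and checking it against the figure KASAN printed), and the first non-instrumentation frame of the access, allocation and free stacks, then prints the scripts/faddr2line invocations that resolve the module frames to source lines. The module object path drivers/gpu/drm/i915/i915.ko is an assumption; the reporter does not say which tool produced the resolved lines above.

```python
"""Parse a KASAN slab use-after-free report into a structured summary (added
example, not part of the bug report). Drops KASAN/slab instrumentation frames
and emits faddr2line invocations; the i915.ko path used is an assumption."""
import re
from collections import namedtuple

# Input: lines copied from the report above, trimmed to what the parser reads.
REPORT = """\
BUG: KASAN: use-after-free in i915_fence_release+0xa8/0x140 [i915]
Read of size 4 at addr ffff8881244904a0 by task kworker/u16:7/579
Call Trace:
dump_stack_lvl+0x48/0x5c
print_report+0x181/0x4a4
? __virt_addr_valid+0xd9/0x160
? i915_fence_release+0xa8/0x140 [i915 573cb86fec0d4c93d1127db13ddba3e41045b664]
kasan_report+0xce/0x150
Allocated by task 6211:
kasan_save_stack+0x38/0x60
__kasan_kmalloc+0xa5/0xb0
guc_create_virtual+0x3f/0x630 [i915]
Freed by task 11:
kasan_save_stack+0x38/0x60
____kasan_slab_free+0x165/0x1c0
__kmem_cache_free+0x18c/0x2c0
intel_guc_deregister_done_process_msg+0x1ce/0x210 [i915]
The buggy address belongs to the object at ffff888124490000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 1184 bytes inside of
"""

Frame = namedtuple("Frame", "sym off size module")
# Frame syntax as the kernel prints it: [?] symbol+0xoff/0xsize [module buildid]
FRAME_RE = re.compile(r"^\??\s*(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
                      r"(?:\s+\[(?P<mod>\w+)[^\]]*\])?$")
# Instrumentation and allocator frames that sit above the caller we care about.
NOISE = ("kasan_", "__kasan_", "____kasan_", "slab_free_freelist_hook",
         "__kmem_cache_free", "kfree", "dump_stack", "print_report", "__virt_addr_valid")


def parse_report(text):
    """Return a dict with the access, the object geometry and the three stacks."""
    r = {"stacks": {"trace": [], "alloc": [], "free": []}, "reported_offset": None}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"BUG: KASAN: (\S+) in", line):
            r["bug"] = m.group(1)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.update(access=m.group(1), access_size=int(m.group(2)),
                     addr=int(m.group(3), 16), task=m.group(4))
        elif line == "Call Trace:":
            cur = "trace"
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_task"], cur = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_task"], cur = int(m.group(1)), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object_base"], cur = int(m.group(1), 16), None  # stacks are over
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside", line):
            r["reported_offset"] = int(m.group(1))
        elif cur and (m := FRAME_RE.match(line)):
            r["stacks"][cur].append(Frame(m["sym"], int(m["off"], 16), int(m["size"], 16), m["mod"]))
    # Offset of the access inside the slab object, cross-checked against KASAN's own figure.
    r["offset"] = r["addr"] - r["object_base"]
    r["consistent"] = 0 <= r["offset"] < r["object_size"] and r["offset"] == r["reported_offset"]
    return r


def first_real_frame(frames):
    """First frame that is not KASAN/slab instrumentation (None if all are noise)."""
    return next((f for f in frames if not f.sym.startswith(NOISE)), None)


def summarize(text):
    """Who touched the freed memory, who allocated it, who freed it."""
    r = parse_report(text)
    s = r["stacks"]
    return {
        "bug": r["bug"],
        "access": f'{r["access"]} of {r["access_size"]} bytes at +{r["offset"]} in {r["cache"]}',
        "reader": first_real_frame(s["trace"]).sym,
        "allocator": first_real_frame(s["alloc"]).sym,
        "freer": first_real_frame(s["free"]).sym,
        "consistent": r["consistent"],
    }


def faddr2line_commands(r, ko_by_module):
    """scripts/faddr2line invocations for every module frame, deduplicated, first-seen order."""
    cmds = {}
    for frames in r["stacks"].values():
        for f in frames:
            if f.module in ko_by_module:
                arg = f"{f.sym}+0x{f.off:x}/0x{f.size:x}"
                cmds[f"./scripts/faddr2line {ko_by_module[f.module]} {arg}"] = None
    return list(cmds)


if __name__ == "__main__":
    for k, v in summarize(REPORT).items():
        print(f"{k:>10}: {v}")
    # The module object path is an assumed in-tree build location, not taken from the report.
    print("\n".join(faddr2line_commands(parse_report(REPORT), {"i915": "drivers/gpu/drm/i915/i915.ko"})))
```

Run it from the kernel tree that produced the report; the faddr2line lines it prints are the commands that turn frames such as i915_fence_release+0xa8/0x140 into the file:line pairs shown under "Resolving a few symbols". The consistent flag is worth keeping: a report whose addresses were mangled in transit (mail wrapping, copy and paste) fails it, and the offset it recomputes is the one you line up against the struct layout when deciding which field the freed-object read hit.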