2022-05-14 03:29:48

by kernel test robot

Subject: [dma] a9290ca07a: BUG:KASAN:slab-out-of-bounds_in__dma_fence_unwrap_merge



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: a9290ca07a36882b114c3cd9bbd8f66ed47508bd ("[PATCH 4/5] dma-buf: generalize dma_fence unwrap & merging v2")
url: https://github.com/intel-lab-lkp/linux/commits/Christian-K-nig/dma-buf-cleanup-dma_fence_unwrap-selftest-v2/20220506-221317
base: git://anongit.freedesktop.org/drm/drm drm-next
patch link: https://lore.kernel.org/dri-devel/[email protected]

in testcase: igt
version: igt-x86_64-eddc67c5-1_20220430
with following parameters:

group: group-04
ucode: 0xc2



on test machine: 20 threads 1 socket Comet Lake with 16G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


kern :err : [ 35.911985] BUG: KASAN: slab-out-of-bounds in __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 35.920255] Write of size 8 at addr ffff888105400508 by task api_intel_bb/1309

kern :err : [ 35.930379] CPU: 4 PID: 1309 Comm: api_intel_bb Not tainted 5.18.0-rc5-01118-ga9290ca07a36 #1
kern :err : [ 35.939601] Hardware name: Intel Corporation CometLake Client Platform/CometLake S UDIMM (ERB/CRB), BIOS CMLSFWR1.R00.2212.D00.2104290922 04/29/2021
kern :err : [ 35.953601] Call Trace:
kern :err : [ 35.956758] <TASK>
kern :err : [ 35.959564] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 35.965157] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
kern :err : [ 35.969534] print_address_description+0x1f/0x200
kern :err : [ 35.975983] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 35.981562] print_report.cold (mm/kasan/report.c:430)
kern :err : [ 35.986277] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
kern :err : [ 35.991606] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
kern :err : [ 35.995892] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 36.001474] __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 36.006878] sync_file_merge+0xf7/0x240
kern :err : [ 36.012465] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
kern :err : [ 36.017088] ? sync_file_create (drivers/dma-buf/sync_file.c:159)
kern :err : [ 36.021798] ? __fget_files (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2293 include/linux/atomic/atomic-arch-fallback.h:2318 include/linux/atomic/atomic-long.h:491 include/linux/atomic/atomic-instrumented.h:1846 fs/file.c:903 fs/file.c:934)
kern :err : [ 36.026342] sync_file_ioctl (drivers/dma-buf/sync_file.c:235 drivers/dma-buf/sync_file.c:360)
kern :err : [ 36.030966] ? sync_file_ioctl_fence_info (drivers/dma-buf/sync_file.c:355)
kern :err : [ 36.036717] ? task_work_run (kernel/task_work.c:167 (discriminator 1))
kern :err : [ 36.041254] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
kern :err : [ 36.045884] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
kern :err : [ 36.050166] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
kern :err : [ 36.055922] RIP: 0033:0x7fd878745e57
kern :err : [ 36.060203] Code: 00 00 90 48 8b 05 39 a0 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 a0 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 00 add %al,(%rax)
2: 90 nop
3: 48 8b 05 39 a0 0c 00 mov 0xca039(%rip),%rax # 0xca043
a: 64 c7 00 26 00 00 00 movl $0x26,%fs:(%rax)
11: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
18: c3 retq
19: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
20: 00 00 00
23: b8 10 00 00 00 mov $0x10,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d 09 a0 0c 00 mov 0xca009(%rip),%rcx # 0xca043
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W

Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d 09 a0 0c 00 mov 0xca009(%rip),%rcx # 0xca019
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
kern :err : [ 36.079659] RSP: 002b:00007ffe4d4d2e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
kern :err : [ 36.087937] RAX: ffffffffffffffda RBX: 00005558619a1940 RCX: 00007fd878745e57
kern :err : [ 36.095770] RDX: 00007ffe4d4d2e90 RSI: 00000000c0303e03 RDI: 0000000000000008
kern :err : [ 36.103613] RBP: 0000000000000006 R08: 000000000000000f R09: 00005558619a4c30
kern :err : [ 36.111444] R10: 0000000000000006 R11: 0000000000000246 R12: 00005558619a1a00
kern :err : [ 36.119279] R13: 00005558619a46e0 R14: 00007ffe4d4d2ef0 R15: 0000000000000000
kern :err : [ 36.127113] </TASK>

kern :err : [ 36.132209] Allocated by task 1309:
kern :warn : [ 36.136405] kasan_save_stack (mm/kasan/common.c:39)
kern :warn : [ 36.140943] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524)
kern :warn : [ 36.145395] __dma_fence_unwrap_merge (include/linux/slab.h:621 drivers/dma-buf/dma-fence-unwrap.c:81)
kern :warn : [ 36.150800] sync_file_merge+0xf7/0x240
kern :warn : [ 36.156386] sync_file_ioctl (drivers/dma-buf/sync_file.c:235 drivers/dma-buf/sync_file.c:360)
kern :warn : [ 36.161010] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
kern :warn : [ 36.165643] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
kern :warn : [ 36.169921] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)

kern :err : [ 36.177867] The buggy address belongs to the object at ffff888105400500
which belongs to the cache kmalloc-8 of size 8
kern :err : [ 36.191437] The buggy address is located 0 bytes to the right of
8-byte region [ffff888105400500, ffff888105400508)

kern :err : [ 36.206942] The buggy address belongs to the physical page:
kern :warn : [ 36.213220] page:00000000c4ee5dee refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881054008c0 pfn:0x105400
kern :warn : [ 36.224636] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 36.232305] raw: 0017ffffc0000200 ffffea0004155e80 dead000000000002 ffff888100042280
kern :warn : [ 36.240745] raw: ffff8881054008c0 0000000080660035 00000001ffffffff 0000000000000000
kern :warn : [ 36.249190] page dumped because: kasan: bad access detected

kern :err : [ 36.257659] Memory state around the buggy address:
kern :err : [ 36.263155] ffff888105400400: fc fc fa fc fc fc fc fb fc fc fc fc fb fc fc fc
kern :err : [ 36.271079] ffff888105400480: fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc
kern :err : [ 36.279001] >ffff888105400500: 00 fc fc fc fc fb fc fc fc fc fa fc fc fc fc fb
kern :err : [ 36.286921]                       ^
kern :err : [ 36.291117] ffff888105400580: fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb fc
kern :err : [ 36.299043] ffff888105400600: fc fc fc fa fc fc fc fc fb fc fc fc fc fb fc fc
kern :err : [ 36.306970] ==================================================================
kern :warn : [ 36.314953] Disabling lock debugging due to kernel taint
user :info : [ 36.321624] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.381966] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.448188] Console: switching to colour dummy device 80x25
user :info : [ 36.454538] [IGT] api_intel_bb: executing
user :info : [ 36.459757] [IGT] api_intel_bb: starting subtest blit-noreloc-keep-cache-random
user :info : [ 36.471434] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.531917] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.598425] Console: switching to colour dummy device 80x25
user :info : [ 36.604786] [IGT] api_intel_bb: executing
user :info : [ 36.609923] [IGT] api_intel_bb: starting subtest blit-noreloc-purge-cache
user :info : [ 36.621155] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.681867] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.748514] Console: switching to colour dummy device 80x25
user :info : [ 36.755092] [IGT] api_intel_bb: executing
user :info : [ 36.760433] [IGT] api_intel_bb: starting subtest blit-noreloc-purge-cache-random
user :info : [ 36.772151] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.831817] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.897995] Console: switching to colour dummy device 80x25
user :info : [ 36.904350] [IGT] api_intel_bb: executing
user :info : [ 36.909457] [IGT] api_intel_bb: starting subtest blit-reloc-keep-cache
user :info : [ 36.921693] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.981895] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.047892] Console: switching to colour dummy device 80x25
user :info : [ 37.054232] [IGT] api_intel_bb: executing
user :info : [ 37.059343] [IGT] api_intel_bb: starting subtest blit-reloc-purge-cache
user :info : [ 37.071548] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 37.131724] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.197818] Console: switching to colour dummy device 80x25
user :info : [ 37.204190] [IGT] api_intel_bb: executing
user :info : [ 37.209296] [IGT] api_intel_bb: starting subtest delta-check
user :info : [ 37.216856] [IGT] api_intel_bb: exiting, ret=0
user :notice: [ 37.245164] result_service: raw_upload, RESULT_MNT: /internal-lkp-server/result, RESULT_ROOT: /internal-lkp-server/result/igt/group-04-ucode=0xc2/lkp-cml-d02/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3-func/gcc-11/a9290ca07a36882b114c3cd9bbd8f66ed47508bd/1, TMP_RESULT_ROOT: /tmp/lkp/result

user :notice: [ 37.276355] run-job /lkp/jobs/scheduled/lkp-cml-d02/igt-group-04-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a9290ca07a36882b114c3cd9bbd8f66ed47508bd-20220511-19224-132epq3-1.yaml

kern :info : [ 37.281678] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.366074] Console: switching to colour dummy device 80x25
user :info : [ 37.372429] [IGT] api_intel_bb: executing
user :info : [ 37.377548] [IGT] api_intel_bb: starting subtest destroy-bb
user :info : [ 37.388923] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 37.431625] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.497522] Console: switching to colour dummy device 80x25
user :info : [ 37.503871] [IGT] api_intel_bb: executing
user :info : [ 37.508999] [IGT] api_intel_bb: starting subtest full-batch
user :info : [ 37.516733] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 37.564907] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.630954] Console: switching to colour dummy device 80x25
user :info : [ 37.637306] [IGT] api_intel_bb: executing
user :info : [ 37.642423] [IGT] api_intel_bb: starting subtest intel-bb-blit-none
user :notice: [ 38.035871] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/lkp/jobs/scheduled/lkp-cml-d02/igt-group-04-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a9290ca07a36882b114c3cd9bbd8f66ed47508bd-20220511-19224-132epq3-1.yaml&job_state=running -O /dev/null

user :notice: [ 38.069080] target ucode: 0xc2

user :notice: [ 38.075557] current_version: c2, target_version: c2



To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp directories to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp



Attachments:
config-5.18.0-rc5-01118-ga9290ca07a36 (168.69 kB)
job-script (5.45 kB)
kmsg.xz (48.10 kB)
igt (155.97 kB)
job.yaml (4.33 kB)
reproduce (17.34 kB)
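What the report above pins down, and an added illustration of it that is not the code from the patch under test: the object was allocated by a kmalloc at drivers/dma-buf/dma-fence-unwrap.c:81 into the kmalloc-8 cache (one pointer-sized entry), and the faulting store at line 130 is an 8-byte write beginning 0 bytes past the end of that object, i.e. entry 1 of a 1-entry pointer array. The classic way to produce exactly that signature is a "count in one pass, allocate, then fill in a second pass" routine whose fill pass admits one more element than the count pass did. The C below reproduces that shape in user space with a hypothetical `struct fence`, hypothetical selection rules for the two passes, and a constructed two-fence input (none of these are the kernel's types or the actual rule mismatch in the patch, which this report does not show). It uses a poisoned extra slot as a stand-in for KASAN's redzone to detect the overrun without undefined behaviour, shows the bounded fill a reviewer would ask for, and includes the two bits of arithmetic used to read the report's addresses.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a fence (not the kernel's struct dma_fence):
 * the two fields a merge orders on plus a "signaled" flag. */
struct fence {
	uint64_t context;
	uint64_t seqno;
	int signaled;
};

/* Pass 1: how many entries the merged array needs.  Assumed rule: only
 * fences that are still pending are counted. */
static size_t count_pending(const struct fence *in, size_t n)
{
	size_t count = 0;

	for (size_t i = 0; i < n; i++)
		if (!in[i].signaled)
			count++;
	return count;
}

/* Pass 2 (buggy): assumed rule differs from pass 1; it emits one entry per
 * distinct context, signaled or not, and never looks at the capacity. */
static size_t fill_unchecked(const struct fence *in, size_t n,
			     const struct fence **out)
{
	size_t written = 0;

	for (size_t i = 0; i < n; i++) {
		int seen = 0;

		for (size_t j = 0; j < written; j++)
			if (out[j]->context == in[i].context)
				seen = 1;
		if (!seen)
			out[written++] = &in[i];
	}
	return written;
}

/* Pass 2 (hardened): same selection, but every store is bounded by the
 * capacity computed in pass 1.  Returns -1 instead of overrunning. */
static long fill_checked(const struct fence *in, size_t n,
			 const struct fence **out, size_t cap)
{
	size_t written = 0;

	for (size_t i = 0; i < n; i++) {
		int seen = 0;

		for (size_t j = 0; j < written; j++)
			if (out[j]->context == in[i].context)
				seen = 1;
		if (seen)
			continue;
		if (written == cap)
			return -1;	/* this store would be the OOB write */
		out[written++] = &in[i];
	}
	return (long)written;
}

/* Constructed input: two fences on distinct contexts, one already signaled.
 * Pass 1 counts 1 (one 8-byte slot); pass 2 tries to emit 2. */
static const struct fence sample[] = {
	{ .context = 1, .seqno = 5, .signaled = 1 },
	{ .context = 2, .seqno = 9, .signaled = 0 },
};
#define SAMPLE_LEN (sizeof(sample) / sizeof(sample[0]))

/* Poison object standing in for KASAN's redzone byte (0xfc) past the slab
 * object.  Any pointer other than &redzone_obj in the guard slot means the
 * fill wrote sizeof(void *) bytes starting 0 bytes past the counted array. */
static const struct fence redzone_obj = { 0 };

/* Returns 1 if the unchecked fill clobbered the guard slot, 0 if not. */
int unchecked_fill_overflows(void)
{
	size_t cap = count_pending(sample, SAMPLE_LEN);
	const struct fence **arr = malloc((cap + 1) * sizeof(*arr));
	int clobbered;

	if (!arr)
		return -1;
	arr[cap] = &redzone_obj;
	fill_unchecked(sample, SAMPLE_LEN, arr);
	clobbered = arr[cap] != &redzone_obj;
	free(arr);
	return clobbered;
}

/* Same input through the bounded fill: -1, and nothing stored past cap. */
long checked_fill_result(void)
{
	size_t cap = count_pending(sample, SAMPLE_LEN);
	const struct fence **arr = malloc(cap * sizeof(*arr));
	long ret;

	if (!arr)
		return -2;
	ret = fill_checked(sample, SAMPLE_LEN, arr, cap);
	free(arr);
	return ret;
}

/* Triage arithmetic for a KASAN report: how far past the end of the object
 * the access starts, and which pointer-array element that offset is. */
long bytes_past_end(uint64_t addr, uint64_t obj, uint64_t size)
{
	return (long)(addr - (obj + size));
}

uint64_t element_index(uint64_t addr, uint64_t obj)
{
	return (addr - obj) / sizeof(void *);
}
```

Feeding the report's own numbers to the two helpers (access at ffff888105400508, object at ffff888105400500, size 8) gives 0 bytes past the end and element index 1, which is the "0 bytes to the right of 8-byte region" line in the log. The fix pattern is the one in fill_checked: either make the two passes apply the identical rule, or bound every store in the second pass by the first pass's count and fail loudly when they disagree.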