Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: a9290ca07a36882b114c3cd9bbd8f66ed47508bd ("[PATCH 4/5] dma-buf: generalize dma_fence unwrap & merging v2")
url: https://github.com/intel-lab-lkp/linux/commits/Christian-K-nig/dma-buf-clean...
base: git://anongit.freedesktop.org/drm/drm drm-next
patch link: https://lore.kernel.org/dri-devel/20220506141009.18047-4-christian.koenig@am...
in testcase: igt
version: igt-x86_64-eddc67c5-1_20220430
with following parameters:

	group: group-04
	ucode: 0xc2
on test machine: 20 threads 1 sockets Comet Lake with 16G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot oliver.sang@intel.com
kern :err : [ 35.911985] BUG: KASAN: slab-out-of-bounds in __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 35.920255] Write of size 8 at addr ffff888105400508 by task api_intel_bb/1309

kern :err : [ 35.930379] CPU: 4 PID: 1309 Comm: api_intel_bb Not tainted 5.18.0-rc5-01118-ga9290ca07a36 #1
kern :err : [ 35.939601] Hardware name: Intel Corporation CometLake Client Platform/CometLake S UDIMM (ERB/CRB), BIOS CMLSFWR1.R00.2212.D00.2104290922 04/29/2021
kern :err : [ 35.953601] Call Trace:
kern :err : [ 35.956758] <TASK>
kern :err : [ 35.959564] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 35.965157] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
kern :err : [ 35.969534] print_address_description+0x1f/0x200
kern :err : [ 35.975983] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 35.981562] print_report.cold (mm/kasan/report.c:430)
kern :err : [ 35.986277] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
kern :err : [ 35.991606] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
kern :err : [ 35.995892] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 36.001474] __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130)
kern :err : [ 36.006878] sync_file_merge+0xf7/0x240
kern :err : [ 36.012465] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
kern :err : [ 36.017088] ? sync_file_create (drivers/dma-buf/sync_file.c:159)
kern :err : [ 36.021798] ? __fget_files (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2293 include/linux/atomic/atomic-arch-fallback.h:2318 include/linux/atomic/atomic-long.h:491 include/linux/atomic/atomic-instrumented.h:1846 fs/file.c:903 fs/file.c:934)
kern :err : [ 36.026342] sync_file_ioctl (drivers/dma-buf/sync_file.c:235 drivers/dma-buf/sync_file.c:360)
kern :err : [ 36.030966] ? sync_file_ioctl_fence_info (drivers/dma-buf/sync_file.c:355)
kern :err : [ 36.036717] ? task_work_run (kernel/task_work.c:167 (discriminator 1))
kern :err : [ 36.041254] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
kern :err : [ 36.045884] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
kern :err : [ 36.050166] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
kern :err : [ 36.055922] RIP: 0033:0x7fd878745e57
kern :err : [ 36.060203] Code: 00 00 90 48 8b 05 39 a0 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 a0 0c 00 f7 d8 64 89 01 48
All code
========
   0: 00 00                 add %al,(%rax)
   2: 90                    nop
   3: 48 8b 05 39 a0 0c 00  mov 0xca039(%rip),%rax # 0xca043
   a: 64 c7 00 26 00 00 00  movl $0x26,%fs:(%rax)
  11: 48 c7 c0 ff ff ff ff  mov $0xffffffffffffffff,%rax
  18: c3                    retq
  19: 66 2e 0f 1f 84 00 00  nopw %cs:0x0(%rax,%rax,1)
  20: 00 00 00
  23: b8 10 00 00 00        mov $0x10,%eax
  28: 0f 05                 syscall
  2a:* 48 3d 01 f0 ff ff    cmp $0xfffffffffffff001,%rax <-- trapping instruction
  30: 73 01                 jae 0x33
  32: c3                    retq
  33: 48 8b 0d 09 a0 0c 00  mov 0xca009(%rip),%rcx # 0xca043
  3a: f7 d8                 neg %eax
  3c: 64 89 01              mov %eax,%fs:(%rcx)
  3f: 48                    rex.W

Code starting with the faulting instruction
===========================================
   0: 48 3d 01 f0 ff ff     cmp $0xfffffffffffff001,%rax
   6: 73 01                 jae 0x9
   8: c3                    retq
   9: 48 8b 0d 09 a0 0c 00  mov 0xca009(%rip),%rcx # 0xca019
  10: f7 d8                 neg %eax
  12: 64 89 01              mov %eax,%fs:(%rcx)
  15: 48                    rex.W
kern :err : [ 36.079659] RSP: 002b:00007ffe4d4d2e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
kern :err : [ 36.087937] RAX: ffffffffffffffda RBX: 00005558619a1940 RCX: 00007fd878745e57
kern :err : [ 36.095770] RDX: 00007ffe4d4d2e90 RSI: 00000000c0303e03 RDI: 0000000000000008
kern :err : [ 36.103613] RBP: 0000000000000006 R08: 000000000000000f R09: 00005558619a4c30
kern :err : [ 36.111444] R10: 0000000000000006 R11: 0000000000000246 R12: 00005558619a1a00
kern :err : [ 36.119279] R13: 00005558619a46e0 R14: 00007ffe4d4d2ef0 R15: 0000000000000000
kern :err : [ 36.127113] </TASK>

kern :err : [ 36.132209] Allocated by task 1309:
kern :warn : [ 36.136405] kasan_save_stack (mm/kasan/common.c:39)
kern :warn : [ 36.140943] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524)
kern :warn : [ 36.145395] __dma_fence_unwrap_merge (include/linux/slab.h:621 drivers/dma-buf/dma-fence-unwrap.c:81)
kern :warn : [ 36.150800] sync_file_merge+0xf7/0x240
kern :warn : [ 36.156386] sync_file_ioctl (drivers/dma-buf/sync_file.c:235 drivers/dma-buf/sync_file.c:360)
kern :warn : [ 36.161010] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856)
kern :warn : [ 36.165643] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
kern :warn : [ 36.169921] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)

kern :err : [ 36.177867] The buggy address belongs to the object at ffff888105400500 which belongs to the cache kmalloc-8 of size 8
kern :err : [ 36.191437] The buggy address is located 0 bytes to the right of 8-byte region [ffff888105400500, ffff888105400508)

kern :err : [ 36.206942] The buggy address belongs to the physical page:
kern :warn : [ 36.213220] page:00000000c4ee5dee refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881054008c0 pfn:0x105400
kern :warn : [ 36.224636] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 36.232305] raw: 0017ffffc0000200 ffffea0004155e80 dead000000000002 ffff888100042280
kern :warn : [ 36.240745] raw: ffff8881054008c0 0000000080660035 00000001ffffffff 0000000000000000
kern :warn : [ 36.249190] page dumped because: kasan: bad access detected

kern :err : [ 36.257659] Memory state around the buggy address:
kern :err : [ 36.263155] ffff888105400400: fc fc fa fc fc fc fc fb fc fc fc fc fb fc fc fc
kern :err : [ 36.271079] ffff888105400480: fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc
kern :err : [ 36.279001] >ffff888105400500: 00 fc fc fc fc fb fc fc fc fc fa fc fc fc fc fb
kern :err : [ 36.286921] ^
kern :err : [ 36.291117] ffff888105400580: fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb fc
kern :err : [ 36.299043] ffff888105400600: fc fc fc fa fc fc fc fc fb fc fc fc fc fb fc fc
kern :err : [ 36.306970] ==================================================================
kern :warn : [ 36.314953] Disabling lock debugging due to kernel taint
user :info : [ 36.321624] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.381966] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.448188] Console: switching to colour dummy device 80x25
user :info : [ 36.454538] [IGT] api_intel_bb: executing
user :info : [ 36.459757] [IGT] api_intel_bb: starting subtest blit-noreloc-keep-cache-random
user :info : [ 36.471434] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.531917] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.598425] Console: switching to colour dummy device 80x25
user :info : [ 36.604786] [IGT] api_intel_bb: executing
user :info : [ 36.609923] [IGT] api_intel_bb: starting subtest blit-noreloc-purge-cache
user :info : [ 36.621155] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.681867] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.748514] Console: switching to colour dummy device 80x25
user :info : [ 36.755092] [IGT] api_intel_bb: executing
user :info : [ 36.760433] [IGT] api_intel_bb: starting subtest blit-noreloc-purge-cache-random
user :info : [ 36.772151] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.831817] Console: switching to colour frame buffer device 160x64
kern :info : [ 36.897995] Console: switching to colour dummy device 80x25
user :info : [ 36.904350] [IGT] api_intel_bb: executing
user :info : [ 36.909457] [IGT] api_intel_bb: starting subtest blit-reloc-keep-cache
user :info : [ 36.921693] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 36.981895] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.047892] Console: switching to colour dummy device 80x25
user :info : [ 37.054232] [IGT] api_intel_bb: executing
user :info : [ 37.059343] [IGT] api_intel_bb: starting subtest blit-reloc-purge-cache
user :info : [ 37.071548] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 37.131724] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.197818] Console: switching to colour dummy device 80x25
user :info : [ 37.204190] [IGT] api_intel_bb: executing
user :info : [ 37.209296] [IGT] api_intel_bb: starting subtest delta-check
user :info : [ 37.216856] [IGT] api_intel_bb: exiting, ret=0
user :notice: [ 37.245164] result_service: raw_upload, RESULT_MNT: /internal-lkp-server/result, RESULT_ROOT: /internal-lkp-server/result/igt/group-04-ucode=0xc2/lkp-cml-d02/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3-func/gcc-11/a9290ca07a36882b114c3cd9bbd8f66ed47508bd/1, TMP_RESULT_ROOT: /tmp/lkp/result
user :notice: [ 37.276355] run-job /lkp/jobs/scheduled/lkp-cml-d02/igt-group-04-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a9290ca07a36882b114c3cd9bbd8f66ed47508bd-20220511-19224-132epq3-1.yaml
kern :info : [ 37.281678] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.366074] Console: switching to colour dummy device 80x25
user :info : [ 37.372429] [IGT] api_intel_bb: executing
user :info : [ 37.377548] [IGT] api_intel_bb: starting subtest destroy-bb
user :info : [ 37.388923] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 37.431625] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.497522] Console: switching to colour dummy device 80x25
user :info : [ 37.503871] [IGT] api_intel_bb: executing
user :info : [ 37.508999] [IGT] api_intel_bb: starting subtest full-batch
user :info : [ 37.516733] [IGT] api_intel_bb: exiting, ret=0
kern :info : [ 37.564907] Console: switching to colour frame buffer device 160x64
kern :info : [ 37.630954] Console: switching to colour dummy device 80x25
user :info : [ 37.637306] [IGT] api_intel_bb: executing
user :info : [ 37.642423] [IGT] api_intel_bb: starting subtest intel-bb-blit-none
user :notice: [ 38.035871] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/... -O /dev/null
user :notice: [ 38.069080] target ucode: 0xc2
user :notice: [ 38.075557] current_version: c2, target_version: c2
To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.