poma
2017-Mar-25 10:47 UTC
[Nouveau] NVAC - BUG: unable to handle kernel NULL pointer dereference
With lightweight desktoping,
the atomic modesetting seems far from robust.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000021
IP: dma_fence_wait_timeout+0x36/0xf0
...
Oops: 0000 [#1] SMP
Modules linked in: ... nouveau ...
CPU: 0 PID: 6895 Comm: Xorg Not tainted 4.10.5-1001.fc24.x86_64 #1
...
Call Trace:
drm_atomic_helper_wait_for_fences+0x48/0x120 [drm_kms_helper]
nv50_disp_atomic_commit+0x19c/0x2a0 [nouveau]
drm_atomic_commit+0x4b/0x50 [drm]
drm_atomic_helper_update_plane+0xec/0x150 [drm_kms_helper]
__setplane_internal+0x1b4/0x280 [drm]
drm_mode_cursor_universal+0x126/0x210 [drm]
drm_mode_cursor_common+0x86/0x180 [drm]
drm_mode_cursor_ioctl+0x50/0x70 [drm]
drm_ioctl+0x21b/0x4c0 [drm]
? drm_mode_setplane+0x1a0/0x1a0 [drm]
nouveau_drm_ioctl+0x74/0xc0 [nouveau]
do_vfs_ioctl+0xa3/0x5f0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x1a/0xa9
...
RIP: dma_fence_wait_timeout+0x36/0xf0 RSP: ffffc1f700723a38
...
---[ end trace a6bef2d32ed5fbbc ]---


BUG: unable to handle kernel NULL pointer dereference at 0000000000000021
IP: dma_fence_wait_timeout+0x36/0xf0
...
Oops: 0000 [#1] SMP
Modules linked in: ... nouveau ...
CPU: 3 PID: 30654 Comm: Xorg Tainted: G E 4.11.0-0.rc3.git0.1.fc26.x86_64 #1
...
Call Trace:
drm_atomic_helper_wait_for_fences+0x73/0x110 [drm_kms_helper]
nv50_disp_atomic_commit+0x28a/0x2c0 [nouveau]
? refcount_dec_and_test+0x11/0x20
drm_atomic_commit+0x4b/0x50 [drm]
drm_atomic_helper_update_plane+0xf1/0x150 [drm_kms_helper]
__setplane_internal+0x1fa/0x260 [drm]
drm_mode_cursor_universal+0x12a/0x220 [drm]
drm_mode_cursor_common+0x88/0x180 [drm]
drm_mode_cursor_ioctl+0x4a/0x60 [drm]
drm_ioctl+0x203/0x4d0 [drm]
? drm_mode_setplane+0x1a0/0x1a0 [drm]
nouveau_drm_ioctl+0x72/0xc0 [nouveau]
do_vfs_ioctl+0xa5/0x600
? security_inode_getsecid+0x1b/0x40
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x1a/0xa9
...
RIP: dma_fence_wait_timeout+0x36/0xf0 RSP: ffffbda700723a40
...
---[ end trace 95b0fca6a8295839 ]---


Subsequently, hardware reset is needed.
Ard Biesheuvel
2017-Mar-25 12:37 UTC
[Nouveau] NVAC - BUG: unable to handle kernel NULL pointer dereference
> On 25 Mar 2017, at 10:47, poma <pomidorabelisima at gmail.com> wrote:
>
>
> With lightweight desktoping,
> the atomic modesetting seems far from robust.
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000021
> IP: dma_fence_wait_timeout+0x36/0xf0
> ...

I am seeing similar issues with v4.10 on arm64 using a gt218. Kasan tells me it is a use-after-free error of a dma_fence. Full report was sent to the mailing list

> Oops: 0000 [#1] SMP
> Modules linked in: ... nouveau ...
> CPU: 0 PID: 6895 Comm: Xorg Not tainted 4.10.5-1001.fc24.x86_64 #1
> ...
> Call Trace:
> drm_atomic_helper_wait_for_fences+0x48/0x120 [drm_kms_helper]
> nv50_disp_atomic_commit+0x19c/0x2a0 [nouveau]
> drm_atomic_commit+0x4b/0x50 [drm]
> drm_atomic_helper_update_plane+0xec/0x150 [drm_kms_helper]
> __setplane_internal+0x1b4/0x280 [drm]
> drm_mode_cursor_universal+0x126/0x210 [drm]
> drm_mode_cursor_common+0x86/0x180 [drm]
> drm_mode_cursor_ioctl+0x50/0x70 [drm]
> drm_ioctl+0x21b/0x4c0 [drm]
> ? drm_mode_setplane+0x1a0/0x1a0 [drm]
> nouveau_drm_ioctl+0x74/0xc0 [nouveau]
> do_vfs_ioctl+0xa3/0x5f0
> SyS_ioctl+0x79/0x90
> entry_SYSCALL_64_fastpath+0x1a/0xa9
> ...
> RIP: dma_fence_wait_timeout+0x36/0xf0 RSP: ffffc1f700723a38
> ...
> ---[ end trace a6bef2d32ed5fbbc ]---
>
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000021
> IP: dma_fence_wait_timeout+0x36/0xf0
> ...
> Oops: 0000 [#1] SMP
> Modules linked in: ... nouveau ...
> CPU: 3 PID: 30654 Comm: Xorg Tainted: G E 4.11.0-0.rc3.git0.1.fc26.x86_64 #1
> ...
> Call Trace:
> drm_atomic_helper_wait_for_fences+0x73/0x110 [drm_kms_helper]
> nv50_disp_atomic_commit+0x28a/0x2c0 [nouveau]
> ? refcount_dec_and_test+0x11/0x20
> drm_atomic_commit+0x4b/0x50 [drm]
> drm_atomic_helper_update_plane+0xf1/0x150 [drm_kms_helper]
> __setplane_internal+0x1fa/0x260 [drm]
> drm_mode_cursor_universal+0x12a/0x220 [drm]
> drm_mode_cursor_common+0x88/0x180 [drm]
> drm_mode_cursor_ioctl+0x4a/0x60 [drm]
> drm_ioctl+0x203/0x4d0 [drm]
> ? drm_mode_setplane+0x1a0/0x1a0 [drm]
> nouveau_drm_ioctl+0x72/0xc0 [nouveau]
> do_vfs_ioctl+0xa5/0x600
> ? security_inode_getsecid+0x1b/0x40
> SyS_ioctl+0x79/0x90
> entry_SYSCALL_64_fastpath+0x1a/0xa9
> ...
> RIP: dma_fence_wait_timeout+0x36/0xf0 RSP: ffffbda700723a40
> ...
> ---[ end trace 95b0fca6a8295839 ]---
>
>
> Subsequently, hardware reset is needed.