bugzilla-daemon at freedesktop.org
2017-Apr-15 19:48 UTC
[Nouveau] [Bug 100691] New: [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
https://bugs.freedesktop.org/show_bug.cgi?id=100691

Bug ID: 100691
Summary: [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
Product: xorg
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: Driver/nouveau
Assignee: nouveau at lists.freedesktop.org
Reporter: peter at lekensteyn.nl
QA Contact: xorg-team at lists.x.org

Created attachment 130857
--> https://bugs.freedesktop.org/attachment.cgi?id=130857&action=edit
dmesg for 4.10.9 with KASAN with files + lines added

Since upgrading from kernel 4.9.9 to 4.10.5 (and 4.10.9), I ended up with clear signs of memory corruption that finished with two kernel panics. The second trace seems related to bug 100431. When trying to reproduce it with 4.10.9, I failed to reproduce those issues, but instead I found this one. It seems to happen when I try to open a new window in KDE Plasma on Arch Linux (though I am not sure of the exact trigger).

=================================================================
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.10.9kasan #10
Hardware name: Notebook P65_P67RGRERA/P65_P67RGRERA, BIOS 1.05.16 05/16/2016
Call Trace:
 <IRQ>
 dump_stack+0x68/0x96 (lib/dump_stack.c:27)
 kasan_object_err+0x21/0x70 (mm/kasan/report.c:159)
 kasan_report.part.1+0x213/0x4e0
 ? drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743)
 __asan_report_load4_noabort+0x2e/0x30 (mm/kasan/report.c:331)
 drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743)
 ? drm_irq_install+0x570/0x570 (drivers/gpu/drm/drm_irq.c:459)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? try_to_wake_up+0xc6/0xd00 (kernel/sched/core.c:2010)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? migrate_swap_stop+0x790/0x790 (kernel/sched/core.c:1291)
 ? drm_handle_vblank+0x1c1/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 nouveau_display_vblstamp+0x16d/0x2a0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:159)
 drm_get_last_vbltimestamp+0xcb/0x160 (drivers/gpu/drm/drm_irq.c:878)
 ? get_drm_timestamp+0x40/0x40 (drivers/gpu/drm/drm_irq.c:848)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? nouveau_fence_wait_uevent_handler+0xc9/0x140 [nouveau] (drivers/gpu/drm/nouveau/nouveau_fence.c:148)
 drm_update_vblank_count+0x16a/0x870 (drivers/gpu/drm/drm_irq.c:150)
 ? store_vblank+0x2c0/0x2c0 (drivers/gpu/drm/drm_irq.c:79)
 drm_handle_vblank+0x14a/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? drm_crtc_wait_one_vblank+0x90/0x90 (drivers/gpu/drm/drm_irq.c:1252)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? cpuacct_charge+0x240/0x400 (kernel/sched/cpuacct.c:349)
 drm_crtc_handle_vblank+0x63/0x90 (drivers/gpu/drm/drm_irq.c:1755)
 ? find_next_bit+0x18/0x20 (lib/find_bit.c:63)
 nouveau_display_vblank_handler+0x15/0x20 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:50)
 nvif_notify+0x25f/0x570 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:113)
 ? nvif_notify_get+0x160/0x160 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:83)
 ? nv50_disp_vblank_fini_+0x57/0x80 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:102)
 ? nvkm_disp_vblank_fini+0x5f/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:41)
 ? nvkm_client_driver_init+0x100/0x100 [nouveau] (drivers/gpu/drm/nouveau/nouveau_nvif.c:110)
 nvkm_client_ntfy+0xc9/0x100 [nouveau] (drivers/gpu/drm/nouveau/nouveau_nvif.c:81)
 nvkm_client_notify+0xea/0x140 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/client.c:46)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 nvkm_notify_send+0x224/0x520 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/notify.c:92)
 nvkm_event_send+0x208/0x270 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/event.c:54)
 nvkm_disp_vblank+0x74/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:85)
 ? nvkm_disp_dtor+0x540/0x540 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:247)
 gf119_disp_intr+0x1d6/0x690 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/gf119.c:447)
 nv50_disp_intr_+0x4a/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:116)
 nvkm_disp_intr+0x53/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:204)
 nvkm_engine_intr+0x57/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/engine.c:71)
 nvkm_subdev_intr+0x54/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/subdev.c:88)
 nvkm_mc_intr+0x23a/0x4b0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:79)
 ? nvkm_mc_intr_rearm+0xa0/0xa0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:62)
 ? nv40_pci_wr08+0x68/0xa0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/nv40.c:35)
 ? nvkm_pci_wr08+0x57/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:39)
 nvkm_pci_intr+0xcc/0x170 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:70)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 __handle_irq_event_percpu+0xe1/0x630 (kernel/irq/handle.c:136)
 handle_irq_event_percpu+0x69/0x130 (kernel/irq/handle.c:181)
 ? __handle_irq_event_percpu+0x630/0x630 (kernel/irq/handle.c:136)
 ? handle_edge_irq+0x30/0x850 (kernel/irq/chip.c:622)
 handle_irq_event+0xa7/0x140 (kernel/irq/handle.c:195)
 handle_edge_irq+0x1cd/0x850 (kernel/irq/chip.c:622)
 handle_irq+0x105/0x2a0 (arch/x86/kernel/irq_64.c:69)
 ? __local_bh_enable+0x37/0x60 (kernel/softirq.c:139)
 do_IRQ+0x7d/0x1a0 (arch/x86/kernel/irq.c:213)
 common_interrupt+0x90/0x90 (arch/x86/entry/entry_64.S:452)
RIP: 0010:cpuidle_enter_state+0x10d/0x7d0 (drivers/cpuidle/cpuidle.c:188)
RSP: 0018:ffff88077228fdc0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff1e
RAX: 0000000000000003 RBX: ffff8807761297b8 RCX: 000000000000001f
RDX: 0000000000000004 RSI: 1ffff100eec23d1b RDI: ffffffff839ec680
RBP: ffff88077228fe18 R08: 0000000000012314 R09: ffffffff83a10980
R10: ffff88077611dfc4 R11: ffff88077611dfe4 R12: 0000000000000008
R13: ffffffff83a10c98 R14: 000000001e85c873 R15: 0000000000000300
 </IRQ>
 ? set_cpu_sd_state_idle+0x145/0x230 (kernel/sched/fair.c:8557)
 cpuidle_enter+0x17/0x20 (drivers/cpuidle/cpuidle.c:282)
 call_cpuidle+0x47/0xc0 (kernel/sched/idle.c:103)
 ? cpuidle_select+0x59/0x80 (drivers/cpuidle/cpuidle.c:266)
 ? rcu_idle_enter+0x7e/0xa0 (kernel/rcu/tree.c:749)
 do_idle+0x22c/0x2e0 (kernel/sched/idle.c:209)
 cpu_startup_entry+0x1d/0x20 (kernel/sched/idle.c:326)
 start_secondary+0x298/0x360 (arch/x86/kernel/smpboot.c:224)
 ? set_cpu_sibling_map+0x1a40/0x1a40 (arch/x86/kernel/smpboot.c:525)
 start_cpu+0x14/0x14 (arch/x86/kernel/head_64.S:301)
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Allocated:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_kmalloc+0xad/0xe0 (mm/kasan/kasan.c:585)
 kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739)
 nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2323)
 drm_atomic_get_crtc_state+0x1be/0x3d0 (drivers/gpu/drm/drm_atomic.c:264)
 drm_atomic_get_plane_state+0x2a5/0x3e0 (drivers/gpu/drm/drm_atomic.c:679)
 drm_atomic_helper_update_plane+0x10b/0x3b0 (drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Freed:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_slab_free+0x73/0xc0 (mm/kasan/kasan.c:560)
 kfree+0xd9/0x2a0 (mm/slub.c:3862)
 nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2315)
 drm_atomic_state_default_clear+0x372/0x930 (drivers/gpu/drm/drm_atomic.c:141)
 nv50_disp_atomic_state_clear+0x124/0x1b0 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:4301)
 drm_atomic_state_clear+0x80/0xb0 (drivers/gpu/drm/drm_atomic.c:210)
 __drm_atomic_state_free+0x3a/0xe0 (drivers/gpu/drm/drm_atomic.c:229)
 drm_atomic_helper_update_plane+0x2b3/0x3b0 (drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Memory state around the buggy address:
 ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff880739ecc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880739ecc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
=================================================================
bugzilla-daemon at freedesktop.org
2019-Dec-04 09:27 UTC
[Nouveau] [Bug 100691] [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
https://bugs.freedesktop.org/show_bug.cgi?id=100691

Martin Peres <martin.peres at free.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |MOVED

--- Comment #1 from Martin Peres <martin.peres at free.fr> ---
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/343.