bugzilla-daemon at freedesktop.org
2012-Dec-10 14:55 UTC
[Nouveau] [Bug 58087] New: [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

            Bug ID: 58087
          Priority: medium
          Assignee: nouveau at lists.freedesktop.org
           Summary: [-next] nouveau corrupts kernel mm allocator
        QA Contact: xorg-team at lists.x.org
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: peter at hurleysoftware.com
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: Driver/nouveau
           Product: xorg

Created attachment 71269
  --> https://bugs.freedesktop.org/attachment.cgi?id=71269&action=edit
kernel log showing BUG triggered by nouveau

If nouveau_vm_new() fails in nouveau_drm_open(), the cleanup triggered corrupts the kernel slab allocator (in this case, SLUB).

Attached is the kernel log showing the page allocation failure and the subsequent BUG in mm/slub.c

A similar corruption had previously occurred which triggered a GP fault in the mm allocator from the same code path. This was reported as kernel bug #51291 here https://bugzilla.kernel.org/show_bug.cgi?id=51291

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/nouveau/attachments/20121210/3d97d2d0/attachment.html>
bugzilla-daemon at freedesktop.org
2012-Dec-10 20:29 UTC
[Nouveau] [Bug 58087] [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #1 from Marcin Slusarz <marcin.slusarz at gmail.com> ---
Created attachment 71290
  --> https://bugs.freedesktop.org/attachment.cgi?id=71290&action=edit
fix
bugzilla-daemon at freedesktop.org
2012-Dec-12 21:14 UTC
[Nouveau] [Bug 58087] [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #2 from Peter Hurley <peter at hurleysoftware.com> ---
(In reply to comment #1)
> Created attachment 71290 [details] [review]
> fix

- vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
+ vm = kzalloc(sizeof(*vm), GFP_KERNEL);

How/why *not* setting cli->base.vm to NULL fixes this?

Also, this assignment idiom is common in the nouveau driver code. Is the above fix just one of many necessary?

core/subdev/vm/base.c:  vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
core/core/object.c:     object = *pobject = kzalloc(size, GFP_KERNEL);
core/core/ramht.c:      co = ho = nouveau_ramht_hash(ramht, chid, handle);
core/core/handle.c:     handle = *phandle = kzalloc(sizeof(*handle), GFP_KERNEL);
nouveau_abi16.c:        cli->abi16 = abi16 = kzalloc(sizeof(*abi16), GFP_KERNEL);
nouveau_bo.c:           struct nouveau_channel *chan = chan = drm->channel;  /* COMMENT: THIS ONE IS INTERESTING */
nouveau_chan.c:         chan = *pchan = kzalloc(sizeof(*chan), GFP_KERNEL);
nouveau_display.c:      disp = drm->display = kzalloc(sizeof(*disp), GFP_KERNEL);
nouveau_pm.c:           pm = drm->pm = kzalloc(sizeof(*pm), GFP_KERNEL);
nv04_fence.c:           priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv10_fence.c:           fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv10_fence.c:           priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv50_fence.c:           fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv50_fence.c:           priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv84_fence.c:           fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv84_fence.c:           priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nvc0_fence.c:           fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nvc0_fence.c:           priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
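Review bot: the two-line hunk quoted above removes the early `*pvm =` store but does not show where `*pvm` is now assigned, so on its own it is incomplete: the success path needs a `*pvm = vm;` after the later allocations in the function have succeeded, and the error path must return without ever writing `*pvm`, otherwise the caller's cleanup (`nouveau_cli_destroy()` releasing `cli->base.vm`, per the bug description) is handed either an uninitialised or a dangling pointer. The same review applies to each site in the grep list that uses the `x = owner->field = kzalloc(...)` idiom and then performs further allocations before returning: either publish the pointer last, or reset `owner->field` to NULL on the error path after the `kfree()`. The `nouveau_bo.c` line (`chan = chan = drm->channel`) is a separate matter, a self-assignment with no ownership transfer, and is worth a cleanup patch of its own rather than being folded into this fix.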
bugzilla-daemon at freedesktop.org
2012-Dec-12 22:03 UTC
[Nouveau] [Bug 58087] [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #3 from Marcin Slusarz <marcin.slusarz at gmail.com> ---
It's not a problem with vm allocation. The next one (vm->pgt) fails, so we free vm, leaving *pvm pointing at freed memory. When we get to nouveau_drm_open, we call nouveau_cli_destroy(cli), which tries to free cli->base.vm again. Oops.

I already checked other places and some of them also have this bug. I'll post fixes in a few days.
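The failure sequence described in comment #3, written out as an added example that is not part of this bug thread or of the nouveau driver. The structures, the `vm_new_buggy()`/`vm_new_fixed()`/`cli_destroy()` functions standing in for nouveau_vm_new() and nouveau_cli_destroy(), the `fail_pgt` switch that forces the second allocation to fail, and the tiny quarantining allocator that plays the part of SLUB's debug checks are all constructed for illustration. The buggy function publishes the object through `*pvm` before it is complete; the fixed one writes `*pvm` only after every allocation succeeded, so the caller's cleanup never sees a pointer to freed memory.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the objects named in the thread: a vm whose
 * second allocation (pgt) can fail, and a cli that owns it (cli->base.vm). */
struct vm  { void *pgt; };
struct cli { struct vm *vm; };

/* Minimal quarantining allocator playing the role of SLUB's debug checks:
 * freed slots are never reused and a second free is counted, not crashed on. */
#define MAX_SLOTS 16
#define SLOT_WORDS 16                     /* 16 pointers = 128 bytes per slot */
enum { SLOT_FREE, SLOT_LIVE, SLOT_DEAD };
static void *mem[MAX_SLOTS][SLOT_WORDS];  /* pointer-aligned backing store */
static int state[MAX_SLOTS];
static int double_frees;
static int fail_pgt;   /* when set, the vm->pgt allocation fails (comment #3's path) */

static void *tracked_zalloc(size_t size)
{
    for (int i = 0; size <= sizeof mem[0] && i < MAX_SLOTS; i++) {
        if (state[i] == SLOT_FREE) {
            state[i] = SLOT_LIVE;
            return mem[i];                /* zeroed by run_open's reset */
        }
    }
    return NULL;
}

static void tracked_free(void *p)
{
    for (int i = 0; p && i < MAX_SLOTS; i++) {
        if ((void *)mem[i] != p)
            continue;
        if (state[i] == SLOT_DEAD)
            double_frees++;               /* second free of the same object */
        state[i] = SLOT_DEAD;
        return;
    }
}

/* Buggy shape: the object is published through *pvm before it is complete,
 * so the error path frees memory the caller can still reach. */
static int vm_new_buggy(struct vm **pvm)
{
    struct vm *vm = *pvm = tracked_zalloc(sizeof(*vm));
    if (!vm)
        return -ENOMEM;
    vm->pgt = fail_pgt ? NULL : tracked_zalloc(64);
    if (!vm->pgt) {
        tracked_free(vm);                 /* *pvm still points at vm */
        return -ENOMEM;
    }
    return 0;
}

/* Fixed shape: *pvm is written once, after every allocation succeeded. */
static int vm_new_fixed(struct vm **pvm)
{
    struct vm *vm = tracked_zalloc(sizeof(*vm));
    if (!vm)
        return -ENOMEM;
    vm->pgt = fail_pgt ? NULL : tracked_zalloc(64);
    if (!vm->pgt) {
        tracked_free(vm);
        return -ENOMEM;                   /* caller's pointer stays NULL */
    }
    *pvm = vm;
    return 0;
}

/* Stand-in for nouveau_cli_destroy(); with the buggy vm_new it frees an already-freed object. */
static void cli_destroy(struct cli *cli)
{
    if (cli->vm) {
        tracked_free(cli->vm->pgt);
        tracked_free(cli->vm);
        cli->vm = NULL;
    }
}

/* Runs open-then-cleanup once; returns the double frees caught, or -1 if a
 * successful vm_new failed to hand the vm back to the caller. */
static int run_open(int (*vm_new)(struct vm **), int make_pgt_fail)
{
    struct cli cli = { NULL };
    memset(mem, 0, sizeof mem);
    memset(state, 0, sizeof state);
    double_frees = 0;
    fail_pgt = make_pgt_fail;
    if (vm_new(&cli.vm) == 0 && cli.vm == NULL)
        return -1;
    cli_destroy(&cli);                    /* the caller's error-path cleanup */
    return double_frees;
}

int main(void)
{
    printf("buggy, pgt fails: %d double free(s)\n", run_open(vm_new_buggy, 1));
    printf("fixed, pgt fails: %d double free(s)\n", run_open(vm_new_fixed, 1));
    return 0;
}
```

Because the quarantine never reuses a slot, the buggy path's read of `cli->vm->pgt` hits memory that is still mapped, which mirrors a freed slab object whose page is still around; a real allocator would have either recycled it or, with debugging on, reported the second free the way the attached log does.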
bugzilla-daemon at freedesktop.org
2012-Dec-12 22:51 UTC
[Nouveau] [Bug 58087] [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #4 from Peter Hurley <peter at hurleysoftware.com> ---
(In reply to comment #3)
> It's not a problem with vm allocation. The next one (vm->pgt) fails, so we
> free vm, leaving *pvm pointing at freed memory. When we get to
> nouveau_drm_open, we call nouveau_cli_destroy(cli), which tries to free
> cli->base.vm again. Oops.

Thanks for the explanation. That makes sense to me now.

FYI, I did also file a bug in the kernel bugzilla for the memory allocation failure itself (kernel bug 51301 here https://bugzilla.kernel.org/show_bug.cgi?id=51301). A 32k allocation on a 10gb machine shouldn't really ever fail.
bugzilla-daemon at freedesktop.org
2013-Jan-05 00:52 UTC
[Nouveau] [Bug 58087] [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

Emil Velikov <emil.l.velikov at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.freedesktop.org/show_bug.cgi?id=58984
bugzilla-daemon at freedesktop.org
2013-Feb-02 22:55 UTC
[Nouveau] [Bug 58087] [-next] nouveau corrupts kernel mm allocator
https://bugs.freedesktop.org/show_bug.cgi?id=58087

Marcin Slusarz <marcin.slusarz at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Marcin Slusarz <marcin.slusarz at gmail.com> ---
Fixed in 3.8-rc2.