bugzilla-daemon at freedesktop.org
2016-Jun-01 11:44 UTC
[Nouveau] [Bug 96306] New: BUG: KASAN: slab-out-of-bounds in OUT_RINGp (via nvc0_fbcon_imageblit)
https://bugs.freedesktop.org/show_bug.cgi?id=96306

Bug ID: 96306
Summary: BUG: KASAN: slab-out-of-bounds in OUT_RINGp (via nvc0_fbcon_imageblit)
Product: xorg
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Status: NEW
Severity: normal
Priority: medium
Component: Driver/nouveau
Assignee: nouveau at lists.freedesktop.org
Reporter: peter at lekensteyn.nl
QA Contact: xorg-team at lists.x.org

Created attachment 124231
  --> https://bugs.freedesktop.org/attachment.cgi?id=124231&action=edit
dmesg output for v4.7-rc1 containing the KASAN report

Previously reported by others to mailing lists (with no replies):

[4.4-rc1] nouveau: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40
https://lists.freedesktop.org/archives/dri-devel/2015-November/095100.html

[3.10] BUG: drm, nouveau: slab-out-of-bounds read access in nv50_fbcon_imageblit()
https://lists.freedesktop.org/archives/dri-devel/2016-May/108270.html

Hardware: Optimus laptop with inteldrmfb being the primary framebuffer, an external monitor is connected to DP-1 on the Nvidia card (GTX 965M, 10de:13d9).

Steps to reproduce the out-of-bounds issue in my environment:

0. Avoid continuously triggering the error: dmesg -D
1. modprobe nouveau runpm=0 (or be sure to wake the device before using con2fbmap, there is a nasty (unrelated) deadlock in there due to recursive console_lockup.)
2. con2fbmap 1 2 (bind console 2 to nouveaufb (1)). This invokes ioctl(/dev/fb0, FBIOPUT_CON2FBMAP, (u32[2]){2, 1}).
3. If you are not there already, switch to tty2 on the nouveau display.
4. Press Enter until you are at the last line of the console (or past it, I forgot).
5. Go to a different tty (e.g. the Intel one) and notice the KASAN report in dmesg.

Attached is yet another log (looks similar to the other ones) for v4.7-rc1 (with two unrelated patchsets applied on top).

--
You are receiving this mail because:
You are the assignee for the bug.
bugzilla-daemon at freedesktop.org
2016-Jul-07 21:59 UTC
[Nouveau] [Bug 96306] BUG: KASAN: slab-out-of-bounds in OUT_RINGp (via nvc0_fbcon_imageblit)
https://bugs.freedesktop.org/show_bug.cgi?id=96306

Peter Wu <peter at lekensteyn.nl> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |FIXED
CC         |        |peter at lekensteyn.nl
Status     |NEW     |RESOLVED

--- Comment #1 from Peter Wu <peter at lekensteyn.nl> ---

Fixed since v4.7-rc3 with:

    commit f045f459d925138fe7d6193a8c86406bda7e49da
    Author: Ben Skeggs <bskeggs at redhat.com>
    Date:   Thu Jun 2 12:23:31 2016 +1000

        drm/nouveau/fbcon: fix out-of-bounds memory accesses

        Reported by KASAN.

        Signed-off-by: Ben Skeggs <bskeggs at redhat.com>
        Cc: stable at vger.kernel.org

Confirmed that it does no longer occur in v4.7-rc6-74-g076501f.