Nouveau - Jun 2016 - [Bug 96306] New: BUG: KASAN: slab-out-of-bounds in OUT_RINGp (via nvc0_fbcon_imageblit)

https://bugs.freedesktop.org/show_bug.cgi?id=96306

            Bug ID: 96306
           Summary: BUG: KASAN: slab-out-of-bounds in OUT_RINGp (via
                    nvc0_fbcon_imageblit)
           Product: xorg
           Version: unspecified
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Driver/nouveau
          Assignee: nouveau at lists.freedesktop.org
          Reporter: peter at lekensteyn.nl
        QA Contact: xorg-team at lists.x.org

Created attachment 124231
  --> https://bugs.freedesktop.org/attachment.cgi?id=124231&action=edit
dmesg output for v4.7-rc1 containing the KASAN report

Previously reported by others to mailing lists (with no replies):

[4.4-rc1] nouveau: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40
https://lists.freedesktop.org/archives/dri-devel/2015-November/095100.html

[3.10] BUG: drm, nouveau: slab-out-of-bounds read access in
nv50_fbcon_imageblit()
https://lists.freedesktop.org/archives/dri-devel/2016-May/108270.html


Hardware:
Optimus laptop with inteldrmfb being the primary framebuffer, an external
monitor is connected to DP-1 on the Nvidia card (GTX 965M, 10de:13d9).

Steps to reproduce the out-of-bounds issue in my environment:
 0. Avoid continuously triggering the error: dmesg -D
 1. modprobe nouveau runpm=0 (or be sure to wake the device before using
con2fbmap, there is a nasty (unrelated) deadlock in there due to recursive
console_lockup.)
 2. con2fbmap 1 2 (bind console 2 to nouveaufb (1)). This invokes
ioctl(/dev/fb0, FBIOPUT_CON2FBMAP, (u32[2]){2, 1})).
 3. If you are not there already, switch to tty2 on the nouveau display.
 4. Press Enter until you are at the last line of the console (or past it, I
forgot).
 5. Go to a different tty (e.g. the Intel one) and notice the KASAN report in
dmesg.

Attached is yet another log (looks similar to the other ones) for v4.7-rc1
(with two unrelated patchsets applied on top).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20160601/2e251877/attachment.html>

https://bugs.freedesktop.org/show_bug.cgi?id=96306

Peter Wu <peter at lekensteyn.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |peter at lekensteyn.nl
             Status|NEW                         |RESOLVED

--- Comment #1 from Peter Wu <peter at lekensteyn.nl> ---
Fixed since v4.7-rc3 with:

commit f045f459d925138fe7d6193a8c86406bda7e49da
Author: Ben Skeggs <bskeggs at redhat.com>
Date:   Thu Jun 2 12:23:31 2016 +1000

    drm/nouveau/fbcon: fix out-of-bounds memory accesses

    Reported by KASAN.

    Signed-off-by: Ben Skeggs <bskeggs at redhat.com>
    Cc: stable at vger.kernel.org

Confirmed that is does no longer occur in v4.7-rc6-74-g076501f.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.freedesktop.org/archives/nouveau/attachments/20160707/ab1a626e/attachment.html>