* [Bug 100691] New: [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
@ 2017-04-15 19:48 bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2017-04-15 19:48 UTC (permalink / raw)
  To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW



https://bugs.freedesktop.org/show_bug.cgi?id=100691

            Bug ID: 100691
           Summary: [4.10] BUG: KASAN: use-after-free in
                    drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
           Product: xorg
           Version: git
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Driver/nouveau
          Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
          Reporter: peter-VTkQYDcBqhK7DlmcbJSQ7g@public.gmane.org
        QA Contact: xorg-team-go0+a7rfsptAfugRpC6u6w@public.gmane.org

Created attachment 130857
  --> https://bugs.freedesktop.org/attachment.cgi?id=130857&action=edit
dmesg for 4.10.9 with KASAN with files + lines added

Since upgrading from kernel 4.9.9 to 4.10.5 (and 4.10.9), I ended up with clear
signs of memory corruption that finished with two kernel panics. The second
trace seems related to bug 100431.

When trying to reproduce it with 4.10.9, I failed to reproduce those issues,
but instead I found this one. It seems to happen when I try to open a new
window in KDE Plasma on Arch Linux (though I am not sure of the exact trigger).

==================================================================
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.10.9kasan #10
Hardware name: Notebook                         P65_P67RGRERA/P65_P67RGRERA,
BIOS 1.05.16 05/16/2016
Call Trace:
 <IRQ>
 dump_stack+0x68/0x96 (lib/dump_stack.c:27)
 kasan_object_err+0x21/0x70 (mm/kasan/report.c:159)
 kasan_report.part.1+0x213/0x4e0
 ? drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
(drivers/gpu/drm/drm_irq.c:743)
 __asan_report_load4_noabort+0x2e/0x30 (mm/kasan/report.c:331)
 drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
(drivers/gpu/drm/drm_irq.c:743)
 ? drm_irq_install+0x570/0x570 (drivers/gpu/drm/drm_irq.c:459)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? try_to_wake_up+0xc6/0xd00 (kernel/sched/core.c:2010)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? migrate_swap_stop+0x790/0x790 (kernel/sched/core.c:1291)
 ? drm_handle_vblank+0x1c1/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 nouveau_display_vblstamp+0x16d/0x2a0 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_display.c:159)
 drm_get_last_vbltimestamp+0xcb/0x160 (drivers/gpu/drm/drm_irq.c:878)
 ? get_drm_timestamp+0x40/0x40 (drivers/gpu/drm/drm_irq.c:848)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? nouveau_fence_wait_uevent_handler+0xc9/0x140 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_fence.c:148)
 drm_update_vblank_count+0x16a/0x870 (drivers/gpu/drm/drm_irq.c:150)
 ? store_vblank+0x2c0/0x2c0 (drivers/gpu/drm/drm_irq.c:79)
 drm_handle_vblank+0x14a/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? drm_crtc_wait_one_vblank+0x90/0x90 (drivers/gpu/drm/drm_irq.c:1252)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? cpuacct_charge+0x240/0x400 (kernel/sched/cpuacct.c:349)
 drm_crtc_handle_vblank+0x63/0x90 (drivers/gpu/drm/drm_irq.c:1755)
 ? find_next_bit+0x18/0x20 (lib/find_bit.c:63)
 nouveau_display_vblank_handler+0x15/0x20 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_display.c:50)
 nvif_notify+0x25f/0x570 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:113)
 ? nvif_notify_get+0x160/0x160 [nouveau]
(drivers/gpu/drm/nouveau/nvif/notify.c:83)
 ? nv50_disp_vblank_fini_+0x57/0x80 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:102)
 ? nvkm_disp_vblank_fini+0x5f/0x90 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:41)
 ? nvkm_client_driver_init+0x100/0x100 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_nvif.c:110)
 nvkm_client_ntfy+0xc9/0x100 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_nvif.c:81)
 nvkm_client_notify+0xea/0x140 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/client.c:46)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 nvkm_notify_send+0x224/0x520 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/notify.c:92)
 nvkm_event_send+0x208/0x270 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/event.c:54)
 nvkm_disp_vblank+0x74/0x90 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:85)
 ? nvkm_disp_dtor+0x540/0x540 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:247)
 gf119_disp_intr+0x1d6/0x690 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/gf119.c:447)
 nv50_disp_intr_+0x4a/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:116)
 nvkm_disp_intr+0x53/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:204)
 nvkm_engine_intr+0x57/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/engine.c:71)
 nvkm_subdev_intr+0x54/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/subdev.c:88)
 nvkm_mc_intr+0x23a/0x4b0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:79)
 ? nvkm_mc_intr_rearm+0xa0/0xa0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:62)
 ? nv40_pci_wr08+0x68/0xa0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/nv40.c:35)
 ? nvkm_pci_wr08+0x57/0x90 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:39)
 nvkm_pci_intr+0xcc/0x170 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:70)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 __handle_irq_event_percpu+0xe1/0x630 (kernel/irq/handle.c:136)
 handle_irq_event_percpu+0x69/0x130 (kernel/irq/handle.c:181)
 ? __handle_irq_event_percpu+0x630/0x630 (kernel/irq/handle.c:136)
 ? handle_edge_irq+0x30/0x850 (kernel/irq/chip.c:622)
 handle_irq_event+0xa7/0x140 (kernel/irq/handle.c:195)
 handle_edge_irq+0x1cd/0x850 (kernel/irq/chip.c:622)
 handle_irq+0x105/0x2a0 (arch/x86/kernel/irq_64.c:69)
 ? __local_bh_enable+0x37/0x60 (kernel/softirq.c:139)
 do_IRQ+0x7d/0x1a0 (arch/x86/kernel/irq.c:213)
 common_interrupt+0x90/0x90 (arch/x86/entry/entry_64.S:452)
RIP: 0010:cpuidle_enter_state+0x10d/0x7d0 (drivers/cpuidle/cpuidle.c:188)
RSP: 0018:ffff88077228fdc0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff1e
RAX: 0000000000000003 RBX: ffff8807761297b8 RCX: 000000000000001f
RDX: 0000000000000004 RSI: 1ffff100eec23d1b RDI: ffffffff839ec680
RBP: ffff88077228fe18 R08: 0000000000012314 R09: ffffffff83a10980
R10: ffff88077611dfc4 R11: ffff88077611dfe4 R12: 0000000000000008
R13: ffffffff83a10c98 R14: 000000001e85c873 R15: 0000000000000300
 </IRQ>
 ? set_cpu_sd_state_idle+0x145/0x230 (kernel/sched/fair.c:8557)
 cpuidle_enter+0x17/0x20 (drivers/cpuidle/cpuidle.c:282)
 call_cpuidle+0x47/0xc0 (kernel/sched/idle.c:103)
 ? cpuidle_select+0x59/0x80 (drivers/cpuidle/cpuidle.c:266)
 ? rcu_idle_enter+0x7e/0xa0 (kernel/rcu/tree.c:749)
 do_idle+0x22c/0x2e0 (kernel/sched/idle.c:209)
 cpu_startup_entry+0x1d/0x20 (kernel/sched/idle.c:326)
 start_secondary+0x298/0x360 (arch/x86/kernel/smpboot.c:224)
 ? set_cpu_sibling_map+0x1a40/0x1a40 (arch/x86/kernel/smpboot.c:525)
 start_cpu+0x14/0x14 (arch/x86/kernel/head_64.S:301)
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Allocated:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_kmalloc+0xad/0xe0 (mm/kasan/kasan.c:585)
 kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739)
 nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau]
(drivers/gpu/drm/nouveau/nv50_display.c:2323)
 drm_atomic_get_crtc_state+0x1be/0x3d0 (drivers/gpu/drm/drm_atomic.c:264)
 drm_atomic_get_plane_state+0x2a5/0x3e0 (drivers/gpu/drm/drm_atomic.c:679)
 drm_atomic_helper_update_plane+0x10b/0x3b0
(drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Freed:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_slab_free+0x73/0xc0 (mm/kasan/kasan.c:560)
 kfree+0xd9/0x2a0 (mm/slub.c:3862)
 nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau]
(drivers/gpu/drm/nouveau/nv50_display.c:2315)
 drm_atomic_state_default_clear+0x372/0x930 (drivers/gpu/drm/drm_atomic.c:141)
 nv50_disp_atomic_state_clear+0x124/0x1b0 [nouveau]
(drivers/gpu/drm/nouveau/nv50_display.c:4301)
 drm_atomic_state_clear+0x80/0xb0 (drivers/gpu/drm/drm_atomic.c:210)
 __drm_atomic_state_free+0x3a/0xe0 (drivers/gpu/drm/drm_atomic.c:229)
 drm_atomic_helper_update_plane+0x2b3/0x3b0
(drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Memory state around the buggy address:
 ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff880739ecc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880739ecc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

-- 
You are receiving this mail because:
You are the assignee for the bug.


_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau
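As an added triage example (not part of the bug report or of the nouveau project), a small Python helper that pulls out of the KASAN splat above the facts a reviewer needs first: the access kind and faulting function, the object's slab cache and the access offset within it, the shadow byte for the faulting address, and the first driver-owned frame in the allocation and free stacks. The text it parses is a constructed excerpt of the splat above; the regexes assume the 4.10-era report layout shown there.

```python
import re

# Constructed excerpt of the KASAN splat from bug 100691, cut down to the lines the parser needs.
REPORT = """\
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Allocated:
 kasan_kmalloc+0xad/0xe0 (mm/kasan/kasan.c:585)
 kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739)
 nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau]
Freed:
 kasan_slab_free+0x73/0xc0 (mm/kasan/kasan.c:560)
 kfree+0xd9/0x2a0 (mm/slub.c:3862)
 nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau]
Memory state around the buggy address:
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

SHADOW_SCALE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone"}
# frames belonging to the allocator/KASAN itself rather than to the code that owns the object
BOOKKEEPING = ("save_stack", "kasan_", "kmem_cache_alloc", "kfree", "__kmalloc")

def first_owner_frame(section):
    # first frame of an Allocated:/Freed: stack that is not allocator bookkeeping
    for name in re.findall(r"^ (\S+?)\+0x", section, re.M):
        if not name.startswith(BOOKKEEPING):
            return name
    return None

def parse_kasan(report):
    kind, func = re.search(r"BUG: KASAN: (\S+) in (\S+)\+", report).groups()
    addr = int(re.search(r"at addr ([0-9a-f]+)", report).group(1), 16)
    access, size = re.search(r"(Read|Write) of size (\d+)", report).groups()
    obj, cache, obj_size = re.search(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", report).groups()
    alloc_sec = report.split("Allocated:")[1].split("Freed:")[0]
    free_sec = report.split("Freed:")[1].split("Memory state")[0]
    shadow = {}  # rebuild the shadow map: byte i of a row covers base + i * SHADOW_SCALE
    for base, row in re.findall(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", report, re.M):
        for i, byte in enumerate(row.split()):
            shadow[int(base, 16) + i * SHADOW_SCALE] = int(byte, 16)
    sb = shadow.get(addr - addr % SHADOW_SCALE)
    return {"kind": kind, "func": func, "access": access, "size": int(size),
            "cache": cache, "object_size": int(obj_size), "offset_in_object": addr - int(obj, 16),
            "shadow_byte": sb, "shadow_meaning": SHADOW_MEANING.get(sb, "unknown"),
            "allocated_by": first_owner_frame(alloc_sec), "freed_by": first_owner_frame(free_sec)}
```

For this splat the helper reports a 4-byte read at offset 0xb0 of a kmalloc-1024 object whose shadow byte is 0xfb (freed), allocated by nv50_head_atomic_duplicate_state and freed by nv50_head_atomic_destroy_state, which is the CRTC atomic state being read from the vblank IRQ path after the ioctl that created it has already dropped it.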

* [Bug 100691] [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2019-12-04  9:27 UTC (permalink / raw)
  To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW



https://bugs.freedesktop.org/show_bug.cgi?id=100691

Martin Peres <martin.peres-GANU6spQydw@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |MOVED

--- Comment #1 from Martin Peres <martin.peres-GANU6spQydw@public.gmane.org> ---
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been
closed from further activity.

You can subscribe and participate further through the new bug through this link
to our GitLab instance:
https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/343.
