[Bug 103689] New: there is an exploitable page fault that can be reliably triggered from the chromium sandbox can possibly lead to remote attackers causing a denial of service condition or possibly running system code.

[Bug 103689] New: there is an exploitable page fault that can be reliably triggered from the chromium sandbox can possibly lead to remote attackers causing a denial of service condition or possibly running system code.

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 12828 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

            Bug ID: 103689
           Summary: there is an exploitable page fault that can be
                    reliably triggered from the chromium sandbox can
                    possibly lead to remote attackers causing a denial of
                    service condition or possibly running system code.
           Product: xorg
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Driver/nouveau
          Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
          Reporter: yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
        QA Contact: xorg-team-go0+a7rfsptAfugRpC6u6w@public.gmane.org

Created attachment 135404
  --> https://bugs.freedesktop.org/attachment.cgi?id=135404&action=edit
reproduction

there is an exploitable page fault that can be reliably triggered from the
chromium sandbox can possibly lead to remote attackers causing a denial of
service condition or possibly running system code.

this was found while fuzzing the chromium browser.

in order to reproduce you should run the given html page:
https://drive.google.com/open?id=15NzlWcu0vUPLPpEDuOMCpCWjWM4QrAx3

with the default installation of ubuntu desktop (details of the ver of the
products given below..) with the Nouveau driver installed, this can be remotely
exploitable.

this issue is referenced here:
https://bugs.chromium.org/p/chromium/issues/detail?id=784062  

details:


this should effect chrom-os too,
https://chromium.googlesource.com/chromiumos/third_party/drm/+/292da616fe1f936ca78a3fa8e1b1b19883e343b6/nouveau/nouveau.h

this is the kernel stack:

comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:13 nitro kernel: [   53.352636] audit: type=1400
audit(1510305733.908:25): apparmor="DENIED" operation="connect"
profile="webbrowser-app" pid=1903 comm="webbrowser-app" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive connect"
denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-3hDyoEr1"
peer="unconfined"
Nov 10 11:22:14 nitro kernel: [   53.450239] audit: type=1400
audit(1510305734.007:26): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/dev/dri/" pid=1903 comm="webbrowser-app"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:14 nitro kernel: [   53.460449] audit: type=1400
audit(1510305734.015:27): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/dev/dri/" pid=1903 comm="webbrowser-app"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:14 nitro kernel: [   53.460451] audit: type=1400
audit(1510305734.015:28): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/dev/dri/" pid=1903 comm="webbrowser-app"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:14 nitro kernel: [   53.517029] audit: type=1400
audit(1510305734.071:29): apparmor="DENIED" operation="connect"
profile="webbrowser-app" pid=1903 comm="pool" family="unix" sock_type="stream"
protocol=0 requested_mask="send receive connect" denied_mask="send connect"
addr=none peer_addr="@/tmp/ibus/dbus-3hDyoEr1" peer="unconfined"
Nov 10 11:22:14 nitro kernel: [   54.279158] audit: type=1400
audit(1510305734.830:30): apparmor="DENIED" operation="mkdir"
profile="webbrowser-app" name="/home/yn/.config/ubuntu-ui-toolkit/" pid=1903
comm="webbrowser-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 10 11:22:14 nitro kernel: [   54.279160] audit: type=1400
audit(1510305734.830:31): apparmor="DENIED" operation="mkdir"
profile="webbrowser-app" name="/home/yn/.config/ubuntu-ui-toolkit/" pid=1903
comm="webbrowser-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 10 11:22:16 nitro kernel: [   55.680138] audit: type=1400
audit(1510305736.218:32): apparmor="DENIED" operation="mkdir"
profile="webbrowser-app" name="/home/yn/.config/ubuntu-ui-toolkit/" pid=1903
comm="webbrowser-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 10 11:22:16 nitro kernel: [   55.680140] audit: type=1400
audit(1510305736.222:33): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/sys/bus/" pid=1903 comm="webbrowser-app"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:18 nitro kernel: [   58.301903] kauditd_printk_skb: 4 callbacks
suppressed
Nov 10 11:22:18 nitro kernel: [   58.301905] audit: type=1400
audit(1510305738.835:38): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/proc/1943/task/1943/status" pid=1903
comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:18 nitro kernel: [   58.329002] audit: type=1400
audit(1510305738.863:39): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/proc/1943/task/1943/status" pid=1903
comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:18 nitro kernel: [   58.329004] audit: type=1400
audit(1510305738.863:40): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/proc/1943/task/1943/status" pid=1903
comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:19 nitro kernel: [   58.544021] audit: type=1400
audit(1510305739.075:41): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903
comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:24 nitro kernel: [   63.790188] audit: type=1400
audit(1510305744.310:42): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903
comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:25 nitro kernel: [   64.498110] audit: type=1400
audit(1510305745.013:43): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903
comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:25 nitro kernel: [   65.002020] audit: type=1400
audit(1510305745.516:44): apparmor="DENIED" operation="open"
profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903
comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:34 nitro NetworkManager[803]: <warn>  [1510305754.6049] dhcp6
(eno1): request timed out
Nov 10 11:22:34 nitro NetworkManager[803]: <info>  [1510305754.6049] dhcp6
(eno1): state changed unknown -> timeout
Nov 10 11:22:34 nitro NetworkManager[803]: <info>  [1510305754.6057] dhcp6
(eno1): canceled DHCP transaction, DHCP client pid 1617
Nov 10 11:22:34 nitro NetworkManager[803]: <info>  [1510305754.6057] dhcp6
(eno1): state changed timeout -> done
Nov 10 11:24:37 nitro kernel: [  196.887267] nouveau 0000:01:00.0: fifo: read
fault at 002b8c0000 engine 00 [PGRAPH] client 10 [] reason 02
[PAGE_NOT_PRESENT] on channel 8 [003f986000 chromium-browse[2658]]
Nov 10 11:24:37 nitro kernel: [  196.887274] nouveau 0000:01:00.0: fifo: gr
engine fault on channel 8, recovering...
Nov 10 11:24:57 nitro kernel: [  216.884429] ------------[ cut here
]------------
Nov 10 11:24:57 nitro kernel: [  216.884467] WARNING: CPU: 2 PID: 1032 at
/build/linux-hwe-lyR8gz/linux-hwe-4.10.0/drivers/gpu/drm/nouveau/nouveau_bo.c:1212
nouveau_bo_move_ntfy+0xa3/0xb0 [nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884467] Modules linked in: nls_utf8 udf
crc_itu_t nls_iso8859_1 hid_multitouch intel_rapl x86_pkg_temp_thermal
intel_powerclamp joydev coretemp kvm uvcvideo videobuf2_vmalloc
videobuf2_memops videobuf2_v4l2 videobuf2_core irqbypass videodev media
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hda_codec_idt
snd_hda_codec_generic aesni_intel snd_hda_intel aes_x86_64 snd_hda_codec
crypto_simd glue_helper snd_hda_core cryptd snd_hwdep intel_cstate
intel_rapl_perf snd_pcm arc4 input_leds rt2800pci serio_raw snd_seq_midi
snd_seq_midi_event rt2800mmio rt2800lib rt2x00pci rt2x00mmio rt2x00lib mac80211
cfg80211 rtsx_pci_ms lpc_ich memstick eeprom_93cx6 snd_rawmidi snd_seq
snd_seq_device snd_timer mac_hid snd shpchp mei_me ie31200_edac mei soundcore
edac_core parport_pc ppdev lp parport autofs4
Nov 10 11:24:57 nitro kernel: [  216.884494]  uas usb_storage hid_generic
usbhid hid nouveau rtsx_pci_sdmmc mxm_wmi i2c_algo_bit ttm drm_kms_helper
syscopyarea sysfillrect ahci sysimgblt fb_sys_fops libahci r8169 drm mii
rtsx_pci video fjes wmi
Nov 10 11:24:57 nitro kernel: [  216.884504] CPU: 2 PID: 1032 Comm: Xorg Not
tainted 4.10.0-38-generic #42~16.04.1-Ubuntu
Nov 10 11:24:57 nitro kernel: [  216.884505] Hardware name: Hewlett-Packard
23-d160ej/2ADC, BIOS 8.10 09/25/2012
Nov 10 11:24:57 nitro kernel: [  216.884514] Call Trace:
Nov 10 11:24:57 nitro kernel: [  216.884518]  dump_stack+0x63/0x90
Nov 10 11:24:57 nitro kernel: [  216.884520]  __warn+0xcb/0xf0
Nov 10 11:24:57 nitro kernel: [  216.884521]  warn_slowpath_null+0x1d/0x20
Nov 10 11:24:57 nitro kernel: [  216.884541]  nouveau_bo_move_ntfy+0xa3/0xb0
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884545] 
ttm_bo_handle_move_mem+0x26c/0x610 [ttm]
Nov 10 11:24:57 nitro kernel: [  216.884547]  ttm_bo_evict+0x13b/0x2e0 [ttm]
Nov 10 11:24:57 nitro kernel: [  216.884567]  ? nvc0_fence_sync32+0x169/0x1a0
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884570]  ttm_mem_evict_first+0x171/0x1f0
[ttm]
Nov 10 11:24:57 nitro kernel: [  216.884572]  ttm_bo_mem_space+0x34a/0x4d0
[ttm]
Nov 10 11:24:57 nitro kernel: [  216.884575]  ttm_bo_validate+0xd5/0x150 [ttm]
Nov 10 11:24:57 nitro kernel: [  216.884577]  ttm_bo_init+0x2da/0x420 [ttm]
Nov 10 11:24:57 nitro kernel: [  216.884596]  nouveau_bo_new+0x1fb/0x310
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884613]  ?
nv10_bo_put_tile_region+0x80/0x80 [nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884631]  nouveau_gem_new+0x83/0x150
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884649]  nouveau_gem_ioctl_new+0x88/0x140
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884658]  drm_ioctl+0x21b/0x4d0 [drm]
Nov 10 11:24:57 nitro kernel: [  216.884676]  ? nouveau_gem_new+0x150/0x150
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884678]  ? ep_ptable_queue_proc+0xa0/0xa0
Nov 10 11:24:57 nitro kernel: [  216.884696]  nouveau_drm_ioctl+0x68/0xc0
[nouveau]
Nov 10 11:24:57 nitro kernel: [  216.884698]  do_vfs_ioctl+0xa1/0x5f0
Nov 10 11:24:57 nitro kernel: [  216.884700]  ? __sys_recvmsg+0x80/0x90
Nov 10 11:24:57 nitro kernel: [  216.884701]  SyS_ioctl+0x79/0x90
Nov 10 11:24:57 nitro kernel: [  216.884703] 
entry_SYSCALL_64_fastpath+0x1e/0xad
Nov 10 11:24:57 nitro kernel: [  216.884704] RIP: 0033:0x7fe5c4682f07
Nov 10 11:24:57 nitro kernel: [  216.884705] RSP: 002b:00007fffb32b1638 EFLAGS:
00003246 ORIG_RAX: 0000000000000010
Nov 10 11:24:57 nitro kernel: [  216.884706] RAX: ffffffffffffffda RBX:
0000000000000000 RCX: 00007fe5c4682f07
Nov 10 11:24:57 nitro kernel: [  216.884706] RDX: 00007fffb32b1690 RSI:
00000000c0306480 RDI: 000000000000000e
Nov 10 11:24:57 nitro kernel: [  216.884707] RBP: 0000558245e6bec0 R08:
00005582457911c0 R09: 00005582457912c0
Nov 10 11:24:57 nitro kernel: [  216.884707] R10: 0000000000000020 R11:
0000000000003246 R12: 0000000000000001
Nov 10 11:24:57 nitro kernel: [  216.884708] R13: 00007fffb32af1c0 R14:
0000000000000080 R15: 0000558245e6bec0
Nov 10 11:24:57 nitro kernel: [  216.884731] ---[ end trace 50dc9d1f84044e6c
]---
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00


Chrome Version       : 62.0.3202.75 (Official Build) Built on Ubuntu
URLs (if applicable) :
Os: ubuntu 16.0.4 4.10.0-38-generic
Other browsers tested:
  Add OK or FAIL, along with the version, after other browsers where you
have tested this issue:
     Safari: ok
    Firefox: ok
       Edge: only linux

What steps will reproduce the problem?
(1) sudo apt install chromium-browser
(2) open chrome at the given html file.
(3)

What is the expected result?
error while parsing.

What happens instead?
kernel panic (pool overflow).


Please provide any additional information below. Attach a screenshot if
possible.
because the kernel will panic i cannot get an asan log from
asan-linux-release-514498.

i will note that this is a linux only problem.
additionally you may need to run this against a machine with 3rd party,
audio and graphics drivers (not on an aws box).

regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 15860 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] there is an exploitable page fault that can be reliably triggered from the chromium sandbox can possibly lead to remote attackers causing a denial of service condition or possibly running system code.

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 643 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

akayn <yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nouveau-PD4FTy7X32lNgt0PjOBp93rCq3LdnpKM@public.gmane.org
                   |                            |rg, yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
           Severity|normal                      |critical

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1490 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] there is an exploitable page fault that can be reliably triggered from the chromium sandbox can possibly lead to remote attackers causing a denial of service condition or possibly running system code.

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 2110 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

--- Comment #1 from Pierre Moreau <pierre.morrow-GANU6spQydw@public.gmane.org> ---
Which kernel version does your Ubuntu installation have? And with which GPU was
it?

I tried opening that page on my computer with Chromium, but it didn’t trigger a
page fault. This is what I got instead:

    [Nov12 12:40] nouveau 0000:04:00.0: Xorg[394]: fail ttm_validate
    [  +0.000006] nouveau 0000:04:00.0: Xorg[394]: validating bo list
    [  +0.000006] nouveau 0000:04:00.0: Xorg[394]: validate: -12
    [  +1.124277] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000014] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22
    [  +5.515843] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000016] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22
    [Nov12 12:41] nouveau 0000:04:00.0: Xorg[394]: fail ttm_validate
    [  +0.000005] nouveau 0000:04:00.0: Xorg[394]: validating bo list
    [  +0.000005] nouveau 0000:04:00.0: Xorg[394]: validate: -12
    [Nov12 12:42] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000010] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22
    [Nov12 12:43] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000009] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22
    [  +1.273289] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000015] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22
    [  +0.455464] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000013] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22
    [  +0.518625] nouveau 0000:04:00.0: gr: TRAP ch 10 [007fa04000 Xorg[394]]
    [  +0.000014] nouveau 0000:04:00.0: gr: SHADER a244020e, sph: 0x44020e,
stage: 0x22

GPU: GM206
Kernel: 4.13.12
Xorg: 1.19.5

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 3196 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] WARN on nouveau_bo_move_ntfy when allocating new bo

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1516 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|critical                    |minor
            Summary|there is an exploitable     |WARN on
                   |page fault that can be      |nouveau_bo_move_ntfy when
                   |reliably triggered from the |allocating new bo
                   |chromium sandbox can        |
                   |possibly lead to remote     |
                   |attackers causing a denial  |
                   |of service condition or     |
                   |possibly running system     |
                   |code.                       |

--- Comment #2 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
If you're using anything but the latest software, you need to report this issue
to the people relesing the software.

This is the upstream bugtracker, which only deals in latest versions. 4.10 was
released 6+ months ago, and who knows what horrid things are in the Ubuntu
tree. Similarly, you should ensure you have the very latest mesa.

Lastly, you have provided no evidence of a page fault, just a WARN somewhere in
the code. (Which isn't great, but it's quite different.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2704 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] WARN on nouveau_bo_move_ntfy when allocating new bo

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1336 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

--- Comment #3 from akayn <yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
hello

look, the complete details about this incident including the kernel ver etc,
are given. 
this is the kernel log first it warns and then it will panic the entire system,
this is the fault:

Nov 10 11:24:37 nitro kernel: [  196.887267] nouveau 0000:01:00.0: fifo: read
fault at 002b8c0000 engine 00 [PGRAPH] client 10 [] reason 02
[PAGE_NOT_PRESENT] on channel 8 [003f986000 chromium-browse[2658]]

its clear that the driver try to read a non existing page.
i can reproduce it every single time.
if you cannot reproduce, then i would be very happy, becouse this would mean
that it is only my own personal problem and not anything generic.

i have tested it on latest ubuntu installation with your drivers, i dont know
who should i submit this bug to if not you.

what additional information should i give you?

if you cannot reproduce with chromium, you may reproduce with chromium-asan
that can be downloaded from here:

https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=linux-release/

download the latest.

regards.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2214 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 562 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

akayn <yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|WARN on                     |kernel panic via the
                   |nouveau_bo_move_ntfy when   |chromium browser
                   |allocating new bo           |

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1167 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 432 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

akayn <yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|minor                       |critical

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1093 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 381 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

--- Comment #4 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
It's a PTE error on the GPU (which has its own MMU), not on the CPU. It's
trivial for (buggy) userspace to trigger these.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1132 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 302 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

--- Comment #5 from akayn <yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
additionally i will provide a better reproducer.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1042 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1246 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

--- Comment #6 from akayn <yena0xc5-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
Created attachment 135431
  --> https://bugs.freedesktop.org/attachment.cgi?id=135431&action=edit
better reprodction

Nov 10 12:17:28 nitro kernel: [ 1612.249746] nouveau 0000:01:00.0: 
chromium-browse[2557]: 
fail ttm_validate
Nov 10 12:17:28 nitro kernel: [ 1612.249752] nouveau 0000:01:00.0: 
chromium-browse[2557]: validating bo list
Nov 
10 12:17:28 nitro kernel: [ 1612.249756] nouveau 0000:01:00.0: 
chromium-browse[2557]: validate: -12
Nov 10 12:17:28 nitro kernel: 
[ 1612.263405] nouveau 0000:01:00.0: gr: TRAP ch 9 
[003f8f8000 chromium-browse[2557]]
Nov 10 12:17:28 nitro kernel: 
[ 1612.263418] nouveau 0000:01:00.0: gr: GPC0/TPC0/TEX:
 80000049
Nov 10 12:17:28 nitro kernel: [ 1612.263423]
 nouveau 0000:01:00.0: gr: GPC0/TPC1/TEX: 80000049
Nov 10 12:17:28 nitro kernel:
 [ 1612.263435] nouveau 0000:01:00.0: fifo: read fault at 004f4a4000 engine 00
[PGRAPH] 
client 04 [GPC0/] reason 02 [PAGE_NOT_PRESENT] on channel 9 [003f8f8000
chromium-browse[2557]]

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2114 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 5972 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

Markos Chandras <mchandras-l3A5Bk7waGM@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mchandras-l3A5Bk7waGM@public.gmane.org

--- Comment #7 from Markos Chandras <mchandras-l3A5Bk7waGM@public.gmane.org> ---
I also have this problem on openSUSE tumbleweed using the following components

kernel 4.16.5
nouveau 1.0.15
gnome 3.28

May 03 08:13:52 aegean kernel: WARNING: CPU: 7 PID: 24573 at
../drivers/gpu/drm/nouveau/nouveau_bo.c:1291 nouveau_bo_move_ntfy+0xc9/0xd0
[nouveau]
May 03 08:13:52 aegean kernel: Modules linked in: fuse nfsv3 nfs_acl nfs lockd
grace fscache af_packet xt_CHECKSUM tun devlink ipt_MASQUERADE
nf_nat_masquerade_ipv4 nf_conntrack_netlink xfrm_user xfrm_algo xt_addrtype
ip6t_rpfilter ip6t_R
May 03 08:13:52 aegean kernel:  snd_hda_codec_generic hid_generic usbhid
intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm
snd_hda_intel snd_hda_codec irqbypass crct10dif_pclmul crc32_pclmul
crc32c_intel snd_
May 03 08:13:52 aegean kernel:  vboxnetadp(O) vboxdrv(O)
May 03 08:13:52 aegean kernel: CPU: 7 PID: 24573 Comm: kworker/u16:20 Tainted:
G           O     4.16.4-1-default #1 openSUSE Tumbleweed (unreleased)
May 03 08:13:52 aegean kernel: Hardware name: Dell Inc. Precision Tower
5810/0HHV7N, BIOS A25 02/02/2018
May 03 08:13:52 aegean kernel: Workqueue: events_unbound async_run_entry_fn
May 03 08:13:52 aegean kernel: RIP: 0010:nouveau_bo_move_ntfy+0xc9/0xd0
[nouveau]
May 03 08:13:52 aegean kernel: RSP: 0018:ffffafdd41fd7b50 EFLAGS: 00010286
May 03 08:13:52 aegean kernel: RAX: 00000000fffffff0 RBX: ffff9da45e156d00 RCX:
0000000000000000
May 03 08:13:52 aegean kernel: RDX: ffff9da17788a3a8 RSI: 0000000000000296 RDI:
0000000000000296
May 03 08:13:52 aegean kernel: RBP: ffff9da424ba1000 R08: 00004f6784b8e400 R09:
0000000000000000
May 03 08:13:52 aegean kernel: R10: 0000000000000000 R11: 00000000003d0900 R12:
ffff9da424ba12f0
May 03 08:13:52 aegean kernel: R13: ffff9da14eb2de80 R14: ffffafdd41fd7d28 R15:
ffffafdd41fd7c40
May 03 08:13:52 aegean kernel: FS:  0000000000000000(0000)
GS:ffff9da46fdc0000(0000) knlGS:0000000000000000
May 03 08:13:52 aegean kernel: CS:  0010 DS: 0000 ES: 0000 CR0:
0000000080050033
May 03 08:13:52 aegean kernel: CR2: 000055a9ca2c2328 CR3: 000000010600a006 CR4:
00000000001606e0
May 03 08:13:52 aegean kernel: Call Trace:
May 03 08:13:52 aegean kernel:  ttm_bo_handle_move_mem+0x248/0x5b0 [ttm]
May 03 08:13:52 aegean kernel:  ttm_bo_evict+0x115/0x2f0 [ttm]
May 03 08:13:52 aegean kernel:  ? nv50_disp_atomic_commit_tail+0x94c/0x1150
[nouveau]
May 03 08:13:52 aegean kernel:  ? kmem_cache_alloc_node_trace+0x19c/0x580
May 03 08:13:52 aegean kernel:  ttm_mem_evict_first+0x190/0x200 [ttm]
May 03 08:13:52 aegean kernel:  ttm_bo_force_list_clean+0x7e/0x140 [ttm]
May 03 08:13:52 aegean kernel:  ? pci_pm_thaw+0x80/0x80
May 03 08:13:52 aegean kernel:  nouveau_do_suspend+0x7b/0x2a0 [nouveau]
May 03 08:13:52 aegean kernel:  pci_pm_freeze+0x55/0xc0
May 03 08:13:52 aegean kernel:  dpm_run_callback+0x4d/0x170
May 03 08:13:52 aegean kernel:  __device_suspend+0x12a/0x4a0
May 03 08:13:52 aegean kernel:  ? dpm_show_time+0xd0/0xd0
May 03 08:13:52 aegean kernel:  async_suspend+0x1a/0x90
May 03 08:13:52 aegean kernel:  async_run_entry_fn+0x37/0x140
May 03 08:13:52 aegean kernel:  process_one_work+0x1d4/0x3f0
May 03 08:13:52 aegean kernel:  worker_thread+0x2b/0x3d0
May 03 08:13:52 aegean kernel:  ? process_one_work+0x3f0/0x3f0
May 03 08:13:52 aegean kernel:  kthread+0x113/0x130
May 03 08:13:52 aegean kernel:  ? kthread_create_worker_on_cpu+0x50/0x50
May 03 08:13:52 aegean kernel:  ret_from_fork+0x3a/0x50
May 03 08:13:52 aegean kernel: Code: f0 49 39 c4 75 db e9 7a ff ff ff 48 3d 90
2a 69 c0 0f 85 6e ff ff ff 48 8b 87 f0 02 00 00 4c 8d a7 f0 02 00 00 48 8d 58
f0 eb d6 <0f> 0b eb c2 0f 1f 00 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 
May 03 08:13:52 aegean kernel: ---[ end trace 0f74df35408381b1 ]---

and the logs are then filled with

May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a204020e, sph:
0x04020e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a204020e, sph:
0x04020e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a2040a0e, sph:
0x040a0e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a2040a0e, sph:
0x040a0e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a2040a0e, sph:
0x040a0e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a204020e, sph:
0x04020e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a2040a0e, sph:
0x040a0e, stage: 0x22
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: TRAP ch 15 [007e922000
gnome-shell[5215]]
May 03 08:13:52 aegean kernel: nouveau 0000:03:00.0: gr: SHADER a204020e, sph:
0x04020e, stage: 0x22

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.

[-- Attachment #1.2: Type: text/html, Size: 7229 bytes --]

[-- Attachment #2: Type: text/plain, Size: 154 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 103689] kernel panic via the chromium browser

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 908 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=103689

Martin Peres <martin.peres-GANU6spQydw@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |MOVED
             Status|NEW                         |RESOLVED

--- Comment #8 from Martin Peres <martin.peres-GANU6spQydw@public.gmane.org> ---
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been
closed from further activity.

You can subscribe and participate further through the new bug through this link
to our GitLab instance:
https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/380.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2438 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau