From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ@public.gmane.org
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
Subject: [Bug 100691] New: [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
Date: Sat, 15 Apr 2017 19:48:24 +0000	[thread overview]
Message-ID: <bug-100691-8800@http.bugs.freedesktop.org/> (raw)

https://bugs.freedesktop.org/show_bug.cgi?id=100691

            Bug ID: 100691
           Summary: [4.10] BUG: KASAN: use-after-free in
                    drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
           Product: xorg
           Version: git
          Hardware: x86-64 (AMD64)
                OS: Linux (All)
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Driver/nouveau
          Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
          Reporter: peter-VTkQYDcBqhK7DlmcbJSQ7g@public.gmane.org
        QA Contact: xorg-team-go0+a7rfsptAfugRpC6u6w@public.gmane.org

Created attachment 130857
  --> https://bugs.freedesktop.org/attachment.cgi?id=130857&action=edit
dmesg for 4.10.9 with KASAN with files + lines added

Since upgrading from kernel 4.9.9 to 4.10.5 (and 4.10.9), I ended up with clear
signs of memory corruption that finished with two kernel panics. The second
trace seems related to bug 100431.

When trying to reproduce it with 4.10.9, I failed to reproduce those issues,
but instead I found this one. It seems to happen when I try to open a new
window in KDE Plasma on Arch Linux (though I am not sure of the exact trigger).

==================================================================
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.10.9kasan #10
Hardware name: Notebook                         P65_P67RGRERA/P65_P67RGRERA,
BIOS 1.05.16 05/16/2016
Call Trace:
 <IRQ>
 dump_stack+0x68/0x96 (lib/dump_stack.c:27)
 kasan_object_err+0x21/0x70 (mm/kasan/report.c:159)
 kasan_report.part.1+0x213/0x4e0
 ? drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
(drivers/gpu/drm/drm_irq.c:743)
 __asan_report_load4_noabort+0x2e/0x30 (mm/kasan/report.c:331)
 drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
(drivers/gpu/drm/drm_irq.c:743)
 ? drm_irq_install+0x570/0x570 (drivers/gpu/drm/drm_irq.c:459)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? try_to_wake_up+0xc6/0xd00 (kernel/sched/core.c:2010)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? migrate_swap_stop+0x790/0x790 (kernel/sched/core.c:1291)
 ? drm_handle_vblank+0x1c1/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 nouveau_display_vblstamp+0x16d/0x2a0 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_display.c:159)
 drm_get_last_vbltimestamp+0xcb/0x160 (drivers/gpu/drm/drm_irq.c:878)
 ? get_drm_timestamp+0x40/0x40 (drivers/gpu/drm/drm_irq.c:848)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? nouveau_fence_wait_uevent_handler+0xc9/0x140 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_fence.c:148)
 drm_update_vblank_count+0x16a/0x870 (drivers/gpu/drm/drm_irq.c:150)
 ? store_vblank+0x2c0/0x2c0 (drivers/gpu/drm/drm_irq.c:79)
 drm_handle_vblank+0x14a/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? drm_crtc_wait_one_vblank+0x90/0x90 (drivers/gpu/drm/drm_irq.c:1252)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? cpuacct_charge+0x240/0x400 (kernel/sched/cpuacct.c:349)
 drm_crtc_handle_vblank+0x63/0x90 (drivers/gpu/drm/drm_irq.c:1755)
 ? find_next_bit+0x18/0x20 (lib/find_bit.c:63)
 nouveau_display_vblank_handler+0x15/0x20 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_display.c:50)
 nvif_notify+0x25f/0x570 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:113)
 ? nvif_notify_get+0x160/0x160 [nouveau]
(drivers/gpu/drm/nouveau/nvif/notify.c:83)
 ? nv50_disp_vblank_fini_+0x57/0x80 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:102)
 ? nvkm_disp_vblank_fini+0x5f/0x90 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:41)
 ? nvkm_client_driver_init+0x100/0x100 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_nvif.c:110)
 nvkm_client_ntfy+0xc9/0x100 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_nvif.c:81)
 nvkm_client_notify+0xea/0x140 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/client.c:46)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 nvkm_notify_send+0x224/0x520 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/notify.c:92)
 nvkm_event_send+0x208/0x270 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/event.c:54)
 nvkm_disp_vblank+0x74/0x90 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:85)
 ? nvkm_disp_dtor+0x540/0x540 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:247)
 gf119_disp_intr+0x1d6/0x690 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/gf119.c:447)
 nv50_disp_intr_+0x4a/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:116)
 nvkm_disp_intr+0x53/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:204)
 nvkm_engine_intr+0x57/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/engine.c:71)
 nvkm_subdev_intr+0x54/0x70 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/core/subdev.c:88)
 nvkm_mc_intr+0x23a/0x4b0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:79)
 ? nvkm_mc_intr_rearm+0xa0/0xa0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:62)
 ? nv40_pci_wr08+0x68/0xa0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/nv40.c:35)
 ? nvkm_pci_wr08+0x57/0x90 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:39)
 nvkm_pci_intr+0xcc/0x170 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:70)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau]
(drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 __handle_irq_event_percpu+0xe1/0x630 (kernel/irq/handle.c:136)
 handle_irq_event_percpu+0x69/0x130 (kernel/irq/handle.c:181)
 ? __handle_irq_event_percpu+0x630/0x630 (kernel/irq/handle.c:136)
 ? handle_edge_irq+0x30/0x850 (kernel/irq/chip.c:622)
 handle_irq_event+0xa7/0x140 (kernel/irq/handle.c:195)
 handle_edge_irq+0x1cd/0x850 (kernel/irq/chip.c:622)
 handle_irq+0x105/0x2a0 (arch/x86/kernel/irq_64.c:69)
 ? __local_bh_enable+0x37/0x60 (kernel/softirq.c:139)
 do_IRQ+0x7d/0x1a0 (arch/x86/kernel/irq.c:213)
 common_interrupt+0x90/0x90 (arch/x86/entry/entry_64.S:452)
RIP: 0010:cpuidle_enter_state+0x10d/0x7d0 (drivers/cpuidle/cpuidle.c:188)
RSP: 0018:ffff88077228fdc0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff1e
RAX: 0000000000000003 RBX: ffff8807761297b8 RCX: 000000000000001f
RDX: 0000000000000004 RSI: 1ffff100eec23d1b RDI: ffffffff839ec680
RBP: ffff88077228fe18 R08: 0000000000012314 R09: ffffffff83a10980
R10: ffff88077611dfc4 R11: ffff88077611dfe4 R12: 0000000000000008
R13: ffffffff83a10c98 R14: 000000001e85c873 R15: 0000000000000300
 </IRQ>
 ? set_cpu_sd_state_idle+0x145/0x230 (kernel/sched/fair.c:8557)
 cpuidle_enter+0x17/0x20 (drivers/cpuidle/cpuidle.c:282)
 call_cpuidle+0x47/0xc0 (kernel/sched/idle.c:103)
 ? cpuidle_select+0x59/0x80 (drivers/cpuidle/cpuidle.c:266)
 ? rcu_idle_enter+0x7e/0xa0 (kernel/rcu/tree.c:749)
 do_idle+0x22c/0x2e0 (kernel/sched/idle.c:209)
 cpu_startup_entry+0x1d/0x20 (kernel/sched/idle.c:326)
 start_secondary+0x298/0x360 (arch/x86/kernel/smpboot.c:224)
 ? set_cpu_sibling_map+0x1a40/0x1a40 (arch/x86/kernel/smpboot.c:525)
 start_cpu+0x14/0x14 (arch/x86/kernel/head_64.S:301)
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Allocated:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_kmalloc+0xad/0xe0 (mm/kasan/kasan.c:585)
 kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739)
 nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau]
(drivers/gpu/drm/nouveau/nv50_display.c:2323)
 drm_atomic_get_crtc_state+0x1be/0x3d0 (drivers/gpu/drm/drm_atomic.c:264)
 drm_atomic_get_plane_state+0x2a5/0x3e0 (drivers/gpu/drm/drm_atomic.c:679)
 drm_atomic_helper_update_plane+0x10b/0x3b0
(drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Freed:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_slab_free+0x73/0xc0 (mm/kasan/kasan.c:560)
 kfree+0xd9/0x2a0 (mm/slub.c:3862)
 nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau]
(drivers/gpu/drm/nouveau/nv50_display.c:2315)
 drm_atomic_state_default_clear+0x372/0x930 (drivers/gpu/drm/drm_atomic.c:141)
 nv50_disp_atomic_state_clear+0x124/0x1b0 [nouveau]
(drivers/gpu/drm/nouveau/nv50_display.c:4301)
 drm_atomic_state_clear+0x80/0xb0 (drivers/gpu/drm/drm_atomic.c:210)
 __drm_atomic_state_free+0x3a/0xe0 (drivers/gpu/drm/drm_atomic.c:229)
 drm_atomic_helper_update_plane+0x2b3/0x3b0
(drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau]
(drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Memory state around the buggy address:
 ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff880739ecc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880739ecc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

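As an added triage aid (not part of the bug report or the nouveau project), the following Python decodes the key lines of the KASAN report above: it locates the faulting address inside the reported object and maps the shadow byte covering that address to its meaning, confirming that the 4-byte read lands 0xb0 bytes into a kmalloc-1024 object that KASAN has already marked freed. The shadow-byte table follows the values in mm/kasan/kasan.h for kernels of that era; the excerpt is constructed from the report's own lines.

```python
import re

# Constructed excerpt of the KASAN report quoted in this bug, trimmed to the
# lines the decoder needs (addresses copied verbatim from the report).
KASAN_REPORT = """\
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Memory state around the buggy address:
 ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880739ecc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Poison values from mm/kasan/kasan.h (4.x kernels); anything below 0x08 is
# the count of addressable bytes in a partially used 8-byte granule.
SHADOW_MEANING = {
    0xFC: "kmalloc redzone", 0xFB: "freed kmalloc object",
    0xFA: "global redzone", 0xFE: "page redzone", 0xFF: "freed page",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}
SHADOW_SCALE = 8      # one shadow byte describes 8 bytes of kernel memory
ROW_SPAN = 16 * SHADOW_SCALE  # each printed row covers 128 bytes

def triage(report):
    """Return the access, its offset inside the object, and the decoded shadow byte."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", report)
    addr = int(re.search(r"at addr ([0-9a-f]+)", report).group(1), 16)
    access = re.search(r"(Read|Write) of size (\d+) by task (\S+)", report)
    obj = re.search(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", report)
    base, size = int(obj.group(1), 16), int(obj.group(3))
    # Shadow rows are labelled with the kernel address of their first granule.
    shadow = {}
    for m in re.finditer(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})", report, re.M):
        shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    row = shadow[addr & ~(ROW_SPAN - 1)]
    byte = row[(addr & (ROW_SPAN - 1)) // SHADOW_SCALE]
    return {
        "bug": bug.group(1), "func": bug.group(2),
        "access": access.group(1).lower(), "size": int(access.group(2)),
        "task": access.group(3), "cache": obj.group(2),
        "offset": addr - base, "in_object": 0 <= addr - base < size,
        "shadow_byte": byte,
        "shadow_meaning": SHADOW_MEANING.get(byte, "addressable or partial granule"),
    }
```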