[Bug 58087] New: [-next] nouveau corrupts kernel mm allocator

[Bug 58087] New: [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1295 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

          Priority: medium
            Bug ID: 58087
          Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
           Summary: [-next] nouveau corrupts kernel mm allocator
        QA Contact: xorg-team-go0+a7rfsptAfugRpC6u6w@public.gmane.org
          Severity: normal
    Classification: Unclassified
                OS: Linux (All)
          Reporter: peter-WaGBZJeGNqdsbIuE7sb01tBPR1lH4CV8@public.gmane.org
          Hardware: x86-64 (AMD64)
            Status: NEW
           Version: unspecified
         Component: Driver/nouveau
           Product: xorg

Created attachment 71269
  --> https://bugs.freedesktop.org/attachment.cgi?id=71269&action=edit
kernel log showing BUG triggered by nouveau

If nouveau_vm_new() fails in nouveau_drm_open(), the cleanup triggered corrupts
the kernel slab allocator (in this case, SLUB).

Attached is the kernel log showing the page allocation failure and the
subsequent BUG in mm/slub.c

A similar corruption had previously occurred which triggered a GP fault in the
mm allocator from the same code path. This was reported as kernel bug #51291
here
https://bugzilla.kernel.org/show_bug.cgi?id=51291

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 3000 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 58087] [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 324 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #1 from Marcin Slusarz <marcin.slusarz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
Created attachment 71290
  --> https://bugs.freedesktop.org/attachment.cgi?id=71290&action=edit
fix

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1245 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 58087] [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1930 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #2 from Peter Hurley <peter-WaGBZJeGNqdsbIuE7sb01tBPR1lH4CV8@public.gmane.org> ---
(In reply to comment #1)
> Created attachment 71290 [details] [review]
> fix

-    vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
+    vm = kzalloc(sizeof(*vm), GFP_KERNEL);

How/why *not* setting cli->base.vm to NULL fixes this?

Also, this assignment idiom is common in the nouveau driver code. Is the above
fix just one of many necessary?

core/subdev/vm/base.c:    vm = *pvm = kzalloc(sizeof(*vm), GFP_KERNEL);
core/core/object.c:    object = *pobject = kzalloc(size, GFP_KERNEL);
core/core/ramht.c:    co = ho = nouveau_ramht_hash(ramht, chid, handle);
core/core/handle.c:    handle = *phandle = kzalloc(sizeof(*handle),
GFP_KERNEL);
nouveau_abi16.c:        cli->abi16 = abi16 = kzalloc(sizeof(*abi16),
GFP_KERNEL);
nouveau_bo.c:    struct nouveau_channel *chan = chan = drm->channel;  /*
COMMENT: THIS ONE IS INTERESTING */
nouveau_chan.c:    chan = *pchan = kzalloc(sizeof(*chan), GFP_KERNEL);
nouveau_display.c:    disp = drm->display = kzalloc(sizeof(*disp), GFP_KERNEL);
nouveau_pm.c:    pm = drm->pm = kzalloc(sizeof(*pm), GFP_KERNEL);
nv04_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv10_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv10_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv50_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv50_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nv84_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nv84_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);
nvc0_fence.c:    fctx = chan->fence = kzalloc(sizeof(*fctx), GFP_KERNEL);
nvc0_fence.c:    priv = drm->fence = kzalloc(sizeof(*priv), GFP_KERNEL);

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 3024 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 58087] [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 560 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #3 from Marcin Slusarz <marcin.slusarz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
It's not a problem with vm allocation. The next one (vm->pgt) fails, so we free
vm, leaving *pvm pointing at freed memory. When we get to nouveau_drm_open, we
call nouveau_cli_destroy(cli), which tries to free cli->base.vm again. Oops.

I already checked other places and some of them also have this bug. I'll post
fixes in a few days.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1306 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 58087] [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 779 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

--- Comment #4 from Peter Hurley <peter-WaGBZJeGNqdsbIuE7sb01tBPR1lH4CV8@public.gmane.org> ---
(In reply to comment #3)
> It's not a problem with vm allocation. The next one (vm->pgt) fails, so we
> free vm, leaving *pvm pointing at freed memory. When we get to
> nouveau_drm_open, we call nouveau_cli_destroy(cli), which tries to free
> cli->base.vm again. Oops.

Thanks for the explanation. That makes sense to me now.

FYI, I did also file a bug in the kernel bugzilla for the memory allocation
failure itself (kernel bug 51301 here
https://bugzilla.kernel.org/show_bug.cgi?id=51301). A 32k allocation on a 10gb
machine shouldn't really ever fail.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1860 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 58087] [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 490 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

Emil Velikov <emil.l.velikov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.freedesktop.or
                   |                            |g/show_bug.cgi?id=58984

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1104 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 58087] [-next] nouveau corrupts kernel mm allocator

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 570 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=58087

Marcin Slusarz <marcin.slusarz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Marcin Slusarz <marcin.slusarz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
Fixed in 3.8-rc2.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1970 bytes --]

[-- Attachment #2: Type: text/plain, Size: 181 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
http://lists.freedesktop.org/mailman/listinfo/nouveau