Bug 100691

Summary: [4.10] BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740
Product: xorg
Reporter: Peter Wu <peter>
Component: Driver/nouveau
Assignee: Nouveau Project <nouveau>
Status: RESOLVED MOVED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
Version: git
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments:
  - dmesg for 4.10.9 with KASAN with files + lines added (flags: none)

Description Peter Wu 2017-04-15 19:48:24 UTC
Created attachment 130857 [details]
dmesg for 4.10.9 with KASAN with files + lines added

Since upgrading from kernel 4.9.9 to 4.10.5 (and 4.10.9), I ended up with clear signs of memory corruption that finished with two kernel panics. The second trace seems related to bug 100431.

When trying to reproduce it with 4.10.9, I failed to reproduce those issues, but instead I found this one. It seems to happen when I try to open a new window in KDE Plasma on Arch Linux (though I am not sure of the exact trigger).

==================================================================
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.10.9kasan #10
Hardware name: Notebook                         P65_P67RGRERA/P65_P67RGRERA, BIOS 1.05.16 05/16/2016
Call Trace:
 <IRQ>
 dump_stack+0x68/0x96 (lib/dump_stack.c:27)
 kasan_object_err+0x21/0x70 (mm/kasan/report.c:159)
 kasan_report.part.1+0x213/0x4e0
 ? drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743)
 __asan_report_load4_noabort+0x2e/0x30 (mm/kasan/report.c:331)
 drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743)
 ? drm_irq_install+0x570/0x570 (drivers/gpu/drm/drm_irq.c:459)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? try_to_wake_up+0xc6/0xd00 (kernel/sched/core.c:2010)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? migrate_swap_stop+0x790/0x790 (kernel/sched/core.c:1291)
 ? drm_handle_vblank+0x1c1/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 nouveau_display_vblstamp+0x16d/0x2a0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:159)
 drm_get_last_vbltimestamp+0xcb/0x160 (drivers/gpu/drm/drm_irq.c:878)
 ? get_drm_timestamp+0x40/0x40 (drivers/gpu/drm/drm_irq.c:848)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 ? nouveau_fence_wait_uevent_handler+0xc9/0x140 [nouveau] (drivers/gpu/drm/nouveau/nouveau_fence.c:148)
 drm_update_vblank_count+0x16a/0x870 (drivers/gpu/drm/drm_irq.c:150)
 ? store_vblank+0x2c0/0x2c0 (drivers/gpu/drm/drm_irq.c:79)
 drm_handle_vblank+0x14a/0x7d0 (drivers/gpu/drm/drm_irq.c:1704)
 ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780)
 ? drm_crtc_wait_one_vblank+0x90/0x90 (drivers/gpu/drm/drm_irq.c:1252)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? cpuacct_charge+0x240/0x400 (kernel/sched/cpuacct.c:349)
 drm_crtc_handle_vblank+0x63/0x90 (drivers/gpu/drm/drm_irq.c:1755)
 ? find_next_bit+0x18/0x20 (lib/find_bit.c:63)
 nouveau_display_vblank_handler+0x15/0x20 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:50)
 nvif_notify+0x25f/0x570 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:113)
 ? nvif_notify_get+0x160/0x160 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:83)
 ? nv50_disp_vblank_fini_+0x57/0x80 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:102)
 ? nvkm_disp_vblank_fini+0x5f/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:41)
 ? nvkm_client_driver_init+0x100/0x100 [nouveau] (drivers/gpu/drm/nouveau/nouveau_nvif.c:110)
 nvkm_client_ntfy+0xc9/0x100 [nouveau] (drivers/gpu/drm/nouveau/nouveau_nvif.c:81)
 nvkm_client_notify+0xea/0x140 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/client.c:46)
 ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190)
 nvkm_notify_send+0x224/0x520 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/notify.c:92)
 nvkm_event_send+0x208/0x270 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/event.c:54)
 nvkm_disp_vblank+0x74/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:85)
 ? nvkm_disp_dtor+0x540/0x540 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:247)
 gf119_disp_intr+0x1d6/0x690 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/gf119.c:447)
 nv50_disp_intr_+0x4a/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:116)
 nvkm_disp_intr+0x53/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:204)
 nvkm_engine_intr+0x57/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/engine.c:71)
 nvkm_subdev_intr+0x54/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/subdev.c:88)
 nvkm_mc_intr+0x23a/0x4b0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:79)
 ? nvkm_mc_intr_rearm+0xa0/0xa0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:62)
 ? nv40_pci_wr08+0x68/0xa0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/nv40.c:35)
 ? nvkm_pci_wr08+0x57/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:39)
 nvkm_pci_intr+0xcc/0x170 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:70)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270)
 ? nvkm_pci_fini+0xd0/0xd0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84)
 __handle_irq_event_percpu+0xe1/0x630 (kernel/irq/handle.c:136)
 handle_irq_event_percpu+0x69/0x130 (kernel/irq/handle.c:181)
 ? __handle_irq_event_percpu+0x630/0x630 (kernel/irq/handle.c:136)
 ? handle_edge_irq+0x30/0x850 (kernel/irq/chip.c:622)
 handle_irq_event+0xa7/0x140 (kernel/irq/handle.c:195)
 handle_edge_irq+0x1cd/0x850 (kernel/irq/chip.c:622)
 handle_irq+0x105/0x2a0 (arch/x86/kernel/irq_64.c:69)
 ? __local_bh_enable+0x37/0x60 (kernel/softirq.c:139)
 do_IRQ+0x7d/0x1a0 (arch/x86/kernel/irq.c:213)
 common_interrupt+0x90/0x90 (arch/x86/entry/entry_64.S:452)
RIP: 0010:cpuidle_enter_state+0x10d/0x7d0 (drivers/cpuidle/cpuidle.c:188)
RSP: 0018:ffff88077228fdc0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff1e
RAX: 0000000000000003 RBX: ffff8807761297b8 RCX: 000000000000001f
RDX: 0000000000000004 RSI: 1ffff100eec23d1b RDI: ffffffff839ec680
RBP: ffff88077228fe18 R08: 0000000000012314 R09: ffffffff83a10980
R10: ffff88077611dfc4 R11: ffff88077611dfe4 R12: 0000000000000008
R13: ffffffff83a10c98 R14: 000000001e85c873 R15: 0000000000000300
 </IRQ>
 ? set_cpu_sd_state_idle+0x145/0x230 (kernel/sched/fair.c:8557)
 cpuidle_enter+0x17/0x20 (drivers/cpuidle/cpuidle.c:282)
 call_cpuidle+0x47/0xc0 (kernel/sched/idle.c:103)
 ? cpuidle_select+0x59/0x80 (drivers/cpuidle/cpuidle.c:266)
 ? rcu_idle_enter+0x7e/0xa0 (kernel/rcu/tree.c:749)
 do_idle+0x22c/0x2e0 (kernel/sched/idle.c:209)
 cpu_startup_entry+0x1d/0x20 (kernel/sched/idle.c:326)
 start_secondary+0x298/0x360 (arch/x86/kernel/smpboot.c:224)
 ? set_cpu_sibling_map+0x1a40/0x1a40 (arch/x86/kernel/smpboot.c:525)
 start_cpu+0x14/0x14 (arch/x86/kernel/head_64.S:301)
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Allocated:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_kmalloc+0xad/0xe0 (mm/kasan/kasan.c:585)
 kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739)
 nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2323)
 drm_atomic_get_crtc_state+0x1be/0x3d0 (drivers/gpu/drm/drm_atomic.c:264)
 drm_atomic_get_plane_state+0x2a5/0x3e0 (drivers/gpu/drm/drm_atomic.c:679)
 drm_atomic_helper_update_plane+0x10b/0x3b0 (drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Freed:
PID = 535
 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56)
 save_stack+0x46/0xd0 (mm/kasan/kasan.c:493)
 kasan_slab_free+0x73/0xc0 (mm/kasan/kasan.c:560)
 kfree+0xd9/0x2a0 (mm/slub.c:3862)
 nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2315)
 drm_atomic_state_default_clear+0x372/0x930 (drivers/gpu/drm/drm_atomic.c:141)
 nv50_disp_atomic_state_clear+0x124/0x1b0 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:4301)
 drm_atomic_state_clear+0x80/0xb0 (drivers/gpu/drm/drm_atomic.c:210)
 __drm_atomic_state_free+0x3a/0xe0 (drivers/gpu/drm/drm_atomic.c:229)
 drm_atomic_helper_update_plane+0x2b3/0x3b0 (drivers/gpu/drm/drm_atomic_helper.c:2089)
 __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457)
 drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599)
 drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675)
 drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733)
 drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657)
 nouveau_drm_ioctl+0xf9/0x1e0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_drm.c:925)
 do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624)
 SyS_ioctl+0x79/0x90 (fs/ioctl.c:689)
 entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188)
Memory state around the buggy address:
 ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff880739ecc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880739ecc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
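The report above, read the way a triager would: the Python below is an added example, not part of this bug report and not code from the nouveau or DRM projects. It parses the older "at addr" KASAN report format used by 4.10 kernels (the excerpt embedded in the code is trimmed from the report above, with most frames dropped), then pulls out the facts that matter for a use-after-free: what was accessed, at which offset of which slab object, what the shadow byte at that address means, and which non-allocator frames allocated, freed and finally touched the object. Function names (`parse_kasan_report`, `shadow_byte_at`, `first_site`, `summarize`) and the `KERNEL_PLUMBING` prefix list are this example's own choices; the shadow constants are the `KASAN_KMALLOC_FREE`/`KASAN_KMALLOC_REDZONE` values from mm/kasan/kasan.h of that kernel era.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed excerpt of the KASAN report in this bug (lines verbatim; most frames dropped).
KASAN_REPORT = """\
BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743)
Read of size 4 by task swapper/4/0
Call Trace:
 <IRQ>
 ? drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743)
 drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743)
 nouveau_display_vblstamp+0x16d/0x2a0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:159)
 </IRQ>
Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024
Allocated:
PID = 535
 kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739)
 nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2323)
Freed:
PID = 535
 kfree+0xd9/0x2a0 (mm/slub.c:3862)
 nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2315)
Memory state around the buggy address:
 ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

@dataclass
class Frame:
    func: str
    location: Optional[str]  # file:line, printed because this kernel was built with debug info
    uncertain: bool          # "?" frames: stale stack slots the unwinder could not verify

@dataclass
class KasanReport:
    kind: str = ""
    addr: int = 0
    access: str = ""
    size: int = 0
    obj_addr: int = 0
    cache: str = ""
    in_irq: bool = False
    stacks: Dict[str, List[Frame]] = field(default_factory=lambda: {"Call Trace": [], "Allocated": [], "Freed": []})
    shadow: Dict[int, List[int]] = field(default_factory=dict)  # row base address -> 16 shadow bytes
HEADLINE = re.compile(r"BUG: KASAN: (\S+) in \S+ at addr ([0-9a-f]+)")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) by task")
OBJECT = re.compile(r"^Object at ([0-9a-f]+), in cache (\S+) size: (\d+)")
FRAME = re.compile(r"^\s+(\?\s+)?([^\s+]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[\w+\])?(?:\s+\((\S+)\))?")
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for line in text.splitlines():
        if m := HEADLINE.search(line):
            rep.kind, rep.addr = m.group(1), int(m.group(2), 16)
        elif m := ACCESS.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
        elif m := OBJECT.match(line):
            rep.obj_addr, rep.cache = int(m.group(1), 16), m.group(2)
        elif line.startswith(("Call Trace:", "Allocated:", "Freed:", "Memory state")):
            section = line.split(":")[0]          # "Memory state ..." ends frame collection
        elif line.strip() == "<IRQ>":
            rep.in_irq = True                      # the faulting access ran in interrupt context
        elif m := SHADOW_ROW.match(line):
            rep.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif (m := FRAME.match(line)) and section in rep.stacks:
            rep.stacks[section].append(Frame(m.group(2), m.group(3), bool(m.group(1))))
    return rep

def shadow_byte_at(rep: KasanReport, addr: int) -> Optional[int]:
    """Shadow byte KASAN printed for `addr`, or None when `addr` is outside the dumped rows."""
    for base, row in rep.shadow.items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None

SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                 0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)"}  # names from mm/kasan/kasan.h (4.10 era)
KERNEL_PLUMBING = ("mm/", "lib/", "arch/")  # allocator and report-printing frames, not the object's owner

def first_site(frames: List[Frame]) -> Optional[Frame]:
    """First verified frame outside allocator/report code: the code that actually handled the object."""
    return next((f for f in frames if not f.uncertain and f.location
                 and not f.location.startswith(KERNEL_PLUMBING)), None)

def summarize(rep: KasanReport) -> dict:
    fault, alloc, free = (first_site(rep.stacks[s]) for s in ("Call Trace", "Allocated", "Freed"))
    site = lambda f: f"{f.func} ({f.location})" if f else None
    sb = shadow_byte_at(rep, rep.addr)
    return {"kind": rep.kind, "access": f"{rep.access} of {rep.size} bytes", "cache": rep.cache,
            "object_offset": rep.addr - rep.obj_addr, "in_irq": rep.in_irq,
            "shadow": None if sb is None else SHADOW_LEGEND.get(sb, f"other poison {sb:#04x}"),
            "fault_site": site(fault), "alloc_site": site(alloc), "free_site": site(free)}
```

Run on the excerpt, `summarize` reports a 4-byte read at offset 0xb0 of a kmalloc-1024 object whose shadow byte is fb (freed slab object), allocated by `nv50_head_atomic_duplicate_state` and freed by `nv50_head_atomic_destroy_state`, both in PID 535 on the cursor ioctl path, while the read itself came from `drm_calc_vbltimestamp_from_scanoutpos` inside the vblank interrupt on the idle task. That is exactly the pattern to look for in any KASAN use-after-free: the object's lifetime is owned by one context (here an atomic state that is freed when the commit completes) and another context (the vblank timestamp path) still holds a pointer into it. The `?` frames are skipped on purpose; they are leftovers on the stack and routinely point at the wrong caller.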
Comment 1 Martin Peres 2019-12-04 09:27:10 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/343.
