Bug 96306

Summary: BUG: KASAN: slab-out-of-bounds in OUT_RINGp (via nvc0_fbcon_imageblit)
Product: xorg
Reporter: Peter Wu <peter>
Component: Driver/nouveau
Assignee: Nouveau Project <nouveau>
Status: RESOLVED FIXED
QA Contact: Xorg Project Team <xorg-team>
Severity: normal
Priority: medium
CC: peter
Version: unspecified
Hardware: x86-64 (AMD64)
OS: Linux (All)
Attachments:
dmesg output for v4.7-rc1 containing the KASAN report (flags: none)

Description Peter Wu 2016-06-01 11:44:07 UTC
Created attachment 124231 [details]
dmesg output for v4.7-rc1 containing the KASAN report

Previously reported by others to mailing lists (with no replies):

[4.4-rc1] nouveau: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40
https://lists.freedesktop.org/archives/dri-devel/2015-November/095100.html

[3.10] BUG: drm, nouveau: slab-out-of-bounds read access in nv50_fbcon_imageblit()
https://lists.freedesktop.org/archives/dri-devel/2016-May/108270.html


Hardware:
Optimus laptop with inteldrmfb being the primary framebuffer, an external monitor is connected to DP-1 on the Nvidia card (GTX 965M, 10de:13d9).

Steps to reproduce the out-of-bounds issue in my environment:
 0. Avoid continuously triggering the error: dmesg -D
 1. modprobe nouveau runpm=0 (or be sure to wake the device before using con2fbmap, there is a nasty (unrelated) deadlock in there due to recursive console_lockup.)
 2. con2fbmap 1 2 (bind console 2 to nouveaufb (1)). This invokes ioctl(/dev/fb0, FBIOPUT_CON2FBMAP, (u32[2]){2, 1}).
 3. If you are not there already, switch to tty2 on the nouveau display.
 4. Press Enter until you are at the last line of the console (or past it, I forgot).
 5. Go to a different tty (e.g. the Intel one) and notice the KASAN report in dmesg.

Attached is yet another log (looks similar to the other ones) for v4.7-rc1 (with two unrelated patchsets applied on top).
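A triage helper for reports like the one above, added here as an example and not part of this bug report or the nouveau driver: it scans a dmesg capture for KASAN blocks and pulls out the bug class, the faulting function, the access kind and size, and the call-trace frames together with any loadable module tagged on them. The dmesg text is a constructed sample modeled on the KASAN titles quoted in this report, not the attached log; addresses, timestamps and task names are made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modeled on the KASAN titles quoted in this report (not the attached log).
SAMPLE_DMESG = """\
[  123.456789] ==================================================================
[  123.456801] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880123456c24
[  123.456812] Read of size 12 by task kworker/0:1/42
[  123.456830]  [<ffffffff81234567>] dump_stack+0x63/0x8a
[  123.456840]  [<ffffffffa0123456>] OUT_RINGp+0x25/0x60 [nouveau]
[  123.456850]  [<ffffffffa0123abc>] nvc0_fbcon_imageblit+0x3e7/0x520 [nouveau]
[  123.456860]  [<ffffffff81345678>] bit_putcs+0x3a2/0x5f0
[  123.456870] ==================================================================
"""

# Header: bug class and the function performing the bad access (4.x and newer layouts).
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)")
ACCESS_RE = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+)")
# Call-trace frame with an optional "[module]" tag, with or without the [<addr>] prefix.
FRAME_RE = re.compile(r"\]\s+(?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(?P<mod>\w+)\])?")

@dataclass
class KasanReport:
    kind: str
    func: str
    op: Optional[str] = None
    size: Optional[int] = None
    frames: List[str] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)  # loadable modules on the stack, first seen first

def parse_kasan_reports(text: str) -> List[KasanReport]:
    reports: List[KasanReport] = []
    cur: Optional[KasanReport] = None
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            cur = KasanReport(kind=m["kind"], func=m["func"])
            reports.append(cur)
        elif cur is None:
            continue
        elif m := ACCESS_RE.search(line):
            cur.op, cur.size = m["op"], int(m["size"])
        elif m := FRAME_RE.search(line):
            cur.frames.append(m["func"])
            if m["mod"] and m["mod"] not in cur.modules:
                cur.modules.append(m["mod"])
        elif "=====" in line and cur.frames:
            cur = None  # closing rule ends the current report
    return reports
```

The first module on the trace (here nouveau, reached through OUT_RINGp from nvc0_fbcon_imageblit) is the usual starting point for deciding which driver the report belongs to.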
Comment 1 Peter Wu 2016-07-07 21:59:55 UTC
Fixed since v4.7-rc3 with:

commit f045f459d925138fe7d6193a8c86406bda7e49da
Author: Ben Skeggs <bskeggs@redhat.com>
Date:   Thu Jun 2 12:23:31 2016 +1000

    drm/nouveau/fbcon: fix out-of-bounds memory accesses
    
    Reported by KASAN.
    
    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Cc: stable@vger.kernel.org

Confirmed that it no longer occurs in v4.7-rc6-74-g076501f.
