Created attachment 130857 [details] dmesg for 4.10.9 with KASAN with files + lines added Since upgrading from kernel 4.9.9 to 4.10.5 (and 4.10.9), I ended up with clear signs of memory corruption that finished with two kernel panics. The second trace seems related to bug 100431. When trying to reproduce it with 4.10.9, I failed to reproduce those issues, but instead I found this one. It seems to happen when I try to open a new window in KDE Plasma on Arch Linux (though I am not sure of the exact trigger). ================================================================== BUG: KASAN: use-after-free in drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 at addr ffff880739ecbfb0 (drivers/gpu/drm/drm_irq.c:743) Read of size 4 by task swapper/4/0 CPU: 4 PID: 0 Comm: swapper/4 Not tainted 4.10.9kasan #10 Hardware name: Notebook P65_P67RGRERA/P65_P67RGRERA, BIOS 1.05.16 05/16/2016 Call Trace: <IRQ> dump_stack+0x68/0x96 (lib/dump_stack.c:27) kasan_object_err+0x21/0x70 (mm/kasan/report.c:159) kasan_report.part.1+0x213/0x4e0 ? drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743) __asan_report_load4_noabort+0x2e/0x30 (mm/kasan/report.c:331) drm_calc_vbltimestamp_from_scanoutpos+0x625/0x740 (drivers/gpu/drm/drm_irq.c:743) ? drm_irq_install+0x570/0x570 (drivers/gpu/drm/drm_irq.c:459) ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780) ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190) ? try_to_wake_up+0xc6/0xd00 (kernel/sched/core.c:2010) ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270) ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270) ? migrate_swap_stop+0x790/0x790 (kernel/sched/core.c:1291) ? drm_handle_vblank+0x1c1/0x7d0 (drivers/gpu/drm/drm_irq.c:1704) nouveau_display_vblstamp+0x16d/0x2a0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:159) drm_get_last_vbltimestamp+0xcb/0x160 (drivers/gpu/drm/drm_irq.c:878) ? 
get_drm_timestamp+0x40/0x40 (drivers/gpu/drm/drm_irq.c:848) ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780) ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190) ? nouveau_fence_wait_uevent_handler+0xc9/0x140 [nouveau] (drivers/gpu/drm/nouveau/nouveau_fence.c:148) drm_update_vblank_count+0x16a/0x870 (drivers/gpu/drm/drm_irq.c:150) ? store_vblank+0x2c0/0x2c0 (drivers/gpu/drm/drm_irq.c:79) drm_handle_vblank+0x14a/0x7d0 (drivers/gpu/drm/drm_irq.c:1704) ? trace_hardirqs_off+0xd/0x10 (kernel/locking/lockdep.c:2780) ? drm_crtc_wait_one_vblank+0x90/0x90 (drivers/gpu/drm/drm_irq.c:1252) ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270) ? cpuacct_charge+0x240/0x400 (kernel/sched/cpuacct.c:349) drm_crtc_handle_vblank+0x63/0x90 (drivers/gpu/drm/drm_irq.c:1755) ? find_next_bit+0x18/0x20 (lib/find_bit.c:63) nouveau_display_vblank_handler+0x15/0x20 [nouveau] (drivers/gpu/drm/nouveau/nouveau_display.c:50) nvif_notify+0x25f/0x570 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:113) ? nvif_notify_get+0x160/0x160 [nouveau] (drivers/gpu/drm/nouveau/nvif/notify.c:83) ? nv50_disp_vblank_fini_+0x57/0x80 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:102) ? nvkm_disp_vblank_fini+0x5f/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:41) ? nvkm_client_driver_init+0x100/0x100 [nouveau] (drivers/gpu/drm/nouveau/nouveau_nvif.c:110) nvkm_client_ntfy+0xc9/0x100 [nouveau] (drivers/gpu/drm/nouveau/nouveau_nvif.c:81) nvkm_client_notify+0xea/0x140 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/client.c:46) ? _raw_spin_unlock_irqrestore+0x4b/0x50 (kernel/locking/spinlock.c:190) nvkm_notify_send+0x224/0x520 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/notify.c:92) nvkm_event_send+0x208/0x270 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/event.c:54) nvkm_disp_vblank+0x74/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:85) ? 
nvkm_disp_dtor+0x540/0x540 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:247) gf119_disp_intr+0x1d6/0x690 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/gf119.c:447) nv50_disp_intr_+0x4a/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/nv50.c:116) nvkm_disp_intr+0x53/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/engine/disp/base.c:204) nvkm_engine_intr+0x57/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/engine.c:71) nvkm_subdev_intr+0x54/0x70 [nouveau] (drivers/gpu/drm/nouveau/nvkm/core/subdev.c:88) nvkm_mc_intr+0x23a/0x4b0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:79) ? nvkm_mc_intr_rearm+0xa0/0xa0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/mc/base.c:62) ? nv40_pci_wr08+0x68/0xa0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/nv40.c:35) ? nvkm_pci_wr08+0x57/0x90 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:39) nvkm_pci_intr+0xcc/0x170 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:70) ? nvkm_pci_fini+0xd0/0xd0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84) ? debug_check_no_locks_freed+0x280/0x280 (kernel/locking/lockdep.c:4270) ? nvkm_pci_fini+0xd0/0xd0 [nouveau] (drivers/gpu/drm/nouveau/nvkm/subdev/pci/base.c:84) __handle_irq_event_percpu+0xe1/0x630 (kernel/irq/handle.c:136) handle_irq_event_percpu+0x69/0x130 (kernel/irq/handle.c:181) ? __handle_irq_event_percpu+0x630/0x630 (kernel/irq/handle.c:136) ? handle_edge_irq+0x30/0x850 (kernel/irq/chip.c:622) handle_irq_event+0xa7/0x140 (kernel/irq/handle.c:195) handle_edge_irq+0x1cd/0x850 (kernel/irq/chip.c:622) handle_irq+0x105/0x2a0 (arch/x86/kernel/irq_64.c:69) ? 
__local_bh_enable+0x37/0x60 (kernel/softirq.c:139) do_IRQ+0x7d/0x1a0 (arch/x86/kernel/irq.c:213) common_interrupt+0x90/0x90 (arch/x86/entry/entry_64.S:452) RIP: 0010:cpuidle_enter_state+0x10d/0x7d0 (drivers/cpuidle/cpuidle.c:188) RSP: 0018:ffff88077228fdc0 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff1e RAX: 0000000000000003 RBX: ffff8807761297b8 RCX: 000000000000001f RDX: 0000000000000004 RSI: 1ffff100eec23d1b RDI: ffffffff839ec680 RBP: ffff88077228fe18 R08: 0000000000012314 R09: ffffffff83a10980 R10: ffff88077611dfc4 R11: ffff88077611dfe4 R12: 0000000000000008 R13: ffffffff83a10c98 R14: 000000001e85c873 R15: 0000000000000300 </IRQ> ? set_cpu_sd_state_idle+0x145/0x230 (kernel/sched/fair.c:8557) cpuidle_enter+0x17/0x20 (drivers/cpuidle/cpuidle.c:282) call_cpuidle+0x47/0xc0 (kernel/sched/idle.c:103) ? cpuidle_select+0x59/0x80 (drivers/cpuidle/cpuidle.c:266) ? rcu_idle_enter+0x7e/0xa0 (kernel/rcu/tree.c:749) do_idle+0x22c/0x2e0 (kernel/sched/idle.c:209) cpu_startup_entry+0x1d/0x20 (kernel/sched/idle.c:326) start_secondary+0x298/0x360 (arch/x86/kernel/smpboot.c:224) ? 
set_cpu_sibling_map+0x1a40/0x1a40 (arch/x86/kernel/smpboot.c:525) start_cpu+0x14/0x14 (arch/x86/kernel/head_64.S:301) Object at ffff880739ecbf00, in cache kmalloc-1024 size: 1024 Allocated: PID = 535 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56) save_stack+0x46/0xd0 (mm/kasan/kasan.c:493) kasan_kmalloc+0xad/0xe0 (mm/kasan/kasan.c:585) kmem_cache_alloc_trace+0xf1/0x280 (mm/slub.c:2739) nv50_head_atomic_duplicate_state+0x72/0x700 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2323) drm_atomic_get_crtc_state+0x1be/0x3d0 (drivers/gpu/drm/drm_atomic.c:264) drm_atomic_get_plane_state+0x2a5/0x3e0 (drivers/gpu/drm/drm_atomic.c:679) drm_atomic_helper_update_plane+0x10b/0x3b0 (drivers/gpu/drm/drm_atomic_helper.c:2089) __setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457) drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599) drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675) drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733) drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657) nouveau_drm_ioctl+0xf9/0x1e0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_drm.c:925) do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624) SyS_ioctl+0x79/0x90 (fs/ioctl.c:689) entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188) Freed: PID = 535 save_stack_trace+0x1b/0x20 (arch/x86/kernel/stacktrace.c:56) save_stack+0x46/0xd0 (mm/kasan/kasan.c:493) kasan_slab_free+0x73/0xc0 (mm/kasan/kasan.c:560) kfree+0xd9/0x2a0 (mm/slub.c:3862) nv50_head_atomic_destroy_state+0x1d/0x20 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:2315) drm_atomic_state_default_clear+0x372/0x930 (drivers/gpu/drm/drm_atomic.c:141) nv50_disp_atomic_state_clear+0x124/0x1b0 [nouveau] (drivers/gpu/drm/nouveau/nv50_display.c:4301) drm_atomic_state_clear+0x80/0xb0 (drivers/gpu/drm/drm_atomic.c:210) __drm_atomic_state_free+0x3a/0xe0 (drivers/gpu/drm/drm_atomic.c:229) drm_atomic_helper_update_plane+0x2b3/0x3b0 (drivers/gpu/drm/drm_atomic_helper.c:2089) 
__setplane_internal+0x417/0x950 (drivers/gpu/drm/drm_plane.c:457) drm_mode_cursor_universal+0x397/0xb30 (drivers/gpu/drm/drm_plane.c:599) drm_mode_cursor_common+0x173/0x750 (drivers/gpu/drm/drm_plane.c:675) drm_mode_cursor_ioctl+0x90/0xb0 (drivers/gpu/drm/drm_plane.c:733) drm_ioctl+0x4b0/0xba0 (drivers/gpu/drm/drm_ioctl.c:657) nouveau_drm_ioctl+0xf9/0x1e0 [nouveau] (drivers/gpu/drm/nouveau/nouveau_drm.c:925) do_vfs_ioctl+0x184/0xff0 (fs/ioctl.c:624) SyS_ioctl+0x79/0x90 (fs/ioctl.c:689) entry_SYSCALL_64_fastpath+0x18/0xad (arch/x86/entry/entry_64.S:188) Memory state around the buggy address: ffff880739ecbe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff880739ecbf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff880739ecbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff880739ecc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880739ecc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed to further activity here. You can subscribe and participate further via the new issue on our GitLab instance: https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/343.