Created attachment 124231
dmesg output for v4.7-rc1 containing the KASAN report

Previously reported by others to mailing lists (with no replies):

[4.4-rc1] nouveau: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40
https://lists.freedesktop.org/archives/dri-devel/2015-November/095100.html

[3.10] BUG: drm, nouveau: slab-out-of-bounds read access in nv50_fbcon_imageblit()
https://lists.freedesktop.org/archives/dri-devel/2016-May/108270.html

Hardware: Optimus laptop with inteldrmfb being the primary framebuffer, an external monitor is connected to DP-1 on the Nvidia card (GTX 965M, 10de:13d9).

Steps to reproduce the out-of-bounds issue in my environment:

0. Avoid continuously triggering the error: dmesg -D
1. modprobe nouveau runpm=0 (or be sure to wake the device before using con2fbmap, there is a nasty (unrelated) deadlock in there due to recursive console_lockup.)
2. con2fbmap 1 2 (bind console 2 to nouveaufb (1)). This invokes ioctl(/dev/fb0, FBIOPUT_CON2FBMAP, (u32[2]){2, 1}).
3. If you are not there already, switch to tty2 on the nouveau display.
4. Press Enter until you are at the last line of the console (or past it, I forgot).
5. Go to a different tty (e.g. the Intel one) and notice the KASAN report in dmesg.

Attached is yet another log (looks similar to the other ones) for v4.7-rc1 (with two unrelated patchsets applied on top).

Fixed since v4.7-rc3 with:

commit f045f459d925138fe7d6193a8c86406bda7e49da
Author: Ben Skeggs <bskeggs@redhat.com>
Date:   Thu Jun 2 12:23:31 2016 +1000

    drm/nouveau/fbcon: fix out-of-bounds memory accesses

    Reported by KASAN.

    Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
    Cc: stable@vger.kernel.org

Confirmed that it no longer occurs in v4.7-rc6-74-g076501f.