nouveau: BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40

From: Tommi Rantala
Date: Sun Nov 22 2015 - 15:18:28 EST


Hello,

I'm seeing this kasan report after booting with linus v4.4-rc1-290-g3ad5d7e.

BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880169e21fd0
Read of size 64 by task kworker/1:0/14
=============================================================================
BUG kmalloc-8192 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in register_framebuffer+0x466/0x550 age=30792 cpu=1 pid=1
___slab_alloc+0x53b/0x560
__slab_alloc+0x3e/0x70
kmem_cache_alloc_trace+0x20f/0x290
register_framebuffer+0x466/0x550
drm_fb_helper_initial_config+0x5a1/0x800
nouveau_fbcon_init+0x148/0x180
nouveau_drm_load+0x583/0xf30
drm_dev_register+0xb9/0xd0
drm_get_pci_dev+0x176/0x370
nouveau_drm_probe+0x2f2/0x3c0
local_pci_probe+0x75/0xd0
pci_device_probe+0x19f/0x1f0
driver_probe_device+0x208/0x6c0
__driver_attach+0xb8/0xc0
bus_for_each_dev+0xe6/0x150
driver_attach+0x26/0x30
INFO: Slab 0xffffea0005a78800 objects=3 used=3 fp=0x (null) flags=0x200000000004080
INFO: Object 0xffff880169e20000 @offset=0 fp=0x (null)
Object ffff880169e20000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880169e20010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
Object ffff880169e20fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ................
Object ffff880169e20fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880169e20fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ................
Object ffff880169e20ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
CPU: 1 PID: 14 Comm: kworker/1:0 Tainted: G B 4.4.0-rc1+ #1
Hardware name: Dell Inc. OptiPlex 990/0D6H9T, BIOS A06 07/25/2011
Workqueue: events_power_efficient fb_flashcursor
ffffea0005a78800 ffff8801740ef7f0 ffffffff818a802e ffff880174c04e00
ffff8801740ef820 ffffffff813030e4 ffff880174c04e00 ffffea0005a78800
ffff880169e20000 ffff880169e21fd0 ffff8801740ef848 ffffffff813063ef
Call Trace:
[<ffffffff818a802e>] dump_stack+0x4b/0x6d
[<ffffffff813030e4>] print_trailer+0xf4/0x150
[<ffffffff813063ef>] object_err+0x2f/0x40
[<ffffffff8130ae7d>] kasan_report_error+0x20d/0x510
[<ffffffff810acfd7>] ? native_sched_clock+0x67/0x140
[<ffffffff8130b1b4>] kasan_report+0x34/0x40
[<ffffffff8130ac3d>] ? memcpy+0x1d/0x40
[<ffffffff8130a9da>] __asan_loadN+0x12a/0x180
[<ffffffff8130ac3d>] memcpy+0x1d/0x40
[<ffffffff82015b25>] OUT_RINGp+0x75/0x90
[<ffffffff82011572>] nvc0_fbcon_imageblit+0x462/0x6c0
[<ffffffff8200bd2d>] nouveau_fbcon_imageblit+0xfd/0x110
[<ffffffff81956a16>] soft_cursor+0x2f6/0x400
[<ffffffff81955e64>] bit_cursor+0xb14/0xb60
[<ffffffff81955350>] ? update_attr.isra.0+0xc0/0xc0
[<ffffffff8194b203>] ? fb_flashcursor+0x33/0x1b0
[<ffffffff8195987f>] ? fb_get_color_depth+0x7f/0xb0
[<ffffffff8194b0d6>] ? get_color+0xd6/0x1d0
[<ffffffff81955350>] ? update_attr.isra.0+0xc0/0xc0
[<ffffffff8194b36f>] fb_flashcursor+0x19f/0x1b0
[<ffffffff8114328e>] process_one_work+0x3fe/0xae0
[<ffffffff811431be>] ? process_one_work+0x32e/0xae0
[<ffffffff81142e90>] ? try_to_grab_pending+0x200/0x200
[<ffffffff811bfc75>] ? debug_lockdep_rcu_enabled+0x35/0x40
[<ffffffff811439fa>] worker_thread+0x8a/0x7f0
[<ffffffff81143970>] ? process_one_work+0xae0/0xae0
[<ffffffff8114e085>] kthread+0x185/0x1b0
[<ffffffff8114df00>] ? __kthread_parkme+0xe0/0xe0
[<ffffffff819a916f>] ? acpi_ps_parse_loop+0x41c/0xab8
[<ffffffff8118e136>] ? trace_hardirqs_on_caller+0x186/0x280
[<ffffffff81905d88>] ? ddebug_add_module+0x38/0x130
[<ffffffff8114df00>] ? __kthread_parkme+0xe0/0xe0
[<ffffffff82f3523f>] ret_from_fork+0x3f/0x70
[<ffffffff8114df00>] ? __kthread_parkme+0xe0/0xe0
Memory state around the buggy address:
ffff880169e21f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff880169e21f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880169e22000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
ffff880169e22080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880169e22100: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
==================================================================


Some nouveau messages from the boot, if this helps:

nouveau 0000:01:00.0: NVIDIA GF119 (0d90a0a1)
nouveau 0000:01:00.0: bios: version 75.19.55.00.02
nouveau 0000:01:00.0: fb: 1024 MiB DDR3
[TTM] Zone kernel: Available graphics memory: 2590256 kiB
[TTM] Zone dma32: Available graphics memory: 2097152 kiB
[TTM] Initializing pool allocator
[TTM] Initializing DMA pool allocator
nouveau 0000:01:00.0: DRM: VRAM: 1024 MiB
nouveau 0000:01:00.0: DRM: GART: 1048576 MiB
nouveau 0000:01:00.0: DRM: TMDS table version 2.0
nouveau 0000:01:00.0: DRM: DCB version 4.0
nouveau 0000:01:00.0: DRM: DCB outp 00: 02000300 00000000
nouveau 0000:01:00.0: DRM: DCB outp 01: 01000302 00020030
nouveau 0000:01:00.0: DRM: DCB outp 02: 02011362 00020010
nouveau 0000:01:00.0: DRM: DCB outp 03: 04022310 00000000
nouveau 0000:01:00.0: DRM: DCB conn 00: 00001030
nouveau 0000:01:00.0: DRM: DCB conn 01: 00002161
nouveau 0000:01:00.0: DRM: DCB conn 02: 00000200
[drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[drm] Driver supports precise vblank timestamp query.
nouveau 0000:01:00.0: DRM: MM: using COPY0 for buffer copies
nouveau 0000:01:00.0: No connectors reported connected with modes
[drm] Cannot find any crtc or sizes - going 1024x768
nouveau 0000:01:00.0: DRM: allocated 1024x768 fb: 0x60000, bo ffff880169d36e40
fbcon: nouveaufb (fb0) is primary device
Console: switching to colour frame buffer device 128x48
nouveau 0000:01:00.0: fb0: nouveaufb frame buffer device
[drm] Initialized nouveau 1.3.1 20120801 for 0000:01:00.0 on minor 0
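A triage helper for the report above, added here as an example and not part of the original mail: it parses the KASAN header lines, locates the faulting address inside the kmalloc-8192 object reported by SLUB, and works out how much of the 64-byte memcpy read falls past the end of the object. It assumes the object is the full size of its kmalloc cache (the shadow map above, with the 0xfc redzone starting at ffff880169e22000, confirms that here); the `KASAN_REPORT` string is a constructed excerpt of the lines quoted in the mail.

```python
import re

# Constructed excerpt of the KASAN/SLUB report quoted in the mail (sample input).
KASAN_REPORT = """\
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880169e21fd0
Read of size 64 by task kworker/1:0/14
BUG kmalloc-8192 (Not tainted): kasan: bad access detected
INFO: Allocated in register_framebuffer+0x466/0x550 age=30792 cpu=1 pid=1
INFO: Object 0xffff880169e20000 @offset=0 fp=0x (null)
"""


def triage_kasan(report):
    """Return the faulting access, the victim object and the overrun in bytes.

    Object size is taken from the kmalloc cache name; the real kmalloc request
    may be smaller, in which case the first 0xfc shadow byte in the
    "Memory state" block is the authoritative end of the object.
    Raises ValueError when a required line is absent.
    """
    def grab(pattern):
        m = re.search(pattern, report, re.M)
        if not m:
            raise ValueError("report lacks a line matching %r" % pattern)
        return m

    bug = grab(r"^BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)$")
    acc = grab(r"^(Read|Write) of size (\d+) by task (\S+)$")
    cache = grab(r"^BUG (kmalloc-(\d+)) ")       # "BUG:" line has a colon, so it is skipped
    obj = grab(r"^INFO: Object 0x([0-9a-f]+) @offset=(\d+)")
    alloc = grab(r"^INFO: Allocated in (\S+) ")

    addr = int(bug.group(3), 16)
    size = int(acc.group(2))
    obj_start = int(obj.group(1), 16)
    obj_end = obj_start + int(cache.group(2))    # first byte past the object

    return {
        "kind": bug.group(1),                    # e.g. slab-out-of-bounds
        "access_fn": bug.group(2),               # instruction that faulted (memcpy)
        "direction": acc.group(1),
        "size": size,
        "task": acc.group(3),
        "cache": cache.group(1),
        "allocated_in": alloc.group(1),          # who owns the victim object
        "offset_in_object": addr - obj_start,
        "bytes_in_bounds": max(0, min(size, obj_end - addr)),
        "bytes_out_of_bounds": max(0, addr + size - obj_end),
    }
```

For this report the read starts at offset 0x1fd0 of an 8192-byte object, so 48 bytes are inside it and the last 16 bytes land in the redzone that begins at ffff880169e22000.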