[drm/vmwgfx] invalid read access at vmw_du_primary_plane_atomic_check()
Tetsuo Handa
penguin-kernel at i-love.sakura.ne.jp
Fri Aug 4 04:37:08 UTC 2017
Code added by commit 060e2ad57041b42c ("drm/vmwgfx: Add and connect plane helper
functions") is hitting the KASAN error shown below. I guess that either *vcs is
invalid or vcs->is_implicit is off-by-one.
----------
[ 19.654429] Linux agpgart interface v0.103
[ 19.657444] agpgart-intel 0000:00:00.0: Intel 440BX Chipset
[ 19.661704] agpgart-intel 0000:00:00.0: AGP aperture is 256M @ 0x0
[ 19.694269] [drm] DMA map mode: Using physical TTM page addresses.
[ 19.696460] [drm] Capabilities:
[ 19.697595] [drm] Rect copy.
[ 19.698678] [drm] Cursor.
[ 19.699661] [drm] Cursor bypass.
[ 19.700835] [drm] Cursor bypass 2.
[ 19.702044] [drm] 8bit emulation.
[ 19.703331] [drm] Alpha cursor.
[ 19.704446] [drm] Extended Fifo.
[ 19.705537] [drm] Multimon.
[ 19.706546] [drm] Pitchlock.
[ 19.707671] [drm] Irq mask.
[ 19.708676] [drm] Display Topology.
[ 19.710023] [drm] GMR.
[ 19.710972] [drm] Traces.
[ 19.711971] [drm] GMR2.
[ 19.712897] [drm] Screen Object 2.
[ 19.714082] [drm] Command Buffers.
[ 19.715315] [drm] Max GMR ids is 64
[ 19.716496] [drm] Max number of GMR pages is 196608
[ 19.718127] [drm] Max dedicated hypervisor surface memory is 786432 kiB
[ 19.720173] [drm] Maximum display memory size is 32768 kiB
[ 19.721999] [drm] VRAM at 0xe8000000 size is 32768 kiB
[ 19.723672] [drm] MMIO at 0xfe000000 size is 2048 kiB
[ 19.725354] [drm] global init.
[ 19.727593] [TTM] Zone kernel: Available graphics memory: 1588976 kiB
[ 19.729694] [TTM] Initializing pool allocator
[ 19.731319] [TTM] Initializing DMA pool allocator
[ 19.734882] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[ 19.736920] [drm] No driver support for vblank timestamp query.
[ 19.756622] [drm] Screen Objects Display Unit initialized
[ 19.759163] [drm] width 1280
[ 19.760211] [drm] height 768
[ 19.761238] [drm] bpp 32
[ 19.788213] [drm] Fifo max 0x00200000 min 0x00001000 cap 0x0000077f
[ 19.791354] [drm] Using command buffers with DMA pool.
[ 19.793213] [drm] DX: no.
[ 19.794084] [drm] Atomic: yes
[ 19.860077] fbcon: svgadrmfb (fb0) is primary device
[ 19.885281] Console: switching to colour frame buffer device 160x48
[ 19.896566] ==================================================================
[ 19.897136] BUG: KASAN: slab-out-of-bounds in vmw_du_primary_plane_atomic_check+0x26b/0x360
[ 19.897136] Read of size 1 at addr ffff880118a69fe8 by task swapper/0/1
[ 19.897136]
[ 19.897136] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.13.0-rc3-next-20170801 #140
[ 19.897136] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 19.897136] Call Trace:
[ 19.897136] dump_stack+0x86/0xc9
[ 19.897136] print_address_description+0xcb/0x250
[ 19.897136] kasan_report+0x24d/0x360
[ 19.897136] ? vmw_du_primary_plane_atomic_check+0x26b/0x360
[ 19.897136] __asan_load1+0x47/0x50
[ 19.897136] vmw_du_primary_plane_atomic_check+0x26b/0x360 /* vmw_du_primary_plane_atomic_check at drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:487 */
[ 19.897136] ? wait_for_completion+0x200/0x200
[ 19.897136] ? vmw_du_cursor_plane_atomic_update+0x520/0x520
[ 19.897136] ? __radix_tree_lookup+0x21/0x170
[ 19.897136] ? __drm_mode_object_find+0x5a/0xc0
[ 19.897136] ? drm_atomic_helper_check_modeset+0xd80/0x1350
[ 19.897136] drm_atomic_helper_check_planes+0x1a7/0x3c0 /* drm_atomic_helper_check_planes at drivers/gpu/drm/drm_atomic_helper.c:737 */
[ 19.897136] drm_atomic_helper_check+0x32/0x90 /* drm_atomic_helper_check at drivers/gpu/drm/drm_atomic_helper.c:795 */
[ 19.897136] vmw_kms_atomic_check_modeset+0x186/0x1a0 /* vmw_kms_atomic_check_modeset at drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:1566 */
[ 19.897136] drm_atomic_check_only+0x8cd/0xa70 /* drm_atomic_check_only at drivers/gpu/drm/drm_atomic.c:1666 */
[ 19.897136] ? drm_atomic_legacy_backoff+0xe0/0xe0
[ 19.897136] ? drm_atomic_helper_disable_plane+0xf0/0xf0
[ 19.897136] ? drm_atomic_helper_best_encoder+0x70/0x70
[ 19.897136] drm_atomic_commit+0x24/0x80 /* drm_atomic_commit at drivers/gpu/drm/drm_atomic.c:1702 */
[ 19.897136] drm_atomic_helper_set_config+0x7e/0xa0 /* drm_atomic_helper_set_config at drivers/gpu/drm/drm_atomic_helper.c:2607 */
[ 19.897136] ? ww_mutex_lock+0x43/0x70
[ 19.897136] vmw_kms_set_config+0x44/0x50 /* vmw_kms_set_config at drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:2849 */
[ 19.897136] vmwgfx_set_config_internal.constprop.4+0x122/0x2d0 /* vmwgfx_set_config_internal at drivers/gpu/drm/vmwgfx/vmwgfx_fb.c:444 */
[ 19.897136] vmw_fb_set_par+0x528/0xb00 /* vmw_fb_set_par at drivers/gpu/drm/vmwgfx/vmwgfx_fb.c:636 */
[ 19.897136] ? find_held_lock+0x117/0x150
[ 19.897136] ? vmw_fb_kms_detach+0x300/0x300
[ 19.897136] ? lock_downgrade+0x2d0/0x2d0
[ 19.897136] ? __mutex_unlock_slowpath+0xd4/0x3e0
[ 19.897136] ? wait_for_completion+0x200/0x200
[ 19.897136] ? init_timer_key+0x5f/0x70
[ 19.897136] vmw_fb_init+0x839/0x920 /* vmw_fb_init at drivers/gpu/drm/vmwgfx/vmwgfx_fb.c:704 */
[ 19.897136] ? vmw_fb_init+0x839/0x920
[ 19.999867] tsc: Refined TSC clocksource calibration: 1995.458 MHz
[ 20.000169] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x3986d7607fe, max_idle_ns: 881590663232 ns
[ 20.000311] ? vmw_fb_set_par+0xb00/0xb00
[ 20.000311] ? _raw_spin_unlock+0x22/0x30
[ 20.000311] ? ttm_read_unlock+0x48/0x50
[ 20.000311] vmw_driver_load+0x1937/0x1b10 /* vmw_driver_load at drivers/gpu/drm/vmwgfx/vmwgfx_drv.c:920 */
[ 20.000311] ? vmw_svga_enable+0x30/0x30
[ 20.000311] ? trace_hardirqs_on_caller+0x187/0x260
[ 20.000311] ? kasan_slab_free+0x88/0xc0
[ 20.000311] ? drm_dev_register+0x197/0x310
[ 20.000311] drm_dev_register+0x1ed/0x310 /* drm_dev_register at drivers/gpu/drm/drm_drv.c:802 */
[ 20.000311] drm_get_pci_dev+0xe9/0x250
[ 20.000311] ? vmw_remove+0x40/0x40
[ 20.000311] vmw_probe+0x10/0x20
[ 20.000311] local_pci_probe+0x75/0xd0
[ 20.000311] pci_device_probe+0x2a4/0x300
[ 20.000311] ? pci_device_remove+0xf0/0xf0
[ 20.000311] ? do_raw_spin_unlock+0x86/0x120
[ 20.000311] ? _raw_spin_unlock+0x22/0x30
[ 20.000311] driver_probe_device+0x3e2/0x660
[ 20.000311] ? driver_probe_device+0x660/0x660
[ 20.000311] __driver_attach+0x11c/0x120
[ 20.000311] bus_for_each_dev+0xea/0x150
[ 20.000311] ? subsys_dev_iter_exit+0x10/0x10
[ 20.000311] ? do_raw_spin_unlock+0x86/0x120
[ 20.000311] driver_attach+0x26/0x30
[ 20.000311] bus_add_driver+0x26b/0x3b0
[ 20.000311] driver_register+0xce/0x190
[ 20.000311] __pci_register_driver+0xaf/0xc0
[ 20.000311] ? ttm_init+0x5d/0x5d
[ 20.000311] ? set_debug_rodata+0x12/0x12
[ 20.000311] vmwgfx_init+0x28/0x48
[ 20.000311] do_one_initcall+0x9a/0x204
[ 20.000311] ? initcall_blacklisted+0x150/0x150
[ 20.000311] ? lock_downgrade+0x250/0x2d0
[ 20.000311] ? set_debug_rodata+0x12/0x12
[ 20.000311] kernel_init_freeable+0x35f/0x41c
[ 20.000311] ? start_kernel+0x569/0x569
[ 20.000311] ? lock_downgrade+0x2d0/0x2d0
[ 20.000311] ? finish_task_switch+0xd8/0x310
[ 20.000311] ? finish_task_switch+0x8a/0x310
[ 20.000311] ? rest_init+0xf0/0xf0
[ 20.000311] kernel_init+0xe/0x113
[ 20.000311] ? rest_init+0xf0/0xf0
[ 20.000311] ret_from_fork+0x2a/0x40
[ 20.000311]
[ 20.000311] Allocated by task 1:
[ 20.000311] save_stack_trace+0x16/0x20
[ 20.000311] save_stack+0x46/0xd0
[ 20.000311] kasan_kmalloc+0xad/0xe0
[ 20.000311] drm_atomic_helper_connector_duplicate_state+0x5d/0x90 /* drm_atomic_helper_connector_duplicate_state at include/linux/slab.h:393 */
[ 20.000311] drm_atomic_get_connector_state+0x171/0x290 /* drm_atomic_get_connector_state at drivers/gpu/drm/drm_atomic.c:1106 */
[ 20.000311] __drm_atomic_helper_set_config+0x503/0x660 /* update_output_state at drivers/gpu/drm/drm_atomic_helper.c:2541 (inlined by) __drm_atomic_helper_set_config at drivers/gpu/drm/drm_atomic_helper.c:2683 */
[ 20.000311] drm_atomic_helper_set_config+0x51/0xa0 /* drm_atomic_helper_set_config at drivers/gpu/drm/drm_atomic_helper.c:2600 */
[ 20.000311] vmw_kms_set_config+0x44/0x50 /* vmw_kms_set_config at drivers/gpu/drm/vmwgfx/vmwgfx_kms.c:2849 */
[ 20.000311] vmwgfx_set_config_internal.constprop.4+0x122/0x2d0 /* vmwgfx_set_config_internal at drivers/gpu/drm/vmwgfx/vmwgfx_fb.c:444 */
[ 20.000311] vmw_fb_set_par+0x528/0xb00
[ 20.000311] fbcon_init+0x95b/0xa20
[ 20.000311] visual_init+0x197/0x260
[ 20.000311] do_bind_con_driver+0x2c9/0x570
[ 20.000311] do_take_over_console+0x1c8/0x240
[ 20.000311] do_fbcon_takeover+0x8f/0x110
[ 20.000311] fbcon_event_notify+0xa40/0xb90
[ 20.000311] notifier_call_chain+0x6b/0xa0
[ 20.000311] __blocking_notifier_call_chain+0x5c/0x80
[ 20.000311] blocking_notifier_call_chain+0x11/0x20
[ 20.000311] fb_notifier_call_chain+0x16/0x20
[ 20.000311] register_framebuffer+0x403/0x590
[ 20.000311] vmw_fb_init+0x826/0x920
[ 20.000311] vmw_driver_load+0x1937/0x1b10
[ 20.000311] drm_dev_register+0x1ed/0x310
[ 20.000311] drm_get_pci_dev+0xe9/0x250
[ 20.000311] vmw_probe+0x10/0x20
[ 20.000311] local_pci_probe+0x75/0xd0
[ 20.000311] pci_device_probe+0x2a4/0x300
[ 20.000311] driver_probe_device+0x3e2/0x660
[ 20.000311] __driver_attach+0x11c/0x120
[ 20.000311] bus_for_each_dev+0xea/0x150
[ 20.000311] driver_attach+0x26/0x30
[ 20.000311] bus_add_driver+0x26b/0x3b0
[ 20.000311] driver_register+0xce/0x190
[ 20.000311] __pci_register_driver+0xaf/0xc0
[ 20.000311] vmwgfx_init+0x28/0x48
[ 20.000311] do_one_initcall+0x9a/0x204
[ 20.000311] kernel_init_freeable+0x35f/0x41c
[ 20.000311] kernel_init+0xe/0x113
[ 20.000311] ret_from_fork+0x2a/0x40
[ 20.000311]
[ 20.000311] Freed by task 1:
[ 20.000311] save_stack_trace+0x16/0x20
[ 20.000311] save_stack+0x46/0xd0
[ 20.000311] kasan_slab_free+0x72/0xc0
[ 20.000311] kfree+0xc1/0x1c0
[ 20.000311] acpi_ds_call_control_method+0x175/0x259
[ 20.000311] acpi_ps_parse_aml+0x115/0x445
[ 20.000311] acpi_ps_execute_method+0x251/0x298
[ 20.000311] acpi_ns_evaluate+0x34f/0x42f
[ 20.000311] acpi_evaluate_object+0x247/0x401
[ 20.000311] acpi_evaluate_integer+0xb8/0x130
[ 20.000311] acpi_bus_get_status+0xc4/0x100
[ 20.000311] acpi_bus_attach+0xa7/0x430
[ 20.000311] acpi_bus_attach+0x154/0x430
[ 20.000311] acpi_bus_attach+0x154/0x430
[ 20.000311] acpi_bus_attach+0x154/0x430
[ 20.000311] acpi_bus_attach+0x154/0x430
[ 20.000311] acpi_bus_scan+0x7e/0xe0
[ 20.000311] acpi_scan_init+0x18b/0x386
[ 20.000311] acpi_init+0x424/0x4b2
[ 20.000311] do_one_initcall+0x9a/0x204
[ 20.000311] kernel_init_freeable+0x35f/0x41c
[ 20.000311] kernel_init+0xe/0x113
[ 20.000311] ret_from_fork+0x2a/0x40
[ 20.000311]
[ 20.000311] The buggy address belongs to the object at ffff880118a69f88
[ 20.000311] which belongs to the cache kmalloc-96 of size 96
[ 20.000311] The buggy address is located 0 bytes to the right of
[ 20.000311] 96-byte region [ffff880118a69f88, ffff880118a69fe8)
[ 20.000311] The buggy address belongs to the page:
[ 20.000311] page:ffffea0004629a00 count:1 mapcount:0 mapping: (null) index:0xffff880118a68fc8 compound_mapcount: 0
[ 20.000311] flags: 0x2fffff80008100(slab|head)
[ 20.000311] raw: 002fffff80008100 0000000000000000 ffff880118a68fc8 0000000100240019
[ 20.000311] raw: ffffea0004627820 ffff8801194077c0 ffff880119410a00 0000000000000000
[ 20.000311] page dumped because: kasan: bad access detected
[ 20.000311]
[ 20.000311] Memory state around the buggy address:
[ 20.000311] ffff880118a69e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.000311] ffff880118a69f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.000311] >ffff880118a69f80: fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 20.000311] ^
[ 20.000311] ffff880118a6a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.000311] ffff880118a6a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.000311] ==================================================================
[ 20.000311] Disabling lock debugging due to kernel taint
[ 20.580502] clocksource: Switched to clocksource tsc
[ 20.582360] [drm] Initialized vmwgfx 2.13.0 20170607 for 0000:00:0f.0 on minor 0
----------
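Reading a splat like the one above by hand is error-prone, so here is an added example (my own code, not part of the report, the dri-devel thread, or the vmwgfx driver) that parses the relevant lines of this KASAN report and recovers exactly what the report states: the faulting function, the access kind, size and address, the object bounds and cache, the access offset relative to the object, and the accessible span implied by the shadow bytes. The sample input is a constructed excerpt of the lines quoted above; the shadow-byte meanings are the values defined in mm/kasan/kasan.h for kernels of that era (0x00 fully accessible, 0xfc kmalloc redzone, and so on), which is an assumption about the kernel version being triaged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample input: the lines of the KASAN splat quoted in the report
# above that this parser consumes (dmesg timestamps kept as they appear).
SAMPLE_REPORT = """\
[ 19.897136] BUG: KASAN: slab-out-of-bounds in vmw_du_primary_plane_atomic_check+0x26b/0x360
[ 19.897136] Read of size 1 at addr ffff880118a69fe8 by task swapper/0/1
[ 20.000311] which belongs to the cache kmalloc-96 of size 96
[ 20.000311] The buggy address is located 0 bytes to the right of
[ 20.000311] 96-byte region [ffff880118a69f88, ffff880118a69fe8)
[ 20.000311] ffff880118a69f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 20.000311] >ffff880118a69f80: fc 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
"""

SHADOW_GRANULE = 8  # one shadow byte describes 8 bytes of kernel memory
# Shadow byte values as defined in mm/kasan/kasan.h (4.13-era kernels; assumption).
SHADOW_MEANING = {0x00: "fully accessible", 0xfa: "global redzone",
                  0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone",
                  0xfe: "page redzone", 0xff: "free page"}

def shadow_meaning(b: int) -> str:
    if 1 <= b < SHADOW_GRANULE:
        return f"first {b} of {SHADOW_GRANULE} bytes accessible"
    return SHADOW_MEANING.get(b, f"unknown shadow value {b:#04x}")

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_LINE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>\S+)")
ACCESS_LINE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
CACHE_LINE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
REGION_LINE = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SHADOW_LINE = re.compile(r"^>?(?P<addr>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2})*)$")

@dataclass
class KasanReport:
    kind: str
    function: str
    access: str
    size: int
    addr: int
    cache: Optional[str] = None
    obj_start: Optional[int] = None
    obj_end: Optional[int] = None
    shadow: Dict[int, int] = field(default_factory=dict)  # memory address -> shadow byte

def parse_kasan_report(text: str) -> KasanReport:
    fields: dict = {}
    shadow: Dict[int, int] = {}
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if m := BUG_LINE.search(line):
            fields.update(kind=m["kind"], function=m["sym"].split("+", 1)[0])  # drop +off/size
        elif m := ACCESS_LINE.search(line):
            fields.update(access=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16))
        elif m := CACHE_LINE.search(line):
            fields["cache"] = m["cache"]
        elif m := REGION_LINE.search(line):
            fields.update(obj_start=int(m["start"], 16), obj_end=int(m["end"], 16))
        elif m := SHADOW_LINE.match(line):
            base = int(m["addr"], 16)
            for i, tok in enumerate(m["bytes"].split()):
                shadow[base + i * SHADOW_GRANULE] = int(tok, 16)
    missing = {"kind", "function", "access", "size", "addr"} - set(fields)
    if missing:
        raise ValueError(f"incomplete KASAN report, missing {sorted(missing)}")
    return KasanReport(shadow=shadow, **fields)

def offset_from_object(r: KasanReport) -> Optional[int]:
    """Offset of the access from the object's start; equal to the object size means one past the end."""
    return None if r.obj_start is None else r.addr - r.obj_start

def bytes_past_end(r: KasanReport) -> Optional[int]:
    return None if r.obj_end is None else r.addr - r.obj_end

def accessible_run(r: KasanReport, addr: int) -> Tuple[int, int]:
    """[start, end) of the fully accessible span containing addr, per the shadow dump."""
    g = addr - addr % SHADOW_GRANULE
    if r.shadow.get(g) != 0:
        return (g, g)  # addr itself is poisoned: empty span
    start = end = g
    while r.shadow.get(start - SHADOW_GRANULE) == 0:
        start -= SHADOW_GRANULE
    while r.shadow.get(end) == 0:
        end += SHADOW_GRANULE
    return (start, end)

def summarize(r: KasanReport) -> str:
    out = f"{r.kind}: {r.access} of {r.size} byte(s) in {r.function} at {r.addr:#x}"
    if r.obj_start is not None and r.obj_end is not None:
        s, e = accessible_run(r, r.obj_start)
        out += (f"; object {r.cache} [{r.obj_start:#x}, {r.obj_end:#x}) size {r.obj_end - r.obj_start}"
                f"; access offset {offset_from_object(r)}, {bytes_past_end(r)} byte(s) past the end"
                f"; shadow shows {e - s} accessible bytes from {s:#x}")
    return out
```

Run against the excerpt, `summarize(parse_kasan_report(SAMPLE_REPORT))` reports a 1-byte read at offset 96 of a 96-byte kmalloc-96 object, 0 bytes past its end, and the shadow line independently shows 96 accessible bytes starting at ffff880118a69f88. That is the "one past the end" shape the reporter's off-by-one guess describes, but the parser only restates what the report says; whether the pointer itself or the field index is wrong still has to be settled by reading vmwgfx_kms.c at the reported line.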