[Nouveau] nouveau: refcount_t splat on 4.15-rc1 on nv50
Adam Borowski
kilobyte at angband.pl
Sat Dec 2 18:03:16 UTC 2017
Hi guys!
I'm getting the following warning on 4.15-rc1, on a GTX 560 Ti:
[ 9.430433] nouveau 0000:01:00.0: NVIDIA GF114 (0ce000a1)
...
[ 9.585172] nouveau 0000:01:00.0: bios: version 70.24.2e.00.02
...
[ 9.772204] nouveau 0000:01:00.0: fb: 1024 MiB GDDR5
[ 9.777342] ------------[ cut here ]------------
[ 9.782106] refcount_t: increment on 0; use-after-free.
[ 9.787522] WARNING: CPU: 0 PID: 3 at lib/refcount.c:153 refcount_inc+0x30/0x50
[ 9.795060] Modules linked in: sha256_generic cfg80211(+) rfkill snd_usb_audio snd_usbmidi_lib nouveau(+) video ttm
[ 9.805756] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.15.0-rc1-debug-ubsan-00020-gf4707a916107 #1
[ 9.815215] Hardware name: System manufacturer System Product Name/M4A77T, BIOS 2401 05/18/2011
[ 9.824420] Workqueue: events work_for_cpu_fn
[ 9.828915] task: ffff880226110c80 task.stack: ffffc90000c80000
[ 9.830647] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 9.841681] RIP: 0010:refcount_inc+0x30/0x50
[ 9.846093] RSP: 0018:ffffc90000c83808 EFLAGS: 00010296
[ 9.851458] RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
[ 9.858763] RDX: 0000000000000001 RSI: 0000000000000082 RDI: ffffffff8378eb8c
[ 9.866051] RBP: ffff88021f103fd0 R08: 0000000000000199 R09: ffff8800000bd500
[ 9.873330] R10: 0000000000000000 R11: ffffffff82289a80 R12: 0000000000000000
[ 9.880621] R13: ffff8802103a69e0 R14: ffff88021f103fe0 R15: ffff88021f103fe0
[ 9.887909] FS: 0000000000000000(0000) GS:ffff88022fc00000(0000) knlGS:0000000000000000
[ 9.896230] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9.902117] CR2: 0000560476ba0000 CR3: 0000000225232000 CR4: 00000000000006f0
[ 9.909417] Call Trace:
[ 9.912106] nv50_instobj_acquire+0x123/0x1c0 [nouveau]
[ 9.917565] ? nvbios_rd08+0x1b/0x70 [nouveau]
[ 9.922239] nvkm_instobj_new+0x1e3/0x520 [nouveau]
[ 9.927353] ? nvbios_rd08+0x1b/0x70 [nouveau]
[ 9.932017] ? nvbios_pll_parse+0x8d7/0xcf0 [nouveau]
[ 9.937218] ? kmem_cache_alloc+0x1f0/0x2d0
[ 9.941624] nvkm_memory_new+0x4b/0xc0 [nouveau]
[ 9.946461] ? nvkm_longopt+0x17/0x60 [nouveau]
[ 9.951208] gf100_fb_oneinit+0x7b/0x1c0 [nouveau]
[ 9.956218] nvkm_fb_oneinit+0x89/0x2e0 [nouveau]
[ 9.961144] nvkm_subdev_init+0x92/0x600 [nouveau]
[ 9.966085] ? ktime_get+0x64/0x110
[ 9.969815] nvkm_device_init+0x169/0x2a0 [nouveau]
[ 9.974922] nvkm_udevice_init+0x7e/0xf0 [nouveau]
[ 9.979924] nvkm_object_init+0x6a/0x2e0 [nouveau]
[ 9.984932] nvkm_ioctl_new+0x198/0x430 [nouveau]
[ 9.989846] ? nvif_vmm_init+0x340/0x340 [nouveau]
[ 9.994864] ? nvkm_udevice_rd08+0x90/0x90 [nouveau]
[ 10.000056] nvkm_ioctl+0x21e/0x5a0 [nouveau]
[ 10.004548] ? yield_to+0x2b2/0x370
[ 10.008257] nvif_object_init+0xef/0x1b0 [nouveau]
[ 10.013281] nvif_device_init+0x9/0x40 [nouveau]
[ 10.018136] nouveau_cli_init+0x234/0x12f0 [nouveau]
[ 10.023253] ? idr_alloc_cyclic+0x6c/0x110
[ 10.027487] ? _cond_resched+0x1d/0x80
[ 10.031366] ? kmem_cache_alloc+0x1f0/0x2d0
[ 10.035790] nouveau_drm_load+0x71/0xec0 [nouveau]
[ 10.040735] drm_dev_register+0x1b4/0x330
[ 10.044872] ? pci_enable_device_flags+0x155/0x200
[ 10.049806] drm_get_pci_dev+0xde/0x2c0
[ 10.053874] nouveau_drm_probe+0x1b9/0x240 [nouveau]
[ 10.058986] ? __pm_runtime_resume+0x68/0xb0
[ 10.063409] local_pci_probe+0x5e/0xf0
[ 10.067300] work_for_cpu_fn+0x10/0x30
[ 10.071183] process_one_work+0x21a/0x670
[ 10.075325] worker_thread+0x256/0x500
[ 10.079208] ? manage_workers+0x1e0/0x1e0
[ 10.083362] kthread+0x169/0x220
[ 10.086730] ? kthread_create_worker_on_cpu+0x40/0x40
[ 10.091933] ret_from_fork+0x1f/0x30
[ 10.095655] Code: ff 84 c0 74 02 5b c3 0f b6 1d 59 b2 a6 01 80 fb 01 77 1c 83 e3 01 75 ed 48 c7 c7 c8 f1 3f 82 c6 05 41 b2 a6 01 01 e8 50 02 8d ff <0f> ff 5b c3 0f b6 f3 48 c7 c7 00 16 c7 82 e8 dd 81 0d 00 eb d3
[ 10.114909] ---[ end trace 08f29138ff4259e6 ]---
[ 10.119703] hpet1: lost 21 rtc interrupts
[ 10.125534] ------------[ cut here ]------------
[ 10.130326] refcount_t: underflow; use-after-free.
[ 10.135292] WARNING: CPU: 0 PID: 3 at lib/refcount.c:281 refcount_dec_not_one+0x68/0x90
[ 10.143540] Modules linked in: sha256_generic cfg80211 rfkill snd_usb_audio snd_usbmidi_lib nouveau(+) video ttm
[ 10.153956] CPU: 0 PID: 3 Comm: kworker/0:0 Tainted: G W 4.15.0-rc1-debug-ubsan-00020-gf4707a916107 #1
[ 10.164719] Hardware name: System manufacturer System Product Name/M4A77T, BIOS 2401 05/18/2011
[ 10.173929] Workqueue: events work_for_cpu_fn
[ 10.178423] task: ffff880226110c80 task.stack: ffffc90000c80000
[ 10.184488] RIP: 0010:refcount_dec_not_one+0x68/0x90
[ 10.189580] RSP: 0018:ffffc90000c837f0 EFLAGS: 00010286
[ 10.194946] RAX: 0000000000000026 RBX: 0000000000000000 RCX: 0000000000000000
[ 10.202232] RDX: 0000000000000001 RSI: 0000000000000092 RDI: ffffffff8378eb8c
[ 10.209512] RBP: ffff8802103a69e0 R08: 0000000000000199 R09: ffff8800000b9040
[ 10.216801] R10: 0000000000000000 R11: ffffffff82289a80 R12: ffff8802103a69e0
[ 10.224090] R13: ffffffffa025dc20 R14: ffff88021f103f80 R15: ffffffffa0368e60
[ 10.231362] FS: 0000000000000000(0000) GS:ffff88022fc00000(0000) knlGS:0000000000000000
[ 10.239679] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 10.245569] CR2: 0000560476ba0000 CR3: 0000000225232000 CR4: 00000000000006f0
[ 10.252862] Call Trace:
[ 10.255433] refcount_dec_and_mutex_lock+0x18/0x70
[ 10.260450] nv50_instobj_release+0x69/0x1a0 [nouveau]
[ 10.265834] nvkm_instobj_new+0x219/0x520 [nouveau]
[ 10.270935] ? nvbios_rd08+0x1b/0x70 [nouveau]
[ 10.275598] ? nvbios_pll_parse+0x8d7/0xcf0 [nouveau]
[ 10.280807] ? kmem_cache_alloc+0x1f0/0x2d0
[ 10.285205] nvkm_memory_new+0x4b/0xc0 [nouveau]
[ 10.290042] ? nvkm_longopt+0x17/0x60 [nouveau]
[ 10.294808] gf100_fb_oneinit+0x7b/0x1c0 [nouveau]
[ 10.299818] nvkm_fb_oneinit+0x89/0x2e0 [nouveau]
[ 10.304733] nvkm_subdev_init+0x92/0x600 [nouveau]
[ 10.309667] ? ktime_get+0x64/0x110
[ 10.313394] nvkm_device_init+0x169/0x2a0 [nouveau]
[ 10.318512] nvkm_udevice_init+0x7e/0xf0 [nouveau]
[ 10.323524] nvkm_object_init+0x6a/0x2e0 [nouveau]
[ 10.328539] nvkm_ioctl_new+0x198/0x430 [nouveau]
[ 10.333464] ? nvif_vmm_init+0x340/0x340 [nouveau]
[ 10.338506] ? nvkm_udevice_rd08+0x90/0x90 [nouveau]
[ 10.343691] nvkm_ioctl+0x21e/0x5a0 [nouveau]
[ 10.348190] ? yield_to+0x2b2/0x370
[ 10.351891] nvif_object_init+0xef/0x1b0 [nouveau]
[ 10.356914] nvif_device_init+0x9/0x40 [nouveau]
[ 10.361761] nouveau_cli_init+0x234/0x12f0 [nouveau]
[ 10.366876] ? idr_alloc_cyclic+0x6c/0x110
[ 10.371120] ? _cond_resched+0x1d/0x80
[ 10.375000] ? kmem_cache_alloc+0x1f0/0x2d0
[ 10.379405] nouveau_drm_load+0x71/0xec0 [nouveau]
[ 10.384340] drm_dev_register+0x1b4/0x330
[ 10.388488] ? pci_enable_device_flags+0x155/0x200
[ 10.393411] drm_get_pci_dev+0xde/0x2c0
[ 10.397482] nouveau_drm_probe+0x1b9/0x240 [nouveau]
[ 10.402583] ? __pm_runtime_resume+0x68/0xb0
[ 10.407001] local_pci_probe+0x5e/0xf0
[ 10.410890] work_for_cpu_fn+0x10/0x30
[ 10.414780] process_one_work+0x21a/0x670
[ 10.418925] worker_thread+0x256/0x500
[ 10.422816] ? manage_workers+0x1e0/0x1e0
[ 10.426967] kthread+0x169/0x220
[ 10.430328] ? kthread_create_worker_on_cpu+0x40/0x40
[ 10.435524] ret_from_fork+0x1f/0x30
[ 10.439246] Code: da eb ea 31 c0 eb eb 0f b6 1d ce b0 a6 01 80 fb 01 77 2c 83 e3 01 75 d5 48 c7 c7 f8 f1 3f 82 c6 05 b6 b0 a6 01 01 e8 c8 00 8d ff <0f> ff eb be 31 f6 48 c7 c7 a0 14 c7 82 e8 a6 7d 0d 00 eb 91 0f
[ 10.458480] ---[ end trace 08f29138ff4259e7 ]---
Appears to be benign: no obvious breakage afterwards.
I have not bisected yet -- would you want me to?
Meow!
--
< darkling> When all you have is a hammock, every problem looks like a nap.