
Bug#1029602: vmwgfx: kernel oops when using fbterm in vmware
Hi,

On Wed, Jan 25, 2023 at 06:18:35PM +0800, Keyu Tao wrote:
> Source: linux
> Severity: normal
> X-Debbugs-Cc: taoky99@outlook.com
> 
> Dear Maintainer,
> 
> It seems that fbterm triggers an out-of-bound memory write (memcpy) when vmwgfx loads.
> 
> Dmesg oops message:
> 
> [  214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
> [  214.781348] #PF: supervisor write access in kernel mode
> [  214.781691] #PF: error_code(0x0002) - not-present page
> [  214.782130] PGD 1000067 P4D 1000067 PUD 11b3067 PMD 2427067 PTE 0
> [  214.782610] Oops: 0002 [#1] SMP PTI
> [  214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted 5.10.0-21-amd64 #1 Debian 5.10.162-1
> [  214.783902] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020
> [  214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
> [  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
> [  214.785765] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
> [  214.787323] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
> [  214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
> [  214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
> [  214.788553] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [  214.788983] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
> [  214.789386] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
> [  214.790137] FS:  0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
> [  214.790680] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
> [  214.791729] Call Trace:
> [  214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
> [  214.792777]  process_one_work+0x1b3/0x350
> [  214.793187]  worker_thread+0x53/0x3e0
> [  214.793626]  ? process_one_work+0x350/0x350
> [  214.794045]  kthread+0x118/0x140
> [  214.794448]  ? __kthread_bind_mask+0x60/0x60
> [  214.794871]  ret_from_fork+0x1f/0x30
> [  214.795260] Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm irqbypass rapl overlay vmw_balloon btusb btrtl btbcm joydev btintel pcspkr serio_raw bluetooth snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi snd_seq_device jitterentropy_rng snd_pcm snd_timer drbg ansi_cprng snd ecdh_generic rfkill soundcore ecc sg vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ac evdev binfmt_misc parport_pc ppdev nfsd configfs fuse lp parport auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod
> [  214.795316]  hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel sr_mod cdrom ghash_clmulni_intel ata_generic vmwgfx aesni_intel xhci_pci libaes crypto_simd ttm cryptd ata_piix glue_helper drm_kms_helper cec xhci_hcd ehci_pci drm uhci_hcd mptspi mptscsih ehci_hcd mptbase libata psmouse scsi_transport_spi usbcore e1000 usb_common scsi_mod i2c_piix4 button
> [  214.803260] CR2: ffffae3dc1171000
> [  214.803722] ---[ end trace d0b2266ea0877554 ]---
> [  214.804283] RIP: 0010:memcpy_orig+0x29/0x123
> [  214.804727] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
> [  214.806126] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
> [  214.806585] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
> [  214.807069] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
> [  214.807549] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [  214.808025] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
> [  214.808658] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
> [  214.809137] FS:  0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
> [  214.809596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  214.810078] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
> 
> How to reproduce:
> 
> 1. sudo apt install fbterm
> 2. Switch to a TTY (such as tty1), and run fbterm as a user with read and write permission to /dev/fb0
> 3. Run fbterm, and hold Enter for a few seconds (to make it scroll)
> 4. Oops!

Can you check if you can trigger the issue with the latest 5.10.y
version, and report it upstream? (Please keep us in the loop.)

Regards,
Salvatore
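The oops quoted above contains enough register state to work out where the copy ran off its destination. What follows is an added example, not code from the bug report, from Debian or from the vmwgfx driver: it parses the #PF lines and the register dump and reconstructs the memcpy. It assumes the layout of memcpy_orig that the Code: bytes in the dump disassemble to (the original destination is saved in RAX; at memcpy_orig+0x29, the first store of the 32-byte forward loop, RDX holds the length minus 0x40 minus the bytes already written, and RSI has already been advanced past the current 32-byte chunk). Everything else is taken from the dump itself.

```python
"""Decode the memcpy_orig page fault from the vmwgfx oops in this report.

Added example; not code from the bug report, Debian or vmwgfx.  It parses the
register dump and reconstructs how far the copy got before it wrote into a
not-present page.
"""
import re

# Constructed sample: the relevant lines copied from the oops in the report.
OOPS = """\
[  214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
[  214.781348] #PF: supervisor write access in kernel mode
[  214.781691] #PF: error_code(0x0002) - not-present page
[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[  214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.788983] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[  214.789386] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[  214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
[  214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
[  214.792777]  process_one_work+0x1b3/0x350
"""

PAGE = 0x1000
TS_RE = re.compile(r'^\[\s*[\d.]+\]\s*')                       # dmesg timestamp
REG_RE = re.compile(r'\b([A-Z][A-Z0-9]{1,2}):\s([0-9a-f]{16})\b')  # RAX: 0123...
FRAME_RE = re.compile(r'^\??\s*([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)')


def parse_oops(text):
    """Return (info, regs): page-fault facts, RIP symbol and call-trace frames,
    plus every 64-bit register value printed in the dump."""
    info = {'fault_addr': None, 'access': None, 'rip': None, 'frames': []}
    regs = {}
    for raw in text.splitlines():
        line = TS_RE.sub('', raw)
        m = re.match(r'BUG: unable to handle page fault for address: ([0-9a-f]+)', line)
        if m:
            info['fault_addr'] = int(m.group(1), 16)
            continue
        m = re.match(r'#PF: (?:supervisor|user) (read|write|instruction fetch)', line)
        if m:
            info['access'] = m.group(1)
            continue
        m = re.match(r'RIP: [0-9a-f]{4}:(\S+)', line)
        if m:
            info['rip'] = m.group(1)
            continue
        found = REG_RE.findall(line)
        if found:
            regs.update({name: int(val, 16) for name, val in found})
            continue
        m = FRAME_RE.match(line)
        if m:
            info['frames'].append(m.group(1))
    return info, regs


def decode_memcpy_fault(info, regs):
    """Reconstruct the faulting memcpy from the register state.

    Assumption (from the Code: bytes in the dump, not from any kernel source
    quoted on the page): memcpy_orig saves the destination in RAX, and at
    memcpy_orig+0x29, the first store of its 32-byte forward loop, RDX equals
    length - 0x40 - bytes_already_written while RSI already points past the
    32-byte chunk being copied.
    """
    if not info['rip'] or not info['rip'].startswith('memcpy_orig'):
        raise ValueError('not a memcpy_orig fault: %r' % (info['rip'],))
    dst_start, dst_now, src_now = regs['RAX'], regs['RDI'], regs['RSI']
    copied = dst_now - dst_start          # bytes stored before the fault
    remaining = regs['RDX'] + 0x40        # bytes the caller still wanted
    return {
        'write_fault': info['access'] == 'write',
        'fault_on_dst': info['fault_addr'] == dst_now == regs['CR2'],
        'fault_page_aligned': info['fault_addr'] % PAGE == 0,
        'dst_start': dst_start,
        'src_start': src_now - copied - 0x20,
        'copied': copied,
        'remaining': remaining,
        'length': copied + remaining,
        'caller': info['frames'][0] if info['frames'] else None,
    }


def summarize(text):
    """Parse an oops and attach a one-line verdict to the decoded copy."""
    info, regs = parse_oops(text)
    d = decode_memcpy_fault(info, regs)
    if d['write_fault'] and d['fault_on_dst'] and d['fault_page_aligned']:
        d['verdict'] = ('destination overrun: %d-byte copy to %#x reached the '
                        'not-present page at %#x after %d bytes (caller %s)'
                        % (d['length'], d['dst_start'], regs['CR2'],
                           d['copied'], d['caller']))
    else:
        d['verdict'] = 'inconclusive: fault is not a page-aligned write to RDI'
    return d


if __name__ == '__main__':
    print(summarize(OOPS)['verdict'])
```

Run as is, it reports 1024 bytes written from 0xffffae3dc1170c00 before the first byte of 0xffffae3dc1171000 faulted, with 2176 bytes of a 3200-byte copy still to go. Two things corroborate the assumed memcpy_orig layout: the reconstructed length 0xc80 is also sitting in RCX and R15, and the reconstructed source start equals R12. For anyone reproducing the bug, the useful fact is that the copy in vmw_fb_dirty_flush starts 1024 bytes before a page boundary and is asked to continue 2176 bytes past it into a page that is not mapped.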
