Hi Bonaccorso,

I have tested the vanilla 5.10.165 and the 6.0.12-1 in bullseye-backports, and they both have this bug.

I'm going to compile a mainline kernel and then report this bug. BTW, I'm not sure... does it mean to Cc 1029...@bugs.debian.org when reporting to upstream to "keep in the loop"?

Thank you.

On 1/28/23 23:44, Salvatore Bonaccorso wrote:
Hi,

On Wed, Jan 25, 2023 at 06:18:35PM +0800, Keyu Tao wrote:
Source: linux
Severity: normal
X-Debbugs-Cc: taok...@outlook.com

Dear Maintainer,

It seems that fbterm triggers an out-of-bound memory write (memcpy) when vmwgfx loads.

Dmesg oops message:

[  214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
[  214.781348] #PF: supervisor write access in kernel mode
[  214.781691] #PF: error_code(0x0002) - not-present page
[  214.782130] PGD 1000067 P4D 1000067 PUD 11b3067 PMD 2427067 PTE 0
[  214.782610] Oops: 0002 [#1] SMP PTI
[  214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted 
5.10.0-21-amd64 #1 Debian 5.10.162-1
[  214.783902] Hardware name: VMware, Inc. VMware Virtual Platform/440BX 
Desktop Reference Platform, BIOS 6.00 07/22/2020
[  214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[  214.785765] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 
ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 
4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[  214.787323] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
[  214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.788553] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  214.788983] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[  214.789386] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[  214.790137] FS:  0000000000000000(0000) GS:ffff9f7111800000(0000) 
knlGS:0000000000000000
[  214.790680] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
[  214.791729] Call Trace:
[  214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
[  214.792777]  process_one_work+0x1b3/0x350
[  214.793187]  worker_thread+0x53/0x3e0
[  214.793626]  ? process_one_work+0x350/0x350
[  214.794045]  kthread+0x118/0x140
[  214.794448]  ? __kthread_bind_mask+0x60/0x60
[  214.794871]  ret_from_fork+0x1f/0x30
[  214.795260] Modules linked in: xt_conntrack xt_MASQUERADE 
nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter 
iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter 
bridge stp llc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm 
irqbypass rapl overlay vmw_balloon btusb btrtl btbcm joydev btintel pcspkr 
serio_raw bluetooth snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi 
snd_seq_device jitterentropy_rng snd_pcm snd_timer drbg ansi_cprng snd 
ecdh_generic rfkill soundcore ecc sg vsock_loopback 
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ac 
evdev binfmt_misc parport_pc ppdev nfsd configfs fuse lp parport auth_rpcgss 
nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 
btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq 
async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath 
linear md_mod dm_mirror dm_region_hash dm_log dm_mod
[  214.795316]  hid_generic usbhid hid sd_mod t10_pi crc_t10dif 
crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel 
sr_mod cdrom ghash_clmulni_intel ata_generic vmwgfx aesni_intel xhci_pci libaes 
crypto_simd ttm cryptd ata_piix glue_helper drm_kms_helper cec xhci_hcd 
ehci_pci drm uhci_hcd mptspi mptscsih ehci_hcd mptbase libata psmouse 
scsi_transport_spi usbcore e1000 usb_common scsi_mod i2c_piix4 button
[  214.803260] CR2: ffffae3dc1171000
[  214.803722] ---[ end trace d0b2266ea0877554 ]---
[  214.804283] RIP: 0010:memcpy_orig+0x29/0x123
[  214.804727] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 
ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 
4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
[  214.806126] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
[  214.806585] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.807069] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.807549] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  214.808025] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
[  214.808658] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
[  214.809137] FS:  0000000000000000(0000) GS:ffff9f7111800000(0000) 
knlGS:0000000000000000
[  214.809596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  214.810078] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0

How to reproduce:

1. sudo apt install fbterm
2. Switch to TTY (such as tty1), and run fbterm by users with read and write permission to /dev/fb0
3. Run fbterm, and hold Enter for a few seconds (to make it scroll)
4. Oops!

Can you check if you can trigger the issue with the latest 5.10.y
version, and report it upstream? (keep us please in the loop).

Regards,
Salvatore
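The oops quoted above carries enough register state to confirm, without a debugger, that the write ran off the end of its destination: the faulting address equals RDI (the memcpy destination cursor) and CR2, it is page-aligned, and the page is not present. The following triage script is an added example, not part of the bug report or of the Debian or vmwgfx code; it parses the quoted register lines and relates them. It assumes the x86-64 memcpy_orig layout visible in the report's Code: bytes (mov rax,rdi; two sub rdx,0x20 before the first store; 32-byte blocks), so that RAX still holds the original destination, RDI the current write position, and RDX the remaining length after those subtractions.

```python
import re

# Constructed input: the relevant lines of the oops quoted in the bug report above.
OOPS_EXCERPT = """\
[  214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
[  214.781348] #PF: supervisor write access in kernel mode
[  214.781691] #PF: error_code(0x0002) - not-present page
[  214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[  214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
"""

PAGE_SIZE = 0x1000
BLOCK = 0x20  # memcpy_orig moves 4x8 bytes per loop iteration (see the Code: bytes)

TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")
FAULT_RE = re.compile(r"BUG: unable to handle page fault for address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:([^+\s]+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
WQ_RE = re.compile(r"Workqueue: \S+ (\S+)")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-9]): ([0-9a-f]{16})")


def parse_oops(text):
    """Extract fault address, access type, faulting symbol, workqueue function and registers."""
    info = {"regs": {}}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)  # drop the "[  214.780971] " timestamp prefix
        if m := FAULT_RE.search(line):
            info["fault_addr"] = int(m.group(1), 16)
        elif line.startswith("#PF:") and "access" in line:
            info["write"] = "write access" in line
        elif m := RIP_RE.search(line):
            info["rip_sym"] = m.group(1)
            info["rip_off"] = int(m.group(2), 16)
        elif m := WQ_RE.search(line):
            info["work_fn"] = m.group(1)
        else:
            for reg, val in REG_RE.findall(line):
                info["regs"][reg] = int(val, 16)
    return info


def triage_memcpy_fault(info):
    """Relate the faulting address to the memcpy_orig register state.

    Assumption (from the memcpy_orig prologue in the report's Code: bytes): RAX is the
    original destination, RDI the current destination cursor, and RDX has had 0x20
    subtracted once before the loop and once per 32-byte block, the faulting block included.
    """
    regs, fault = info["regs"], info["fault_addr"]
    offset = fault - regs["RAX"]            # bytes already written when the store faulted
    blocks_done = offset // BLOCK
    original_len = regs["RDX"] + BLOCK * (blocks_done + 1) + BLOCK
    return {
        "in_memcpy": info.get("rip_sym") == "memcpy_orig",
        "write_to_dest": bool(info.get("write"))
        and regs.get("RDI") == fault
        and regs.get("CR2") == fault,
        "page_aligned": fault % PAGE_SIZE == 0,
        "offset_into_copy": offset,
        "bytes_remaining": regs["RDX"],
        "original_len": original_len,
    }


def verdict(t, info):
    """One-line reading of the triage result for a bug report or incident note."""
    if t["in_memcpy"] and t["write_to_dest"] and t["page_aligned"]:
        return (
            f"{info.get('work_fn', '?')}: memcpy destination mapping ends at a page boundary "
            f"{t['offset_into_copy']:#x} bytes into a {t['original_len']:#x}-byte copy "
            f"({t['bytes_remaining']:#x} bytes still to write); destination is shorter than the copy"
        )
    return "fault does not match a memcpy destination overrun pattern"


if __name__ == "__main__":
    parsed = parse_oops(OOPS_EXCERPT)
    result = triage_memcpy_fault(parsed)
    print(verdict(result, parsed))
```

For the quoted oops this yields an overrun 0x400 bytes into a 0xc80-byte copy, which is also the value of RCX and R15 in the dump, consistent with one framebuffer scanline being copied past the end of the mapped destination; the same check can be applied to any x86-64 oops whose RIP lands in memcpy_orig.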
