
PAX: size overflow detected in function qxlfb_framebuffer_dirty

PostPosted: Fri Sep 02, 2016 3:11 pm
by fx3
Hello,

With 4.7.2.201608312326 I'm getting a kernel panic on boot with VM guests under Qemu/KVM. It seems to be related to the qxl driver: if I blacklist it, it boots just fine. I've managed to capture the crash via the serial console:

Code:
[   67.266773] PAX: size overflow detected in function qxlfb_framebuffer_dirty drivers/gpu/drm/qxl/qxl_fb.c:207 cicus.183_84 min, count: 46, decl: width; num: 0; context: fb_image;
[   67.266777] CPU: 1 PID: 112 Comm: kworker/1:2 Not tainted 4.7.2.201608312326-1-grsec #1
[   67.266778] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[   67.266784] Workqueue: events ffffffffc03ff270
[   67.266788]  66fe7d2000000002 66fe7d202f85e968 0000000000000286 0000000000000000
[   67.266790]  ffffc9000090bc80 ffffffffad335493 0000000000000000 66fe7d202f85e968
[   67.266791]  ffffffffc03c8e3c 00000000000000cf ffffc9000090bcb0 ffffffffad1f1c9c
[   67.266792] Call Trace:
[   67.266803]  [<ffffffffad335493>] dump_stack+0x76/0xd3
[   67.266812]  [<ffffffffad1f1c9c>] report_size_overflow+0x6c/0x90
[   67.266819]  [<ffffffffc03d014d>] qxlfb_framebuffer_dirty+0x26d/0x2b0 [qxl]
[   67.266826]  [<ffffffffad0ae290>] ? set_next_entity+0x50/0xa40
[   67.266828]  [<ffffffffad0b3259>] ? put_prev_entity+0x39/0x960
[   67.266834]  [<ffffffffad0569e6>] ? native_pax_close_kernel+0x26/0x50
[   67.266835]  [<ffffffffad056fb0>] ? native_load_tls+0x40/0x60
[   67.266843]  [<ffffffffc03ff2ff>] drm_fb_helper_dirty_work+0x8f/0xd0 [drm_kms_helper]
[   67.266846]  [<ffffffffad093e44>] process_one_work+0x184/0x3e0
[   67.266848]  [<ffffffffad0940f8>] worker_thread+0x58/0x4e0
[   67.266850]  [<ffffffffad0940a0>] ? process_one_work+0x3e0/0x3e0
[   67.266852]  [<ffffffffad09aefa>] kthread+0xea/0x120
[   67.266855]  [<ffffffffad6b144e>] ret_from_fork+0x1e/0x50
[   67.266857]  [<ffffffffad09ae10>] ? kthread_worker_fn+0x1c0/0x1c0
[   67.266935] BUG: unable to handle kernel paging request at ffffffffffffffd8
[   67.266938] IP: [<ffffffffad09b471>] kthread_data+0x11/0x30
[   67.266940] PGD 2daf0067 PUD 2daf3067 PMD 0
[   67.266942] Oops: 0000 [#1] PREEMPT SMP
[   67.266980] Modules linked in: qxl ttm drm_kms_helper drm syscopyarea sysfillrect sysimgblt fb_sys_fops ip6table_filter ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_raw ip6table_mangle ip6_tables xt_tcpudp xt_multiport xt_conntrack iptable_filter iptable_nat nfnetlink_log nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nfnetlink nf_conntrack iptable_raw iptable_mangle iTCO_wdt iTCO_vendor_support joydev mousedev ppdev evdev crc32c_intel acpi_cpufreq input_leds psmouse led_class tpm_tis shpchp parport_pc mac_hid lpc_ich i2c_i801 tpm parport intel_agp intel_gtt serio_raw pcspkr button qemu_fw_cfg sch_fq_codel ip_tables x_tables ext4 crc16 jbd2 mbcache hid_generic usbhid hid sr_mod cdrom ahci uhci_hcd libahci atkbd libps2 virtio_balloon virtio_blk virtio_console virtio_net ehci_pci libata ehci_hcd scsi_mod i8042 virtio_pci virtio_ring serio usbcore usb_common virtio
[   67.266988] CPU: 1 PID: 112 Comm: kworker/1:2 Not tainted 4.7.2.201608312326-1-grsec #1
[   67.266989] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[   67.267001] task: ffff88013b2c4080 ti: ffff88013b2c4b08 task.ti: ffff88013b2c4b08
[   67.267004] RIP: 0010:[<ffffffffad09b471>]  [<ffffffffad09b471>] kthread_data+0x11/0x30
[   67.267005] RSP: 0000:ffffc9000090bb58  EFLAGS: 00010002
[   67.267006] RAX: 0000000000000000 RBX: ffff88013b2c4080 RCX: 0000000000000001
[   67.267007] RDX: ffff88013c004220 RSI: 00000000ffffffff RDI: ffff88013b2c4080
[   67.267008] RBP: ffffc9000090bb68 R08: 0000000000000030 R09: 0000000000000001
[   67.267009] R10: 0000000000000000 R11: 0000000000017fd0 R12: 0000000000011640
[   67.267010] R13: ffff88013b2c4638 R14: ffff88013fd11640 R15: ffff88013b2c4080
[   67.267011] FS:  0000000000000000(0000) GS:ffff88013fd00000(0000) knlGS:0000000000000000
[   67.267012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   67.267013] CR2: 0000040000000028 CR3: 000000002d9e9000 CR4: 00000000000006f0
[   67.267018] Stack:
[   67.267020]  ffffffffad094a60 ffff88013fd11640 ffffc9000090bbb8 ffffffffad6ac266
[   67.267021]  ffff88013b2c4080 ffff8800379b6208 ffff88013b2c4080 ffff88013b2c4b08
[   67.267023]  ffff88013b2c4830 ffffc9000090bc10 ffffc9000090b730 ffffc9000090b730
[   67.267023] Call Trace:
[   67.267026]  [<ffffffffad094a60>] ? wq_worker_sleeping+0x10/0xb0
[   67.267031]  [<ffffffffad6ac266>] __schedule+0x566/0x770
[   67.267033]  [<ffffffffad6ac4a7>] schedule+0x37/0xa0
[   67.267036]  [<ffffffffad0781b5>] do_exit+0x835/0xb90
[   67.267039]  [<ffffffffad0785b7>] do_group_exit+0x37/0xc0
[   67.267041]  [<ffffffffad1f1ca8>] report_size_overflow+0x78/0x90
[   67.267045]  [<ffffffffc03d014d>] qxlfb_framebuffer_dirty+0x26d/0x2b0 [qxl]
[   67.267047]  [<ffffffffad0ae290>] ? set_next_entity+0x50/0xa40
[   67.267049]  [<ffffffffad0b3259>] ? put_prev_entity+0x39/0x960
[   67.267052]  [<ffffffffad0569e6>] ? native_pax_close_kernel+0x26/0x50
[   67.267053]  [<ffffffffad056fb0>] ? native_load_tls+0x40/0x60
[   67.267057]  [<ffffffffc03ff2ff>] drm_fb_helper_dirty_work+0x8f/0xd0 [drm_kms_helper]
[   67.267059]  [<ffffffffad093e44>] process_one_work+0x184/0x3e0
[   67.267061]  [<ffffffffad0940f8>] worker_thread+0x58/0x4e0
[   67.267063]  [<ffffffffad0940a0>] ? process_one_work+0x3e0/0x3e0
[   67.267065]  [<ffffffffad09aefa>] kthread+0xea/0x120
[   67.267066]  [<ffffffffad6b144e>] ret_from_fork+0x1e/0x50
[   67.267068]  [<ffffffffad09ae10>] ? kthread_worker_fn+0x1c0/0x1c0
[   67.267089] Code: e8 66 0f 1f 84 00 00 00 00 00 cc cc cc cc cc cc cc b8 31 04 36 76 00 00 00 00 55 48 89 e5 53 48 89 fb 48 8b 83 58 05 00 00 5b 5d <48> 8b 40 d8 48 0f ba 2c 24 3f c3 0f 1f 40 00 cc cc cc cc cc cc
[   67.267091] RIP  [<ffffffffad09b471>] kthread_data+0x11/0x30
[   67.267091]  RSP <ffffc9000090bb58>
[   67.267092] CR2: ffffffffffffffd8
[   67.267095] ---[ end trace 9379a49a32c8fd06 ]---
[   67.267097] Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
[   67.276292] Kernel Offset: 0x2c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   67.473675] ---[ end Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root



Just as a side note: I'm also getting scary-looking errors with vanilla 4.7.2, but the kernel does not crash:
Code:
[    5.841427] [drm] Device Version 0.0
[    5.841435] [drm] Compression level 0 log level 0
[    5.841437] [drm] Currently using mode #0, list at 0x488
[    5.841439] [drm] 12286 io pages at offset 0x1000000
[    5.841440] [drm] 16777216 byte draw area at offset 0x0
[    5.841442] [drm] RAM header offset: 0x3ffe000
[    5.841444] [drm] rom modes offset 0x488 for 128 modes
[    5.845193] [TTM] Zone  kernel: Available graphics memory: 1509644 kiB
[    5.845198] [TTM] Initializing pool allocator
[    5.845206] [TTM] Initializing DMA pool allocator
[    5.845221] [drm] qxl: 16M of VRAM memory size
[    5.845222] [drm] qxl: 63M of IO pages memory ready (VRAM domain)
[    5.845224] [drm] qxl: 64M of Surface memory size
[    5.857878] [drm] main mem slot 1 [f4000000,3ffe000]
[    5.857888] [drm] surface mem slot 2 [f8000000,4000000]
[    5.861496] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    5.861499] [drm] No driver support for vblank timestamp query.
[    5.862114] [drm] fb mappable at 0xF4000000, size 3145728
[    5.862117] [drm] fb: depth 24, pitch 4096, width 1024, height 768
[    5.862122] checking generic (f4000000 130000) vs hw (f4000000 1000000)
[    5.862123] fb: switching to qxldrmfb from VESA VGA
[    5.862166] Console: switching to colour dummy device 80x25
[    5.862345] fbcon: qxldrmfb (fb0) is primary device
[    5.876861] Console: switching to colour frame buffer device 128x48
[    5.882593] qxl 0000:00:01.0: fb0: qxldrmfb frame buffer device
[    5.903787] [drm] Initialized qxl 0.1.0 20120117 for 0000:00:01.0 on minor 0
[    6.260842] [TTM] Buffer eviction failed
[    6.260901] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    6.260955] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    6.693365] f 4026531841#14: failed to wait on release 1 after spincount 301
[    6.693441] [TTM] Buffer eviction failed
[    6.693497] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    6.693549] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    7.190312] [TTM] Buffer eviction failed
[    7.190365] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    7.190417] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    7.562545] [TTM] Buffer eviction failed
[    7.563540] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    7.564204] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    7.741391] [TTM] Buffer eviction failed
[    7.742288] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    7.742933] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    7.805545] [TTM] Buffer eviction failed
[    7.806380] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    7.806813] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    7.829647] [TTM] Buffer eviction failed
[    7.829660] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    7.829671] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    9.709543] [TTM] Buffer eviction failed
[    9.710057] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    9.710389] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[    9.851880] [TTM] Buffer eviction failed
[    9.852488] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[    9.853019] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[   10.480022] [TTM] Buffer eviction failed
[   10.480531] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[   10.480917] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO

Re: PAX: size overflow detected in function qxlfb_framebuffer_dirty

PostPosted: Fri Sep 02, 2016 3:41 pm
by ephox
Hi,

Could you please apply this patch and send me the results from dmesg:
Code:
--- drivers/gpu/drm/qxl/qxl_fb.c.orig   2016-09-02 21:39:22.337171889 +0200
+++ drivers/gpu/drm/qxl/qxl_fb.c        2016-09-02 21:40:11.713174754 +0200
@@ -204,6 +204,7 @@
                   clips->y1, clips->y2);
        image->dx = clips->x1;
        image->dy = clips->y1;
+       printk(KERN_ERR "PAX: x2: %hx x1: %hx\n", clips->x2, clips->x1);
        image->width = clips->x2 - clips->x1;
        image->height = clips->y2 - clips->y1;
        image->fg_color = 0xffffffff; /* unused, just to avoid uninitialized
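Review bot: The probe only logs clips->x1/clips->x2, but the hunk's context shows the same unchecked subtraction for the y axis (`image->height = clips->y2 - clips->y1;`), so a clip with y2 < y1 would trip the size-overflow plugin with no matching log line; print clips->y1 and clips->y2 in the same printk so one dmesg run covers both fields. Because this runs from the dirty-work callback on every update, an unconditional KERN_ERR line will flood the console (printk_ratelimited would keep a diagnostic build usable), and it should be removed again before any real fix. The real fix belongs at the two subtractions: check x2 >= x1 and y2 >= y1 (skipping or clamping the rectangle otherwise) before the differences are stored into the unsigned width and height.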

Re: PAX: size overflow detected in function qxlfb_framebuffer_dirty

PostPosted: Sun Sep 04, 2016 9:17 am
by fx3
Code:
[    8.389254] fbcon: qxldrmfb (fb0) is primary device
[    8.407137] Console: switching to colour frame buffer device 128x48
[    8.407255] PAX: x2: 400 x1: 0
[    8.407505] PAX: x2: 400 x1: 0
[    8.407682] PAX: x2: 400 x1: 0
[    8.407854] PAX: x2: 400 x1: 0
[    8.408033] PAX: x2: 400 x1: 0
[    8.408203] PAX: x2: 400 x1: 0
[    8.408374] PAX: x2: 400 x1: 0
[    8.408555] PAX: x2: 400 x1: 0
[    8.408725] PAX: x2: 400 x1: 0
[    8.408895] PAX: x2: 400 x1: 0
[    8.409068] PAX: x2: 400 x1: 0
[    8.409239] PAX: x2: 400 x1: 0
[    8.409489] PAX: x2: 400 x1: 0
[    8.409691] PAX: x2: 400 x1: 0
[    8.409893] PAX: x2: 0 x1: ffff
[    8.409895] PAX: size overflow detected in function qxlfb_framebuffer_dirty drivers/gpu/drm/qxl/qxl_fb.c:208 cicus.183_90 min, count: 46, decl: width; num: 0; context: fb_image;
[    8.409900] CPU: 0 PID: 34 Comm: kworker/0:1 Not tainted 4.7.2.201608312326-99-grsec #1
[    8.409901] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[    8.409908] Workqueue: events ffffffffc0384270
[    8.409912]  eb50af0800000002 eb50af08cdc96756 0000000000000286 0000000000000000
[    8.409914]  ffffc90000743c88 ffffffffb5335493 ffffffffb6108887 eb50af08cdc96756
[    8.409916]  ffffffffc035ce3c 00000000000000d0 ffffc90000743cb8 ffffffffb51f1c9c
[    8.409917] Call Trace:
[    8.409929]  [<ffffffffb5335493>] dump_stack+0x76/0xd3
[    8.409938]  [<ffffffffb51f1c9c>] report_size_overflow+0x6c/0x90
[    8.409958]  [<ffffffffc0364168>] qxlfb_framebuffer_dirty+0x288/0x2c0 [qxl]
[    8.409965]  [<ffffffffb50ae290>] ? set_next_entity+0x50/0xa40
[    8.409968]  [<ffffffffb50b3259>] ? put_prev_entity+0x39/0x960
[    8.409974]  [<ffffffffb50569e6>] ? native_pax_close_kernel+0x26/0x50
[    8.409975]  [<ffffffffb5056fb0>] ? native_load_tls+0x40/0x60
[    8.409988]  [<ffffffffc03842ff>] drm_fb_helper_dirty_work+0x8f/0xd0 [drm_kms_helper]
[    8.409991]  [<ffffffffb5093e44>] process_one_work+0x184/0x3e0
[    8.409993]  [<ffffffffb50940f8>] worker_thread+0x58/0x4e0
[    8.409995]  [<ffffffffb50940a0>] ? process_one_work+0x3e0/0x3e0
[    8.409997]  [<ffffffffb509aefa>] kthread+0xea/0x120
[    8.410000]  [<ffffffffb56b144e>] ret_from_fork+0x1e/0x50
[    8.410001]  [<ffffffffb509ae10>] ? kthread_worker_fn+0x1c0/0x1c0
[    8.410083] BUG: unable to handle kernel paging request at ffffffffffffffd8
[    8.410085] IP: [<ffffffffb509b471>] kthread_data+0x11/0x30
[    8.410088] PGD 35af0067 PUD 35af3067 PMD 0
[    8.410089] Oops: 0000 [#1] PREEMPT SMP
[    8.410123] Modules linked in: qxl(+) ttm drm_kms_helper joydev mousedev drm syscopyarea iTCO_wdt crc32c_intel sysfillrect iTCO_vendor_support ppdev sysimgblt fb_sys_fops evdev input_leds shpchp led_class lpc_ich i2c_i801 acpi_cpufreq mac_hid psmouse intel_agp serio_raw pcspkr intel_gtt parport_pc tpm_tis qemu_fw_cfg parport tpm button sch_fq_codel ip_tables x_tables ext4 crc16 jbd2 mbcache hid_generic usbhid hid sr_mod cdrom virtio_balloon ahci virtio_blk libahci virtio_console atkbd libps2 virtio_net uhci_hcd ehci_pci libata ehci_hcd virtio_pci virtio_ring scsi_mod virtio usbcore usb_common i8042 serio
[    8.410124] CPU: 0 PID: 34 Comm: kworker/0:1 Not tainted 4.7.2.201608312326-99-grsec #1
[    8.410125] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[    8.410138] task: ffff88013b4e8ac0 ti: ffff88013b4e9548 task.ti: ffff88013b4e9548
[    8.410141] RIP: 0010:[<ffffffffb509b471>]  [<ffffffffb509b471>] kthread_data+0x11/0x30
[    8.410142] RSP: 0000:ffffc90000743b60  EFLAGS: 00010002
[    8.410143] RAX: 0000000000000000 RBX: ffff88013b4e8ac0 RCX: 0000000000000000
[    8.410144] RDX: ffff88013c004220 RSI: 00000000ffffffff RDI: ffff88013b4e8ac0
[    8.410145] RBP: ffffc90000743b70 R08: 000000000000017c R09: 0000000000000000
[    8.410146] R10: 0000000000000000 R11: 000000000007d7e1 R12: 0000000000011640
[    8.410147] R13: ffff88013b4e9078 R14: ffff88013fc11640 R15: ffff88013b4e8ac0
[    8.410149] FS:  0000000000000000(0000) GS:ffff88013fc00000(0000) knlGS:0000000000000000
[    8.410150] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    8.410151] CR2: 0000040000000028 CR3: 00000000359e7000 CR4: 00000000000006f0
[    8.410156] Stack:
[    8.410158]  ffffffffb5094a60 ffff88013fc11640 ffffc90000743bc0 ffffffffb56ac266
[    8.410160]  ffff88013b4e8ac0 ffff8800375eb1a0 ffff88013b4e8ac0 ffff88013b4e9548
[    8.410161]  ffff88013b4e9270 ffffc90000743c18 ffffc90000743738 ffffc90000743738
[    8.410162] Call Trace:
[    8.410164]  [<ffffffffb5094a60>] ? wq_worker_sleeping+0x10/0xb0
[    8.410169]  [<ffffffffb56ac266>] __schedule+0x566/0x770
[    8.410171]  [<ffffffffb56ac4a7>] schedule+0x37/0xa0
[    8.410175]  [<ffffffffb50781b5>] do_exit+0x835/0xb90
[    8.410177]  [<ffffffffb50785b7>] do_group_exit+0x37/0xc0
[    8.410179]  [<ffffffffb51f1ca8>] report_size_overflow+0x78/0x90
[    8.410190]  [<ffffffffc0364168>] qxlfb_framebuffer_dirty+0x288/0x2c0 [qxl]
[    8.410192]  [<ffffffffb50ae290>] ? set_next_entity+0x50/0xa40
[    8.410194]  [<ffffffffb50b3259>] ? put_prev_entity+0x39/0x960
[    8.410196]  [<ffffffffb50569e6>] ? native_pax_close_kernel+0x26/0x50
[    8.410198]  [<ffffffffb5056fb0>] ? native_load_tls+0x40/0x60
[    8.410202]  [<ffffffffc03842ff>] drm_fb_helper_dirty_work+0x8f/0xd0 [drm_kms_helper]
[    8.410204]  [<ffffffffb5093e44>] process_one_work+0x184/0x3e0
[    8.410206]  [<ffffffffb50940f8>] worker_thread+0x58/0x4e0
[    8.410208]  [<ffffffffb50940a0>] ? process_one_work+0x3e0/0x3e0
[    8.410210]  [<ffffffffb509aefa>] kthread+0xea/0x120
[    8.410212]  [<ffffffffb56b144e>] ret_from_fork+0x1e/0x50
[    8.410213]  [<ffffffffb509ae10>] ? kthread_worker_fn+0x1c0/0x1c0
[    8.410234] Code: e8 66 0f 1f 84 00 00 00 00 00 cc cc cc cc cc cc cc b8 31 04 36 76 00 00 00 00 55 48 89 e5 53 48 89 fb 48 8b 83 58 05 00 00 5b 5d <48> 8b 40 d8 48 0f ba 2c 24 3f c3 0f 1f 40 00 cc cc cc cc cc cc
[    8.410236] RIP  [<ffffffffb509b471>] kthread_data+0x11/0x30
[    8.410237]  RSP <ffffc90000743b60>
[    8.410237] CR2: ffffffffffffffd8
[    8.410240] ---[ end trace 3a5df150738184bb ]---
[    8.410243] Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
[    8.410362] Kernel Offset: 0x34000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

Re: PAX: size overflow detected in function qxlfb_framebuffer_dirty

PostPosted: Mon Sep 05, 2016 12:05 pm
by ephox
Thanks for the report. I think this may be an upstream bug (integer underflow), please report it to the kernel developers.
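As an added illustration of the integer underflow ephox points to (example code written for this page, not code from the thread or from the qxl driver): the clip rectangle fields have the same unsigned short type as the kernel's struct drm_clip_rect, the image width is a 32-bit unsigned like struct fb_image's, and the inputs are the two value pairs logged above (x2: 400 x1: 0 and x2: 0 x1: ffff); the y values, the struct names and the checked variant are assumptions for the example. The unchecked function reproduces what the driver computes, `subtraction_underflows` states the condition the PaX size_overflow plugin reported, and `fill_image_checked` shows the validation that stops a swapped clip from producing a huge width.

```c
/* Added example (not code from the thread or the qxl driver): reproduces the
 * unsigned underflow that the PaX size_overflow plugin flagged in
 * qxlfb_framebuffer_dirty and shows the check that prevents it. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same field types as the kernel's struct drm_clip_rect (unsigned short). */
struct clip_rect {
    unsigned short x1, y1, x2, y2;
};

/* The fb_image fields the driver fills from the clip; width/height are __u32
 * in the kernel. The struct name is ours, chosen for the example. */
struct image_dims {
    uint32_t dx, dy, width, height;
};

/* What the driver does: the unsigned short operands promote to int, so a clip
 * with x1 > x2 yields a negative int that is then narrowed into the u32 width
 * (0 - 0xffff becomes 0xffff0001). */
static uint32_t image_width_unchecked(struct clip_rect c)
{
    return c.x2 - c.x1;
}

/* The condition the size_overflow plugin reports: the intermediate int result
 * is negative, so it cannot be represented in the unsigned destination. */
static int subtraction_underflows(unsigned short hi, unsigned short lo)
{
    return (int)hi - (int)lo < 0;
}

/* A clip rectangle is usable only if its ends are not swapped. */
static int clip_rect_valid(struct clip_rect c)
{
    return c.x2 >= c.x1 && c.y2 >= c.y1;
}

/* Hardened variant (assumed, not the upstream fix): refuse a malformed clip
 * instead of storing an underflowed size. Returns 0 on success, -EINVAL otherwise. */
static int fill_image_checked(struct clip_rect c, struct image_dims *img)
{
    if (!clip_rect_valid(c))
        return -EINVAL;
    img->dx = c.x1;
    img->dy = c.y1;
    img->width = (uint32_t)(c.x2 - c.x1);
    img->height = (uint32_t)(c.y2 - c.y1);
    return 0;
}

int main(void)
{
    /* Constructed inputs: x values as logged in the thread, y values made up. */
    struct clip_rect normal = { .x1 = 0, .y1 = 0, .x2 = 0x400, .y2 = 0x300 };
    struct clip_rect swapped = { .x1 = 0xffff, .y1 = 0, .x2 = 0, .y2 = 0 };
    struct image_dims img;

    printf("normal width:  %u\n", (unsigned)image_width_unchecked(normal));
    printf("swapped width: %#x (underflow: %d)\n",
           (unsigned)image_width_unchecked(swapped),
           subtraction_underflows(swapped.x2, swapped.x1));
    printf("checked fill of swapped clip: %d\n", fill_image_checked(swapped, &img));
    return 0;
}
```

The unchecked width for the swapped clip is 0xffff0001, which is exactly the kind of value the plugin refuses to let reach a framebuffer copy; the checked variant returns -EINVAL for that clip and leaves the image untouched.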