PAX: size overflow detected in function qxlfb_framebuffer_dirty
Posted: Fri Sep 02, 2016 3:11 pm
Hello,
With 4.7.2.201608312326 I'm getting a kernel panic on boot with VM guests under Qemu/KVM. It seems to be related to the qxl driver: if I blacklist it, it boots just fine. I've managed to capture the crash via the serial console:
Code:
[ 67.266773] PAX: size overflow detected in function qxlfb_framebuffer_dirty drivers/gpu/drm/qxl/qxl_fb.c:207 cicus.183_84 min, count: 46, decl: width; num: 0; context: fb_image;
[ 67.266777] CPU: 1 PID: 112 Comm: kworker/1:2 Not tainted 4.7.2.201608312326-1-grsec #1
[ 67.266778] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[ 67.266784] Workqueue: events ffffffffc03ff270
[ 67.266788] 66fe7d2000000002 66fe7d202f85e968 0000000000000286 0000000000000000
[ 67.266790] ffffc9000090bc80 ffffffffad335493 0000000000000000 66fe7d202f85e968
[ 67.266791] ffffffffc03c8e3c 00000000000000cf ffffc9000090bcb0 ffffffffad1f1c9c
[ 67.266792] Call Trace:
[ 67.266803] [<ffffffffad335493>] dump_stack+0x76/0xd3
[ 67.266812] [<ffffffffad1f1c9c>] report_size_overflow+0x6c/0x90
[ 67.266819] [<ffffffffc03d014d>] qxlfb_framebuffer_dirty+0x26d/0x2b0 [qxl]
[ 67.266826] [<ffffffffad0ae290>] ? set_next_entity+0x50/0xa40
[ 67.266828] [<ffffffffad0b3259>] ? put_prev_entity+0x39/0x960
[ 67.266834] [<ffffffffad0569e6>] ? native_pax_close_kernel+0x26/0x50
[ 67.266835] [<ffffffffad056fb0>] ? native_load_tls+0x40/0x60
[ 67.266843] [<ffffffffc03ff2ff>] drm_fb_helper_dirty_work+0x8f/0xd0 [drm_kms_helper]
[ 67.266846] [<ffffffffad093e44>] process_one_work+0x184/0x3e0
[ 67.266848] [<ffffffffad0940f8>] worker_thread+0x58/0x4e0
[ 67.266850] [<ffffffffad0940a0>] ? process_one_work+0x3e0/0x3e0
[ 67.266852] [<ffffffffad09aefa>] kthread+0xea/0x120
[ 67.266855] [<ffffffffad6b144e>] ret_from_fork+0x1e/0x50
[ 67.266857] [<ffffffffad09ae10>] ? kthread_worker_fn+0x1c0/0x1c0
[ 67.266935] BUG: unable to handle kernel paging request at ffffffffffffffd8
[ 67.266938] IP: [<ffffffffad09b471>] kthread_data+0x11/0x30
[ 67.266940] PGD 2daf0067 PUD 2daf3067 PMD 0
[ 67.266942] Oops: 0000 [#1] PREEMPT SMP
[ 67.266980] Modules linked in: qxl ttm drm_kms_helper drm syscopyarea sysfillrect sysimgblt fb_sys_fops ip6table_filter ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_raw ip6table_mangle ip6_tables xt_tcpudp xt_multiport xt_conntrack iptable_filter iptable_nat nfnetlink_log nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nfnetlink nf_conntrack iptable_raw iptable_mangle iTCO_wdt iTCO_vendor_support joydev mousedev ppdev evdev crc32c_intel acpi_cpufreq input_leds psmouse led_class tpm_tis shpchp parport_pc mac_hid lpc_ich i2c_i801 tpm parport intel_agp intel_gtt serio_raw pcspkr button qemu_fw_cfg sch_fq_codel ip_tables x_tables ext4 crc16 jbd2 mbcache hid_generic usbhid hid sr_mod cdrom ahci uhci_hcd libahci atkbd libps2 virtio_balloon virtio_blk virtio_console virtio_net ehci_pci libata ehci_hcd scsi_mod i8042 virtio_pci virtio_ring serio usbcore usb_common virtio
[ 67.266988] CPU: 1 PID: 112 Comm: kworker/1:2 Not tainted 4.7.2.201608312326-1-grsec #1
[ 67.266989] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.9.3-20160701_074356-anatol 04/01/2014
[ 67.267001] task: ffff88013b2c4080 ti: ffff88013b2c4b08 task.ti: ffff88013b2c4b08
[ 67.267004] RIP: 0010:[<ffffffffad09b471>] [<ffffffffad09b471>] kthread_data+0x11/0x30
[ 67.267005] RSP: 0000:ffffc9000090bb58 EFLAGS: 00010002
[ 67.267006] RAX: 0000000000000000 RBX: ffff88013b2c4080 RCX: 0000000000000001
[ 67.267007] RDX: ffff88013c004220 RSI: 00000000ffffffff RDI: ffff88013b2c4080
[ 67.267008] RBP: ffffc9000090bb68 R08: 0000000000000030 R09: 0000000000000001
[ 67.267009] R10: 0000000000000000 R11: 0000000000017fd0 R12: 0000000000011640
[ 67.267010] R13: ffff88013b2c4638 R14: ffff88013fd11640 R15: ffff88013b2c4080
[ 67.267011] FS: 0000000000000000(0000) GS:ffff88013fd00000(0000) knlGS:0000000000000000
[ 67.267012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 67.267013] CR2: 0000040000000028 CR3: 000000002d9e9000 CR4: 00000000000006f0
[ 67.267018] Stack:
[ 67.267020] ffffffffad094a60 ffff88013fd11640 ffffc9000090bbb8 ffffffffad6ac266
[ 67.267021] ffff88013b2c4080 ffff8800379b6208 ffff88013b2c4080 ffff88013b2c4b08
[ 67.267023] ffff88013b2c4830 ffffc9000090bc10 ffffc9000090b730 ffffc9000090b730
[ 67.267023] Call Trace:
[ 67.267026] [<ffffffffad094a60>] ? wq_worker_sleeping+0x10/0xb0
[ 67.267031] [<ffffffffad6ac266>] __schedule+0x566/0x770
[ 67.267033] [<ffffffffad6ac4a7>] schedule+0x37/0xa0
[ 67.267036] [<ffffffffad0781b5>] do_exit+0x835/0xb90
[ 67.267039] [<ffffffffad0785b7>] do_group_exit+0x37/0xc0
[ 67.267041] [<ffffffffad1f1ca8>] report_size_overflow+0x78/0x90
[ 67.267045] [<ffffffffc03d014d>] qxlfb_framebuffer_dirty+0x26d/0x2b0 [qxl]
[ 67.267047] [<ffffffffad0ae290>] ? set_next_entity+0x50/0xa40
[ 67.267049] [<ffffffffad0b3259>] ? put_prev_entity+0x39/0x960
[ 67.267052] [<ffffffffad0569e6>] ? native_pax_close_kernel+0x26/0x50
[ 67.267053] [<ffffffffad056fb0>] ? native_load_tls+0x40/0x60
[ 67.267057] [<ffffffffc03ff2ff>] drm_fb_helper_dirty_work+0x8f/0xd0 [drm_kms_helper]
[ 67.267059] [<ffffffffad093e44>] process_one_work+0x184/0x3e0
[ 67.267061] [<ffffffffad0940f8>] worker_thread+0x58/0x4e0
[ 67.267063] [<ffffffffad0940a0>] ? process_one_work+0x3e0/0x3e0
[ 67.267065] [<ffffffffad09aefa>] kthread+0xea/0x120
[ 67.267066] [<ffffffffad6b144e>] ret_from_fork+0x1e/0x50
[ 67.267068] [<ffffffffad09ae10>] ? kthread_worker_fn+0x1c0/0x1c0
[ 67.267089] Code: e8 66 0f 1f 84 00 00 00 00 00 cc cc cc cc cc cc cc b8 31 04 36 76 00 00 00 00 55 48 89 e5 53 48 89 fb 48 8b 83 58 05 00 00 5b 5d <48> 8b 40 d8 48 0f ba 2c 24 3f c3 0f 1f 40 00 cc cc cc cc cc cc
[ 67.267091] RIP [<ffffffffad09b471>] kthread_data+0x11/0x30
[ 67.267091] RSP <ffffc9000090bb58>
[ 67.267092] CR2: ffffffffffffffd8
[ 67.267095] ---[ end trace 9379a49a32c8fd06 ]---
[ 67.267097] Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
[ 67.276292] Kernel Offset: 0x2c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 67.473675] ---[ end Kernel panic - not syncing: grsec: halting the system due to suspicious kernel crash caused by root
Just as a side note: I'm also getting scary-looking errors with vanilla 4.7.2, but the kernel does not crash:
Code:
[ 5.841427] [drm] Device Version 0.0
[ 5.841435] [drm] Compression level 0 log level 0
[ 5.841437] [drm] Currently using mode #0, list at 0x488
[ 5.841439] [drm] 12286 io pages at offset 0x1000000
[ 5.841440] [drm] 16777216 byte draw area at offset 0x0
[ 5.841442] [drm] RAM header offset: 0x3ffe000
[ 5.841444] [drm] rom modes offset 0x488 for 128 modes
[ 5.845193] [TTM] Zone kernel: Available graphics memory: 1509644 kiB
[ 5.845198] [TTM] Initializing pool allocator
[ 5.845206] [TTM] Initializing DMA pool allocator
[ 5.845221] [drm] qxl: 16M of VRAM memory size
[ 5.845222] [drm] qxl: 63M of IO pages memory ready (VRAM domain)
[ 5.845224] [drm] qxl: 64M of Surface memory size
[ 5.857878] [drm] main mem slot 1 [f4000000,3ffe000]
[ 5.857888] [drm] surface mem slot 2 [f8000000,4000000]
[ 5.861496] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[ 5.861499] [drm] No driver support for vblank timestamp query.
[ 5.862114] [drm] fb mappable at 0xF4000000, size 3145728
[ 5.862117] [drm] fb: depth 24, pitch 4096, width 1024, height 768
[ 5.862122] checking generic (f4000000 130000) vs hw (f4000000 1000000)
[ 5.862123] fb: switching to qxldrmfb from VESA VGA
[ 5.862166] Console: switching to colour dummy device 80x25
[ 5.862345] fbcon: qxldrmfb (fb0) is primary device
[ 5.876861] Console: switching to colour frame buffer device 128x48
[ 5.882593] qxl 0000:00:01.0: fb0: qxldrmfb frame buffer device
[ 5.903787] [drm] Initialized qxl 0.1.0 20120117 for 0000:00:01.0 on minor 0
[ 6.260842] [TTM] Buffer eviction failed
[ 6.260901] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 6.260955] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 6.693365] f 4026531841#14: failed to wait on release 1 after spincount 301
[ 6.693441] [TTM] Buffer eviction failed
[ 6.693497] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 6.693549] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 7.190312] [TTM] Buffer eviction failed
[ 7.190365] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 7.190417] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 7.562545] [TTM] Buffer eviction failed
[ 7.563540] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 7.564204] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 7.741391] [TTM] Buffer eviction failed
[ 7.742288] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 7.742933] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 7.805545] [TTM] Buffer eviction failed
[ 7.806380] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 7.806813] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 7.829647] [TTM] Buffer eviction failed
[ 7.829660] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 7.829671] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 9.709543] [TTM] Buffer eviction failed
[ 9.710057] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 9.710389] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 9.851880] [TTM] Buffer eviction failed
[ 9.852488] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 9.853019] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
[ 10.480022] [TTM] Buffer eviction failed
[ 10.480531] qxl 0000:00:01.0: object_init failed for (4026540032, 0x00000001)
[ 10.480917] [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
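The first log above shows the size_overflow plugin refusing a value that does not fit the declared `width` field of a `struct fb_image` (the `decl: width ... context: fb_image` part of the report) and, because the offending code runs in a kernel worker, the resulting `do_exit` from a kthread turns into the `kthread_data` oops and the grsec panic. The following is an added example, not the qxl driver's code and not a claim about which input triggered the report in this post: it shows how a dirty-rectangle handler that computes `width = x2 - x1` stores a wrapped value when the rectangle is reversed (x1 > x2, the usual "no damage" sentinel), and the explicit range check that the plugin's instrumentation enforces implicitly. The struct names `clip_rect` and `fb_image_like` and both sample rectangles are constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel structures involved, constructed for this
 * example (not the real drm_clip_rect / fb_image definitions). */
struct clip_rect {
    unsigned short x1, y1, x2, y2;   /* x1,y1 inclusive; x2,y2 exclusive */
};

struct fb_image_like {
    uint32_t dx, dy;                 /* destination origin */
    uint32_t width, height;          /* declared unsigned, like fb_image */
};

/* Unchecked variant: x2 - x1 is evaluated in int after promotion, so a
 * reversed clip yields a negative int that is converted to a huge u32 on
 * assignment. This is the kind of assignment the size_overflow plugin
 * instruments and reports. */
void fill_image_unchecked(struct fb_image_like *img, const struct clip_rect *c)
{
    img->dx = c->x1;
    img->dy = c->y1;
    img->width = c->x2 - c->x1;
    img->height = c->y2 - c->y1;
}

/* Checked variant: make the range test explicit. A negative intermediate
 * cannot be represented in the u32 field, and a zero-area rectangle has
 * nothing to draw, so both are rejected instead of being stored. */
bool fill_image_checked(struct fb_image_like *img, const struct clip_rect *c)
{
    int w = (int)c->x2 - (int)c->x1;
    int h = (int)c->y2 - (int)c->y1;

    if (w <= 0 || h <= 0)
        return false;                /* reversed or empty: do not submit */

    img->dx = c->x1;
    img->dy = c->y1;
    img->width = (uint32_t)w;
    img->height = (uint32_t)h;
    return true;
}

/* Constructed sample rectangles: a normal 1024x768 damage region, and the
 * "no damage" sentinel (x1 = y1 = ~0, x2 = y2 = 0) that a rectangle-merging
 * helper might hand over if it does not guard against an empty region. */
const struct clip_rect normal_clip   = { 0, 0, 1024, 768 };
const struct clip_rect reversed_clip = { 0xffff, 0xffff, 0, 0 };

/* Width the unchecked path would store for a given clip. */
uint32_t unchecked_width(const struct clip_rect *c)
{
    struct fb_image_like img = { 0 };
    fill_image_unchecked(&img, c);
    return img.width;
}

/* Width the checked path stores, or 0 when it rejects the clip. */
uint32_t checked_width(const struct clip_rect *c)
{
    struct fb_image_like img = { 0 };
    return fill_image_checked(&img, c) ? img.width : 0;
}

int main(void)
{
    printf("normal   clip: unchecked width=%" PRIu32 ", checked width=%" PRIu32 "\n",
           unchecked_width(&normal_clip), checked_width(&normal_clip));
    printf("reversed clip: unchecked width=%" PRIu32 " (wrapped), checked width=%" PRIu32 " (rejected)\n",
           unchecked_width(&reversed_clip), checked_width(&reversed_clip));
    return 0;
}
```

For the reversed sentinel the unchecked path stores 0xFFFF0001 (4294901761) as the image width, which is exactly the kind of value the plugin refuses at the assignment to `width`; the checked path rejects the rectangle before anything is submitted to the device. A driver-side fix would add a guard like the one in `fill_image_checked`, and a helper that merges damage rectangles should never call the dirty handler with its empty sentinel.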