Hi,

On Wed, Jan 25, 2023 at 06:18:35PM +0800, Keyu Tao wrote:
> Source: linux
> Severity: normal
> X-Debbugs-Cc: taok...@outlook.com
>
> Dear Maintainer,
>
> It seems that fbterm triggers an out-of-bound memory write (memcpy) when
> vmwgfx loads.
>
> Dmesg oops message:
>
> [ 214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
> [ 214.781348] #PF: supervisor write access in kernel mode
> [ 214.781691] #PF: error_code(0x0002) - not-present page
> [ 214.782130] PGD 1000067 P4D 1000067 PUD 11b3067 PMD 2427067 PTE 0
> [ 214.782610] Oops: 0002 [#1] SMP PTI
> [ 214.783069] CPU: 0 PID: 372 Comm: kworker/0:4 Kdump: loaded Not tainted 5.10.0-21-amd64 #1 Debian 5.10.162-1
> [ 214.783902] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/22/2020
> [ 214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
> [ 214.785153] RIP: 0010:memcpy_orig+0x29/0x123
> [ 214.785765] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
> [ 214.787323] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
> [ 214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
> [ 214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
> [ 214.788553] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [ 214.788983] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
> [ 214.789386] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
> [ 214.790137] FS: 0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
> [ 214.790680] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 214.791290] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
> [ 214.791729] Call Trace:
> [ 214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
> [ 214.792777]  process_one_work+0x1b3/0x350
> [ 214.793187]  worker_thread+0x53/0x3e0
> [ 214.793626]  ? process_one_work+0x350/0x350
> [ 214.794045]  kthread+0x118/0x140
> [ 214.794448]  ? __kthread_bind_mask+0x60/0x60
> [ 214.794871]  ret_from_fork+0x1f/0x30
> [ 214.795260] Modules linked in: xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm irqbypass rapl overlay vmw_balloon btusb btrtl btbcm joydev btintel pcspkr serio_raw bluetooth snd_ens1371 snd_ac97_codec ac97_bus gameport snd_rawmidi snd_seq_device jitterentropy_rng snd_pcm snd_timer drbg ansi_cprng snd ecdh_generic rfkill soundcore ecc sg vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ac evdev binfmt_misc parport_pc ppdev nfsd configfs fuse lp parport auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod dm_mirror dm_region_hash dm_log dm_mod
> [ 214.795316]  hid_generic usbhid hid sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel sr_mod cdrom ghash_clmulni_intel ata_generic vmwgfx aesni_intel xhci_pci libaes crypto_simd ttm cryptd ata_piix glue_helper drm_kms_helper cec xhci_hcd ehci_pci drm uhci_hcd mptspi mptscsih ehci_hcd mptbase libata psmouse scsi_transport_spi usbcore e1000 usb_common scsi_mod i2c_piix4 button
> [ 214.803260] CR2: ffffae3dc1171000
> [ 214.803722] ---[ end trace d0b2266ea0877554 ]---
> [ 214.804283] RIP: 0010:memcpy_orig+0x29/0x123
> [ 214.804727] Code: 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83
> [ 214.806126] RSP: 0018:ffffae3dc0807e00 EFLAGS: 00010202
> [ 214.806585] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
> [ 214.807069] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
> [ 214.807549] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [ 214.808025] R10: 0000000000000000 R11: 0000000000000000 R12: ffffae3dc0e93600
> [ 214.808658] R13: ffff9f70f41c94e8 R14: ffff9f70e2c56400 R15: 0000000000000c80
> [ 214.809137] FS: 0000000000000000(0000) GS:ffff9f7111800000(0000) knlGS:0000000000000000
> [ 214.809596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 214.810078] CR2: ffffae3dc1171000 CR3: 000000002360a003 CR4: 00000000003706f0
>
> How to reproduce:
>
> 1. sudo apt install fbterm
> 2. Switch to TTY (such as tty1), and run fbterm by users with read and write
>    permission to /dev/fb0
> 3. Run fbterm, and hold Enter for a few seconds (to make it scroll)
> 4. Oops!
Can you check if you can trigger the issue with the latest 5.10.y version, and report it upstream? (Please keep us in the loop.)

Regards,
Salvatore
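As an added triage helper (not part of the bug report, Debian's tooling or the kernel), the Python below pulls the fault address, registers and call trace out of an oops like the one quoted above and checks the facts a reviewer would want before reporting it upstream as an out-of-bounds memcpy: the faulting store targets RDI, the fault address is page-aligned, and RDI minus RAX (memcpy_orig saves the original destination in RAX, as the `48 89 f8` mov at the start of the Code: bytes shows) gives how far the copy got before it ran off the mapped region. The sample input is a constructed, abridged copy of the oops quoted in the report.

```python
import re

# Constructed sample: lines taken from the oops quoted in the report above (abridged).
SAMPLE_OOPS = """\
[  214.780971] BUG: unable to handle page fault for address: ffffae3dc1171000
[  214.784694] Workqueue: events vmw_fb_dirty_flush [vmwgfx]
[  214.785153] RIP: 0010:memcpy_orig+0x29/0x123
[  214.787721] RAX: ffffae3dc1170c00 RBX: ffff9f70f41c9000 RCX: 0000000000000c80
[  214.788147] RDX: 0000000000000840 RSI: ffffae3dc0e93a20 RDI: ffffae3dc1171000
[  214.791729] Call Trace:
[  214.792302]  vmw_fb_dirty_flush+0x247/0x350 [vmwgfx]
[  214.795260] Modules linked in: vmwgfx ttm drm
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
REG = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")

def parse_oops(text):
    info = {"regs": {}, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if in_trace:
            if line.startswith("Modules linked in"):
                in_trace = False  # the module list ends the trace in an x86 oops
            elif line:
                info["trace"].append(line.lstrip("? ").split()[0])
            continue
        if m := re.match(r"BUG: unable to handle page fault for address: ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.match(r"Workqueue: \S+ (\S+)", line):
            info["workqueue"] = m.group(1)
        elif m := re.match(r"RIP: \d+:(\S+)", line):
            info["rip"] = m.group(1)
        elif line == "Call Trace:":
            in_trace = True
        else:
            info["regs"].update((r, int(v, 16)) for r, v in REG.findall(line))
    return info

def triage(info):
    # Facts worth checking before calling this an out-of-bounds forward memcpy.
    regs, fault = info["regs"], info["fault_addr"]
    out = {"page_aligned": fault % 4096 == 0,  # copy ran off the end of a mapped page
           "faulting_symbol": info["rip"].split("+")[0],
           "top_frame": info["trace"][0].split("+")[0] if info["trace"] else None}
    # memcpy_orig begins with mov %rdi,%rax (48 89 f8 in the Code: bytes): RAX keeps the original destination, RDI advances, and the faulting store is to (%rdi).
    if out["faulting_symbol"] == "memcpy_orig" and "RAX" in regs and "RDI" in regs:
        out["dest_is_fault_addr"] = regs["RDI"] == fault
        out["bytes_copied_before_fault"] = regs["RDI"] - regs["RAX"]
    return out
```

Run against the quoted oops this reports a page-aligned write fault exactly at RDI, 0x400 bytes past the original destination, reached from vmw_fb_dirty_flush; the same parser works on a full `dmesg` capture.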