VMware Communities
cynar
Enthusiast

Linux VMware vmwgfx DRM driver (for Mesa svga3d) triggers kernel use-after-free warning (security?)

The Linux VMware vmwgfx DRM driver used in conjunction with the Mesa svga3d driver triggers a use-after-free kernel warning.

Below find my kernel stack trace, but please also refer to the very high number of incidents discoverable through https://retrace.fedoraproject.org/faf/problems/?component_names=&associate=__None&daterange=2023-04-... - in this list, search for "vmw_": this will massively under-report, as my crash function is "drm_gem_handle_delete", but quite obviously the flow is through "vmw_bo_unref_ioctl".

[ 77.493589] ------------[ cut here ]------------
[ 77.493593] refcount_t: underflow; use-after-free.
[ 77.493621] WARNING: CPU: 9 PID: 1197 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[ 77.493628] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_seq_device snd_timer snd soundcore rfkill qrtr vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock sunrpc intel_rapl_msr binfmt_misc intel_rapl_common rapl vmw_balloon pktcdvd pcspkr vmw_vmci i2c_piix4 joydev loop zram crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic nvme vmwgfx ghash_clmulni_intel nvme_core sha512_ssse3 nvme_common vmxnet3 drm_ttm_helper ttm serio_raw ata_generic pata_acpi ip6_tables ip_tables fuse
[ 77.493659] CPU: 9 PID: 1197 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
[ 77.493661] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 77.493662] RIP: 0010:refcount_warn_saturate+0xba/0x110
[ 77.493665] Code: 01 01 e8 e9 eb 92 ff 0f 0b c3 cc cc cc cc 80 3d 93 b3 ae 01 00 75 85 48 c7 c7 a8 9d 8d 8c c6 05 83 b3 ae 01 01 e8 c6 eb 92 ff <0f> 0b c3 cc cc cc cc 80 3d 71 b3 ae 01 00 0f 85 5e ff ff ff 48 c7
[ 77.493666] RSP: 0018:ffffb9df418c7c60 EFLAGS: 00010282
[ 77.493667] RAX: 0000000000000000 RBX: ffff9808f4136600 RCX: 0000000000000000
[ 77.493668] RDX: 0000000000000002 RSI: 0000000000000027 RDI: 00000000ffffffff
[ 77.493669] RBP: ffff980889e68800 R08: 0000000000000000 R09: ffffb9df418c7af0
[ 77.493670] R10: 0000000000000003 R11: ffff980baddfffe8 R12: 00000000000000bb
[ 77.493671] R13: ffff980889e68858 R14: ffff980889e68840 R15: 00000000000000bb
[ 77.493672] FS: 00007f0916a2a980(0000) GS:ffff980bae040000(0000) knlGS:0000000000000000
[ 77.493673] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 77.493674] CR2: 00007f1f1c0f1ca0 CR3: 00000001222ac005 CR4: 0000000000770ee0
[ 77.493696] PKRU: 55555554
[ 77.493697] Call Trace:
[ 77.493699] <TASK>
[ 77.493700] drm_gem_handle_delete+0x8c/0xd0
[ 77.493707] ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
[ 77.493725] vmw_bo_unref_ioctl+0xf/0x20 [vmwgfx]
[ 77.493738] drm_ioctl_kernel+0xc6/0x170
[ 77.493741] drm_ioctl+0x235/0x410
[ 77.493742] ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
[ 77.493752] ? __pfx_drm_ioctl+0x10/0x10
[ 77.493754] vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[ 77.493765] __x64_sys_ioctl+0x8d/0xd0
[ 77.493769] do_syscall_64+0x59/0x90
[ 77.493773] ? __pfx_drm_ioctl+0x10/0x10
[ 77.493774] ? vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[ 77.493783] ? __x64_sys_ioctl+0xa8/0xd0
[ 77.493785] ? syscall_exit_to_user_mode+0x17/0x40
[ 77.493786] ? do_syscall_64+0x68/0x90
[ 77.493787] ? do_syscall_64+0x68/0x90
[ 77.493788] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 77.493791] RIP: 0033:0x7f0916d28edd
[ 77.493803] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[ 77.493804] RSP: 002b:00007ffe0ae70f70 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 77.493805] RAX: ffffffffffffffda RBX: 00007f0884962320 RCX: 00007f0916d28edd
[ 77.493806] RDX: 00007ffe0ae71010 RSI: 0000000040086442 RDI: 0000000000000018
[ 77.493806] RBP: 00007ffe0ae70fc0 R08: 00007f08847e8b20 R09: 0000000000000000
[ 77.493807] R10: 00007ffe0af28080 R11: 0000000000000246 R12: 00007ffe0ae71010
[ 77.493808] R13: 0000000040086442 R14: 0000000000000018 R15: 00007f0884962858
[ 77.493809] </TASK>
[ 77.493809] ---[ end trace 0000000000000000 ]---

Reproducing system:

Install the distribution, start KDE -> much more often than not (if not every single time) get problem in the 

15 Replies
cynar
Enthusiast

Note that a use-after-free always leaves a bad taste, as those issues tend to offer an avenue for (memory-based security) attacks on systems.

Technogeezer
Immortal

Have you reported this to Fedora so that they can work with Linux and/or VMware developers to address this? Most recent Linux kernels are getting these vmwgfx driver modules from the Linux source tree (not from the open-vm-tools packages), so a defect may need to go upstream to the Linux kernel developers.


- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
cynar
Enthusiast

I appreciate where you are coming from.

Truth be told, I see two major core components in play here:

  • the Linux kernel with the various VMware vmw* modules
  • Mesa with the (VMware) svga3d driver

From a VMware customer's point of view, I am paying VMware to maintain those components, to take ownership of problems exposed in or through these components, to take care of the VMware reputation by addressing technical challenges.

Fedora Linux as an organization bundles what VMware have (kindly) pushed out, has an upstream-first policy (as opposed to, say, Ubuntu) and tries, AFAICS, to hold the owner (see above) of the components accountable for identifying any challenges.

I do understand that this posting here is totally void of any technical content - but, as a customer of VMware, I hope I made clear my expectations with respect to ownership and responsibilities.

wila
Immortal

Hi,

Point taken. Pardon me for jumping in.

For your information, the Community Forum is not an official support forum and is not actively monitored by VMware Support or Product Managers.

This is a community-based forum where VMware Workstation users help other users.

So most of the time - like now - you get an answer from a volunteer.

As a side note, there are VMware employees who keep an eye on the forums and try to help out, but they might not see every post and most - if not all of them - are doing so in their own free time.

To get official support please go to: Workstation Support and open a ticket at Get Support

This is one of those things for which you might want to make sure a ticket is open.

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
cynar
Enthusiast


@wila wrote:

Point taken. Pardon me for jumping in.

Many thanks for your response - and I hope I didn't come across too harshly 🙂

I myself have been singing the "community-based forum" song ever since NNTP was a thing, so I am somewhat aware of the various factors that come into play here (sadly so).

cynar
Enthusiast

FWIW, a real use-after-free: BUG: KFENCE: use-after-free read in drm_gem_handle_delete+0x4b/0xd0

I am under the impression that this is the VMware stack, all the way up and down, on Fedora 38 (with very up-to-date mesa).

***************

[17468.742850] ------------[ cut here ]------------
[17468.742856] refcount_t: addition on 0; use-after-free.
[17468.742888] WARNING: CPU: 14 PID: 2357 at lib/refcount.c:25 refcount_warn_saturate+0xe1/0x110
[17468.742899] Modules linked in: xt_mark xt_comment tun xt_nat veth xt_conntrack xt_MASQUERADE nf_conntrack_netlink xt_addrtype nft_compat br_netfilter bridge stp llc overlay snd_seq_dummy snd_hrtimer snd_seq snd_seq_device snd_timer snd soundcore nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock sunrpc binfmt_misc intel_rapl_msr intel_rapl_common rapl vmw_balloon pcspkr pktcdvd vmw_vmci i2c_piix4 joydev loop zram crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic nvme ghash_clmulni_intel vmwgfx sha512_ssse3 nvme_core vmxnet3 nvme_common drm_ttm_helper ttm serio_raw ata_generic pata_acpi ip6_tables ip_tables fuse
[17468.743014] CPU: 14 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
[17468.743016] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[17468.743018] RIP: 0010:refcount_warn_saturate+0xe1/0x110
[17468.743022] Code: eb 92 ff 0f 0b c3 cc cc cc cc 80 3d 91 b3 ae 01 00 0f 85 5e ff ff ff 48 c7 c7 38 9e 8d a7 c6 05 7d b3 ae 01 01 e8 bf eb 92 ff <0f> 0b c3 cc cc cc cc 48 c7 c7 90 9e 8d a7 c6 05 61 b3 ae 01 01 e8
[17468.743023] RSP: 0018:ffffac3b522f7a88 EFLAGS: 00010286
[17468.743025] RAX: 0000000000000000 RBX: ffff8f2e69d8b200 RCX: 0000000000000000
[17468.743027] RDX: 0000000000000003 RSI: 0000000000000027 RDI: 00000000ffffffff
[17468.743028] RBP: ffff8f2de8753e40 R08: 0000000000000000 R09: ffffac3b522f7918
[17468.743029] R10: 0000000000000003 R11: ffff8f30addfffe8 R12: 0000000000000001
[17468.743030] R13: ffffac3b522f7ad8 R14: ffffac3b522f7ae0 R15: ffffac3b522f7ad8
[17468.743031] FS: 00007f22f79ff6c0(0000) GS:ffff8f30ae180000(0000) knlGS:0000000000000000
[17468.743033] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17468.743034] CR2: 00007f22c28e3000 CR3: 000000015fc96002 CR4: 0000000000770ee0
[17468.743062] PKRU: 55555554
[17468.743063] Call Trace:
[17468.743066] <TASK>
[17468.743067] objects_lookup+0x8d/0xd0
[17468.743076] drm_gem_object_lookup+0x3a/0x60
[17468.743079] vmw_user_bo_lookup+0x11/0x70 [vmwgfx]
[17468.743140] vmw_translate_mob_ptr+0x56/0x170 [vmwgfx]
[17468.743153] vmw_cmd_res_switch_backup+0xa3/0xd0 [vmwgfx]
[17468.743165] vmw_execbuf_process+0x54b/0x1160 [vmwgfx]
[17468.743179] ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
[17468.743191] vmw_execbuf_ioctl+0x151/0x280 [vmwgfx]
[17468.743204] ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
[17468.743216] drm_ioctl_kernel+0xc6/0x170
[17468.743219] drm_ioctl+0x235/0x410
[17468.743221] ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
[17468.743234] ? __pfx_drm_ioctl+0x10/0x10
[17468.743236] vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[17468.743252] __x64_sys_ioctl+0x8d/0xd0
[17468.743274] do_syscall_64+0x59/0x90
[17468.743280] ? do_syscall_64+0x68/0x90
[17468.743281] ? syscall_exit_to_user_mode+0x17/0x40
[17468.743283] ? do_syscall_64+0x68/0x90
[17468.743285] ? do_syscall_64+0x68/0x90
[17468.743286] ? do_syscall_64+0x68/0x90
[17468.743288] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[17468.743291] RIP: 0033:0x7f2327528edd
[17468.743374] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[17468.743376] RSP: 002b:00007f22f79fcdf0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[17468.743378] RAX: ffffffffffffffda RBX: 0000000000000028 RCX: 00007f2327528edd
[17468.743379] RDX: 00007f22f79fceb0 RSI: 000000004028644c RDI: 0000000000000029
[17468.743380] RBP: 00007f22f79fce40 R08: 000000000000b3f0 R09: 00007f22f79fcf48
[17468.743381] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f22f79fceb0
[17468.743382] R13: 000000004028644c R14: 0000000000000029 R15: 00007f22f79fcf48
[17468.743385] </TASK>
[17468.743386] ---[ end trace 0000000000000000 ]---
[17468.942740] ------------[ cut here ]------------
[17468.942746] refcount_t: saturated; leaking memory.
[17468.942762] WARNING: CPU: 14 PID: 2357 at lib/refcount.c:22 refcount_warn_saturate+0x51/0x110
[17468.942774] Modules linked in: xt_mark xt_comment tun xt_nat veth xt_conntrack xt_MASQUERADE nf_conntrack_netlink xt_addrtype nft_compat br_netfilter bridge stp llc overlay snd_seq_dummy snd_hrtimer snd_seq snd_seq_device snd_timer snd soundcore nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock sunrpc binfmt_misc intel_rapl_msr intel_rapl_common rapl vmw_balloon pcspkr pktcdvd vmw_vmci i2c_piix4 joydev loop zram crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic nvme ghash_clmulni_intel vmwgfx sha512_ssse3 nvme_core vmxnet3 nvme_common drm_ttm_helper ttm serio_raw ata_generic pata_acpi ip6_tables ip_tables fuse
[17468.942841] CPU: 14 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
[17468.942845] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[17468.942846] RIP: 0010:refcount_warn_saturate+0x51/0x110
[17468.942850] Code: 84 bc 00 00 00 c3 cc cc cc cc 85 f6 74 46 80 3d 1e b4 ae 01 00 75 ee 48 c7 c7 10 9e 8d a7 c6 05 0e b4 ae 01 01 e8 4f ec 92 ff <0f> 0b c3 cc cc cc cc 80 3d f7 b3 ae 01 00 75 cb 48 c7 c7 c0 9e 8d
[17468.942853] RSP: 0018:ffffac3b522f79e8 EFLAGS: 00010286
[17468.942855] RAX: 0000000000000000 RBX: ffff8f2d8ce5ae00 RCX: 0000000000000000
[17468.942857] RDX: 0000000000000003 RSI: 0000000000000027 RDI: 00000000ffffffff
[17468.942858] RBP: ffff8f2de8753e40 R08: 0000000000000000 R09: ffffac3b522f7878
[17468.942859] R10: 0000000000000003 R11: ffff8f30addfffe8 R12: 0000000000000001
[17468.942860] R13: ffffac3b522f7a38 R14: ffffac3b522f7a38 R15: ffffac3b522f7a34
[17468.942862] FS: 00007f22f79ff6c0(0000) GS:ffff8f30ae180000(0000) knlGS:0000000000000000
[17468.942864] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17468.942865] CR2: 00007f22d47bb000 CR3: 000000015fc96002 CR4: 0000000000770ee0
[17468.942948] PKRU: 55555554
[17468.942950] Call Trace:
[17468.942952] <TASK>
[17468.942953] objects_lookup+0xc3/0xd0
[17468.942960] drm_gem_object_lookup+0x3a/0x60
[17468.942963] vmw_user_bo_lookup+0x11/0x70 [vmwgfx]
[17468.942986] vmw_translate_mob_ptr+0x56/0x170 [vmwgfx]
[17468.942999] vmw_cmd_res_switch_backup+0xa3/0xd0 [vmwgfx]
[17468.943011] vmw_execbuf_process+0x54b/0x1160 [vmwgfx]
[17468.943024] ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
[17468.943036] vmw_execbuf_ioctl+0x151/0x280 [vmwgfx]
[17468.943048] ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
[17468.943059] drm_ioctl_kernel+0xc6/0x170
[17468.943063] drm_ioctl+0x235/0x410
[17468.943065] ? __pfx_vmw_execbuf_ioctl+0x10/0x10 [vmwgfx]
[17468.943077] ? __pfx_drm_ioctl+0x10/0x10
[17468.943079] vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[17468.943094] __x64_sys_ioctl+0x8d/0xd0
[17468.943099] do_syscall_64+0x59/0x90
[17468.943104] ? do_syscall_64+0x68/0x90
[17468.943106] ? syscall_exit_to_user_mode+0x17/0x40
[17468.943108] ? do_syscall_64+0x68/0x90
[17468.943109] ? do_syscall_64+0x68/0x90
[17468.943110] ? syscall_exit_to_user_mode+0x17/0x40
[17468.943112] ? do_syscall_64+0x68/0x90
[17468.943113] ? lapic_next_deadline+0x28/0x30
[17468.943144] ? clockevents_program_event+0x86/0xf0
[17468.943149] ? hrtimer_interrupt+0x127/0x240
[17468.943152] ? sched_clock_cpu+0xb/0xc0
[17468.943155] ? __irq_exit_rcu+0x3d/0x140
[17468.943159] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[17468.943163] RIP: 0033:0x7f2327528edd
[17468.943187] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[17468.943189] RSP: 002b:00007f22f79fc690 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[17468.943191] RAX: ffffffffffffffda RBX: 0000000000000028 RCX: 00007f2327528edd
[17468.943192] RDX: 00007f22f79fc750 RSI: 000000004028644c RDI: 0000000000000029
[17468.943193] RBP: 00007f22f79fc6e0 R08: 00000000000003d8 R09: 00007f22f79fc7e8
[17468.943194] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f22f79fc750
[17468.943194] R13: 000000004028644c R14: 0000000000000029 R15: 00007f22f79fc7e8
[17468.943196] </TASK>
[17468.943197] ---[ end trace 0000000000000000 ]---
[17490.879236] ==================================================================
[17490.879242] BUG: KFENCE: use-after-free read in drm_gem_handle_delete+0x4b/0xd0

[17490.879250] Use-after-free read at 0x00000000e28982f2 (in kfence-#229):
[17490.879253] drm_gem_handle_delete+0x4b/0xd0
[17490.879255] vmw_bo_unref_ioctl+0xf/0x20 [vmwgfx]
[17490.879279] drm_ioctl_kernel+0xc6/0x170
[17490.879281] drm_ioctl+0x235/0x410
[17490.879283] vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[17490.879298] __x64_sys_ioctl+0x8d/0xd0
[17490.879302] do_syscall_64+0x59/0x90
[17490.879306] entry_SYSCALL_64_after_hwframe+0x72/0xdc

[17490.879310] kfence-#229: 0x000000002d4c52cb-0x00000000b9fb100f, size=512, cache=kmalloc-512

[17490.879312] allocated by task 2357 on cpu 14 at 17468.655415s:
[17490.879347] __kmem_cache_alloc_node+0x2ab/0x2f0
[17490.879349] kmalloc_trace+0x26/0x90
[17490.879352] vmw_bo_create+0x3c/0xa0 [vmwgfx]
[17490.879368] vmw_gem_object_create_ioctl+0x6b/0x120 [vmwgfx]
[17490.879439] drm_ioctl_kernel+0xc6/0x170
[17490.879441] drm_ioctl+0x235/0x410
[17490.879443] vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[17490.879458] __x64_sys_ioctl+0x8d/0xd0
[17490.879459] do_syscall_64+0x59/0x90
[17490.879461] entry_SYSCALL_64_after_hwframe+0x72/0xdc

[17490.879464] freed by task 2357 on cpu 2 at 17490.879219s:
[17490.879496] ttm_bo_vm_close+0x12/0x20 [ttm]
[17490.879504] remove_vma+0x25/0x50
[17490.879506] do_mas_align_munmap+0x2dc/0x4b0
[17490.879509] do_mas_munmap+0xd2/0x120
[17490.879510] __vm_munmap+0xba/0x170
[17490.879511] __x64_sys_munmap+0x17/0x20
[17490.879512] do_syscall_64+0x59/0x90
[17490.879514] entry_SYSCALL_64_after_hwframe+0x72/0xdc

[17490.879517] CPU: 2 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
[17490.879520] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[17490.879521] ==================================================================


wila
Immortal

Hi,

You never mentioned if you opened a support ticket for this.

Let me mention the product manager here ( Hey @Mikero have a look into this please) who can then see if someone is following up on this already.

--
Wil

Mikero
Community Manager

Thanks Wil for the tag, and thanks @cynar for reporting. I have brought it to the attention of our vmwgfx team.

-
Michael Roy - PM/PMM: Fusion & Workstation
cynar
Enthusiast

Alas, I have no support contract with VMware, so no support ticket from my end (this is VMware Workstation 17.0.2 purchased through the US online store).

cynar
Enthusiast


@Mikero wrote:

Thanks Wil for the tag, and thanks @cynar for reporting. I have brought it to the attention of our vmwgfx team.


Many thanks for the feedback.

I can only suggest that someone from the vmwgfx team look into the Fedora ABRT analytics, digging a bit for backtraces which point towards the VMware stack.

Just to provide additional context:

On my end, I get the warnings very regularly with the Fedora 38 KDE spin running X11 on an external 4K screen (and a Tiger Lake 11800H CPU). The above kernel bug was the first time that I ever noticed it.

From a general stability point of view, the system remains alive, although Firefox definitely has rendering artifacts. What the root cause of that is, I have no idea. That virtual machine is generally used for software development, so there is Visual Studio Code inside and Jetbrains IntelliJ.


Mikero
Community Manager

cynar
Enthusiast


@Mikero wrote:

Got a quick answer on this... Seems that was fixed in:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/gpu/drm/vmwgfx?id=...

and

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/gpu/drm/vmwgfx?id=...


I very much appreciate the very quick and very specific response - alas, it seems as if those commits might not fully address the challenge.

https://gitlab.com/cki-project/kernel-ark is the source code for Fedora kernel builds. According to

  • git tag --contains 1a6897921f52ceb2c8665ef826e405bd96385159
  • git tag --contains a950b989ea29ab3b38ea7f6e3d2540700a3c54e8

those commits made it at least into the "upstream" Linux v6.2 kernel release.

Fedora 38 has only ever been shipping Linux 6.2 kernels, so I have always been running with those fixes included - and hence it is surprising that I get the kernel diagnostics (right now I am on a Fedora Linux 38 6.2.14 distro kernel - all my system software is distro software).

cynar
Enthusiast

Just to add some context and an indication of the extent of the challenges, the output of "journalctl | grep 'kernel: vmw_generic_ioctl'" on the VM in question is below.

That's 41 entries over the course of two weeks, all on Fedora 38 with a Linux 6.2+ kernel.

I picked the search term as it seems to be the entrypoint into the trouble and seems to match "per incident" pretty well.

Almost every cold virtual machine boot to the KDE desktop seems to trigger something, perhaps with the odd other incident sprinkled in occasionally.

Apr 26 08:00:56 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 27 07:17:02 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 27 07:19:20 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 28 11:03:37 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 28 11:05:51 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 28 11:20:06 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 28 12:59:20 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 28 20:33:59 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 29 07:57:27 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 30 06:59:19 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 30 09:56:27 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
Apr 30 10:16:09 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 01 09:46:58 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 01 10:45:38 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 02 05:47:06 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 02 19:56:28 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 03 06:40:39 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 03 06:46:05 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 03 08:47:52 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 03 09:26:15 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 04 06:25:22 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 04 07:13:01 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 05 06:49:56 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 06 08:09:45 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 06 08:17:14 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 06 19:28:54 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 08 06:47:32 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 09 06:02:04 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 09 06:04:18 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 09 07:43:41 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 09 07:43:42 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 10 06:40:07 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 10 06:48:43 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 10 14:25:38 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 11 05:37:59 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 11 05:42:20 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 11 10:32:03 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 11 10:32:03 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 11 10:32:25 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 11 10:32:25 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 12 08:09:22 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]


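As an added example (not code from the thread, from Fedora or from the vmwgfx project), the following Python script groups kernel reports of the kind pasted in this thread into incidents. It attributes each report by scanning the whole call trace rather than the crash function alone, which is why the opening post's grep for "vmw_" on drm_gem_handle_delete under-counts, and it tallies per incident on the module's outermost frame (vmw_generic_ioctl, the entry point this post picked). The sample log is constructed from condensed versions of two reports in this thread.

```python
"""Triage refcount_t / KFENCE reports from dmesg or `journalctl -k` into incidents.
Added example, not code from the thread or from vmwgfx: each report is attributed to a
module by scanning its whole call trace rather than only the crash function, which is
why a grep for "vmw_" on the top frame (drm_gem_handle_delete) under-counts."""
import re
from dataclasses import dataclass, field

# dmesg "[   77.493589] " or journald "May 01 09:46:58 host kernel: " line prefixes
PREFIX = re.compile(r"^(?:\[\s*\d+\.\d+\]\s?|\w{3} \d\d \d\d:\d\d:\d\d \S+ kernel: )")
# "? " marks frames the x86 unwinder could not verify; "[mod]" names the owning module
FRAME = re.compile(r"^(\?)?\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")
TASK = re.compile(r"CPU: \d+ PID: (\d+) Comm: (.+?) (Not tainted|Tainted: [A-Z ]+?) (\S+) #\d+")


@dataclass
class Frame:
    symbol: str
    module: str        # "" for the core kernel
    reliable: bool


@dataclass
class Incident:
    kind: str          # "refcount_t: underflow; use-after-free." or the "BUG: KFENCE: ..." line
    pid: int = 0
    comm: str = ""
    tainted: bool = False
    kernel: str = ""
    frames: list = field(default_factory=list)   # warning / access stack, innermost first
    alloc: list = field(default_factory=list)    # KFENCE "allocated by" stack
    free: list = field(default_factory=list)     # KFENCE "freed by" stack

    def modules(self) -> list:
        """Modules named in reliable frames anywhere in the stack, innermost first."""
        seen = []
        for f in self.frames:
            if f.reliable and f.module and f.module not in seen:
                seen.append(f.module)
        return seen

    def entry_point(self, module: str):
        """Outermost reliable frame in `module`: the ioctl the driver was entered through."""
        hits = [f.symbol for f in self.frames if f.reliable and f.module == module]
        return hits[-1] if hits else None


def parse_incidents(text: str) -> list:
    incidents, cur, section = [], None, "frames"
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("------------[ cut here ]") or line.startswith("BUG: KFENCE:"):
            cur, section = Incident(kind="" if line[0] == "-" else line), "frames"
            incidents.append(cur)                  # a WARNING's text follows on the next line
        elif cur is None:
            continue
        elif not cur.kind:
            cur.kind = line
        elif line.startswith("---[ end trace") or (line.startswith("====") and "KFENCE" in cur.kind):
            cur = None
        elif line.startswith("allocated by task"):
            section = "alloc"
        elif line.startswith("freed by task"):
            section = "free"
        elif m := TASK.search(line):
            cur.pid, cur.comm, cur.kernel = int(m[1]), m[2], m[4]
            cur.tainted = m[3] != "Not tainted"
        elif m := FRAME.match(line):
            getattr(cur, section).append(Frame(m[2], m[3] or "", m[1] is None))
    return incidents


def count_by_module(incidents: list, module: str) -> dict:
    """Incidents whose trace passes through `module`, counted per (comm, entry point)."""
    out = {}
    for inc in incidents:
        if module in inc.modules():
            key = (inc.comm, inc.entry_point(module))
            out[key] = out.get(key, 0) + 1
    return out


# Constructed sample condensed from two reports of this kind (register dumps and most
# frames dropped); the first carries the journald line prefix, the second the dmesg one.
SAMPLE_LOG = """\
May 01 09:46:58 fedora kernel: ------------[ cut here ]------------
May 01 09:46:58 fedora kernel: refcount_t: underflow; use-after-free.
May 01 09:46:58 fedora kernel: CPU: 9 PID: 1197 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 01 09:46:58 fedora kernel: drm_gem_handle_delete+0x8c/0xd0
May 01 09:46:58 fedora kernel: ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
May 01 09:46:58 fedora kernel: vmw_bo_unref_ioctl+0xf/0x20 [vmwgfx]
May 01 09:46:58 fedora kernel: vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
May 01 09:46:58 fedora kernel: ---[ end trace 0000000000000000 ]---
[17490.879236] ==================================================================
[17490.879242] BUG: KFENCE: use-after-free read in drm_gem_handle_delete+0x4b/0xd0
[17490.879253] drm_gem_handle_delete+0x4b/0xd0
[17490.879255] vmw_bo_unref_ioctl+0xf/0x20 [vmwgfx]
[17490.879283] vmw_generic_ioctl+0xa4/0x110 [vmwgfx]
[17490.879312] allocated by task 2357 on cpu 14 at 17468.655415s:
[17490.879352] vmw_bo_create+0x3c/0xa0 [vmwgfx]
[17490.879464] freed by task 2357 on cpu 2 at 17490.879219s:
[17490.879496] ttm_bo_vm_close+0x12/0x20 [ttm]
[17490.879517] CPU: 2 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
[17490.879521] ==================================================================
"""
```

Running `count_by_module(parse_incidents(open("/path/to/journal.txt").read()), "vmwgfx")` over a real `journalctl -k` dump gives the per-incident tally by process and entry point; the KFENCE record additionally keeps the allocation (vmw_bo_create) and free (ttm_bo_vm_close via munmap) stacks that show which two paths disagree about the object's lifetime.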
cynar
Enthusiast

... and as for reproduction, it seems as if "sddm" (as the greeter / login screen) triggers the problem in the majority of the cases, see below.

Most likely a reproducer would then be downloading the Fedora 38 KDE spin from Fedora KDE Plasma Desktop | The Fedora Project and simply running that with 1/16 CPUs and 16 GB of memory.

Apr 27 07:19:20 fedora kernel: CPU: 14 PID: 1565 Comm: sddm-greeter Not tainted 6.2.12-300.fc38.x86_64 #1
Apr 28 11:03:37 fedora kernel: CPU: 12 PID: 1221 Comm: sddm-greeter Not tainted 6.2.12-300.fc38.x86_64 #1
Apr 28 11:05:51 fedora kernel: CPU: 8 PID: 1189 Comm: sddm-greeter Not tainted 6.2.12-300.fc38.x86_64 #1
Apr 28 11:20:06 fedora kernel: CPU: 13 PID: 1245 Comm: sddm-greeter Not tainted 6.2.12-300.fc38.x86_64 #1
Apr 28 12:59:20 fedora kernel: CPU: 2 PID: 1180 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
Apr 28 20:33:59 fedora kernel: CPU: 6 PID: 1185 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
Apr 29 07:57:27 fedora kernel: CPU: 5 PID: 1247 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
Apr 30 06:59:19 fedora kernel: CPU: 13 PID: 1203 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
Apr 30 09:56:27 fedora kernel: CPU: 6 PID: 1200 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
Apr 30 10:16:09 fedora kernel: CPU: 3 PID: 1237 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 01 09:46:58 fedora kernel: CPU: 9 PID: 1197 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 01 10:45:38 fedora kernel: CPU: 0 PID: 1189 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 02 05:47:06 fedora kernel: CPU: 13 PID: 1197 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 02 19:56:28 fedora kernel: CPU: 0 PID: 1243 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 03 06:40:39 fedora kernel: CPU: 0 PID: 1235 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 03 06:46:05 fedora kernel: CPU: 6 PID: 1186 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 03 08:47:52 fedora kernel: CPU: 5 PID: 1191 Comm: sddm-greeter Not tainted 6.2.13-300.fc38.x86_64 #1
May 03 09:26:15 fedora kernel: CPU: 14 PID: 1194 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 04 06:25:22 fedora kernel: CPU: 0 PID: 1246 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 04 07:13:01 fedora kernel: CPU: 6 PID: 1194 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 05 06:49:56 fedora kernel: CPU: 5 PID: 1230 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 06 08:09:45 fedora kernel: CPU: 2 PID: 1232 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 06 08:17:14 fedora kernel: CPU: 8 PID: 1189 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 06 19:28:54 fedora kernel: CPU: 15 PID: 1226 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 08 06:47:32 fedora kernel: CPU: 10 PID: 1198 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 09 06:02:04 fedora kernel: CPU: 11 PID: 1229 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 09 06:04:18 fedora kernel: CPU: 4 PID: 1186 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 09 07:43:41 fedora kernel: CPU: 5 PID: 3194 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
May 09 07:43:42 fedora kernel: CPU: 0 PID: 3194 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
May 10 06:40:07 fedora kernel: CPU: 14 PID: 1241 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 10 06:48:43 fedora kernel: CPU: 8 PID: 1189 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 10 14:25:38 fedora kernel: CPU: 11 PID: 1221 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 11 05:37:59 fedora kernel: CPU: 12 PID: 1227 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 11 05:42:20 fedora kernel: CPU: 13 PID: 1184 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 11 10:32:03 fedora kernel: CPU: 14 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
May 11 10:32:03 fedora kernel: CPU: 14 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
May 11 10:32:25 fedora kernel: CPU: 2 PID: 2357 Comm: Renderer Tainted: G W 6.2.14-300.fc38.x86_64 #1
May 12 08:09:22 fedora kernel: CPU: 1 PID: 1234 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1
May 12 09:05:20 fedora kernel: CPU: 2 PID: 1225 Comm: sddm-greeter Not tainted 6.2.14-300.fc38.x86_64 #1


nightstrike
Contributor

FWIW, I see this in a similar configuration:

Fedora 38 VM under VMware Fusion 13.0.2 running KDE X11 and having it fail in sddm-greeter on boot.


[   24.853843] ------------[ cut here ]------------
[   24.853847] refcount_t: underflow; use-after-free.
[   24.853852] WARNING: CPU: 1 PID: 982 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
[   24.853863] Modules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink qrtr vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock sunrpc vfat fat snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer pktcdvd snd soundcore vmw_vmci joydev loop zram nvme crct10dif_ce polyval_ce polyval_generic ghash_ce sha3_ce sha512_ce sha512_arm64 nvme_core nvme_common e1000e vmwgfx drm_ttm_helper uhci_hcd ttm fuse
[   24.853927] CPU: 1 PID: 982 Comm: sddm-greeter Not tainted 6.5.5-200.fc38.aarch64 #1
[   24.853928] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.20904234.BA64.2212051119 12/05/2022
[   24.853929] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[   24.853931] pc : refcount_warn_saturate+0xf4/0x148
[   24.853932] lr : refcount_warn_saturate+0xf4/0x148
[   24.853933] sp : ffff8000874bb9c0
[   24.853934] x29: ffff8000874bb9c0 x28: 0000000000000008 x27: ffff8000874bbb38
[   24.853937] x26: ffff0000859f9200 x25: ffff80007ba476d0 x24: 00000000000000ac
[   24.853938] x23: ffff0000859f9248 x22: ffff0000859f9260 x21: 00000000000000ac
[   24.853939] x20: ffff0000895205b0 x19: ffff00008b22b800 x18: 0000000000000000
[   24.853940] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe53500e0
[   24.853942] x14: 0000000000000000 x13: 2e656572662d7265 x12: 7466612d65737520
[   24.853943] x11: 00000000ffffdfff x10: ffff800082bdddb8 x9 : ffff80008018d15c
[   24.853944] x8 : 000000000002ffe8 x7 : c0000000ffffdfff x6 : 00000000000affa8
[   24.853945] x5 : ffff0001fec6e708 x4 : 0000000000000000 x3 : ffff80017c943000
[   24.853948] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000a1312200
[   24.853949] Call trace:
[   24.853950]  refcount_warn_saturate+0xf4/0x148
[   24.853951]  drm_gem_object_handle_put_unlocked+0xa8/0x118
[   24.853953]  drm_gem_handle_delete+0x9c/0xf8
[   24.853954]  vmw_bo_unref_ioctl+0x20/0x38 [vmwgfx]
[   24.853970]  drm_ioctl_kernel+0xcc/0x170
[   24.853971]  drm_ioctl+0x228/0x450
[   24.853971]  vmw_generic_ioctl+0xc0/0x158 [vmwgfx]
[   24.853983]  vmw_unlocked_ioctl+0x20/0x38 [vmwgfx]
[   24.853992]  __arm64_sys_ioctl+0xb4/0x100
[   24.853995]  invoke_syscall+0x78/0x100
[   24.853996]  el0_svc_common.constprop.0+0x4c/0xf8
[   24.853997]  do_el0_svc+0x34/0x50
[   24.853998]  el0_svc+0x34/0x108
[   24.854000]  el0t_64_sync_handler+0x120/0x130
[   24.854002]  el0t_64_sync+0x194/0x198
[   24.854003] ---[ end trace 0000000000000000 ]---

Linux fedora 6.5.5-200.fc38.aarch64 #1 SMP PREEMPT_DYNAMIC Sun Sep 24 16:14:15 UTC 2023 aarch64 GNU/Linux
