Re: [3.1.4] mm slub memory corruption in drm_vblank_cleanup

From: David Rientjes
Date: Thu Dec 15 2011 - 04:28:32 EST


On Tue, 13 Dec 2011, batouzo wrote:

> Hello, we were building 3.1.4 kernel when we noticed BUG()s on bootup.
>
> After some debugging it seems to be use after freed memory corruption
> caused by radeon driver.

That's not what's indicated here, this is the poison value being
overwritten and detected on free.

> With radeon + kms the bug happens around 1 in 3 boot ups, right after
> the radeon is enabled (with slub debugging) or later with no debug (few
> seconds later or on shutdown esp. in rmmod).
>
> When disabling radeon and KMS the bug was not seen;
>
>
> Allocated in drm_vblank_init+0x139/0x260 [drm] + Freed in
> drm_vblank_cleanup+0x78/0x90 [drm]
> Allocated in drm_vblank_init+0xbe/0x260 [drm] + Freed in
> drm_vblank_cleanup+0x48/0x90 [drm]
>
> It is Amd Bulldozer computer, with Radeon card:
> 01:00.0 VGA compatible controller: ATI Technologies Inc Cedar PRO
> [Radeon HD 5450]
>
> Debian stable. Built with make-kpkg using gcc 4.4.5
>
> messages: http://pastebin.com/NXN5EPtG
> config used: http://pastebin.com/AeVxEX7c
>
> Interesting part of the messages linked above is:
>
>
> [ 94.401991] fb0: radeondrmfb frame buffer device
> [ 94.401992] drm: registered panic notifier
> [ 94.402033] [drm] Initialized radeon 2.11.0 20080528 for 0000:01:00.0
> on minor 0
> [ 94.402921]
> =============================================================================
> [ 94.402961] BUG kmalloc-16: Poison overwritten
> [ 94.402982]
> -----------------------------------------------------------------------------
> [ 94.402983]
> [ 94.403025] INFO: 0xffff880137dbbc38-0xffff880137dbbc3b. First byte
> 0x0 instead of 0x6b
> [ 94.403066] INFO: Allocated in drm_vblank_init+0x139/0x260 [drm]
> age=253 cpu=3 pid=535
> [ 94.403103] set_track+0x58/0x100
> [ 94.403119] alloc_debug_processing+0x160/0x170
> [ 94.403140] __slab_alloc+0x26d/0x440
> [ 94.403160] drm_vblank_init+0x139/0x260 [drm]
> [ 94.403182] drm_debugfs_create_files+0xcb/0x1a0 [drm]
> [ 94.403208] drm_vblank_init+0x139/0x260 [drm]
> [ 94.403228] __kmalloc+0x100/0x180
> [ 94.403247] drm_vblank_init+0x139/0x260 [drm]
> [ 94.403276] radeon_irq_kms_init+0x6d/0x160 [radeon]
> [ 94.403303] evergreen_init+0x11c/0x2a0 [radeon]
> [ 94.403337] radeon_device_init+0x3c9/0x470 [radeon]
> [ 94.403367] radeon_driver_load_kms+0xad/0x160 [radeon]
> [ 94.403394] drm_get_pci_dev+0x198/0x2c0 [drm]
> [ 94.403416] local_pci_probe+0x55/0xd0
> [ 94.403433] pci_device_probe+0x10a/0x130
> [ 94.403453] driver_sysfs_add+0x72/0xa0
> [ 94.403474] INFO: Freed in drm_vblank_cleanup+0x78/0x90 [drm] age=235
> cpu=0 pid=535
> [ 94.403508] set_track+0x58/0x100
> [ 94.403524] free_debug_processing+0x1f3/0x240
> [ 94.403545] __slab_free+0x1a6/0x2b0
> [ 94.403562] native_read_tsc+0x2/0x20
> [ 94.403580] delay_tsc+0x42/0x80
> [ 94.403598] drm_vblank_cleanup+0x78/0x90 [drm]
> [ 94.403625] radeon_irq_kms_fini+0xd/0x60 [radeon]
> [ 94.403651] evergreen_init+0x289/0x2a0 [radeon]
> [ 94.403677] radeon_device_init+0x3c9/0x470 [radeon]
> [ 94.403704] radeon_driver_load_kms+0xad/0x160 [radeon]
> [ 94.403731] drm_get_pci_dev+0x198/0x2c0 [drm]
> [ 94.403751] local_pci_probe+0x55/0xd0
> [ 94.403772] pci_device_probe+0x10a/0x130
> [ 94.403791] driver_sysfs_add+0x72/0xa0
> [ 94.404806] driver_probe_device+0x8e/0x1b0
> [ 94.405782] __driver_attach+0x93/0xa0
> [ 94.406031] INFO: Slab 0xffffea0004df6e80 objects=23 used=23 fp=0x
> (null) flags=0x200000000004080
> [ 94.406031] INFO: Object 0xffff880137dbbc38 @offset=7224
> fp=0xffff880137dbb830
> [ 94.406031]
> [ 94.406031] Bytes b4 0xffff880137dbbc28: 06 0e ff ff 00 00 00 00 5a
> 5a 5a 5a 5a 5a 5a 5a ..??????....ZZZZZZZZ
> [ 94.406031] Object 0xffff880137dbbc38: 00 00 00 00 6b 6b 6b 6b 6b
> 6b 6b 6b 6b 6b 6b a5 ....kkkkkkkkkkk???
> [ 94.406031] Redzone 0xffff880137dbbc48: bb bb bb bb bb bb bb bb
> ????????????????????????
> [ 94.406031] Padding 0xffff880137dbbd88: 5a 5a 5a 5a 5a 5a 5a 5a
> ZZZZZZZZ
> [ 94.406031] Pid: 466, comm: udevd Not tainted 3.1.4-norm007+dbg #1
> [ 94.406031] Call Trace:
> [ 94.406031] [] ? check_bytes_and_report+0x110/0x150
> [ 94.406031] [] ? check_object+0x1fe/0x250
> [ 94.406031] [] ? shmem_symlink+0xd4/0x220
> [ 94.406031] [] ? shmem_symlink+0xd4/0x220
> [ 94.406031] [] ? alloc_debug_processing+0xee/0x170
> [ 94.406031] [] ? __slab_alloc+0x26d/0x440
> [ 94.406031] [] ? shmem_symlink+0xd4/0x220
> [ 94.406031] [] ? inode_init_always+0xfc/0x1b0
> [ 94.406031] [] ? alloc_inode+0x32/0x90
> [ 94.406031] [] ? shmem_symlink+0xd4/0x220
> [ 94.406031] [] ? __kmalloc_track_caller+0xf8/0x180
> [ 94.406031] [] ? kmemdup+0x27/0x60
> [ 94.406031] [] ? shmem_symlink+0xd4/0x220
> [ 94.406031] [] ? vfs_symlink+0x87/0xa0
> [ 94.406031] [] ? sys_symlinkat+0xdc/0xf0
> [ 94.406031] [] ? system_call_fastpath+0x16/0x1b
> [ 94.406031] FIX kmalloc-16: Restoring
> 0xffff880137dbbc38-0xffff880137dbbc3b=0x6b

Looks like ->vblank_inmodeset. Adding David and dri-devel to cc.
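The "Poison overwritten" splat above is SLUB's debug check on a freed kmalloc-16 object whose poison fill no longer matches. As an added illustration (not code from this thread or from the kernel), the user-space C model below reproduces that check: poison_on_free and check_bytes are simplified stand-ins for SLUB's free-path poisoning and check_bytes_and_report(), the redzone width is an assumption, and the 4-byte zero store is a constructed stand-in for the write-after-free seen in the object dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison/redzone byte values as in the kernel's include/linux/poison.h. */
#define POISON_FREE       0x6b   /* fill for a freed object */
#define POISON_END        0xa5   /* last byte of a poisoned object */
#define SLUB_RED_INACTIVE 0xbb   /* redzone of a free object */
#define OBJ_SIZE 16              /* kmalloc-16, the cache named in the report */
#define RED_SIZE 8               /* redzone width: an assumption for this model */

struct slot { uint8_t obj[OBJ_SIZE]; uint8_t redzone[RED_SIZE]; };

/* What SLUB writes into an object on free with SLAB_POISON|SLAB_RED_ZONE. */
static void poison_on_free(struct slot *s) {
    memset(s->obj, POISON_FREE, OBJ_SIZE - 1);
    s->obj[OBJ_SIZE - 1] = POISON_END;
    memset(s->redzone, SLUB_RED_INACTIVE, RED_SIZE);
}

/* Models check_bytes_and_report(): find the first byte differing from 'expect',
 * trim intact trailing bytes, report the range; returns the corrupted byte count. */
static size_t check_bytes(const uint8_t *p, size_t n, uint8_t expect,
                          size_t *first, size_t *last) {
    size_t i = 0, end = n;
    while (i < n && p[i] == expect) i++;
    if (i == n) return 0;
    while (end > i && p[end - 1] == expect) end--;
    *first = i; *last = end - 1;
    return end - i;
}

/* Models check_object() for a free slot (simplified to poison, POISON_END and
 * redzone). Returns 0 if intact, otherwise which check failed. */
static int check_free_object(const struct slot *s, size_t *first, size_t *last) {
    if (check_bytes(s->obj, OBJ_SIZE - 1, POISON_FREE, first, last)) return 1;
    if (s->obj[OBJ_SIZE - 1] != POISON_END) { *first = *last = OBJ_SIZE - 1; return 2; }
    if (check_bytes(s->redzone, RED_SIZE, SLUB_RED_INACTIVE, first, last)) return 3;
    return 0;
}

int main(void) {
    struct slot s; size_t first, last;
    poison_on_free(&s);
    memset(s.obj, 0, 4); /* constructed write-after-free: 4 zero bytes, as in the dump */
    int kind = check_free_object(&s, &first, &last);
    if (kind) printf("Poison overwritten: bytes %zu-%zu, first byte 0x%x instead of 0x%x\n",
                     first, last, s.obj[first], POISON_FREE);
    return kind;
}
```

The reported range (offsets 0 to 3, first byte 0x0 instead of 0x6b) has the same shape as the 0x...c38-0x...c3b range in the splat, which is how the report pins down how many bytes the stale writer touched.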