[3.1.4] mm slub memory corruption in drm_vblank_cleanup
From: batouzo
Date: Tue Dec 13 2011 - 10:20:30 EST
Hello, we were building a 3.1.4 kernel when we noticed BUG()s on bootup.
After some debugging it seems to be use-after-free memory corruption
caused by the radeon driver.
With radeon + KMS the bug happens around 1 in 3 boot-ups, right after
radeon is enabled (with SLUB debugging) or later with no debug (a few
seconds later or on shutdown, esp. in rmmod).
When disabling radeon and KMS the bug was not seen.
Allocated in drm_vblank_init+0x139/0x260 [drm] + Freed in drm_vblank_cleanup+0x78/0x90 [drm]
Allocated in drm_vblank_init+0xbe/0x260 [drm] + Freed in drm_vblank_cleanup+0x48/0x90 [drm]
It is an AMD Bulldozer computer with a Radeon card:
01:00.0 VGA compatible controller: ATI Technologies Inc Cedar PRO [Radeon HD 5450]
Debian stable. Built with make-kpkg using gcc 4.4.5.
messages: http://pastebin.com/NXN5EPtG
config used: http://pastebin.com/AeVxEX7c
The interesting part of the messages linked above is:
[ 94.401991] fb0: radeondrmfb frame buffer device
[ 94.401992] drm: registered panic notifier
[ 94.402033] [drm] Initialized radeon 2.11.0 20080528 for 0000:01:00.0 on minor 0
[ 94.402921] =============================================================================
[ 94.402961] BUG kmalloc-16: Poison overwritten
[ 94.402982] -----------------------------------------------------------------------------
[ 94.402983]
[ 94.403025] INFO: 0xffff880137dbbc38-0xffff880137dbbc3b. First byte 0x0 instead of 0x6b
[ 94.403066] INFO: Allocated in drm_vblank_init+0x139/0x260 [drm] age=253 cpu=3 pid=535
[ 94.403103] set_track+0x58/0x100
[ 94.403119] alloc_debug_processing+0x160/0x170
[ 94.403140] __slab_alloc+0x26d/0x440
[ 94.403160] drm_vblank_init+0x139/0x260 [drm]
[ 94.403182] drm_debugfs_create_files+0xcb/0x1a0 [drm]
[ 94.403208] drm_vblank_init+0x139/0x260 [drm]
[ 94.403228] __kmalloc+0x100/0x180
[ 94.403247] drm_vblank_init+0x139/0x260 [drm]
[ 94.403276] radeon_irq_kms_init+0x6d/0x160 [radeon]
[ 94.403303] evergreen_init+0x11c/0x2a0 [radeon]
[ 94.403337] radeon_device_init+0x3c9/0x470 [radeon]
[ 94.403367] radeon_driver_load_kms+0xad/0x160 [radeon]
[ 94.403394] drm_get_pci_dev+0x198/0x2c0 [drm]
[ 94.403416] local_pci_probe+0x55/0xd0
[ 94.403433] pci_device_probe+0x10a/0x130
[ 94.403453] driver_sysfs_add+0x72/0xa0
[ 94.403474] INFO: Freed in drm_vblank_cleanup+0x78/0x90 [drm] age=235 cpu=0 pid=535
[ 94.403508] set_track+0x58/0x100
[ 94.403524] free_debug_processing+0x1f3/0x240
[ 94.403545] __slab_free+0x1a6/0x2b0
[ 94.403562] native_read_tsc+0x2/0x20
[ 94.403580] delay_tsc+0x42/0x80
[ 94.403598] drm_vblank_cleanup+0x78/0x90 [drm]
[ 94.403625] radeon_irq_kms_fini+0xd/0x60 [radeon]
[ 94.403651] evergreen_init+0x289/0x2a0 [radeon]
[ 94.403677] radeon_device_init+0x3c9/0x470 [radeon]
[ 94.403704] radeon_driver_load_kms+0xad/0x160 [radeon]
[ 94.403731] drm_get_pci_dev+0x198/0x2c0 [drm]
[ 94.403751] local_pci_probe+0x55/0xd0
[ 94.403772] pci_device_probe+0x10a/0x130
[ 94.403791] driver_sysfs_add+0x72/0xa0
[ 94.404806] driver_probe_device+0x8e/0x1b0
[ 94.405782] __driver_attach+0x93/0xa0
[ 94.406031] INFO: Slab 0xffffea0004df6e80 objects=23 used=23 fp=0x (null) flags=0x200000000004080
[ 94.406031] INFO: Object 0xffff880137dbbc38 @offset=7224 fp=0xffff880137dbb830
[ 94.406031]
[ 94.406031] Bytes b4 0xffff880137dbbc28: 06 0e ff ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ..ïï....ZZZZZZZZ
[ 94.406031] Object 0xffff880137dbbc38: 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 ....kkkkkkkkkkkï
[ 94.406031] Redzone 0xffff880137dbbc48: bb bb bb bb bb bb bb bb ïïïïïïïï
[ 94.406031] Padding 0xffff880137dbbd88: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 94.406031] Pid: 466, comm: udevd Not tainted 3.1.4-norm007+dbg #1
[ 94.406031] Call Trace:
[ 94.406031] [] ? check_bytes_and_report+0x110/0x150
[ 94.406031] [] ? check_object+0x1fe/0x250
[ 94.406031] [] ? shmem_symlink+0xd4/0x220
[ 94.406031] [] ? shmem_symlink+0xd4/0x220
[ 94.406031] [] ? alloc_debug_processing+0xee/0x170
[ 94.406031] [] ? __slab_alloc+0x26d/0x440
[ 94.406031] [] ? shmem_symlink+0xd4/0x220
[ 94.406031] [] ? inode_init_always+0xfc/0x1b0
[ 94.406031] [] ? alloc_inode+0x32/0x90
[ 94.406031] [] ? shmem_symlink+0xd4/0x220
[ 94.406031] [] ? __kmalloc_track_caller+0xf8/0x180
[ 94.406031] [] ? kmemdup+0x27/0x60
[ 94.406031] [] ? shmem_symlink+0xd4/0x220
[ 94.406031] [] ? vfs_symlink+0x87/0xa0
[ 94.406031] [] ? sys_symlinkat+0xdc/0xf0
[ 94.406031] [] ? system_call_fastpath+0x16/0x1b
[ 94.406031] FIX kmalloc-16: Restoring 0xffff880137dbbc38-0xffff880137dbbc3b=0x6b
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
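As an added example (not part of the report above or of the kernel tree), a small Python parser for the SLUB debug report format shown in the message. It pulls out the cache, the overwritten range, the "Allocated in" / "Freed in" tracks with their ages, and the object hexdump, then reads them the way a triager would: each "age" is jiffies since that event, so a free with a smaller age than the allocation means the object was released first and written to afterwards, which is the use-after-free pattern. The regexes are my assumptions about the layout of this 3.1-era slub_debug output; 0x6b (POISON_FREE) and 0xa5 (POISON_END) are the kernel's poison constants. The sample is the report's own lines, re-joined where the mail wrapped them, with the non-ASCII glyphs in the hexdump's text column replaced by dots.

```python
"""Parse a SLUB 'Poison overwritten' report and summarise the likely use-after-free write."""
import re
from dataclasses import dataclass
from typing import List, Optional

POISON_FREE = 0x6B  # byte SLUB writes over a freed object (include/linux/poison.h)
POISON_END = 0xA5   # byte SLUB writes at the last position of a freed object

# Constructed sample: the report's lines, re-joined where the mail wrapped them.
SAMPLE = """\
[   94.402961] BUG kmalloc-16: Poison overwritten
[   94.403025] INFO: 0xffff880137dbbc38-0xffff880137dbbc3b. First byte 0x0 instead of 0x6b
[   94.403066] INFO: Allocated in drm_vblank_init+0x139/0x260 [drm] age=253 cpu=3 pid=535
[   94.403474] INFO: Freed in drm_vblank_cleanup+0x78/0x90 [drm] age=235 cpu=0 pid=535
[   94.406031] INFO: Slab 0xffffea0004df6e80 objects=23 used=23 fp=0x (null) flags=0x200000000004080
[   94.406031] INFO: Object 0xffff880137dbbc38 @offset=7224 fp=0xffff880137dbb830
[   94.406031] Object 0xffff880137dbbc38: 00 00 00 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  ....kkkkkkkkkkk.
[   94.406031] FIX kmalloc-16: Restoring 0xffff880137dbbc38-0xffff880137dbbc3b=0x6b
"""

# Assumed line layouts for this kernel's slub_debug output.
_TS = r"^\[\s*[\d.]+\]\s*"
_RE_BUG = re.compile(_TS + r"BUG (\S+): (.+)$")
_RE_RANGE = re.compile(_TS + r"INFO: (0x[0-9a-f]+)-(0x[0-9a-f]+)\. First byte (0x[0-9a-f]+) instead of (0x[0-9a-f]+)")
_RE_TRACK = re.compile(_TS + r"INFO: (Allocated|Freed) in (\S+)(?: \[(\w+)\])? age=(\d+) cpu=(\d+) pid=(\d+)")
_RE_OBJECT = re.compile(_TS + r"INFO: Object (0x[0-9a-f]+) @offset=(\d+)")
_RE_DUMP = re.compile(_TS + r"Object (0x[0-9a-f]+): ((?:[0-9a-f]{2} )+)")


@dataclass
class Track:
    site: str      # symbol+offset/size of the allocating or freeing function
    module: str    # module name, "" for built-in code
    age: int       # jiffies since the event; smaller means more recent
    cpu: int
    pid: int


@dataclass
class PoisonReport:
    cache: str = ""
    kind: str = ""
    bad_start: int = 0
    bad_end: int = 0
    seen: int = 0
    expected: int = 0
    obj_addr: int = 0
    obj_offset: int = 0
    dump: bytes = b""
    alloc: Optional[Track] = None
    free: Optional[Track] = None

    @property
    def bad_len(self) -> int:
        """Number of poisoned bytes that were overwritten."""
        return self.bad_end - self.bad_start + 1

    @property
    def bad_offset(self) -> int:
        """Offset of the first overwritten byte inside the object."""
        return self.bad_start - self.obj_addr

    def write_after_free(self) -> bool:
        """True when the free is more recent than the allocation: the object
        was released and then written to (the use-after-free pattern)."""
        return (self.alloc is not None and self.free is not None
                and self.free.age < self.alloc.age)

    def dump_mismatches(self) -> List[int]:
        """Offsets in the hexdump whose byte is not the expected poison value."""
        last = len(self.dump) - 1
        return [i for i, b in enumerate(self.dump)
                if b != (POISON_END if i == last else POISON_FREE)]


def parse_slub_report(text: str) -> PoisonReport:
    """Extract the fields of one SLUB poison report from kernel log text."""
    r = PoisonReport()
    for line in text.splitlines():
        line = line.rstrip()
        if m := _RE_BUG.match(line):
            r.cache, r.kind = m.group(1), m.group(2)
        elif m := _RE_RANGE.match(line):
            r.bad_start, r.bad_end = int(m.group(1), 16), int(m.group(2), 16)
            r.seen, r.expected = int(m.group(3), 16), int(m.group(4), 16)
        elif m := _RE_TRACK.match(line):
            t = Track(m.group(2), m.group(3) or "", int(m.group(4)), int(m.group(5)), int(m.group(6)))
            if m.group(1) == "Allocated":
                r.alloc = t
            else:
                r.free = t
        elif m := _RE_OBJECT.match(line):
            r.obj_addr, r.obj_offset = int(m.group(1), 16), int(m.group(2))
        elif m := _RE_DUMP.match(line):
            r.dump = bytes.fromhex(m.group(2))
    return r


def summarise(r: PoisonReport) -> str:
    """Short triage summary of the parsed report."""
    lines = [f"{r.cache}: {r.kind}, {r.bad_len} byte(s) at object offset {r.bad_offset}"
             f" (saw 0x{r.seen:02x}, expected 0x{r.expected:02x})"]
    if r.alloc:
        lines.append(f"  allocated by {r.alloc.site} [{r.alloc.module}] age={r.alloc.age}")
    if r.free:
        lines.append(f"  freed by     {r.free.site} [{r.free.module}] age={r.free.age}")
    if r.write_after_free():
        lines.append("  verdict: written after free; audit users of the object freed at the site above")
    if r.dump:
        lines.append(f"  hexdump offsets not matching poison: {r.dump_mismatches()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(parse_slub_report(SAMPLE)))
```

Run stand-alone it summarises the report's first finding: 4 bytes at offset 0 of a kmalloc-16 object, allocated in drm_vblank_init and freed 18 jiffies later in drm_vblank_cleanup, with the first four hexdump bytes the only ones not matching the poison pattern. Feeding it the second "Allocated/Freed" pair from the message works the same way; only the sites and ages differ.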