[3.1.4] mm slub memory corruption in drm_vblank_cleanup

David Rientjes rientjes at google.com
Thu Dec 15 01:28:24 PST 2011


On Tue, 13 Dec 2011, batouzo wrote:

> Hello, we were building a 3.1.4 kernel when we noticed BUG()s on bootup.
> 
> After some debugging it seems to be use-after-free memory corruption
> caused by the radeon driver.

That's not what's indicated here; this is the poison value being
overwritten and detected on free.

> With radeon + kms the bug happens around 1 in 3 boot-ups, right after
> the radeon is enabled (with slub debugging) or later with no debug (a few
> seconds later or on shutdown, esp. in rmmod).
> 
> When disabling radeon and KMS the bug was not seen.
> 
> 
> Allocated in drm_vblank_init+0x139/0x260 [drm] + Freed in
> drm_vblank_cleanup+0x78/0x90 [drm]
> Allocated in drm_vblank_init+0xbe/0x260 [drm] + Freed in
> drm_vblank_cleanup+0x48/0x90 [drm]
> 
> It is an AMD Bulldozer computer, with a Radeon card:
> 01:00.0 VGA compatible controller: ATI Technologies Inc Cedar PRO
> [Radeon HD 5450]
> 
> Debian stable. Built with make-kpkg using gcc 4.4.5
> 
> messages: http://pastebin.com/NXN5EPtG
> config used: http://pastebin.com/AeVxEX7c
> 
> The interesting part of the messages linked above is:
> 
> 
> [   94.401991] fb0: radeondrmfb frame buffer device
> [   94.401992] drm: registered panic notifier
> [   94.402033] [drm] Initialized radeon 2.11.0 20080528 for 0000:01:00.0
> on minor 0
> [   94.402921]
> =============================================================================
> [   94.402961] BUG kmalloc-16: Poison overwritten
> [   94.402982]
> -----------------------------------------------------------------------------
> [   94.402983]
> [   94.403025] INFO: 0xffff880137dbbc38-0xffff880137dbbc3b. First byte
> 0x0 instead of 0x6b
> [   94.403066] INFO: Allocated in drm_vblank_init+0x139/0x260 [drm]
> age=253 cpu=3 pid=535
> [   94.403103]  set_track+0x58/0x100
> [   94.403119]  alloc_debug_processing+0x160/0x170
> [   94.403140]  __slab_alloc+0x26d/0x440
> [   94.403160]  drm_vblank_init+0x139/0x260 [drm]
> [   94.403182]  drm_debugfs_create_files+0xcb/0x1a0 [drm]
> [   94.403208]  drm_vblank_init+0x139/0x260 [drm]
> [   94.403228]  __kmalloc+0x100/0x180
> [   94.403247]  drm_vblank_init+0x139/0x260 [drm]
> [   94.403276]  radeon_irq_kms_init+0x6d/0x160 [radeon]
> [   94.403303]  evergreen_init+0x11c/0x2a0 [radeon]
> [   94.403337]  radeon_device_init+0x3c9/0x470 [radeon]
> [   94.403367]  radeon_driver_load_kms+0xad/0x160 [radeon]
> [   94.403394]  drm_get_pci_dev+0x198/0x2c0 [drm]
> [   94.403416]  local_pci_probe+0x55/0xd0
> [   94.403433]  pci_device_probe+0x10a/0x130
> [   94.403453]  driver_sysfs_add+0x72/0xa0
> [   94.403474] INFO: Freed in drm_vblank_cleanup+0x78/0x90 [drm] age=235
> cpu=0 pid=535
> [   94.403508]  set_track+0x58/0x100
> [   94.403524]  free_debug_processing+0x1f3/0x240
> [   94.403545]  __slab_free+0x1a6/0x2b0
> [   94.403562]  native_read_tsc+0x2/0x20
> [   94.403580]  delay_tsc+0x42/0x80
> [   94.403598]  drm_vblank_cleanup+0x78/0x90 [drm]
> [   94.403625]  radeon_irq_kms_fini+0xd/0x60 [radeon]
> [   94.403651]  evergreen_init+0x289/0x2a0 [radeon]
> [   94.403677]  radeon_device_init+0x3c9/0x470 [radeon]
> [   94.403704]  radeon_driver_load_kms+0xad/0x160 [radeon]
> [   94.403731]  drm_get_pci_dev+0x198/0x2c0 [drm]
> [   94.403751]  local_pci_probe+0x55/0xd0
> [   94.403772]  pci_device_probe+0x10a/0x130
> [   94.403791]  driver_sysfs_add+0x72/0xa0
> [   94.404806]  driver_probe_device+0x8e/0x1b0
> [   94.405782]  __driver_attach+0x93/0xa0
> [   94.406031] INFO: Slab 0xffffea0004df6e80 objects=23 used=23 fp=0x
>        (null) flags=0x200000000004080
> [   94.406031] INFO: Object 0xffff880137dbbc38 @offset=7224
> fp=0xffff880137dbb830
> [   94.406031]
> [   94.406031] Bytes b4 0xffff880137dbbc28:  06 0e ff ff 00 00 00 00 5a
> 5a 5a 5a 5a 5a 5a 5a ..??????....ZZZZZZZZ
> [   94.406031]   Object 0xffff880137dbbc38:  00 00 00 00 6b 6b 6b 6b 6b
> 6b 6b 6b 6b 6b 6b a5 ....kkkkkkkkkkk???
> [   94.406031]  Redzone 0xffff880137dbbc48:  bb bb bb bb bb bb bb bb
>                      ????????????????????????
> [   94.406031]  Padding 0xffff880137dbbd88:  5a 5a 5a 5a 5a 5a 5a 5a
>                      ZZZZZZZZ
> [   94.406031] Pid: 466, comm: udevd Not tainted 3.1.4-norm007+dbg #1
> [   94.406031] Call Trace:
> [   94.406031]  [] ? check_bytes_and_report+0x110/0x150
> [   94.406031]  [] ? check_object+0x1fe/0x250
> [   94.406031]  [] ? shmem_symlink+0xd4/0x220
> [   94.406031]  [] ? shmem_symlink+0xd4/0x220
> [   94.406031]  [] ? alloc_debug_processing+0xee/0x170
> [   94.406031]  [] ? __slab_alloc+0x26d/0x440
> [   94.406031]  [] ? shmem_symlink+0xd4/0x220
> [   94.406031]  [] ? inode_init_always+0xfc/0x1b0
> [   94.406031]  [] ? alloc_inode+0x32/0x90
> [   94.406031]  [] ? shmem_symlink+0xd4/0x220
> [   94.406031]  [] ? __kmalloc_track_caller+0xf8/0x180
> [   94.406031]  [] ? kmemdup+0x27/0x60
> [   94.406031]  [] ? shmem_symlink+0xd4/0x220
> [   94.406031]  [] ? vfs_symlink+0x87/0xa0
> [   94.406031]  [] ? sys_symlinkat+0xdc/0xf0
> [   94.406031]  [] ? system_call_fastpath+0x16/0x1b
> [   94.406031] FIX kmalloc-16: Restoring
> 0xffff880137dbbc38-0xffff880137dbbc3b=0x6b

Looks like ->vblank_inmodeset.  Adding David and dri-devel to cc.
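
As an added illustration (not code from this thread or from the kernel), a userspace model in C of the SLUB debug check that produced the report above: a freed object's payload is filled with 0x6b (0xa5 in the last byte), and when the slot is handed out again the allocator looks for the first run of bytes that no longer match, reports it and restores the poison, which is what the "Poison overwritten" / "FIX kmalloc-16: Restoring" lines show. The 16-byte object and the stale u32 store are constructed to match the log; the struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SLUB debug poison bytes as they appear in the report above. */
#define POISON_FREE 0x6b   /* payload of a freed object            */
#define POISON_END  0xa5   /* last payload byte of a freed object  */

struct poison_report {
    size_t first;          /* offset of the first corrupted byte   */
    size_t last;           /* offset of the last byte in that run  */
    unsigned char got;     /* value found at 'first'               */
    unsigned char want;    /* poison byte that was expected there  */
};

static unsigned char expected_byte(size_t size, size_t i) {
    return i == size - 1 ? POISON_END : POISON_FREE;
}

/* Models free_debug_processing(): poison the payload when the object is freed. */
void poison_on_free(unsigned char *obj, size_t size) {
    memset(obj, POISON_FREE, size - 1);
    obj[size - 1] = POISON_END;
}

/* Models check_object()/check_bytes_and_report() on the next allocation:
 * returns 0 if the poison is intact, 1 if a run of bytes was overwritten.
 * Like SLUB, the poison is restored so the slab stays usable ("FIX ..."). */
int check_and_restore_poison(unsigned char *obj, size_t size, struct poison_report *r) {
    size_t i = 0;
    while (i < size && obj[i] == expected_byte(size, i)) i++;
    if (i == size) return 0;                     /* poison intact */
    r->first = i;
    r->got = obj[i];
    r->want = expected_byte(size, i);
    while (i + 1 < size && obj[i + 1] != expected_byte(size, i + 1)) i++;
    r->last = i;                                 /* end of corrupted run */
    for (size_t j = r->first; j <= r->last; j++) obj[j] = expected_byte(size, j);
    return 1;
}

/* Replays the failure pattern from the log (constructed): a u32 written through
 * a pointer that still refers to a freed kmalloc-16 object. */
int replay_stale_write(struct poison_report *r) {
    uint32_t words[4];                           /* 16-byte object, u32-aligned */
    unsigned char *obj = (unsigned char *)words;
    poison_on_free(obj, sizeof words);
    uint32_t *stale = &words[0];                 /* dangling pointer kept after kfree() */
    *stale = 0;                                  /* e.g. a counter reset after the free */
    return check_and_restore_poison(obj, sizeof words, r);
}
```

Running `replay_stale_write` reproduces the shape of the log line: a 4-byte run at offset 0 whose first byte is 0x0 instead of 0x6b.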


More information about the dri-devel mailing list