2.6.39-rc6, nouveau: unload trips on freed memory (SLUB poison)

Bruno Prémont bonbons at linux-vserver.org
Sat May 7 05:45:19 PDT 2011 

On Thu, 05 May 2011 Bruno Prémont <bonbons at linux-vserver.org> wrote:
> With 2.6.39-rc6 I'm hitting the following (relevant part from objdump of
> drm_mm.o at bottom).
> Some part of node passed to drm_mm_remove_node() is being use after free
> and hits SLUB poison.
> 
> Bruno
> 
> 
> [  328.447498] drm: unregistered panic notifier
> [  328.447648] [drm] nouveau 0000:02:00.0: 0xAFD8: Parsing digital output script table
> [  328.448642] [drm] nouveau 0000:02:00.0: Restoring VGA fonts
> [  328.450949] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown

Here is the trace to the erroring drm_mm_takedown() call:

[   95.486464] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown
[   95.486585] ------------[ cut here ]------------
[   95.486640] kernel BUG at /usr/src/linux-2.6/drivers/gpu/drm/drm_mm.c:628!
[   95.486697] invalid opcode: 0000 [#1] 
[   95.486805] last sysfs file: /sys/devices/platform/w83627hf.656/temp3_input
[   95.486862] Modules linked in: nouveau(-) fbcon tileblit font ttm bitblit softcursor drm_kms_helper drm fb fbdev i2c_algo_bit cfbcopyarea video cfbimgblt cfbfillrect nfs lockd nfs_acl sunrpc snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer snd snd_page_alloc pcspkr
[   95.488061] 
[   95.488121] Pid: 1714, comm: rmmod Tainted: G        W   2.6.39-rc6-jupiter-00001-g443badf-dirty #13 NVIDIA Corporation. nFORCE-MCP/MS-6373
[   95.488306] EIP: 0060:[<deb52e0c>] EFLAGS: 00010292 CPU: 0
[   95.488397] EIP is at drm_mm_takedown+0x7c/0x80 [drm]
[   95.488451] EAX: 0000005f EBX: da148620 ECX: fffffed5 EDX: 00000000
[   95.488508] ESI: da148620 EDI: 00000090 EBP: dbc47e18 ESP: dbc47e04
[   95.488563]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[   95.488631] Process rmmod (pid: 1714, ti=dbc46000 task=dd446470 task.ti=dbc46000)
[   95.488693] Stack:
[   95.488740]  deb62a24 deb5c8ab da148620 da0001e8 00000090 dbc47e28 dec5934b da000148
[   95.489099]  da0001d8 dbc47e44 dec550eb dbc47e44 def998cb da204820 da000000 da000000
[   95.489469]  dbc47e64 def6dc51 deb5c280 da000148 da204830 da204820 dd5270c0 dd5271d8
[   95.489839] Call Trace:
[   95.489907]  [<dec5934b>] ttm_bo_man_takedown+0x2b/0x50 [ttm]
[   95.489968]  [<dec550eb>] ttm_bo_clean_mm+0x5b/0xa0 [ttm]
[   95.490063]  [<def998cb>] ? nv10_fb_takedown+0x2b/0x50 [nouveau]
[   95.490130]  [<def6dc51>] nouveau_unload+0xa1/0x150 [nouveau]
[   95.490198]  [<deb4ec33>] drm_put_dev+0xb3/0x1c0 [drm]
[   95.490263]  [<def6d010>] nouveau_pci_remove+0x10/0x20 [nouveau]
[   95.490325]  [<c11d0baf>] pci_device_remove+0x3f/0xf0
[   95.490384]  [<c123b6ab>] __device_release_driver+0x4b/0xa0
[   95.490424]  [<c123b777>] driver_detach+0x77/0x80
[   95.490424]  [<c123aa5b>] bus_remove_driver+0x5b/0xa0
[   95.490424]  [<c123bfc6>] driver_unregister+0x46/0x80
[   95.490424]  [<c110087f>] ? sysfs_remove_file+0xf/0x20
[   95.490424]  [<c11d0e4a>] pci_unregister_driver+0x2a/0x70
[   95.490424]  [<deb50adf>] drm_pci_exit+0x7f/0x90 [drm]
[   95.490424]  [<defe9f17>] nouveau_exit+0x1b/0x22 [nouveau]
[   95.490424]  [<c105cdbb>] sys_delete_module+0x19b/0x1f0
[   95.490424]  [<c10a42d2>] ? do_munmap+0x212/0x2f0
[   95.490424]  [<c1370bd7>] sysenter_do_call+0x12/0x26
[   95.490424] Code: 75 d5 85 c9 75 0d 83 c4 08 5b 5e 5f c9 c3 8b 4e 30 eb ef 0f 0b eb fe c7 44 24 04 ab c8 b5 de c7 04 24 24 2a b6 de e8 75 bc 81 e2 <0f> 0b eb fe 55 89 e5 56 53 8b 58 1c ff 4b 48 0f b6 50 10 f6 c2 
[   95.490424] EIP: [<deb52e0c>] drm_mm_takedown+0x7c/0x80 [drm] SS:ESP 0068:dbc47e04
[   95.494410] ---[ end trace ea6b63472f535569 ]---

More information about the dri-devel mailing list