* 2.6.39-rc6, nouveau: unload trips on freed memory (SLUB poison)
@ 2011-05-05 20:19 Bruno Prémont
2011-05-07 12:45 ` Bruno Prémont
0 siblings, 1 reply; 4+ messages in thread
From: Bruno Prémont @ 2011-05-05 20:19 UTC (permalink / raw)
To: dri-devel, nouveau; +Cc: Ben Skeggs
With 2.6.39-rc6 I'm hitting the following (relevant part from objdump of
drm_mm.o at bottom).
Some part of node passed to drm_mm_remove_node() is being use after free
and hits SLUB poison.
Bruno
[ 328.447498] drm: unregistered panic notifier
[ 328.447648] [drm] nouveau 0000:02:00.0: 0xAFD8: Parsing digital output script table
[ 328.448642] [drm] nouveau 0000:02:00.0: Restoring VGA fonts
[ 328.450949] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown
[ 328.451141] BUG: unable to handle kernel paging request at 6b6b6b6f
[ 328.451275] IP: [<c124d39a>] drm_mm_remove_node+0x5a/0xc0
[ 328.451391] *pde = 00000000
[ 328.451479] Oops: 0002 [#1]
previous Oops was complaint about CAP_SYS_ADMIN versus CAP_SYSLOG
[ 328.451566] last sysfs file: /sys/devices/platform/w83627hf.656/temp3_input
[ 328.451625] Modules linked in: nouveau(-) ttm drm_kms_helper video nfs lockd nfs_acl sunrpc snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm pcspkr snd_timer snd snd_page_alloc
[ 328.452361]
[ 328.452410] Pid: 1740, comm: rmmod Tainted: G W 2.6.39-rc6-jupiter-00001-g443badf-dirty #11 NVIDIA Corporation. nFORCE-MCP/MS-6373
[ 328.452594] EIP: 0060:[<c124d39a>] EFLAGS: 00010202 CPU: 0
[ 328.452650] EIP is at drm_mm_remove_node+0x5a/0xc0
[ 328.452703] EAX: da4dd240 EBX: dcf44be0 ECX: dcf44bd0 EDX: dcf44bd8
[ 328.452759] ESI: 6b6b6b6b EDI: 6b6b6b6b EBP: dd64fdb8 ESP: dd64fdac
[ 328.452815] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 328.452870] Process rmmod (pid: 1740, ti=dd64e000 task=dd7fe120 task.ti=dd64e000)
[ 328.452931] Stack:
[ 328.452978] da4dd240 dcf44bd0 da4dd150 dd64fdc8 c124d417 dbebfb04 00000000 dd64fdd4
[ 328.453360] deb9f281 00000090 dd64fde0 deb99853 dbebfad0 dd64fdf0 deb99b5e dbf00148
[ 328.453717] dbebfad0 dd64fe18 deb9beed 00000000 00000000 def5e632 00004d98 00000000
[ 328.454099] Call Trace:
[ 328.454153] [<c124d417>] drm_mm_put_block+0x17/0x50
[ 328.454223] [<deb9f281>] ttm_bo_man_put_node+0x11/0x20 [ttm]
[ 328.454283] [<deb99853>] ttm_bo_mem_put+0x23/0x30 [ttm]
[ 328.454364] [<deb99b5e>] ttm_bo_cleanup_memtype_use+0x2e/0x60 [ttm]
[ 328.454425] [<deb9beed>] ttm_bo_release+0x17d/0x1b0 [ttm]
[ 328.454516] [<def5e632>] ? nouveau_gpuobj_takedown+0x92/0x100 [nouveau]
[ 328.454578] [<deb9bd70>] ? ttm_bo_create+0xf0/0xf0 [ttm]
[ 328.454639] [<c11bd8ec>] kref_put+0x2c/0x60
[ 328.454697] [<deb99aa8>] ttm_bo_unref+0x18/0x20 [ttm]
[ 328.454762] [<def5dd77>] nouveau_mem_vram_fini+0x37/0xa0 [nouveau]
[ 328.454829] [<def59c85>] nouveau_unload+0xd5/0x150 [nouveau]
[ 328.454888] [<c1248e03>] drm_put_dev+0xb3/0x1c0
[ 328.454953] [<def59010>] nouveau_pci_remove+0x10/0x20 [nouveau]
[ 328.455010] [<c11d0baf>] pci_device_remove+0x3f/0xf0
[ 328.455070] [<c12611cb>] __device_release_driver+0x4b/0xa0
[ 328.455126] [<c1261297>] driver_detach+0x77/0x80
[ 328.455181] [<c126057b>] bus_remove_driver+0x5b/0xa0
[ 328.455236] [<c1261ae6>] driver_unregister+0x46/0x80
[ 328.455314] [<c110087f>] ? sysfs_remove_file+0xf/0x20
[ 328.455369] [<c11d0e4a>] pci_unregister_driver+0x2a/0x70
[ 328.455438] [<c124acaf>] drm_pci_exit+0x7f/0x90
[ 328.455506] [<defd5f17>] nouveau_exit+0x1b/0x22 [nouveau]
[ 328.455564] [<c105cdbb>] sys_delete_module+0x19b/0x1f0
[ 328.455622] [<c10a42d2>] ? do_munmap+0x212/0x2f0
[ 328.455678] [<c13971d7>] sysenter_do_call+0x12/0x26
[ 328.455731] Code: 8b 70 08 8b 58 0c 89 5e 04 89 33 c7 40 08 00 01 10 00 c7 40 0c 00 02 20 00 0f b6 5a 10 f6 c3 01 74 57 8b 7a 08 8b 72 0c 8d 5a 08
[ 328.457446] 77 04 89 3e 8b 31 89 5e 04 89 72 08 89 4a 0c 89 19 8b 08 8b
[ 328.458342] EIP: [<c124d39a>] drm_mm_remove_node+0x5a/0xc0 SS:ESP 0068:dd64fdac
[ 328.458481] CR2: 000000006b6b6b6f
[ 328.459085] ---[ end trace cb7019e5756bd7f0 ]---
[ 502.313511] =============================================================================
[ 502.313597] BUG kmalloc-96: Poison overwritten
[ 502.313650] -----------------------------------------------------------------------------
[ 502.313653]
[ 502.313774] INFO: 0xdcf44bd0-0xdcf44bd7. First byte 0xd0 instead of 0x6b
[ 502.313832] INFO: Slab 0xddfce880 objects=36 used=26 fp=0xdcf44bd0 flags=0x400000c0
[ 502.313895] INFO: Object 0xdcf44bd0 @offset=3024 fp=0xdcf44e00
[ 502.313897]
[ 502.313995] Bytes b4 0xdcf44bc0: cc cc cc cc d0 4b f4 dc 5a 5a 5a 5a 5a 5a 5a 5a <CC><CC><CC><CC><D0>K<F4><DC>ZZZZZZZZ
[ 502.314708] Object 0xdcf44bd0: d0 4b f4 dc d0 4b f4 dc 6b 6b 6b 6b 6b 6b 6b 6b <D0>K<F4><DC><D0>K<F4><DC>kkkkkkkk
[ 502.315417] Object 0xdcf44be0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 502.316134] Object 0xdcf44bf0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 502.316852] Object 0xdcf44c00: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 502.317570] Object 0xdcf44c10: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 502.318286] Object 0xdcf44c20: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk<A5>
[ 502.319014] Redzone 0xdcf44c30: bb bb bb bb <BB><BB><BB><BB>
[ 502.319724] Padding 0xdcf44c38: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
[ 502.320004] Pid: 1750, comm: agetty Tainted: G D W 2.6.39-rc6-jupiter-00001-g443badf-dirty #11
[ 502.320004] Call Trace:
[ 502.320004] [<c10afe33>] print_trailer+0xe3/0x130
[ 502.320004] [<c10b0244>] check_bytes_and_report+0xc4/0x100
[ 502.320004] [<c10b1277>] check_object+0x1c7/0x210
[ 502.320004] [<c10b1752>] alloc_debug_processing+0xc2/0x140
[ 502.320004] [<c10b1942>] T.1001+0x172/0x1a0
[ 502.320004] [<c10f8b31>] ? __proc_create+0x81/0x110
[ 502.320004] [<c10f8b31>] ? __proc_create+0x81/0x110
[ 502.320004] [<c10b1d60>] __kmalloc+0x180/0x1a0
[ 502.320004] [<c10f8b31>] ? __proc_create+0x81/0x110
[ 502.320004] [<c10f8b31>] __proc_create+0x81/0x110
[ 502.320004] [<c10f92f3>] proc_mkdir_mode+0x23/0x50
[ 502.320004] [<c10f932f>] proc_mkdir+0xf/0x20
[ 502.320004] [<c106a229>] register_handler_proc+0xd9/0xf0
[ 502.320004] [<c1068063>] __setup_irq+0x1e3/0x330
[ 502.320004] [<c10b1b0c>] ? kmem_cache_alloc_trace+0x9c/0xf0
[ 502.320004] [<c10688eb>] ? request_threaded_irq+0x7b/0x120
[ 502.320004] [<c1237b60>] ? serial8250_handle_port+0x2c0/0x2c0
[ 502.320004] [<c106892e>] request_threaded_irq+0xbe/0x120
[ 502.320004] [<c1236681>] serial8250_startup+0x5c1/0x600
[ 502.320004] [<c1233114>] uart_startup+0x44/0x130
[ 502.320004] [<c12332f5>] uart_open+0xf5/0x180
[ 502.320004] [<c121ea9a>] tty_open+0x1fa/0x490
[ 502.320004] [<c10bbff6>] chrdev_open+0xa6/0x190
[ 502.320004] [<c10b7733>] __dentry_open+0x103/0x2a0
[ 502.320004] [<c10b79b6>] nameidata_to_filp+0x66/0x80
[ 502.320004] [<c10bbf50>] ? register_chrdev_region+0xa0/0xa0
[ 502.320004] [<c10c3150>] do_last+0x1a0/0x700
[ 502.320004] [<c10c42c2>] path_openat+0x92/0x320
[ 502.320004] [<c10b02b8>] ? init_object+0x38/0x70
[ 502.320004] [<c10c4630>] do_filp_open+0x30/0x80
[ 502.320004] [<c10ce572>] ? alloc_fd+0x62/0xe0
[ 502.320004] [<c10c2741>] ? getname_flags+0x61/0xe0
[ 502.320004] [<c10b87ed>] do_sys_open+0xed/0x1e0
[ 502.320004] [<c10b8949>] sys_open+0x29/0x40
[ 502.320004] [<c13971d7>] sysenter_do_call+0x12/0x26
[ 502.320004] FIX kmalloc-96: Restoring 0xdcf44bd0-0xdcf44bd7=0x6b
[ 502.320004]
[ 502.320004] FIX kmalloc-96: Marking all objects used
00000720 <drm_mm_remove_node>:
/**
* Remove a memory node from the allocator.
*/
void drm_mm_remove_node(struct drm_mm_node *node)
{
720: 55 push %ebp
struct drm_mm *mm = node->mm;
721: 8b 48 1c mov 0x1c(%eax),%ecx
/**
* Remove a memory node from the allocator.
*/
void drm_mm_remove_node(struct drm_mm_node *node)
{
724: 89 e5 mov %esp,%ebp
726: 57 push %edi
727: 56 push %esi
728: 53 push %ebx
struct drm_mm *mm = node->mm;
struct drm_mm_node *prev_node;
BUG_ON(node->scanned_block || node->scanned_prev_free
729: 0f b6 58 10 movzbl 0x10(%eax),%ebx
72d: f6 c3 0e test $0xe,%bl
730: 0f 85 9d 00 00 00 jne 7d3 <drm_mm_remove_node+0xb3>
|| node->scanned_next_free);
prev_node =
list_entry(node->node_list.prev, struct drm_mm_node, node_list);
if (node->hole_follows) {
736: 83 e3 01 and $0x1,%ebx
BUG_ON(node->scanned_block || node->scanned_prev_free
|| node->scanned_next_free);
prev_node =
list_entry(node->node_list.prev, struct drm_mm_node, node_list);
739: 8b 50 04 mov 0x4(%eax),%edx
if (node->hole_follows) {
73c: 74 72 je 7b0 <drm_mm_remove_node+0x90>
}
static inline unsigned long drm_mm_hole_node_end(struct drm_mm_node *hole_node)
{
struct drm_mm_node *next_node =
list_entry(hole_node->node_list.next, struct drm_mm_node,
73e: 8b 30 mov (%eax),%esi
prev_node =
list_entry(node->node_list.prev, struct drm_mm_node, node_list);
if (node->hole_follows) {
BUG_ON(drm_mm_hole_node_start(node)
740: 8b 58 18 mov 0x18(%eax),%ebx
743: 03 58 14 add 0x14(%eax),%ebx
}
static inline unsigned long drm_mm_hole_node_end(struct drm_mm_node *hole_node)
{
struct drm_mm_node *next_node =
list_entry(hole_node->node_list.next, struct drm_mm_node,
746: 3b 5e 14 cmp 0x14(%esi),%ebx
749: 0f 84 88 00 00 00 je 7d7 <drm_mm_remove_node+0xb7>
__list_del(entry->prev, entry->next);
}
static inline void list_del(struct list_head *entry)
{
__list_del(entry->prev, entry->next);
74f: 8b 70 08 mov 0x8(%eax),%esi
752: 8b 58 0c mov 0xc(%eax),%ebx
* This is only for internal list manipulation where we know
* the prev/next entries already!
*/
static inline void __list_del(struct list_head * prev, struct list_head * next)
{
next->prev = prev;
755: 89 5e 04 mov %ebx,0x4(%esi)
prev->next = next;
758: 89 33 mov %esi,(%ebx)
}
static inline void list_del(struct list_head *entry)
{
__list_del(entry->prev, entry->next);
entry->next = LIST_POISON1;
75a: c7 40 08 00 01 10 00 movl $0x100100,0x8(%eax)
entry->prev = LIST_POISON2;
761: c7 40 0c 00 02 20 00 movl $0x200200,0xc(%eax)
list_del(&node->hole_stack);
} else
BUG_ON(drm_mm_hole_node_start(node)
!= drm_mm_hole_node_end(node));
if (!prev_node->hole_follows) {
768: 0f b6 5a 10 movzbl 0x10(%edx),%ebx
76c: f6 c3 01 test $0x1,%bl
76f: 74 57 je 7c8 <drm_mm_remove_node+0xa8>
* in an undefined state.
*/
#ifndef CONFIG_DEBUG_LIST
static inline void __list_del_entry(struct list_head *entry)
{
__list_del(entry->prev, entry->next);
771: 8b 7a 08 mov 0x8(%edx),%edi
774: 8b 72 0c mov 0xc(%edx),%esi
prev_node->hole_follows = 1;
list_add(&prev_node->hole_stack, &mm->hole_stack);
} else
list_move(&prev_node->hole_stack, &mm->hole_stack);
777: 8d 5a 08 lea 0x8(%edx),%ebx
* This is only for internal list manipulation where we know
* the prev/next entries already!
*/
static inline void __list_del(struct list_head * prev, struct list_head * next)
{
next->prev = prev;
77a: 89 77 04 mov %esi,0x4(%edi)
prev->next = next;
77d: 89 3e mov %edi,(%esi)
* Insert a new entry after the specified head.
* This is good for implementing stacks.
*/
static inline void list_add(struct list_head *new, struct list_head *head)
{
__list_add(new, head, head->next);
77f: 8b 31 mov (%ecx),%esi
#ifndef CONFIG_DEBUG_LIST
static inline void __list_add(struct list_head *new,
struct list_head *prev,
struct list_head *next)
{
next->prev = new;
781: 89 5e 04 mov %ebx,0x4(%esi)
new->next = next;
784: 89 72 08 mov %esi,0x8(%edx)
new->prev = prev;
787: 89 4a 0c mov %ecx,0xc(%edx)
prev->next = new;
78a: 89 19 mov %ebx,(%ecx)
__list_del(entry->prev, entry->next);
}
static inline void list_del(struct list_head *entry)
{
__list_del(entry->prev, entry->next);
78c: 8b 08 mov (%eax),%ecx
78e: 8b 50 04 mov 0x4(%eax),%edx
* This is only for internal list manipulation where we know
* the prev/next entries already!
*/
static inline void __list_del(struct list_head * prev, struct list_head * next)
{
next->prev = prev;
791: 89 51 04 mov %edx,0x4(%ecx)
prev->next = next;
794: 89 0a mov %ecx,(%edx)
list_del(&node->node_list);
node->allocated = 0;
}
796: 5b pop %ebx
797: 5e pop %esi
}
static inline void list_del(struct list_head *entry)
{
__list_del(entry->prev, entry->next);
entry->next = LIST_POISON1;
798: c7 00 00 01 10 00 movl $0x100100,(%eax)
entry->prev = LIST_POISON2;
79e: c7 40 04 00 02 20 00 movl $0x200200,0x4(%eax)
list_add(&prev_node->hole_stack, &mm->hole_stack);
} else
list_move(&prev_node->hole_stack, &mm->hole_stack);
list_del(&node->node_list);
node->allocated = 0;
7a5: 80 60 10 df andb $0xdf,0x10(%eax)
}
7a9: 5f pop %edi
7aa: c9 leave
7ab: c3 ret
7ac: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
}
static inline unsigned long drm_mm_hole_node_end(struct drm_mm_node *hole_node)
{
struct drm_mm_node *next_node =
list_entry(hole_node->node_list.next, struct drm_mm_node,
7b0: 8b 30 mov (%eax),%esi
if (node->hole_follows) {
BUG_ON(drm_mm_hole_node_start(node)
== drm_mm_hole_node_end(node));
list_del(&node->hole_stack);
} else
BUG_ON(drm_mm_hole_node_start(node)
7b2: 8b 58 18 mov 0x18(%eax),%ebx
7b5: 03 58 14 add 0x14(%eax),%ebx
}
static inline unsigned long drm_mm_hole_node_end(struct drm_mm_node *hole_node)
{
struct drm_mm_node *next_node =
list_entry(hole_node->node_list.next, struct drm_mm_node,
7b8: 3b 5e 14 cmp 0x14(%esi),%ebx
7bb: 74 ab je 768 <drm_mm_remove_node+0x48>
if (node->hole_follows) {
BUG_ON(drm_mm_hole_node_start(node)
== drm_mm_hole_node_end(node));
list_del(&node->hole_stack);
} else
BUG_ON(drm_mm_hole_node_start(node)
7bd: 0f 0b ud2a
7bf: eb fe jmp 7bf <drm_mm_remove_node+0x9f>
7c1: 8d b4 26 00 00 00 00 lea 0x0(%esi,%eiz,1),%esi
!= drm_mm_hole_node_end(node));
if (!prev_node->hole_follows) {
prev_node->hole_follows = 1;
7c8: 83 cb 01 or $0x1,%ebx
7cb: 88 5a 10 mov %bl,0x10(%edx)
list_add(&prev_node->hole_stack, &mm->hole_stack);
7ce: 8d 5a 08 lea 0x8(%edx),%ebx
7d1: eb ac jmp 77f <drm_mm_remove_node+0x5f>
void drm_mm_remove_node(struct drm_mm_node *node)
{
struct drm_mm *mm = node->mm;
struct drm_mm_node *prev_node;
BUG_ON(node->scanned_block || node->scanned_prev_free
7d3: 0f 0b ud2a
7d5: eb fe jmp 7d5 <drm_mm_remove_node+0xb5>
prev_node =
list_entry(node->node_list.prev, struct drm_mm_node, node_list);
if (node->hole_follows) {
BUG_ON(drm_mm_hole_node_start(node)
7d7: 0f 0b ud2a
7d9: eb fe jmp 7d9 <drm_mm_remove_node+0xb9>
7db: 90 nop
7dc: 8d 74 26 00 lea 0x0(%esi,%eiz,1),%esi
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: 2.6.39-rc6, nouveau: unload trips on freed memory (SLUB poison)
2011-05-05 20:19 2.6.39-rc6, nouveau: unload trips on freed memory (SLUB poison) Bruno Prémont
@ 2011-05-07 12:45 ` Bruno Prémont
[not found] ` <20110507144519.12cb3d4f-hY15tx4IgV39zxVx7UNMDg@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Bruno Prémont @ 2011-05-07 12:45 UTC (permalink / raw)
To: Daniel Vetter; +Cc: nouveau, Dave, Ben Skeggs, dri-devel
On Thu, 05 May 2011 Bruno Prémont <bonbons@linux-vserver.org> wrote:
> With 2.6.39-rc6 I'm hitting the following (relevant part from objdump of
> drm_mm.o at bottom).
> Some part of node passed to drm_mm_remove_node() is being use after free
> and hits SLUB poison.
>
> Bruno
>
>
> [ 328.447498] drm: unregistered panic notifier
> [ 328.447648] [drm] nouveau 0000:02:00.0: 0xAFD8: Parsing digital output script table
> [ 328.448642] [drm] nouveau 0000:02:00.0: Restoring VGA fonts
> [ 328.450949] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown
Here is the trace to the erroring drm_mm_takedown() call:
[ 95.486464] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown
[ 95.486585] ------------[ cut here ]------------
[ 95.486640] kernel BUG at /usr/src/linux-2.6/drivers/gpu/drm/drm_mm.c:628!
[ 95.486697] invalid opcode: 0000 [#1]
[ 95.486805] last sysfs file: /sys/devices/platform/w83627hf.656/temp3_input
[ 95.486862] Modules linked in: nouveau(-) fbcon tileblit font ttm bitblit softcursor drm_kms_helper drm fb fbdev i2c_algo_bit cfbcopyarea video cfbimgblt cfbfillrect nfs lockd nfs_acl sunrpc snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer snd snd_page_alloc pcspkr
[ 95.488061]
[ 95.488121] Pid: 1714, comm: rmmod Tainted: G W 2.6.39-rc6-jupiter-00001-g443badf-dirty #13 NVIDIA Corporation. nFORCE-MCP/MS-6373
[ 95.488306] EIP: 0060:[<deb52e0c>] EFLAGS: 00010292 CPU: 0
[ 95.488397] EIP is at drm_mm_takedown+0x7c/0x80 [drm]
[ 95.488451] EAX: 0000005f EBX: da148620 ECX: fffffed5 EDX: 00000000
[ 95.488508] ESI: da148620 EDI: 00000090 EBP: dbc47e18 ESP: dbc47e04
[ 95.488563] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 95.488631] Process rmmod (pid: 1714, ti=dbc46000 task=dd446470 task.ti=dbc46000)
[ 95.488693] Stack:
[ 95.488740] deb62a24 deb5c8ab da148620 da0001e8 00000090 dbc47e28 dec5934b da000148
[ 95.489099] da0001d8 dbc47e44 dec550eb dbc47e44 def998cb da204820 da000000 da000000
[ 95.489469] dbc47e64 def6dc51 deb5c280 da000148 da204830 da204820 dd5270c0 dd5271d8
[ 95.489839] Call Trace:
[ 95.489907] [<dec5934b>] ttm_bo_man_takedown+0x2b/0x50 [ttm]
[ 95.489968] [<dec550eb>] ttm_bo_clean_mm+0x5b/0xa0 [ttm]
[ 95.490063] [<def998cb>] ? nv10_fb_takedown+0x2b/0x50 [nouveau]
[ 95.490130] [<def6dc51>] nouveau_unload+0xa1/0x150 [nouveau]
[ 95.490198] [<deb4ec33>] drm_put_dev+0xb3/0x1c0 [drm]
[ 95.490263] [<def6d010>] nouveau_pci_remove+0x10/0x20 [nouveau]
[ 95.490325] [<c11d0baf>] pci_device_remove+0x3f/0xf0
[ 95.490384] [<c123b6ab>] __device_release_driver+0x4b/0xa0
[ 95.490424] [<c123b777>] driver_detach+0x77/0x80
[ 95.490424] [<c123aa5b>] bus_remove_driver+0x5b/0xa0
[ 95.490424] [<c123bfc6>] driver_unregister+0x46/0x80
[ 95.490424] [<c110087f>] ? sysfs_remove_file+0xf/0x20
[ 95.490424] [<c11d0e4a>] pci_unregister_driver+0x2a/0x70
[ 95.490424] [<deb50adf>] drm_pci_exit+0x7f/0x90 [drm]
[ 95.490424] [<defe9f17>] nouveau_exit+0x1b/0x22 [nouveau]
[ 95.490424] [<c105cdbb>] sys_delete_module+0x19b/0x1f0
[ 95.490424] [<c10a42d2>] ? do_munmap+0x212/0x2f0
[ 95.490424] [<c1370bd7>] sysenter_do_call+0x12/0x26
[ 95.490424] Code: 75 d5 85 c9 75 0d 83 c4 08 5b 5e 5f c9 c3 8b 4e 30 eb ef 0f 0b eb fe c7 44 24 04 ab c8 b5 de c7 04 24 24 2a b6 de e8 75 bc 81 e2 <0f> 0b eb fe 55 89 e5 56 53 8b 58 1c ff 4b 48 0f b6 50 10 f6 c2
[ 95.490424] EIP: [<deb52e0c>] drm_mm_takedown+0x7c/0x80 [drm] SS:ESP 0068:dbc47e04
[ 95.494410] ---[ end trace ea6b63472f535569 ]---
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] drm/nouveau: release vga_ram allocation before tearing down mm's
[not found] ` <20110507144519.12cb3d4f-hY15tx4IgV39zxVx7UNMDg@public.gmane.org>
@ 2011-05-07 16:03 ` Daniel Vetter
[not found] ` <1304784207-18456-1-git-send-email-daniel.vetter-/w4YWyX8dFk@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Daniel Vetter @ 2011-05-07 16:03 UTC (permalink / raw)
To: Ben Skeggs
Cc: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
bonbons-ud5FBsm0p/xEiooADzr8i9i2O/JbrIOy,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
Otherwise we have a use-after free.
Tested-and-Reported-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
drivers/gpu/drm/nouveau/nouveau_mem.c | 2 --
drivers/gpu/drm/nouveau/nouveau_state.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c
index 5045f8b..c3e953b 100644
--- a/drivers/gpu/drm/nouveau/nouveau_mem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
@@ -152,8 +152,6 @@ nouveau_mem_vram_fini(struct drm_device *dev)
{
struct drm_nouveau_private *dev_priv = dev->dev_private;
- nouveau_bo_ref(NULL, &dev_priv->vga_ram);
-
ttm_bo_device_release(&dev_priv->ttm.bdev);
nouveau_ttm_global_release(dev_priv);
diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c
index a30adec..1fe6503 100644
--- a/drivers/gpu/drm/nouveau/nouveau_state.c
+++ b/drivers/gpu/drm/nouveau/nouveau_state.c
@@ -768,6 +768,8 @@ static void nouveau_card_takedown(struct drm_device *dev)
engine->mc.takedown(dev);
engine->display.late_takedown(dev);
+ nouveau_bo_ref(NULL, &dev_priv->vga_ram);
+
mutex_lock(&dev->struct_mutex);
ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM);
ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);
--
1.7.5.1
_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] drm/nouveau: release vga_ram allocation before tearing down mm's
[not found] ` <1304784207-18456-1-git-send-email-daniel.vetter-/w4YWyX8dFk@public.gmane.org>
@ 2011-05-08 22:39 ` Ben Skeggs
0 siblings, 0 replies; 4+ messages in thread
From: Ben Skeggs @ 2011-05-08 22:39 UTC (permalink / raw)
To: Daniel Vetter
Cc: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW,
bonbons-ud5FBsm0p/xEiooADzr8i9i2O/JbrIOy,
dri-devel-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
On Sat, 2011-05-07 at 18:03 +0200, Daniel Vetter wrote:
> Otherwise we have a use-after free.
>
> Tested-and-Reported-by: Bruno Prémont <bonbons@linux-vserver.org>
> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Ah, we actually have a patch in the nouveau git tree fixing this
already.
I'll get this upstream ASAP.
Ben.
> ---
> drivers/gpu/drm/nouveau/nouveau_mem.c | 2 --
> drivers/gpu/drm/nouveau/nouveau_state.c | 2 ++
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_mem.c b/drivers/gpu/drm/nouveau/nouveau_mem.c
> index 5045f8b..c3e953b 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_mem.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_mem.c
> @@ -152,8 +152,6 @@ nouveau_mem_vram_fini(struct drm_device *dev)
> {
> struct drm_nouveau_private *dev_priv = dev->dev_private;
>
> - nouveau_bo_ref(NULL, &dev_priv->vga_ram);
> -
> ttm_bo_device_release(&dev_priv->ttm.bdev);
>
> nouveau_ttm_global_release(dev_priv);
> diff --git a/drivers/gpu/drm/nouveau/nouveau_state.c b/drivers/gpu/drm/nouveau/nouveau_state.c
> index a30adec..1fe6503 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_state.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_state.c
> @@ -768,6 +768,8 @@ static void nouveau_card_takedown(struct drm_device *dev)
> engine->mc.takedown(dev);
> engine->display.late_takedown(dev);
>
> + nouveau_bo_ref(NULL, &dev_priv->vga_ram);
> +
> mutex_lock(&dev->struct_mutex);
> ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_VRAM);
> ttm_bo_clean_mm(&dev_priv->ttm.bdev, TTM_PL_TT);
_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-05-08 22:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-05-05 20:19 2.6.39-rc6, nouveau: unload trips on freed memory (SLUB poison) Bruno Prémont
2011-05-07 12:45 ` Bruno Prémont
[not found] ` <20110507144519.12cb3d4f-hY15tx4IgV39zxVx7UNMDg@public.gmane.org>
2011-05-07 16:03 ` [PATCH] drm/nouveau: release vga_ram allocation before tearing down mm's Daniel Vetter
[not found] ` <1304784207-18456-1-git-send-email-daniel.vetter-/w4YWyX8dFk@public.gmane.org>
2011-05-08 22:39 ` Ben Skeggs
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.