Donnie Berkholz wrote:

> You might like to follow https://bugs.freedesktop.org/show_bug.cgi?id=943.

I'm now stuck again with a strange crash.  DRI clients
such as glxgears and glxinfo crash inside malloc(),
probably due to memory corruption:

---cut---
 #0  0x006dec48 in _int_malloc () from /lib/libc.so.6
 #1  0x006e06f2 in malloc () from /lib/libc.so.6
 #2  0xf7f8165c in drmMalloc (size=512) at 
../../../../r300_driver/drm.newioctl32/libdrm32/xf86drm.c:158
 #3  0xf7f82d60 in drmMapBufs (fd=7) at 
../../../../r300_driver/drm.newioctl32/libdrm32/xf86drm.c:1150
 #4  0xf7d203e1 in radeonCreateScreen (sPriv=0x8056168) at radeon_screen.c:502
 #5  0xf7d208b0 in radeonInitDriver (sPriv=0x8056168) at radeon_screen.c:653
 #6  0xf7d1c497 in __driUtilCreateNewScreen (dpy=0x804c008, scrn=0, 
psc=0x8054ed8, modes=0x0, ddx_version=0xffffb500,
---cut---


My feeling is this corruption might be caused by the kernel
stomping over user memory somewhere within ioctl32():

---cut---
 ioctl(4, 0xc0086451, 0xffffcf44)        = 0
 ioctl(4, 0xc0086451, 0xffffcf44)        = 0
 ioctl(4, 0xc0086451, 0xffffcf44)        = 0
 mmap2(NULL, 524288, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0x80000) = 
0xffffffffefc49000
 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0x1000) = 
0xffffffffefc48000
 ioctl(4, 0xc00c6419, 0xffffcef4)        = 0
 ioctl(4, 0xc00c6419, 0xffffcef4)        = 0
 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
 +++ killed by SIGSEGV +++
---cut---

(fd 4 is the card device)

I've tracked the last two ioctl() calls to drm_ioctl32.c:drm_buf_map_32_64(),
which I've instrumented with a few printk's, like so:

---cut---
 /*
  * 32-bit compat wrapper for the DRM buffer-map ioctl (drm_buf_map_t), as
  * posted for debugging: the "bernie:" printk lines are instrumentation,
  * not part of the real handler.  The 32-bit request is unpacked into a
  * 64-bit one, the native ioctl is invoked, and the resulting list of
  * mapped buffers is translated back into the caller's 32-bit layout.
  *
  * The DECLARE_ARG32, K_ALLOC, SYS_IOCTL, GET_USER and PUT_USER_ARG
  * helper macros are defined elsewhere in drm_ioctl32.c and are not shown
  * in this listing; the comments below describe only what is visible here.
  *
  * Returns 0 on success, -EFAULT on a user-copy or allocation failure, or
  * whatever error the native ioctl reported.
  */
 static int
 drm_buf_map_32_64(unsigned int fd, unsigned cmd,
                   unsigned long arg, struct file *file)
 {
    DECLARE_ARG32(drm32_buf_map_t);
    DECLARE_ARG64_NOALLOC(drm_buf_map_t);
    int err = 0;
    drm32_buf_pub_t __user *list32;        /* caller's 32-bit output array */
    drm_buf_pub_t __IOCTL32_USER *list64;  /* kernel-side 64-bit scratch copy */
    int i, count, tmp_count;
    u64 tmp;
    DUMMY_ARG;
    DUMMY_ARG_P;
    OLD_FS;

    printk(KERN_DEBUG "bernie: drm_buf_map_32_64: %d, %x, %lx, %p\n", fd, cmd, 
arg, file);

    /* count is user-controlled.  Only the sign is checked here; no upper
     * bound is applied before it sizes the K_ALLOC below, so an oversized
     * count can only fail at allocation time (reported as -EFAULT). */
    if (get_user(count,& ARG32(count)) || count < 0) return -EFAULT;

    /* The caller's 32-bit list pointer is widened via a u64 before use. */
    if (get_user(tmp,&ARG32(list))) return -EFAULT;
    list32 = (drm32_buf_pub_t __user *) tmp;

    printk(KERN_DEBUG "bernie: count=%d\n", count);
    /* Scratch array the native handler is expected to fill.  Nothing
     * visible here zeroes it: if the native ioctl fills fewer than
     * tmp_count entries, the copy-out loop below would hand uninitialised
     * kernel memory back to user space -- NOTE(review): confirm whether
     * K_ALLOC zeroes, and whether the handler guarantees to fill all
     * tmp_count entries. */
    K_ALLOC(list64, count * sizeof (drm_buf_pub_t));
    if (!list64) return -EFAULT;
    /* Point the 64-bit request at the kernel scratch array. */
    PUT_ARG64(list,list64);

    GET_USER(count);

    if (err) {
        K_FREE(list64);
        return -EFAULT;
    }

    /* Run the native 64-bit ioctl on the translated request. */
    SYS_IOCTL;
    if (err) {
        K_FREE(list64);
        return err;
    }

    /* Copy the scalar results back into the caller's 32-bit struct. */
    PUT_USER(count);
    PUT_USER_P(virtual);

    /* Clamp to the count the native handler reports, so the loop never
     * indexes past the `count` entries allocated above. */
    GET_ARG64(tmp_count,count);
    if (count > tmp_count) count = tmp_count;

    for (i = 0 ; i < count; i ++) {
        /* Debug print only.  .address is copied out with PUT_USER_ARG_P
         * below, i.e. it is a pointer-sized field, so "%d" mismatches the
         * argument here and the printed addr64 values are not reliable. */
        printk(KERN_DEBUG "bernie: i=%d, idx64=%d, total64=%d, 
used64=%d,addr64=%d\n",
                i, list64[i].idx, list64[i].total, list64[i].used, 
list64[i].address);
        /* Narrow each 64-bit entry into the caller's 32-bit array; the
         * PUT_USER_ARG* macros are assumed to accumulate into `err`. */
        PUT_USER_ARG(list64[i].idx,list32[i].idx);
        PUT_USER_ARG(list64[i].total,list32[i].total);
        PUT_USER_ARG(list64[i].used,list32[i].used);
        PUT_USER_ARG_P(list64[i].address,list32[i].address);
    }
    K_FREE(list64);

    /* Any failed copy-out during the loop collapses to -EFAULT. */
    return err ? -EFAULT : 0;
 }
---cut---


And this is the dmesg output I get:

---cut---
bernie: drm_buf_map_32_64: 4, c00c6419, ffffcef4, ffff81006f76f080
bernie: count=0
SYS_IOCTL_FUNC called
bernie: drm_buf_map_32_64: 4, c00c6419, ffffcef4, ffff81006f76f080
bernie: count=32
SYS_IOCTL_FUNC called
bernie: i=0, idx64=134576296, total64=134573700, used64=-13364,addr64=134573688
bernie: i=1, idx64=-13336, total64=10282607, used64=134590276,addr64=-13160
bernie: i=2, idx64=134590276, total64=134590216, used64=16,addr64=134575272
bernie: i=3, idx64=-13272, total64=-137246631, used64=134592752,addr64=-13256
bernie: i=4, idx64=-13200, total64=-135048648, used64=0,addr64=0
bernie: i=5, idx64=-13208, total64=-13176, used64=134590312,addr64=5
bernie: i=6, idx64=134590312, total64=134573272, used64=-13160,addr64=10387328
bernie: i=7, idx64=134590312, total64=-13176, used64=134592752,addr64=-13176
bernie: i=8, idx64=4, total64=134573688, used64=0,addr64=0
bernie: i=9, idx64=-13000, total64=10301112, used64=134573272,addr64=134590312
bernie: i=10, idx64=134594655, total64=-13016, used64=-13020,addr64=-134925752
bernie: i=11, idx64=10387328, total64=0, used64=134573272,addr64=134573560
bernie: i=12, idx64=795308655, total64=794978668, used64=-134902188,addr64=6
bernie: i=13, idx64=134592696, total64=134575272, used64=6808360,addr64=7203530
bernie: i=14, idx64=0, total64=0, used64=134565472,addr64=0
bernie: i=15, idx64=134590311, total64=10390632, used64=0,addr64=-12968
bernie: i=16, idx64=134590301, total64=134590312, used64=134573296,addr64=29
bernie: i=17, idx64=-12808, total64=10295986, used64=134573272,addr64=134590312
bernie: i=18, idx64=10387328, total64=7704113, used64=-12840,addr64=72
bernie: i=19, idx64=8006848, total64=8006840, used64=-1,addr64=7999476
bernie: i=20, idx64=134576304, total64=7948829, used64=8005760,addr64=8005796
bernie: i=21, idx64=8005816, total64=21488, used64=2008,addr64=-12808
bernie: i=22, idx64=10387328, total64=134576304, used64=7999476,addr64=0
bernie: i=23, idx64=7204845, total64=10390632, used64=134573272,addr64=-12744
bernie: i=24, idx64=134573768, total64=524288, used64=8006844,addr64=0
bernie: i=25, idx64=-12744, total64=10299249, used64=521,addr64=3
bernie: i=26, idx64=7203007, total64=8005760, used64=134592792,addr64=7999476
bernie: i=27, idx64=134573272, total64=-12696, used64=7203007,addr64=134573272
bernie: i=28, idx64=64, total64=-12664, used64=-12648,addr64=134573272
bernie: i=29, idx64=16777217, total64=134575092, used64=7999476,addr64=134570408
bernie: i=30, idx64=7210738, total64=8005760, used64=512,addr64=-135269416
bernie: i=31, idx64=-12600, total64=-134736292, used64=512,addr64=0
glxgears32[4460]: segfault at 0000000000000008 rip 00000000006dec48 rsp 
00000000ffffcdec error 6
---cut---

Some of those numbers look weird to me, but I'm not sure
what the correct values should look like.  Any idea?

(I'm leaving for vacation today and won't be able to read
my mail for a few days).

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/


