Bug 10580

Summary:	uvesafb is broken
Product:	Drivers	Reporter:	François Valenduc (francoisvalenduc)
Component:	Console/Framebuffers	Assignee:	Venkatesh Pallipadi (venki)
Status:	REJECTED INVALID
Severity:	normal	CC:	spock, venki
Priority:	P1
Hardware:	All
OS:	Linux
Kernel Version:	2.6.25-git	Subsystem:
Regression:	Yes	Bisected commit-id:
Attachments:	kernel configuration file output of dmesg

Description François Valenduc 2008-04-30 16:25:12 UTC

Latest working kernel version: 2.6.25-git7
Earliest failing kernel version: 2.6.25-git8
Distribution: Gentoo
Hardware Environment: Packard Bell MB86, Intel Core 2 Duo
Software Environment:
Problem Description:

uvesafb doesn't work anymore with the current git version. v86d failed with the following error:

Program v86d tried to access /dev/mem between a0000->110000.
v86d[255]: segfault at 7f1025c22000 ip 400da6 sp 7fff2dc3e1d0 error 6 in v86d[400000+17000]
uvesafb: Getting VBE info block failed (eax=0x4f00, err=-3)
uvesafb: vbe_init() failed with -22
uvesafb: probe of uvesafb.0 failed with error -22

After having tried git-bisect, it seems that the first bad commit which might cause the problem is the following:

commit e2beb3eae627211b67e456c53f946cede2ac10d7
Author: Venki Pallipadi <venkatesh.pallipadi@intel.com>
Date:   Thu Mar 6 23:01:47 2008 -0800

    devmem: add range_is_allowed() check to mmap of /dev/mem

I have tried to revert it on the current git (git16) but it's not possible to do so.

Steps to reproduce:

Comment 1 François Valenduc 2008-04-30 16:28:11 UTC

Created attachment 15990 [details]
kernel configuration file

Comment 2 François Valenduc 2008-04-30 16:29:15 UTC

Created attachment 15992 [details]
output of dmesg

Comment 3 Anonymous Emailer 2008-04-30 16:37:23 UTC

Reply-To: akpm@linux-foundation.org

(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Wed, 30 Apr 2008 16:25:13 -0700 (PDT)
bugme-daemon@bugzilla.kernel.org wrote:

> http://bugzilla.kernel.org/show_bug.cgi?id=10580
> 
>            Summary: uvesafb is broken
>            Product: Drivers
>            Version: 2.5
>      KernelVersion: 2.6.25-git
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: Console/Framebuffers
>         AssignedTo: jsimmons@infradead.org
>         ReportedBy: francois.valenduc@tvcablenet.be
> 
> 
> Latest working kernel version: 2.6.25-git7
> Earliest failing kernel version: 2.6.25-git8
> Distribution: Gentoo
> Hardware Environment: Packard Bell MB86, Intel Core 2 Duo
> Software Environment:
> Problem Description:
> 
> uvesafb doesn't work anymore with the current git version. v86d failed with
> the
> following error:
> 
> Program v86d tried to access /dev/mem between a0000->110000.
> v86d[255]: segfault at 7f1025c22000 ip 400da6 sp 7fff2dc3e1d0 error 6 in
> v86d[400000+17000]
> uvesafb: Getting VBE info block failed (eax=0x4f00, err=-3)
> uvesafb: vbe_init() failed with -22
> uvesafb: probe of uvesafb.0 failed with error -22
> 
> After having tried git-bisect, it seems that the first bad commit which might
> cause the problem is the following:
> 
> commit e2beb3eae627211b67e456c53f946cede2ac10d7
> Author: Venki Pallipadi <venkatesh.pallipadi@intel.com>
> Date:   Thu Mar 6 23:01:47 2008 -0800
> 
>     devmem: add range_is_allowed() check to mmap of /dev/mem
>
> I have tried to revert it on the current git (git16) but it's not possible to
> do so.
> 
> Steps to reproduce:

Thanks for the report - it really helps.

Was you setting of CONFIG_NONPROMISC_DEVMEM the same in both -git7 and in
-git8?

Comment 4 Venkatesh Pallipadi 2008-04-30 16:45:54 UTC

We have the range_is_allowed check with and without CONFIG_NONPROMISC_DEVMEM now!

It is needed to prevent PAT aliasing. Looks like, the driver or user app is trying to map the range a0000->110000, and atleast part of that range is
usable memory.
 BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 00000000bf6d0000 (usable)

Thats the reason why mmap is failing.

Now, we need to find who is mapping that memory and why. Looking at uvesafb.c ....

Comment 5 Venkatesh Pallipadi 2008-04-30 18:19:26 UTC

 

>-----Original Message-----
>From: Andrew Morton [mailto:akpm@linux-foundation.org] 
>Sent: Wednesday, April 30, 2008 4:37 PM
>To: francois.valenduc@tvcablenet.be
>Cc: bugme-daemon@bugzilla.kernel.org; Ingo Molnar; Pallipadi, 
>Venkatesh; linux-kernel@vger.kernel.org
>Subject: Re: [Bugme-new] [Bug 10580] New: uvesafb is broken
>
>> 
>> uvesafb doesn't work anymore with the current git version. 
>v86d failed with the
>> following error:
>> 
>> Program v86d tried to access /dev/mem between a0000->110000.
>> v86d[255]: segfault at 7f1025c22000 ip 400da6 sp 
>7fff2dc3e1d0 error 6 in
>> v86d[400000+17000]
>> uvesafb: Getting VBE info block failed (eax=0x4f00, err=-3)
>> uvesafb: vbe_init() failed with -22
>> uvesafb: probe of uvesafb.0 failed with error -22
>> 
>> After having tried git-bisect, it seems that the first bad 
>commit which might
>> cause the problem is the following:
>> 
>> commit e2beb3eae627211b67e456c53f946cede2ac10d7
>> Author: Venki Pallipadi <venkatesh.pallipadi@intel.com>
>> Date:   Thu Mar 6 23:01:47 2008 -0800
>> 
>>     devmem: add range_is_allowed() check to mmap of /dev/mem
>>
>> I have tried to revert it on the current git (git16) but 
>it's not possible to
>> do so.
>> 
>> Steps to reproduce:
>
>Thanks for the report - it really helps.
>
>Was you setting of CONFIG_NONPROMISC_DEVMEM the same in both 
>-git7 and in
>-git8?
>
>
------- Comment #4 From Venkatesh Pallipadi 2008-04-30 16:45:54 [reply]
------- 
>We have the range_is_allowed check with and without
CONFIG_NONPROMISC_DEVMEM
>now!
>
>It is needed to prevent PAT aliasing. Looks like, the driver or user
app is
>trying to map the range a0000->110000, and atleast part of that range
is
>usable memory.
> BIOS-e820: 00000000000dc000 - 0000000000100000 (reserved)
> BIOS-e820: 0000000000100000 - 00000000bf6d0000 (usable)
>
>Thats the reason why mmap is failing.
>
>Now, we need to find who is mapping that memory and why. Looking at
uvesafb.c
>....

Looked at this a bit more..
v86d emulator seems to be hardcoding
mem_bios as 0x0a0000 - 0x10ffef

And mmaping the whole address and may be doing read write in that range
during the emulation.
But, as per e820 0x100000 onwards is usable memory and may be getting
used by kernel. So, surely there is some conflict here.

I am not sure whether it is the BIOS that is giving wrong E820 info or
is it the v86d emulator making assumption about this address wrongly.
One workaround is to make upto 0x10ffef as reserved and make kernel not
use it. But, we should really know why this problem is happening in the
first place, before going the workaround route.

Thanks,
Venki

Comment 6 H. Peter Anvin 2008-05-01 13:55:03 UTC

<hpa> OK, this is *probably* a bug in the user space code
<hpa> It probably wants to map the legacy region, 0xa0000-0x100000, but it maps the wrong range
<hpa> There is no sane reason it should map 0xa0000..0x110000 that's preposterous
<hpa> An strace should verify that

Either that, or our in-kernel range check is broken.  Again, getting the strace would be highly useful.

Comment 7 Michal Januszewski 2008-05-01 14:01:20 UTC

It's a problem with the userspace helper (v86d).  I will release a fixed version in a few minutes.

Comment 8 H. Peter Anvin 2008-05-01 14:04:10 UTC

Note: there is no legitimate reason for uvesafb to map memory used by the kernel.  The only legitimate areas for it to map are:

- The low BIOS page (0-4K)
- The EBDA (find the EBDA pointer in the low BIOS page and map from it up to 640K)
- The legacy I/O region (640-1024K)

Memory in between the low BIOS page and the EBDA, and above 1024K, are used by the kernel, and attempted access are potentially disastrous.  If necessary, the userspace code can map in anonymous readonly memory to those regions.

Comment 9 François Valenduc 2008-05-01 23:30:02 UTC

The problem is indeed solved with the new version of v86d (0.1.5). 
Thanks for your help.