Bug 36522
Summary: | Caught 16-bit read from uninitialized memory in drm_fb_helper_setcmap | ||
---|---|---|---|
Product: | Drivers | Reporter: | Christian Casteyde (casteyde.christian) |
Component: | Video(DRI - non Intel) | Assignee: | drivers_video-dri |
Status: | CLOSED OBSOLETE | ||
Severity: | normal | CC: | alan, bastienphilbert |
Priority: | P1 | ||
Hardware: | All | ||
OS: | Linux | ||
Kernel Version: | 3.11 | Subsystem: | |
Regression: | No | Bisected commit-id: | |
Attachments: | kernel config, lspci -vnn output, Cmap Fix | ||
Description
Christian Casteyde
2011-06-02 13:41:40 UTC
Update: this is still present in 3.0-rc2. With the following:

```
WARNING: kmemcheck: Caught 16-bit read from uninitialized memory (ffff8801c38e0620)
48b8220600eaffff80b8220600eaffffb8b8220600eafffff0b8220600eaffff
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2369, comm: X Not tainted 3.0.0-rc2 #8 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff81361ea8>]  [<ffffffff81361ea8>] drm_fb_helper_setcmap+0xb8/0x3b0
RSP: 0018:ffff8801c20f3908  EFLAGS: 00010206
RAX: 000000000000000f RBX: 0000000000000020 RCX: 0000000000000000
RDX: ffff8801c38e0400 RSI: ffff8801c38e0600 RDI: ffff8801c51fbe58
RBP: ffff8801c20f39b8 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 00000000000000ff R12: 0000000000000010
R13: ffff8801c51fbeb8 R14: ffff8801c38d0800 R15: ffff8801c51fbe00
FS:  00007f52a5d7b8a0(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c673fd08 CR3: 00000001c2211000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff812fd839>] fb_set_cmap+0x69/0x130
 [<ffffffff812fbb24>] fb_set_var+0x1a4/0x390
 [<ffffffff81305e33>] fbcon_blank+0x1e3/0x2e0
 [<ffffffff81359875>] do_unblank_screen+0xb5/0x1d0
 [<ffffffff8134f3df>] complete_change_console+0x5f/0x100
 [<ffffffff81350ea1>] vt_ioctl+0x1a21/0x1f10
 [<ffffffff81346800>] tty_ioctl+0x290/0xc90
 [<ffffffff81137226>] do_vfs_ioctl+0x96/0x570
 [<ffffffff8113774a>] sys_ioctl+0x4a/0x80
 [<ffffffff817b2e7b>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff
```

I get this in gdb:

```
(gdb) l *0xffffffff81361ea8
0xffffffff81361ea8 is in drm_fb_helper_setcmap (drivers/gpu/drm/drm_fb_helper.c:592).
587			hblue = *blue++;
588
589			if (transp)
590				htransp = *transp++;
591
592			rc = setcolreg(crtc, hred, hgreen, hblue, start++, info);
593			if (rc)
594				return rc;
595		}
596		crtc_funcs->load_lut(crtc);
```

With the following:

```
WARNING: kmemcheck: Caught 16-bit read from uninitialized memory (ffff8801c38e0420)
d0ab220600eaffff08ac220600eaffff40ac220600eaffff78ac220600eaffff
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2369, comm: X Not tainted 3.0.0-rc2 #8 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff81361eb9>]  [<ffffffff81361eb9>] drm_fb_helper_setcmap+0xc9/0x3b0
RSP: 0018:ffff8801c20f3908  EFLAGS: 00010206
RAX: 0000000000000010 RBX: 0000000000000020 RCX: 0000000000000000
RDX: ffff8801c38e0400 RSI: 000000000000b848 RDI: ffff8801c51fbe58
RBP: ffff8801c20f39b8 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 00000000000000ff R12: 0000000000000010
R13: ffff8801c51fbeb8 R14: ffff8801c38d0800 R15: ffff8801c51fbe00
FS:  00007f52a5d7b8a0(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c673fd08 CR3: 00000001c2211000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff812fd839>] fb_set_cmap+0x69/0x130
 [<ffffffff812fbb24>] fb_set_var+0x1a4/0x390
 [<ffffffff81305e33>] fbcon_blank+0x1e3/0x2e0
 [<ffffffff81359875>] do_unblank_screen+0xb5/0x1d0
 [<ffffffff8134f3df>] complete_change_console+0x5f/0x100
 [<ffffffff81350ea1>] vt_ioctl+0x1a21/0x1f10
 [<ffffffff81346800>] tty_ioctl+0x290/0xc90
 [<ffffffff81137226>] do_vfs_ioctl+0x96/0x570
 [<ffffffff8113774a>] sys_ioctl+0x4a/0x80
 [<ffffffff817b2e7b>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff
```

I get:

```
(gdb) l *0xffffffff81361eb9
0xffffffff81361eb9 is in drm_fb_helper_setcmap (drivers/gpu/drm/drm_fb_helper.c:592).
587			hblue = *blue++;
588
589			if (transp)
590				htransp = *transp++;
591
592			rc = setcolreg(crtc, hred, hgreen, hblue, start++, info);
593			if (rc)
594				return rc;
595		}
596		crtc_funcs->load_lut(crtc);
```

and with the following:

```
WARNING: kmemcheck: Caught 16-bit read from uninitialized memory (ffff8801c38e0220)
0000000000000000000000000000000038028ec30188ffff0100000040000000
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2369, comm: X Not tainted 3.0.0-rc2 #8 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff81361ec5>]  [<ffffffff81361ec5>] drm_fb_helper_setcmap+0xd5/0x3b0
RSP: 0018:ffff8801c20f3908  EFLAGS: 00010206
RAX: 0000000000000010 RBX: 0000000000000020 RCX: 0000000000000000
RDX: ffff8801c38e0400 RSI: ffff8801c38e0200 RDI: ffff8801c51fbe58
RBP: ffff8801c20f39b8 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 000000000000abd0 R12: 0000000000000010
R13: ffff8801c51fbeb8 R14: ffff8801c38d0800 R15: ffff8801c51fbe00
FS:  00007f52a5d7b8a0(0000) GS:ffff8801c7800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c673fd08 CR3: 00000001c2211000 CR4: 00000000000406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff812fd839>] fb_set_cmap+0x69/0x130
 [<ffffffff812fbb24>] fb_set_var+0x1a4/0x390
 [<ffffffff81305e33>] fbcon_blank+0x1e3/0x2e0
 [<ffffffff81359875>] do_unblank_screen+0xb5/0x1d0
 [<ffffffff8134f3df>] complete_change_console+0x5f/0x100
 [<ffffffff81350ea1>] vt_ioctl+0x1a21/0x1f10
 [<ffffffff81346800>] tty_ioctl+0x290/0xc90
 [<ffffffff81137226>] do_vfs_ioctl+0x96/0x570
 [<ffffffff8113774a>] sys_ioctl+0x4a/0x80
 [<ffffffff817b2e7b>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff
```

I get the same callstack one more time.
disassembly:

```
(gdb) disass 0xffffffff81361ec5
Dump of assembler code for function drm_fb_helper_setcmap:
   0xffffffff81361df0 <+0>:	push   %rbp
   0xffffffff81361df1 <+1>:	mov    %rsp,%rbp
   0xffffffff81361df4 <+4>:	push   %r15
   0xffffffff81361df6 <+6>:	push   %r14
   0xffffffff81361df8 <+8>:	push   %r13
   0xffffffff81361dfa <+10>:	push   %r12
   0xffffffff81361dfc <+12>:	push   %rbx
   0xffffffff81361dfd <+13>:	sub    $0x88,%rsp
   0xffffffff81361e04 <+20>:	mov    %rdi,-0x50(%rbp)
   0xffffffff81361e08 <+24>:	mov    0x428(%rsi),%rax
   0xffffffff81361e0f <+31>:	mov    %rax,-0x80(%rbp)
   0xffffffff81361e13 <+35>:	xor    %eax,%eax
   0xffffffff81361e15 <+37>:	mov    -0x80(%rbp),%rdx
   0xffffffff81361e19 <+41>:	mov    0x20(%rdx),%ecx
   0xffffffff81361e1c <+44>:	test   %ecx,%ecx
   0xffffffff81361e1e <+46>:	jle    0xffffffff81361f60 <drm_fb_helper_setcmap+368>
   0xffffffff81361e24 <+52>:	movl   $0x0,-0x74(%rbp)
   0xffffffff81361e2b <+59>:	mov    %rsi,%r9
   0xffffffff81361e2e <+62>:	mov    -0x80(%rbp),%rsi
   0xffffffff81361e32 <+66>:	movslq -0x74(%rbp),%rax
   0xffffffff81361e36 <+70>:	mov    -0x50(%rbp),%rdx
   0xffffffff81361e3a <+74>:	lea    (%rax,%rax,4),%rax
   0xffffffff81361e3e <+78>:	mov    0x8(%rdx),%rdx
   0xffffffff81361e42 <+82>:	shl    $0x4,%rax
   0xffffffff81361e46 <+86>:	mov    %rdx,-0x58(%rbp)
   0xffffffff81361e4a <+90>:	add    0x28(%rsi),%rax
   0xffffffff81361e4e <+94>:	mov    -0x50(%rbp),%rdx
   0xffffffff81361e52 <+98>:	mov    0x20(%rax),%rax
   0xffffffff81361e56 <+102>:	mov    -0x50(%rbp),%rsi
   0xffffffff81361e5a <+106>:	mov    %rax,-0x70(%rbp)
   0xffffffff81361e5e <+110>:	mov    0x10(%rsi),%rsi
   0xffffffff81361e62 <+114>:	mov    0x228(%rax),%rax
   0xffffffff81361e69 <+121>:	mov    (%rdx),%r15d
   0xffffffff81361e6c <+124>:	mov    %rax,-0x88(%rbp)
   0xffffffff81361e73 <+131>:	mov    0x4(%rdx),%edx
   0xffffffff81361e76 <+134>:	mov    -0x50(%rbp),%rax
   0xffffffff81361e7a <+138>:	mov    %rsi,-0x60(%rbp)
   0xffffffff81361e7e <+142>:	mov    0x18(%rax),%rax
   0xffffffff81361e82 <+146>:	test   %edx,%edx
   0xffffffff81361e84 <+148>:	mov    %rax,-0x68(%rbp)
   0xffffffff81361e88 <+152>:	je     0xffffffff81361f2f <drm_fb_helper_setcmap+319>
   0xffffffff81361e8e <+158>:	mov    %r9,%r14
   0xffffffff81361e91 <+161>:	xor    %ebx,%ebx
   0xffffffff81361e93 <+163>:	xor    %r12d,%r12d
   0xffffffff81361e96 <+166>:	mov    %r15d,%r9d
   0xffffffff81361e99 <+169>:	nopl   0x0(%rax)
   0xffffffff81361ea0 <+176>:	mov    -0x68(%rbp),%rsi
   0xffffffff81361ea4 <+180>:	mov    -0x60(%rbp),%rdx
   0xffffffff81361ea8 <+184>:	movzwl (%rsi,%rbx,1),%esi
   0xffffffff81361eac <+188>:	mov    0x428(%r14),%r15
   0xffffffff81361eb3 <+195>:	mov    %esi,-0x44(%rbp)
   0xffffffff81361eb6 <+198>:	mov    %r9d,%eax
   0xffffffff81361eb9 <+201>:	movzwl (%rdx,%rbx,1),%r11d
   0xffffffff81361ebe <+206>:	mov    -0x58(%rbp),%rsi
   0xffffffff81361ec2 <+210>:	mov    (%r15),%r13
   0xffffffff81361ec5 <+213>:	movzwl (%rsi,%rbx,1),%esi
   0xffffffff81361ec9 <+217>:	cmpl   $0x2,0x224(%r14)
   0xffffffff81361ed1 <+225>:	mov    %esi,-0x48(%rbp)
   0xffffffff81361ed4 <+228>:	je     0xffffffff81361f78 <drm_fb_helper_setcmap+392>
   0xffffffff81361eda <+234>:	movzwl %r9w,%r10d
   0xffffffff81361ede <+238>:	cmpl   $0x10,0x38(%r13)
   0xffffffff81361ee3 <+243>:	je     0xffffffff81362010 <drm_fb_helper_setcmap+544>
   0xffffffff81361ee9 <+249>:	cmpl   $0x10,0x34(%r13)
   0xffffffff81361eee <+254>:	je     0xffffffff81361f14 <drm_fb_helper_setcmap+292>
   0xffffffff81361ef0 <+256>:	mov    0x40(%r15),%rax
   0xffffffff81361ef4 <+260>:	mov    %r10d,%r8d
   0xffffffff81361ef7 <+263>:	mov    %r9d,-0xa0(%rbp)
   0xffffffff81361efe <+270>:	mov    -0x44(%rbp),%ecx
   0xffffffff81361f01 <+273>:	mov    %r11d,%edx
   0xffffffff81361f04 <+276>:	mov    -0x48(%rbp),%esi
   0xffffffff81361f07 <+279>:	mov    -0x70(%rbp),%rdi
   0xffffffff81361f0b <+283>:	callq  *(%rax)
   0xffffffff81361f0d <+285>:	mov    -0xa0(%rbp),%r9d
   0xffffffff81361f14 <+292>:	inc    %r12d
   0xffffffff81361f17 <+295>:	add    $0x2,%rbx
   0xffffffff81361f1b <+299>:	inc    %r9d
   0xffffffff81361f1e <+302>:	mov    -0x50(%rbp),%rdx
   0xffffffff81361f22 <+306>:	cmp    %r12d,0x4(%rdx)
   0xffffffff81361f26 <+310>:	ja     0xffffffff81361ea0 <drm_fb_helper_setcmap+176>
   0xffffffff81361f2c <+316>:	mov    %r14,%r9
   0xffffffff81361f2f <+319>:	mov    %r9,-0xa0(%rbp)
   0xffffffff81361f36 <+326>:	mov    -0x70(%rbp),%rdi
   0xffffffff81361f3a <+330>:	mov    -0x88(%rbp),%rdx
   0xffffffff81361f41 <+337>:	callq  *0x38(%rdx)
   0xffffffff81361f44 <+340>:	incl   -0x74(%rbp)
   0xffffffff81361f47 <+343>:	mov    -0x80(%rbp),%rsi
   0xffffffff81361f4b <+347>:	mov    -0x74(%rbp),%eax
   0xffffffff81361f4e <+350>:	mov    -0xa0(%rbp),%r9
   0xffffffff81361f55 <+357>:	cmp    %eax,0x20(%rsi)
   0xffffffff81361f58 <+360>:	jg     0xffffffff81361e2e <drm_fb_helper_setcmap+62>
   0xffffffff81361f5e <+366>:	xor    %eax,%eax
   0xffffffff81361f60 <+368>:	add    $0x88,%rsp
   0xffffffff81361f67 <+375>:	pop    %rbx
   0xffffffff81361f68 <+376>:	pop    %r12
   0xffffffff81361f6a <+378>:	pop    %r13
   0xffffffff81361f6c <+380>:	pop    %r14
   0xffffffff81361f6e <+382>:	pop    %r15
   0xffffffff81361f70 <+384>:	leaveq
   0xffffffff81361f71 <+385>:	retq
```

Can you post your kernel config. Which DRM driver are you using?

It's a Radeon 6650M, I'm using the radeon driver with kms.

Created attachment 63222: kernel config

Created attachment 63232: lspci -vnn output
Update: Still present in 3.0-rc7

Update: Still present in 3.1-rc4

Update: Still present in 3.4-rc4:

```
WARNING: kmemcheck: Caught 16-bit read from uninitialized memory (ffff8801c3e70820)
0000000000000000000000000000000000000000000000000000000000000000
 u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
 ^

Pid: 2439, comm: X Tainted: G W 3.4.0-rc4 #9 Acer Aspire 7750G/JE70_HR
RIP: 0010:[<ffffffff81377799>]  [<ffffffff81377799>] drm_fb_helper_setcmap+0x109/0x3f0
RSP: 0018:ffff8801c210f998  EFLAGS: 00010206
RAX: ffff8801c3e70800 RBX: ffff8801c3e62800 RCX: 0000000000000000
RDX: 000000000000000f RSI: ffff8801c3e70450 RDI: 00000000000000ff
RBP: ffff8801c210fa68 R08: 00000000001d4af0 R09: 0000000000ffffff
R10: 0000000000000000 R11: 000000000000ffff R12: 0000000000000000
R13: 0000000000000010 R14: 0000000000000010 R15: ffff8801c3e70400
FS:  00007f2d8df208c0(0000) GS:ffff8801c7e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c64184c0 CR3: 00000001c2151000 CR4: 00000000000407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
 [<ffffffff81313885>] fb_set_cmap+0x65/0x140
 [<ffffffff8131130f>] fb_set_var+0x1cf/0x480
 [<ffffffff8131b321>] fbcon_blank+0x1e1/0x2e0
 [<ffffffff8136fc19>] do_unblank_screen+0xa9/0x1d0
 [<ffffffff81365174>] complete_change_console+0x64/0xf0
 [<ffffffff8136648c>] vt_ioctl+0x128c/0x1380
 [<ffffffff8135c438>] tty_ioctl+0x258/0xc40
 [<ffffffff81145f47>] do_vfs_ioctl+0x97/0x5a0
 [<ffffffff8114649a>] sys_ioctl+0x4a/0x80
 [<ffffffff8180cbe2>] system_call_fastpath+0x16/0x1b
 [<ffffffffffffffff>] 0xffffffffffffffff
```

which gives in gdb:

```
(gdb) l *0xffffffff813777b7
0xffffffff813777b7 is in drm_fb_helper_setcmap (drivers/gpu/drm/drm_fb_helper.c:535).
530
531		for (j = 0; j < cmap->len; j++) {
532			u16 hred, hgreen, hblue, htransp = 0xffff;
533
534			hred = *red++;
535			hgreen = *green++;
536			hblue = *blue++;
537
538			if (transp)
```

Update: Still present in 3.6-rc1

Update: Still present in 3.7-rc2 on Slackware 64 + xf86-video-ati-6.14.6 + libdrm-2.4.39-x86_64

Update: Still present in 3.8-rc2

Update: Still present in 3.11-rc7

Update: Still present in 4.7-rc6

See if the below patch fixes the issue as it seems you're not allocating memory for the cmap.

Created attachment 227551: Cmap Fix
No, I still have this:

```
[ 1215.037018] WARNING: kmemcheck: Caught 16-bit read from uninitialized memory (ffff8801c307d020)
[ 1215.037029] 2e032b012206070e0307373e033534262327353721171507111e031514062322
[ 1215.037038]  u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u u
[ 1215.037039]  ^
[ 1215.037046] RIP: 0010:[<ffffffff81442b8b>]  [<ffffffff81442b8b>] drm_fb_helper_setcmap+0x15b/0x420
[ 1215.037047] RSP: 0018:ffff8801b9fc7a30  EFLAGS: 00010286
[ 1215.037048] RAX: 0000000000000010 RBX: 0000000000000010 RCX: 0000000000000000
[ 1215.037049] RDX: 00000000000000ff RSI: 0000000000ffff00 RDI: ffff8801c3064390
[ 1215.037050] RBP: ffff8801b9fc7ad8 R08: ffff8801c307c840 R09: ffff8801c307d200
[ 1215.037051] R10: ffff8801c307d022 R11: 000000000000ffff R12: ffff8801c307d220
[ 1215.037051] R13: ffff8801c307d420 R14: ffff8801c307c800 R15: ffff8801c3064000
[ 1215.037053] FS:  00007f35566fd8c0(0000) GS:ffff8801c7400000(0000) knlGS:0000000000000000
[ 1215.037054] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1215.037055] CR2: ffff8801c29306c0 CR3: 00000000a8911000 CR4: 00000000000406f0
[ 1215.037058]  [<ffffffff813d5009>] fb_set_cmap+0x49/0x130
[ 1215.037060]  [<ffffffff813d2769>] fb_set_var+0x279/0x460
[ 1215.037063]  [<ffffffff813cba4b>] fbcon_blank+0x33b/0x380
[ 1215.037066]  [<ffffffff8142d966>] do_unblank_screen+0xc6/0x190
[ 1215.037069]  [<ffffffff81424263>] vt_ioctl+0x533/0x1430
[ 1215.037071]  [<ffffffff8141950c>] tty_ioctl+0x38c/0xe90
[ 1215.037073]  [<ffffffff811aed7e>] do_vfs_ioctl+0x8e/0x670
[ 1215.037075]  [<ffffffff811af39c>] SyS_ioctl+0x3c/0x70
[ 1215.037078]  [<ffffffff8193fee5>] entry_SYSCALL_64_fastpath+0x18/0xa8
[ 1215.037080]  [<ffffffffffffffff>] 0xffffffffffffffff
```

Can you find out what drm driver you are currently using, as all of them link to the core function that is leaking memory and knowing which driver is doing it would be very helpful.

See comment #3, #4 and #5.

I think I'm using the radeon driver with kms since the only graphic chip I have on my laptop is a Radeon 6650M (no intel graphic in CPU, has been deactivated by vendor).

Closing as too old and I do not have the hardware anymore to reproduce.
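The loop the gdb listing shows (hred/hgreen/hblue read from the cmap arrays for every entry up to cmap->len) is the point kmemcheck flagged, and the suggested cause is a cmap whose arrays were never allocated or filled. The following is an added user-space model of that loop, not code from the bug report or the kernel: the struct, the `cap` field and the `_model` function names are constructed for this example, with calloc standing in for a zero-filling kernel allocation, so the loop either reads fully initialized entries or refuses to run.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the fb_cmap fields the loop touches; 'cap' (constructed) records
 * how many entries were actually allocated for each array. */
struct cmap_model {
    uint32_t start, len;
    uint16_t *red, *green, *blue, *transp;
    size_t cap;
};

/* Allocate every array zero-filled for all 'len' entries (calloc stands in
 * for kzalloc), so no later read can land on never-written bytes. */
int cmap_alloc_model(struct cmap_model *c, uint32_t len, int with_transp)
{
    memset(c, 0, sizeof *c);
    c->red = calloc(len, sizeof *c->red);
    c->green = calloc(len, sizeof *c->green);
    c->blue = calloc(len, sizeof *c->blue);
    c->transp = with_transp ? calloc(len, sizeof *c->transp) : NULL;
    if (!c->red || !c->green || !c->blue || (with_transp && !c->transp))
        return -ENOMEM;
    c->len = len;
    c->cap = len;
    return 0;
}

/* The loop from drm_fb_helper_setcmap (lines 531-536 of the gdb listing),
 * guarded so it fails closed instead of walking an unallocated or over-long
 * cmap. Each LUT slot packs red:green:blue:transp as four 16-bit fields. */
int setcmap_model(const struct cmap_model *c, uint64_t *lut, size_t lut_len)
{
    if (!c->red || !c->green || !c->blue || c->len > c->cap)
        return -EINVAL;                 /* arrays missing or shorter than len */
    if ((uint64_t)c->start + c->len > lut_len)
        return -EINVAL;                 /* would write past the LUT */
    const uint16_t *red = c->red, *green = c->green, *blue = c->blue;
    const uint16_t *transp = c->transp;
    for (uint32_t j = 0; j < c->len; j++) {
        uint16_t hred = *red++, hgreen = *green++, hblue = *blue++;
        uint16_t htransp = 0xffff;
        if (transp)
            htransp = *transp++;
        lut[c->start + j] = ((uint64_t)hred << 48) | ((uint64_t)hgreen << 32)
                          | ((uint64_t)hblue << 16) | htransp;
    }
    return 0;
}
```

Built with a user-space allocator, the same loop run over a cmap allocated with malloc instead of calloc would be reported by Valgrind's memcheck in the same way kmemcheck reports it above.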