Framebuffer memory corruption bug
Simon Arlott
simon at fire.lp0.eu
Thu Jun 7 19:00:24 EDT 2012
On 07/06/12 23:07, Simon Arlott wrote:
> I'm not sure what's going on here, but the address ranges here are
> suspicious:
>
> frame buffer 0x49385000 to 0x497ea000
> problem memory 0xc9479ee8 to 0xc9479fff
> 0xc9479a30 to 0xc9479a33
> 0xc9473ee8 to 0xc9473fff
> 0xc946bee8 to 0xc946bfff
> 0xc9459ee8 to 0xc9459fff
> 0xc947df80 to 0xc947dfff
>
> Ignoring the top 2 bits, these address ranges overlap.
>
> I see the logo and some junk on the display. It looks like there's some
> issue with the memory aliasing causing the framebuffer to overwrite
> kernel memory and then memleak to overwrite the video buffer...
I've tracked this down to the merge of 3.5, but git isn't doing a sane
bisect between rpi-3.4-20120529-2229-linear and rpi-3.5-20120529-2242-linear,
so I can't find the cause of the problem. I can't see many changes in
drivers/video, but there are some major changes in arch/arm/mm/ that
might be relevant.
> [ 11.918501] calling bcm2708_fb_driver_init+0x0/0xc @ 1
> [ 11.924255] bus: 'platform': add driver bcm2708_fb
> [ 11.929530] bus: 'platform': driver_probe_device: matched device display.0 with driver bcm2708_fb
> [ 11.938699] bus: 'platform': really_probe: probing driver bcm2708_fb with device display.0
> [ 11.947955] cma: dma_alloc_from_contiguous(cma ca9292a0, count 1, align 0)
> [ 11.956141] cma: dma_alloc_from_contiguous(): returned c157c800
> [ 11.962278] bcm2708_fb display.0: registering framebuffer (1920x1200 at 16)
> [ 11.969673] device: 'fb0': device_add
> [ 11.983352] device: 'vtcon1': device_add
> [ 12.007898] bcm2708_fb display.0: fb->fb.fix.smem_start=49385000 fbinfo->pitch=3840 fb->fb.fix.smem_len=4608000 fb->fb.screen_size=4608000
> [ 12.021681] bcm2708_fb display.0: fb->fb.screen_base=d1000000
> [ 12.056138] Console: switching to colour frame buffer device 240x75
> [ 12.112937] driver: 'display.0': driver_bound: bound to device 'bcm2708_fb'
> [ 12.119942] bus: 'platform': really_probe: bound device display.0 to driver bcm2708_fb
> [ 12.130474] =============================================================================
> [ 12.138665] BUG dentry (Not tainted): Padding overwritten. 0xc9479ee8-0xc9479fff
> [ 12.146052] -----------------------------------------------------------------------------
> [ 12.146052]
> [ 12.155700] INFO: Slab 0xc1544f00 objects=23 used=23 fp=0x (null) flags=0x4080
> [ 12.163053] [<c000dda0>] (unwind_backtrace+0x0/0xe0) from [<c0080ba4>] (slab_err+0x48/0x5c)
> [ 12.171413] [<c0080ba4>] (slab_err+0x48/0x5c) from [<c008163c>] (slab_pad_check.part.33+0xb8/0xfc)
> [ 12.180375] [<c008163c>] (slab_pad_check.part.33+0xb8/0xfc) from [<c0081750>] (check_slab+0xd0/0xe4)
> [ 12.189525] [<c0081750>] (check_slab+0xd0/0xe4) from [<c01471e8>] (alloc_debug_processing+0x18/0x150)
> [ 12.198751] [<c01471e8>] (alloc_debug_processing+0x18/0x150) from [<c0147ec8>] (__slab_alloc.isra.43.constprop.47+0x544/0x5a0)
> [ 12.210146] [<c0147ec8>] (__slab_alloc.isra.43.constprop.47+0x544/0x5a0) from [<c0082b7c>] (kmem_cache_alloc+0x60/0x138)
> [ 12.221020] [<c0082b7c>] (kmem_cache_alloc+0x60/0x138) from [<c009d528>] (__d_alloc+0x1c/0x140)
> [ 12.229720] [<c009d528>] (__d_alloc+0x1c/0x140) from [<c009d678>] (d_alloc+0x10/0x54)
> [ 12.237563] [<c009d678>] (d_alloc+0x10/0x54) from [<c00928f0>] (__lookup_hash+0x84/0xe0)
> [ 12.245663] [<c00928f0>] (__lookup_hash+0x84/0xe0) from [<c01480c0>] (lookup_slow+0x44/0xa4)
> [ 12.254109] [<c01480c0>] (lookup_slow+0x44/0xa4) from [<c00952c8>] (do_last.isra.36+0x148/0x738)
> [ 12.262901] [<c00952c8>] (do_last.isra.36+0x148/0x738) from [<c009596c>] (path_openat+0xb4/0x388)
> [ 12.271775] [<c009596c>] (path_openat+0xb4/0x388) from [<c0095c6c>] (do_filp_open+0x2c/0x78)
> [ 12.280216] [<c0095c6c>] (do_filp_open+0x2c/0x78) from [<c008eb94>] (open_exec+0x18/0xa0)
> [ 12.288397] [<c008eb94>] (open_exec+0x18/0xa0) from [<c008fb58>] (do_execve+0x300/0x4f4)
> [ 12.296494] [<c008fb58>] (do_execve+0x300/0x4f4) from [<c000bdd0>] (kernel_execve+0x34/0x80)
> [ 12.304940] [<c000bdd0>] (kernel_execve+0x34/0x80) from [<c00293fc>] (____call_usermodehelper+0x128/0x144)
> [ 12.314596] [<c00293fc>] (____call_usermodehelper+0x128/0x144) from [<c0009e08>] (kernel_thread_exit+0x0/0x8)
> [ 12.324504] Padding c9479ee8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.333193] Padding c9479ef8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.341879] Padding c9479f08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.350566] Padding c9479f18: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.359253] Padding c9479f28: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.367941] Padding c9479f38: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.376628] Padding c9479f48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.385315] Padding c9479f58: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.394002] Padding c9479f68: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.402688] Padding c9479f78: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.411377] Padding c9479f88: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.420063] Padding c9479f98: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.428752] Padding c9479fa8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.437439] Padding c9479fb8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.446125] Padding c9479fc8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.454812] Padding c9479fd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.463499] Padding c9479fe8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 12.472185] Padding c9479ff8: 00 00 00 00 00 00 00 00 ........
--
Simon Arlott
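As an added illustration (not code from the original post or from the rpi kernel tree), the following C program applies the "ignoring the top 2 bits" comparison from the quoted message to the framebuffer range reported by bcm2708_fb in the log (smem_start=49385000, smem_len=4608000, pitch=3840, 16 bpp) and to the six "problem memory" ranges listed in the post. It counts how many of those ranges fall inside the framebuffer once the top two address bits are masked off and, assuming the aliasing hypothesis holds, converts an overwritten address into a byte offset, scanline and pixel column. Reading the framebuffer range as half-open and the problem ranges as inclusive is my interpretation of the post's notation, and the 30-bit mask is only the post's comparison rule, not a statement about how the hardware maps these addresses.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* A half-open address range [start, end). */
struct range {
    uint32_t start;
    uint32_t end;
};

/* Framebuffer as reported by bcm2708_fb in the quoted log:
 * smem_start=49385000, smem_len=4608000 (0x465000), pitch=3840, 16 bpp. */
static const struct range fb = { 0x49385000u, 0x49385000u + 4608000u };
static const uint32_t fb_pitch = 3840;        /* bytes per scanline */
static const uint32_t fb_bytes_per_pixel = 2; /* 16 bpp */

/* The "problem memory" ranges from the post. They are written there with
 * inclusive end addresses, so each end is bumped by one to make it half-open.
 * (Constructed from the post's text; interpretation of the notation is mine.) */
static const struct range problem[] = {
    { 0xc9479ee8u, 0xc9479fffu + 1 },
    { 0xc9479a30u, 0xc9479a33u + 1 },
    { 0xc9473ee8u, 0xc9473fffu + 1 },
    { 0xc946bee8u, 0xc946bfffu + 1 },
    { 0xc9459ee8u, 0xc9459fffu + 1 },
    { 0xc947df80u, 0xc947dfffu + 1 },
};
static const size_t n_problem = sizeof problem / sizeof problem[0];

/* "Ignoring the top 2 bits": keep only the low 30 bits of the start and
 * preserve the length, so an end address sitting exactly on a 1 GiB
 * boundary is not wrapped to zero by the mask. */
static struct range strip_top_bits(struct range r)
{
    struct range out;
    out.start = r.start & 0x3fffffffu;
    out.end = out.start + (r.end - r.start);
    return out;
}

static int overlaps(struct range a, struct range b)
{
    return a.start < b.end && b.start < a.end;
}

/* How many of the problem ranges land inside the framebuffer once the
 * top two address bits are ignored. */
size_t count_aliasing_ranges(void)
{
    struct range f = strip_top_bits(fb);
    size_t hits = 0;
    for (size_t i = 0; i < n_problem; i++)
        if (overlaps(f, strip_top_bits(problem[i])))
            hits++;
    return hits;
}

/* Byte offset of one address into the framebuffer under the same masking,
 * or -1 if it does not fall inside the framebuffer. */
long fb_byte_offset_of(uint32_t addr)
{
    struct range f = strip_top_bits(fb);
    uint32_t a = addr & 0x3fffffffu;
    if (a < f.start || a >= f.end)
        return -1;
    return (long)(a - f.start);
}

/* Scanline and pixel column for that offset, using the pitch and depth from
 * the log; -1 when the address is outside the framebuffer. */
long fb_row_of(uint32_t addr)
{
    long off = fb_byte_offset_of(addr);
    return off < 0 ? -1 : off / (long)fb_pitch;
}

long fb_col_of(uint32_t addr)
{
    long off = fb_byte_offset_of(addr);
    return off < 0 ? -1 : (off % (long)fb_pitch) / (long)fb_bytes_per_pixel;
}

int main(void)
{
    printf("%zu of %zu problem ranges alias the framebuffer\n",
           count_aliasing_ranges(), n_problem);
    for (size_t i = 0; i < n_problem; i++) {
        uint32_t a = problem[i].start;
        long off = fb_byte_offset_of(a);
        if (off < 0)
            printf("%08x: outside framebuffer\n", (unsigned)a);
        else
            printf("%08x: fb offset 0x%lx, row %ld, pixel %ld\n",
                   (unsigned)a, off, fb_row_of(a), fb_col_of(a));
    }
    return 0;
}
```

Run as-is it reports that all six ranges fall inside the framebuffer after masking; the first slab padding range (0xc9479ee8) sits 0xf4ee8 bytes into the buffer, i.e. on scanline 261 at pixel 500, which is the kind of location one would compare against the "junk on the display" when testing the aliasing hypothesis.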
More information about the linux-rpi-kernel mailing list