From: "Bruno Prémont" <bonbons@linux-vserver.org>
To: JosephChan@via.com.tw
Cc: akpm@linux-foundation.org, arjan@infradead.org,
linux-fbdev-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, ScottFang@viatech.com.cn
Subject: Re: [PATCH] Fix crash in viafb due to 4k stack overflow
Date: Fri, 14 Nov 2008 10:01:56 +0100 [thread overview]
Message-ID: <20081114100156.4557760c@pluto.restena.lu> (raw)
In-Reply-To: <C80EF34A3D2E494DBAF9AC29C7AE4EB808226A07@exchtp03.taipei.via.com.tw>
Joseph,
Are you testing with 4k stacks or with 8k stacks (CONFIG_4KSTACKS)?
Note that your failure looks pretty much like the ones I mentionned in
http://lkml.org/lkml/2008/11/9/204
It looks like some kernel text/data got corrupted though I have no
idea what caused it. For me this kind of NULL pointer dereference did
happen a few times then stopped showing up (just a reboot, not kernel
change/recompile)
Bruno
On Fri, 14 Nov 2008 <JosephChan@via.com.tw> wrote:
> After testing the patch with 2.6.28-rc4 kernel, I found something
> strange in both viafb built-in and module modes. See the result on my
> EPIA-EX (CX700) below. Based on the result, it looks like something
> wrong with the new patch.
>
> Kernel 2.6.28-rc4 + viafb-fix-crash-due-to-4k-stack-overflow.patch
>
> 1. w/o patching the viafb-fix-crash-due-to-4k-stack-overflow.patch
> => System works properly without "kernel panic" issue.
>
> 2. w/ patching the viafb-fix-crash-due-to-4k-stack-overflow.patch
> => System hangs with "kernel panic" randomly after loading the viafb
> module. Such as:
> BUG: unable to handle kernel NULL pointer dereference at 000000c7
> IP: [<c03dc6ec>] rt_worker_func+0xc7/0x15d
> Last sysfs file: /sys/class/graphics/fb0/dev
> Modules linked in: viafb i2c_algo_bit via_rhine sg pata_via sd_mod
> ehci_hcd
>
> Pid: 6, comm: events/0 Not tainted (2.6.28-rc4b #1) pn test
> EIP: 0060:[<c03dc6ec>] EFLAGS: 00010286 CPU:0
> EIP is at rt_worker_func+0xc7/0x15d
> ......
> ....
> .....
>
>
> BRs,
> Joseph
>
> -----Original Message-----
> From: Joseph Chan
> Sent: Thursday, November 13, 2008 8:58 AM
> To: 'Andrew Morton'; Bruno Prémont
> Cc: arjan@infradead.org; linux-fbdev-devel@lists.sourceforge.net;
> linux-kernel@vger.kernel.org Subject: RE: [PATCH] Fix crash in viafb
> due to 4k stack overflow
>
> I will try this new patch later. :)
>
> BRs,
> Joseph Chan
>
> -----Original Message-----
> From: Andrew Morton [mailto:akpm@linux-foundation.org]
> Sent: Thursday, November 13, 2008 7:01 AM
> To: Bruno Prémont
> Cc: arjan@infradead.org; Joseph Chan;
> linux-fbdev-devel@lists.sourceforge.net; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Fix crash in viafb due to 4k stack overflow
>
> On Mon, 10 Nov 2008 22:00:46 +0100
> Bruno Pr__mont <bonbons@linux-vserver.org> wrote:
>
> > During conversion of viafb_ioctl() I noticed the following:
> >
> > Those two cases just copy_from_user and do nothing with copied
> > data, incomplete implementation?:
> > case VIAFB_SET_PANEL_POSITION:
> > if (copy_from_user(&u.panel_pos_size_para, argp,
> > sizeof(u.panel_pos_size_para)))
> > return -EFAULT;
> > break;
> > case VIAFB_SET_PANEL_SIZE:
> > if (copy_from_user(&u.panel_pos_size_para, argp,
> > sizeof(u.panel_pos_size_para)))
> > return -EFAULT;
> > break;
> >
> > Handling of GET/SET GAMMA looks buggy:
> > In each case 256*4 bytes are allocated but only 4 bytes (size of
> > pointer) are copied to/from userspace though
> > viafb_(get|set)_gamma_table() operates on the full 256 elements...
> > case VIAFB_SET_GAMMA_LUT:
> > viafb_gamma_table = kmalloc(256 * sizeof(u32),
> > GFP_KERNEL); if (!viafb_gamma_table)
> > return -ENOMEM;
> > if (copy_from_user(viafb_gamma_table, argp,
> > sizeof(viafb_gamma_table))) {
> > kfree(viafb_gamma_table);
> > return -EFAULT;
> > }
> > viafb_set_gamma_table(viafb_bpp, viafb_gamma_table);
> > kfree(viafb_gamma_table);
> > break;
> >
> > case VIAFB_GET_GAMMA_LUT:
> > viafb_gamma_table = kmalloc(256 * sizeof(u32),
> > GFP_KERNEL); if (!viafb_gamma_table)
> > return -ENOMEM;
> > viafb_get_gamma_table(viafb_gamma_table);
> > if (copy_to_user(argp, viafb_gamma_table,
> > sizeof(viafb_gamma_table))) {
> > kfree(viafb_gamma_table);
> > return -EFAULT;
> > }
> > kfree(viafb_gamma_table);
> > break;
> >
> > I don't know if there is a userspace app that uses these VIA
> > IOCTLs... so the ioctl part is just compile-tested.
> > After checking, fbset just uses some generic framebuffer IOCTLs
> > outside of viafb's scope, thus not passing through viafb_ioctl().
> >
> >
> >
> > ---
> > --- linux-2.6.28-rc3/drivers/video/via/viafbdev.c.orig
> > 2008-11-09 19:36:47.000000000 +0100 +++
> > linux-2.6.28-rc3/drivers/video/via/viafbdev.c 2008-11-10
> > 20:50:32.000000000 +0100
>
> hm, OK, I dropped the old patch and merged this one.
>
> It'd be nice to have it runtime tested and reviewed by Joseph, but we
> haven't heard from him yet. viafb might be 8k-stacks-only in 2.6.27,
> which would be bad.
>
WARNING: multiple messages have this Message-ID (diff)
From: "Bruno Prémont" <bonbons@linux-vserver.org>
To: <JosephChan@via.com.tw>
Cc: <akpm@linux-foundation.org>, <arjan@infradead.org>,
<linux-fbdev-devel@lists.sourceforge.net>,
<linux-kernel@vger.kernel.org>, <ScottFang@viatech.com.cn>
Subject: Re: [PATCH] Fix crash in viafb due to 4k stack overflow
Date: Fri, 14 Nov 2008 10:01:56 +0100 [thread overview]
Message-ID: <20081114100156.4557760c@pluto.restena.lu> (raw)
In-Reply-To: <C80EF34A3D2E494DBAF9AC29C7AE4EB808226A07@exchtp03.taipei.via.com.tw>
Joseph,
Are you testing with 4k stacks or with 8k stacks (CONFIG_4KSTACKS)?
Note that your failure looks pretty much like the ones I mentionned in
http://lkml.org/lkml/2008/11/9/204
It looks like some kernel text/data got corrupted though I have no
idea what caused it. For me this kind of NULL pointer dereference did
happen a few times then stopped showing up (just a reboot, not kernel
change/recompile)
Bruno
On Fri, 14 Nov 2008 <JosephChan@via.com.tw> wrote:
> After testing the patch with 2.6.28-rc4 kernel, I found something
> strange in both viafb built-in and module modes. See the result on my
> EPIA-EX (CX700) below. Based on the result, it looks like something
> wrong with the new patch.
>
> Kernel 2.6.28-rc4 + viafb-fix-crash-due-to-4k-stack-overflow.patch
>
> 1. w/o patching the viafb-fix-crash-due-to-4k-stack-overflow.patch
> => System works properly without "kernel panic" issue.
>
> 2. w/ patching the viafb-fix-crash-due-to-4k-stack-overflow.patch
> => System hangs with "kernel panic" randomly after loading the viafb
> module. Such as:
> BUG: unable to handle kernel NULL pointer dereference at 000000c7
> IP: [<c03dc6ec>] rt_worker_func+0xc7/0x15d
> Last sysfs file: /sys/class/graphics/fb0/dev
> Modules linked in: viafb i2c_algo_bit via_rhine sg pata_via sd_mod
> ehci_hcd
>
> Pid: 6, comm: events/0 Not tainted (2.6.28-rc4b #1) pn test
> EIP: 0060:[<c03dc6ec>] EFLAGS: 00010286 CPU:0
> EIP is at rt_worker_func+0xc7/0x15d
> ......
> ....
> .....
>
>
> BRs,
> Joseph
>
> -----Original Message-----
> From: Joseph Chan
> Sent: Thursday, November 13, 2008 8:58 AM
> To: 'Andrew Morton'; Bruno Prémont
> Cc: arjan@infradead.org; linux-fbdev-devel@lists.sourceforge.net;
> linux-kernel@vger.kernel.org Subject: RE: [PATCH] Fix crash in viafb
> due to 4k stack overflow
>
> I will try this new patch later. :)
>
> BRs,
> Joseph Chan
>
> -----Original Message-----
> From: Andrew Morton [mailto:akpm@linux-foundation.org]
> Sent: Thursday, November 13, 2008 7:01 AM
> To: Bruno Prémont
> Cc: arjan@infradead.org; Joseph Chan;
> linux-fbdev-devel@lists.sourceforge.net; linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] Fix crash in viafb due to 4k stack overflow
>
> On Mon, 10 Nov 2008 22:00:46 +0100
> Bruno Pr__mont <bonbons@linux-vserver.org> wrote:
>
> > During conversion of viafb_ioctl() I noticed the following:
> >
> > Those two cases just copy_from_user and do nothing with copied
> > data, incomplete implementation?:
> > case VIAFB_SET_PANEL_POSITION:
> > if (copy_from_user(&u.panel_pos_size_para, argp,
> > sizeof(u.panel_pos_size_para)))
> > return -EFAULT;
> > break;
> > case VIAFB_SET_PANEL_SIZE:
> > if (copy_from_user(&u.panel_pos_size_para, argp,
> > sizeof(u.panel_pos_size_para)))
> > return -EFAULT;
> > break;
> >
> > Handling of GET/SET GAMMA looks buggy:
> > In each case 256*4 bytes are allocated but only 4 bytes (size of
> > pointer) are copied to/from userspace though
> > viafb_(get|set)_gamma_table() operates on the full 256 elements...
> > case VIAFB_SET_GAMMA_LUT:
> > viafb_gamma_table = kmalloc(256 * sizeof(u32),
> > GFP_KERNEL); if (!viafb_gamma_table)
> > return -ENOMEM;
> > if (copy_from_user(viafb_gamma_table, argp,
> > sizeof(viafb_gamma_table))) {
> > kfree(viafb_gamma_table);
> > return -EFAULT;
> > }
> > viafb_set_gamma_table(viafb_bpp, viafb_gamma_table);
> > kfree(viafb_gamma_table);
> > break;
> >
> > case VIAFB_GET_GAMMA_LUT:
> > viafb_gamma_table = kmalloc(256 * sizeof(u32),
> > GFP_KERNEL); if (!viafb_gamma_table)
> > return -ENOMEM;
> > viafb_get_gamma_table(viafb_gamma_table);
> > if (copy_to_user(argp, viafb_gamma_table,
> > sizeof(viafb_gamma_table))) {
> > kfree(viafb_gamma_table);
> > return -EFAULT;
> > }
> > kfree(viafb_gamma_table);
> > break;
> >
> > I don't know if there is a userspace app that uses these VIA
> > IOCTLs... so the ioctl part is just compile-tested.
> > After checking, fbset just uses some generic framebuffer IOCTLs
> > outside of viafb's scope, thus not passing through viafb_ioctl().
> >
> >
> >
> > ---
> > --- linux-2.6.28-rc3/drivers/video/via/viafbdev.c.orig
> > 2008-11-09 19:36:47.000000000 +0100 +++
> > linux-2.6.28-rc3/drivers/video/via/viafbdev.c 2008-11-10
> > 20:50:32.000000000 +0100
>
> hm, OK, I dropped the old patch and merged this one.
>
> It'd be nice to have it runtime tested and reviewed by Joseph, but we
> haven't heard from him yet. viafb might be 8k-stacks-only in 2.6.27,
> which would be bad.
>
next prev parent reply other threads:[~2008-11-14 9:01 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-14 8:41 [PATCH] Fix crash in viafb due to 4k stack overflow JosephChan
2008-11-14 8:41 ` JosephChan
2008-11-14 9:01 ` Bruno Prémont [this message]
2008-11-14 9:01 ` Bruno Prémont
2008-11-14 10:20 ` JosephChan
2008-11-14 10:20 ` JosephChan
-- strict thread matches above, loose matches on Subject: below --
2008-11-09 19:25 Bruno Prémont
2008-11-09 19:25 ` Bruno Prémont
2008-11-09 19:36 ` Andrew Morton
2008-11-09 19:36 ` Andrew Morton
2008-11-09 20:25 ` Arjan van de Ven
2008-11-09 20:38 ` Bruno Prémont
2008-11-09 20:38 ` Bruno Prémont
2008-11-09 20:55 ` Andrew Morton
2008-11-09 20:55 ` Andrew Morton
2008-11-09 21:37 ` Bruno Prémont
2008-11-09 21:37 ` Bruno Prémont
2008-11-09 22:57 ` Trent Piepho
2008-11-09 22:59 ` Andrew Morton
2008-11-09 22:59 ` Andrew Morton
2008-11-10 21:00 ` Bruno Prémont
2008-11-10 21:00 ` Bruno Prémont
2008-11-12 23:01 ` Andrew Morton
2008-11-13 0:58 ` JosephChan
2008-11-13 0:58 ` JosephChan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081114100156.4557760c@pluto.restena.lu \
--to=bonbons@linux-vserver.org \
--cc=JosephChan@via.com.tw \
--cc=ScottFang@viatech.com.cn \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=linux-fbdev-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.