On Thu, 05 May 2011 Bruno PrÃmont <bonbons@xxxxxxxxxxxxxxxxx> wrote: > With 2.6.39-rc6 I'm hitting the following (relevant part from objdump of > drm_mm.o at bottom). > Some part of node passed to drm_mm_remove_node() is being use after free > and hits SLUB poison. > > Bruno > > > [ 328.447498] drm: unregistered panic notifier > [ 328.447648] [drm] nouveau 0000:02:00.0: 0xAFD8: Parsing digital output script table > [ 328.448642] [drm] nouveau 0000:02:00.0: Restoring VGA fonts > [ 328.450949] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown Here is the trace to the erroring drm_mm_takedown() call: [ 95.486464] [drm:drm_mm_takedown] *ERROR* Memory manager not clean. Delaying takedown [ 95.486585] ------------[ cut here ]------------ [ 95.486640] kernel BUG at /usr/src/linux-2.6/drivers/gpu/drm/drm_mm.c:628! [ 95.486697] invalid opcode: 0000 [#1] [ 95.486805] last sysfs file: /sys/devices/platform/w83627hf.656/temp3_input [ 95.486862] Modules linked in: nouveau(-) fbcon tileblit font ttm bitblit softcursor drm_kms_helper drm fb fbdev i2c_algo_bit cfbcopyarea video cfbimgblt cfbfillrect nfs lockd nfs_acl sunrpc snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer snd snd_page_alloc pcspkr [ 95.488061] [ 95.488121] Pid: 1714, comm: rmmod Tainted: G W 2.6.39-rc6-jupiter-00001-g443badf-dirty #13 NVIDIA Corporation. nFORCE-MCP/MS-6373 [ 95.488306] EIP: 0060:[<deb52e0c>] EFLAGS: 00010292 CPU: 0 [ 95.488397] EIP is at drm_mm_takedown+0x7c/0x80 [drm] [ 95.488451] EAX: 0000005f EBX: da148620 ECX: fffffed5 EDX: 00000000 [ 95.488508] ESI: da148620 EDI: 00000090 EBP: dbc47e18 ESP: dbc47e04 [ 95.488563] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 [ 95.488631] Process rmmod (pid: 1714, ti=dbc46000 task=dd446470 task.ti=dbc46000) [ 95.488693] Stack: [ 95.488740] deb62a24 deb5c8ab da148620 da0001e8 00000090 dbc47e28 dec5934b da000148 [ 95.489099] da0001d8 dbc47e44 dec550eb dbc47e44 def998cb da204820 da000000 da000000 [ 95.489469] dbc47e64 def6dc51 deb5c280 da000148 da204830 da204820 dd5270c0 dd5271d8 [ 95.489839] Call Trace: [ 95.489907] [<dec5934b>] ttm_bo_man_takedown+0x2b/0x50 [ttm] [ 95.489968] [<dec550eb>] ttm_bo_clean_mm+0x5b/0xa0 [ttm] [ 95.490063] [<def998cb>] ? nv10_fb_takedown+0x2b/0x50 [nouveau] [ 95.490130] [<def6dc51>] nouveau_unload+0xa1/0x150 [nouveau] [ 95.490198] [<deb4ec33>] drm_put_dev+0xb3/0x1c0 [drm] [ 95.490263] [<def6d010>] nouveau_pci_remove+0x10/0x20 [nouveau] [ 95.490325] [<c11d0baf>] pci_device_remove+0x3f/0xf0 [ 95.490384] [<c123b6ab>] __device_release_driver+0x4b/0xa0 [ 95.490424] [<c123b777>] driver_detach+0x77/0x80 [ 95.490424] [<c123aa5b>] bus_remove_driver+0x5b/0xa0 [ 95.490424] [<c123bfc6>] driver_unregister+0x46/0x80 [ 95.490424] [<c110087f>] ? sysfs_remove_file+0xf/0x20 [ 95.490424] [<c11d0e4a>] pci_unregister_driver+0x2a/0x70 [ 95.490424] [<deb50adf>] drm_pci_exit+0x7f/0x90 [drm] [ 95.490424] [<defe9f17>] nouveau_exit+0x1b/0x22 [nouveau] [ 95.490424] [<c105cdbb>] sys_delete_module+0x19b/0x1f0 [ 95.490424] [<c10a42d2>] ? do_munmap+0x212/0x2f0 [ 95.490424] [<c1370bd7>] sysenter_do_call+0x12/0x26 [ 95.490424] Code: 75 d5 85 c9 75 0d 83 c4 08 5b 5e 5f c9 c3 8b 4e 30 eb ef 0f 0b eb fe c7 44 24 04 ab c8 b5 de c7 04 24 24 2a b6 de e8 75 bc 81 e2 <0f> 0b eb fe 55 89 e5 56 53 8b 58 1c ff 4b 48 0f b6 50 10 f6 c2 [ 95.490424] EIP: [<deb52e0c>] drm_mm_takedown+0x7c/0x80 [drm] SS:ESP 0068:dbc47e04 [ 95.494410] ---[ end trace ea6b63472f535569 ]--- _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
