From owner-freebsd-x11@FreeBSD.ORG Fri Jan 2 07:26:40 2015 Return-Path: Delivered-To: freebsd-x11@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BFE979A2; Fri, 2 Jan 2015 07:26:40 +0000 (UTC) Received: from mail.myota.org (mail.myota.org [85.10.206.105]) by mx1.freebsd.org (Postfix) with ESMTP id 623C11294; Fri, 2 Jan 2015 07:26:39 +0000 (UTC) Received: from g229017217.adsl.alicedsl.de (g229017217.adsl.alicedsl.de [92.229.17.217]) (authenticated bits=128) by mail.myota.org (8.14.9/8.14.9) with ESMTP id t027QKwK059692; Fri, 2 Jan 2015 08:26:26 +0100 (CET) (envelope-from andre@fbsd.ata.myota.org) Received: from submit.client ([127.0.0.1]) by gate.local (8.14.9/8.14.9) with ESMTP id t027QKDx065869; Fri, 2 Jan 2015 08:26:20 +0100 (CET) (envelope-from andre@fbsd.ata.myota.org) Received: (from user@localhost) by gate.local (8.14.9/8.14.9/Submit) id t027QKqU065868; Fri, 2 Jan 2015 08:26:20 +0100 (CET) (envelope-from andre@fbsd.ata.myota.org) Date: Fri, 2 Jan 2015 08:26:20 +0100 From: Andre Albsmeier To: Adrian Chadd Subject: Re: [PATCH] Fixing panic in vt_fb_blank() if fb_size is not a multiple of fb_stride Message-ID: <20150102072620.GB65505@gate> References: <20150101192219.GA46601@voyager> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Echelon: 767, Compsec, USSS, MD4, detonator X-Advice: Drop that crappy M$-Outlook, I'm tired of your viruses! User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Not delayed on 85.10.206.105, ACL: AUTH(59), Origin: DE, OS: FreeBSD 9.x X-Greylist: Not delayed, ACL: localhost(52) X-Virus-Scanned: clamav-milter 0.98.5 at colo X-Virus-Status: Clean Cc: Andre Albsmeier , freebsd-x11@freebsd.org, "freebsd-hackers@freebsd.org" X-BeenThere: freebsd-x11@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: X11 on FreeBSD -- maintaining and support List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Jan 2015 07:26:41 -0000 On Thu, 01-Jan-2015 at 13:34:53 -0800, Adrian Chadd wrote: > oh cool! > > Would you mind filing a PR? This is a pretty nifty find, good work! Thanks ;-) Given the fact that emaste@ apparently fixed that in -head already do you think the PR is still needed (for documentation purposes or otherwise)? -Andre > > On 1 January 2015 at 11:22, Andre Albsmeier wrote: > > [Crossposting to -hackers and -x11 as this is vt and i915kms related] > > > > I can reliably crash an older notebook (Fujitsu E8310) with Intel > > graphics (GM965) by loading i915kms after having booted but only > > if vt(4) is used instead of old syscons. > > > > Reason for the crash is a page fault in vt_fb_blank() which is > > in /sys/dev/vt/hw/fb/vt_fb.c: > > > > #7 0xc08c929e in bcopy () at /src/src-9/sys/i386/i386/support.s:198 > > #8 0xc08d93e0 in memmove (dest=0xedfd3c00, src=0xeda30000, n=5632) at /src/src-9/sys/libkern/memmove.c:36 > > #9 0xc053fac7 in vt_fb_mem_copy (sc=0xc6919500, offset_to=5913600, offset_from=0, size=5632) at /src/src-9/sys/dev/fb/fbd.c:205 > > #10 0xc060370e in vt_fb_blank (vd=0xc09c3c40, color=) at /src/src-9/sys/dev/vt/hw/fb/vt_fb.c:179 > > #11 0xc0603b10 in vt_fb_init (vd=0xc09c3c40) at /src/src-9/sys/dev/vt/hw/fb/vt_fb.c:306 > > #12 0xc06098db in vt_allocate (drv=0xc09c3b80, softc=0xc6919500) at /src/src-9/sys/dev/vt/vt_core.c:1970 > > > > in vt_fb_blank() we find: > > > > for (o = info->fb_stride; o < info->fb_size; o += info->fb_stride) { > > info->copy(info, o, 0, info->fb_stride); > > } > > > > fb_size gets calculated in intelfb_create() which is in > > /sys/dev/drm2/i915/intel_fb.c as > > > > size = mode_cmd.pitches[0] * mode_cmd.height; > > size = roundup2(size, PAGE_SIZE); > > > > with fb_stride being the result of > > > > mode_cmd.pitches[0] = roundup2( (mode_cmd.width * ((sizes->surface_bpp + 7) / 8), 64); > > > > So with my funky resolution of 1400 x 1050 @32bit we get > > > > fb_stride = 5632 > > fb_size = 5914624 > > > > We see that fb_stride won't fit into fb_size in whole numbers > > (5914624 / 5632 = 1050.18181818181818181818) so this is why > > the loop runs beyond fb_size and gives a page fault. > > > > I am now using this modified loop in vt_fb_blank() which does > > not try to run to the end of the fb by replacing > > > > info->fb_size > > > > by > > > > info->fb_height * info->fb_stride > > > > for (o = info->fb_stride; o < info->fb_height * info->fb_stride; o += info->fb_stride) { > > info->copy(info, o, 0, info->fb_stride); > > } > > > > All this is on 9.3-STABLE. I have no idea if this is the correct > > solution but at least I can use vt instead of sc on this notebook. > > > > -Andre > > _______________________________________________ > > freebsd-hackers@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" -- The day Micro$oft makes a product that doesn't suck is the day they make a vacuum cleaner.