NetBSD-Bugs archive


kern/48492: sys/dev/wscons/wsdisplay_glyphcache.c/glyphcache_wipe causes kernel panic.



>Number:         48492
>Category:       kern
>Synopsis:       sys/dev/wscons/wsdisplay_glyphcache.c/glyphcache_wipe causes kernel panic.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 03 03:45:00 +0000 2014
>Originator:     nullnilaki
>Release:        NetBSD 6.99.28 (GENERIC-$Revision: 1.356 $) #0: Wed Jan 1
>Organization:
Japan
>Environment:
NetBSD  6.99.28 NetBSD 6.99.28 (GENERIC-$Revision: 1.356 $) #0: Wed Jan  1 21:32:40 JST 2014  naruaki@NetBSD:/usr/current/obj.alpha/sys/arch/alpha/compile/GENERIC alpha
>Description:
1. Defined RADEONFB_DEFAULT_DEPTH 32 in radeonfb.
http://nxr.netbsd.org/xref/src/sys/dev/pci/radeonfb.c#104
2. Use a display with video mode 1920x1200.
3. rd_stride is 7680 (1920 * 4).
http://nxr.netbsd.org/xref/src/sys/dev/pci/radeonfb.c#845
4. glyphcache_init is called.
http://nxr.netbsd.org/xref/src/sys/dev/pci/radeonfb.c#927
5. The third argument to glyphcache_init (int lines) is -112.
(0x800000 / 7680) - (1200 + 4) = -112.
6. If lines is less than zero, buckets is zero and ENOMEM is returned.
http://nxr.netbsd.org/source/xref/src/sys/dev/wscons/wsdisplay_glyphcache.c#70
     70         if (lines < 0) lines = 0;
     71         cache_lines = lines / cellheight; -> 0
     72         gc->gc_numcells = cache_lines * gc->gc_cellsperline; -> 0
     73 
     74         /* now allocate buckets */
     75         buckets = (gc->gc_numcells / 223); -> 0
     76         if ((buckets * 223) < gc->gc_numcells) ->false
     77                 buckets++;
     78 
     79         /*
     80          * if we don't have enough video memory to cache at least a few glyphs
     81          * we stop right here
     82          */
     83         if (buckets < 1) -> true
     84                 return ENOMEM;
7. glyphcache_wipe is called in radeonfb.
http://nxr.netbsd.org/xref/src/sys/dev/pci/radeonfb.c#1127
8. Illegal memory access occurs because gc->gc_buckets[0].gb_index is not allocated.
http://nxr.netbsd.org/source/xref/src/sys/dev/wscons/wsdisplay_glyphcache.c#127
----------------------------------------------------

Please see.
http://p.twipple.jp/lEJO3
(Sorry I cannot trace on console).

----------------------------------------------------

radeonfb0 at pci1 dev 7 function 0: ATI Technologies Radeon 7500 QW (rev. 0x00)
radeonfb0: Found 48 KB Legacy BIOS
radeonfb0: refclk = 27.000 MHz, refdiv = 8 minpll = 200000, maxpll = 350000
radeonfb0: 64 MB aperture at 0x40000000, 64 KB registers at 0x01080000
radeonfb0: display 0: initial virtual resolution 1920x1200 at 32 bpp
radeonfb0: port 0: physical 1920x1200 60Hz
radeonfb0: port 1: physical 1920x1200 60Hz
stride: 7680
lines -112
gc->gc_cellwidth 12
gc->gc_cellheight 22
gc->gc_firstline 1204
gc->gc_cellsperline 160
lines 0
cache_lines 0
gc->gc_numcells 0
buckets 0
wsdisplay0 at radeonfb0 kbdmux 1: console (fb, vt100 emulation), using wskbd0

>How-To-Repeat:

>Fix:
Sorry...
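
The failure path in steps 5 to 8 above, as an added user-space C model (not NetBSD source and not part of the original report). `cache_lines_available`, `model_init`, `model_wipe` and the `gc_numbuckets` field are hypothetical names, the bucket layout is simplified, and the NULL check in the wipe is one possible guard rather than the project's fix.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct gc_bucket { int gb_index[223]; };  /* simplified layout (assumption) */
struct glyphcache {
	int gc_numbuckets;                /* hypothetical field, used by the guard */
	struct gc_bucket *gc_buckets;     /* NULL until init succeeds */
};

/* Step 5 of the report: off-screen lines left for the cache (may be negative). */
static int cache_lines_available(int vram_bytes, int stride, int first_line)
{
	return vram_bytes / stride - first_line;
}

/* Same arithmetic as lines 70-84 quoted in the report. */
static int model_init(struct glyphcache *gc, int lines, int cellheight, int cellsperline)
{
	*gc = (struct glyphcache){0};     /* leave a defined "no cache" state */
	if (lines < 0) lines = 0;
	int numcells = (lines / cellheight) * cellsperline;  /* gc_numcells in the report */
	int buckets = (numcells + 222) / 223;                /* rounded up, as lines 75-77 */
	if (buckets < 1)
		return ENOMEM;            /* nothing was allocated */
	gc->gc_buckets = calloc((size_t)buckets, sizeof(*gc->gc_buckets));
	if (gc->gc_buckets == NULL)
		return ENOMEM;
	gc->gc_numbuckets = buckets;
	return 0;
}

/* Guarded wipe: returns buckets cleared, 0 if the cache was never set up. */
static int model_wipe(struct glyphcache *gc)
{
	if (gc->gc_buckets == NULL)
		return 0;                 /* an unguarded wipe touches gb_index here */
	/* all-ones bytes make every entry -1, this model's "empty" marker */
	memset(gc->gc_buckets, 0xff, (size_t)gc->gc_numbuckets * sizeof(*gc->gc_buckets));
	return gc->gc_numbuckets;
}

int main(void)
{
	struct glyphcache gc;
	int error = model_init(&gc, cache_lines_available(0x800000, 7680, 1200 + 4), 22, 160);
	printf("init error=%d, buckets wiped=%d\n", error, model_wipe(&gc));
	return 0;
}
```

The same guard can equally live in the caller, by checking the return value of the init call before ever calling the wipe.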


