Customer Contact Name:
  Koki Sanagi

Description of Problem:

  Putting a landscape display (we used 1680x1050) on a server and resizing the 
  screen size from 1024x768 to 1280x1024 causes CPU Fatal Error.

  According to our investigation, this is due to underestimating of memory size
  which is used for ShadowFB by MGA driver. Following is where MGA allocates
  memory.
>    height = pScrn->virtualY;
>
>     if(pMga->ShadowFB) {
>         /*
>          * I don't really feel like faffing about with resizing the
>          * shadow buffer when the front buffer grows in RANDR, so I'm
>          * just going to allocate enough up front and let the upload hook
>          * correct for width.
>          */
>         if (pMga->randr12)
>             pMga->ShadowPitch = BitmapBytePad(pScrn->bitsPerPixel * 2048);
>         else
>             pMga->ShadowPitch = BitmapBytePad(pScrn->bitsPerPixel * width);
> 
>         displayWidth = pMga->ShadowPitch / (pScrn->bitsPerPixel >> 3);
>         FBStart = pMga->ShadowPtr = malloc(pMga->ShadowPitch * height);
>     } else {

  Here, MGA assumes that width is 2048 whatever display is put. But as for
  height it uses a value from somewhere. If you put a 1680x1050 display, height
  becomes 900 because 1440x900 is possible. In that case 2048x900x3 bytes is
  allocated for ShadowFB.  But this display also can project a 1280x1024
  screen. Even if you change to that size, Xserver will not change that memory
  size but Xserver uses 2048x1024x3 bytes memory which is more than allocated. 
  Unluckily, /dev/mem is mapped right after this shadowFB memory. So this
  overflow write access results in CPU Fatal Error when it trespasses the
  reserved area for BIOS.

# pmap -x 4801
4801:   /usr/bin/Xorg :0 -nr -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-ulXrQ0/database -nolisten tcp vt1
---snip---
00007f883a521000    5496    5408    5408 rw---    [ anon ]   * for shadowFB
00007f883aa7f000     256       0       0 rw-s-  mem
00007f883aabf000     128       0       0 rw-s-  mem
00007f883aadf000     964     208     208 rw---    [ anon ]


Version-Release number of selected component:

  Red Hat Enterprise Linux Version Number:6
  Release Number:5
  Architecture:x86_64
  Kernel Version:2.6.32-431.el6.x86_64
  Related Package Version:
  Related Middleware/Application:

Drivers or hardware or architecture dependency:
  MGA driver and MGA G200e VGA controller

How reproducible:
  Always

Step to Reproduce:

  1. Put a 1680x1050 display.
  2. Resize the screen size from 1024x768 to 1280x1024.


Actual Results:
  The machine falls into CPU Fatal Error.

Expected Results:
  The screen size changes normally.

Summary of actions taken to resolve issue:
  None

Location of diagnostic data:
  None

Hardware configuration:

  Model/Hypervisor:PRIMEQUEST 2800E
  CPU Info:Xeon X5660 2sockets
  Memory Info:64GB
  Hardware Component Information:none
  Configuration Info:none
  Guest Configuration Info:none

Business Impact:

  None

  Target Release:6.6

  Errata Request:None

Additional Info:
  The displays we used are Fujitsu VL-22WB1G and DELL 2209WA. Both of them
  have 1680x1050 resolution.

  We made this bug as public by following reasons.
  This bug occurred at a customer who purchased a PRIMEQUEST 2800E.
  Customer thought that this was a HW issue, and he had FJ investigate it.

  FJ HW & SW team investigated this issue, and we reached the above conclusion.
  Customer purchased the RHEL support from Red Hat directly.
  So FJ filed this bug to share our analysis with customer and Red Hat.
  Therefore, FJ keeps this bug as public.
    
  I think customer would file support case by pointing this bug. Fujitsu are
  not sure whether this customer wants async errata or not.
  Of course Fujitsu believes that this issue will be resolved sometime since
  this issue might bother other our customers.