[Bug 87554] New: [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[Bug 87554] New: [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 5207 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

            Bug ID: 87554
           Summary: [NV1A] 3.19-rc1 NULL dereference on modprobe in
                    pramin_fini
           Product: xorg
           Version: unspecified
          Hardware: x86 (IA32)
                OS: Linux (All)
            Status: NEW
          Severity: major
          Priority: medium
         Component: Driver/nouveau
          Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
          Reporter: bonbons67-H4aWS73dXupiYsDpGMXq6A@public.gmane.org
        QA Contact: xorg-team-go0+a7rfsptAfugRpC6u6w@public.gmane.org

[  441.685835] wmi: Mapper loaded
[  442.129083] ACPI: PCI Interrupt Link [LNK5] enabled at IRQ 12
[  442.135019] PCI: setting IRQ 12 as level-triggered
[  442.144839] nouveau  [  DEVICE][0000:02:00.0] BOOT0  : 0x01a000b1
[  442.151063] nouveau  [  DEVICE][0000:02:00.0] Chipset: nForce (NV1A)
[  442.157481] nouveau  [  DEVICE][0000:02:00.0] Family : NV10
[  442.172505] BUG: unable to handle kernel NULL pointer dereference at  
(null)
[  442.179823] IP: [<dea2c6c6>] pramin_fini+0x6/0x30 [nouveau]
[  442.180015] *pde = 00000000 
[  442.180015] Oops: 0000 [#1] 
[  442.180015] Modules linked in: nouveau(+) wmi ttm drm_kms_helper nfsv3
nfs_acl nfs lockd grace sunrpc
[  442.180015] CPU: 0 PID: 1267 Comm: modprobe Not tainted 3.19.0-rc1-jupiter
#1
[  442.180015] Hardware name: NVIDIA Corporation. nFORCE-MCP/MS-6373, BIOS 6.00
PG 04/12/2002
[  442.180015] task: dc010c90 ti: dcfba000 task.ti: dcfba000
[  442.180015] EIP: 0060:[<dea2c6c6>] EFLAGS: 00010286 CPU: 0
[  442.180015] EIP is at pramin_fini+0x6/0x30 [nouveau]
[  442.180015] EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: dea2c6c0
[  442.180015] ESI: dcfbb8a4 EDI: deacf670 EBP: dcfbb834 ESP: dcfbb830
[  442.180015]  DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[  442.180015] CR0: 8005003b CR2: 00000000 CR3: 1c042000 CR4: 000007d0
[  442.180015] Stack:
[  442.180015]  dcedad90 dcfbb860 dea2c02e dcedad90 00000004 deaef771 deaef81b
00000000
[  442.180015]  deaf5320 dcfbb8a4 dcfbb884 dcfbb884 dcfbb994 dea2c2db dcfbb87c
c10dbf41
[  442.180015]  ddfcdb40 dd401180 dcedad90 00000000 dcfbb8a4 10000001 deaf54a0
00000000
[  442.180015] Call Trace:
[  442.180015]  [<dea2c02e>] shadow_method+0x8e/0xe0 [nouveau]
[  442.180015]  [<dea2c2db>] nvbios_shadow+0x25b/0x360 [nouveau]
[  442.180015]  [<c10dbf41>] ? init_object+0x51/0x60
[  442.180015]  [<dea1f0eb>] nouveau_bios_ctor+0x4b/0x3b0 [nouveau]
[  442.180015]  [<c10dd62f>] ? kmem_cache_alloc_trace+0xcf/0x160
[  442.180015]  [<dea1cd25>] nouveau_object_ctor+0x35/0xd0 [nouveau]
[  442.180015]  [<dea64ebf>] nouveau_devobj_ctor+0x77f/0x880 [nouveau]
[  442.180015]  [<dea1cd25>] nouveau_object_ctor+0x35/0xd0 [nouveau]
[  442.180015]  [<dea1bb89>] nvkm_ioctl_new+0x229/0x300 [nouveau]
[  442.180015]  [<dea1c020>] nvkm_ioctl+0x2a0/0x340 [nouveau]
[  442.180015]  [<deaa913c>] nvkm_client_ioctl+0x1c/0x30 [nouveau]
[  442.180015]  [<dea9ccee>] nvif_object_ioctl+0x7e/0x90 [nouveau]
[  442.180015]  [<dea9d44a>] nvif_object_init+0x10a/0x130 [nouveau]
[  442.180015]  [<dea9d7a8>] nvif_device_init+0x28/0x50 [nouveau]
[  442.180015]  [<dea9f630>] nouveau_drm_load+0x2e0/0x560 [nouveau]
[  442.180015]  [<c12c6bff>] drm_dev_register+0x5f/0xe0
[  442.180015]  [<c12c9231>] drm_get_pci_dev+0xe1/0x1a0
[  442.180015]  [<c122e9f5>] ? pcibios_set_master+0x25/0x80
[  442.180015]  [<dea9f068>] nouveau_drm_probe+0x1a8/0x1d0 [nouveau]
[  442.180015]  [<c122fed5>] pci_device_probe+0x65/0xc0
[  442.180015]  [<c12e801d>] driver_probe_device+0x14d/0x330
[  442.180015]  [<c12e824d>] __driver_attach+0x4d/0x80
[  442.180015]  [<c12e8200>] ? driver_probe_device+0x330/0x330
[  442.180015]  [<c12e68dc>] bus_for_each_dev+0x3c/0x70
[  442.180015]  [<c12e7b7c>] driver_attach+0x1c/0x30
[  442.180015]  [<c12e8200>] ? driver_probe_device+0x330/0x330
[  442.180015]  [<c12e76ec>] bus_add_driver+0xdc/0x1f0
[  442.180015]  [<c12e89b7>] driver_register+0x87/0xc0
[  442.180015]  [<c10dffff>] ? migrate_page_copy+0x18f/0x250
[  442.180015]  [<c122ffb8>] __pci_register_driver+0x28/0x30
[  442.180015]  [<c12c933b>] drm_pci_init+0x4b/0xe0
[  442.180015]  [<deb39235>] nouveau_drm_init+0x235/0x1000 [nouveau]
[  442.180015]  [<c1000441>] ? do_one_initcall+0xb1/0x1d0
[  442.180015]  [<c10004b4>] do_one_initcall+0x124/0x1d0
[  442.180015]  [<deb39000>] ? 0xdeb39000
[  442.180015]  [<deb39000>] ? 0xdeb39000
[  442.180015]  [<c10dd344>] ? kfree+0x134/0x140
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c10d52ac>] ? __vunmap+0xcc/0xe0
[  442.180015]  [<c107e125>] load_module+0x1035/0x16b0
[  442.180015]  [<c107e885>] SyS_init_module+0xe5/0xf0
[  442.180015]  [<c14c23d2>] sysenter_do_call+0x12/0x12
[  442.180015] Code: 43 7f e2 39 5d f0 89 07 77 e3 eb 08 90 c7 45 ec 00 00 00
00 8b 45 ec 83 c4 08 5b 5e 5f 5d c3 
[  442.180015] EIP: [<dea2c6c6>] pramin_fini+0x6/0x30 [nouveau] SS:ESP
0068:dcfbb830
[  442.180015] CR2: 0000000000000000
[  442.555577] ---[ end trace 5944a013025347a6 ]---

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 6696 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1757 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

--- Comment #1 from Bruno <bonbons67-H4aWS73dXupiYsDpGMXq6A@public.gmane.org> ---
Matching objdump -d -S nouveau.ko:

000136c0 <pramin_fini>:

static void
pramin_fini(void *data)
{
   136c0:       55                      push   %ebp
   136c1:       89 e5                   mov    %esp,%ebp
   136c3:       53                      push   %ebx
   136c4:       89 c3                   mov    %eax,%ebx
static inline void
nv_wr32(void *obj, u32 addr, u32 data)
{
        struct nouveau_subdev *subdev = nv_subdev(obj);
        nv_spam(subdev, "nv_wr32 0x%06x 0x%08x\n", addr, data);
        iowrite32_native(data, subdev->mmio + addr);
   136c6:       8b 00                   mov    (%eax),%eax
   136c8:       8b 50 24                mov    0x24(%eax),%edx
   136cb:       8b 43 04                mov    0x4(%ebx),%eax
   136ce:       81 c2 00 17 00 00       add    $0x1700,%edx
   136d4:       e8 fc ff ff ff          call   136d5 <pramin_fini+0x15>
        struct priv *priv = data;
        nv_wr32(priv->bios, 0x001700, priv->bar0);
        kfree(priv);
   136d9:       89 d8                   mov    %ebx,%eax
   136db:       e8 fc ff ff ff          call   136dc <pramin_fini+0x1c>
}
   136e0:       5b                      pop    %ebx
   136e1:       5d                      pop    %ebp
   136e2:       c3                      ret    
   136e3:       8d b6 00 00 00 00       lea    0x0(%esi),%esi
   136e9:       8d bc 27 00 00 00 00    lea    0x0(%edi,%eiz,1),%edi


Source code:
static void
pramin_fini(void *data)
{
        struct priv *priv = data;
        nv_wr32(priv->bios, 0x001700, priv->bar0);
        kfree(priv);
}

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2552 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 1545 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

--- Comment #2 from Bruno <bonbons67-H4aWS73dXupiYsDpGMXq6A@public.gmane.org> ---
Created attachment 111111
  --> https://bugs.freedesktop.org/attachment.cgi?id=111111&action=edit
Consider ->init NULL return as a failure

Things are crashing because pramin_init returns NULL (and not a ERR_PTR).

Would the following change be a proper fix?:

 static int
 shadow_method(struct nouveau_bios *bios, struct shadow *mthd, const char
*name)
 {
         const struct nvbios_source *func = mthd->func;
         if (func->name) {
                 nv_debug(bios, "trying %s...\n", name ? name : func->name);
                 if (func->init) {
                         mthd->data = func->init(bios, name);
                         if (IS_ERR(mthd->data)) {
                                 mthd->data = NULL;
                                 return 0;
+                        } else if (!mthd->data) {
+                                return 0;
                         }
                 }
                 mthd->score = shadow_score(bios, mthd);
                 if (func->fini)
                         func->fini(mthd->data);
                 nv_debug(bios, "scored %d\n", mthd->score);
                 mthd->data = bios->data;
                 mthd->size = bios->size;
                 bios->data  = NULL;
                 bios->size  = 0;
         }
         return mthd->score;
 }

If so, please apply attached patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2647 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 312 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

--- Comment #3 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
http://cgit.freedesktop.org/~darktama/nouveau/commit/?id=b19dbc526bb963670dafc86da92d9fa2755b1997

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1182 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 579 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rjgleits-Bdlq13kUjeyLZ21kGMrzwg@public.gmane.org

--- Comment #4 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
*** Bug 87576 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1993 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 290 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

--- Comment #5 from Tobias Klausmann <tobias.klausmann-AqjdNwhu20eELgA04lAiVw@public.gmane.org> ---
*** Bug 87641 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 1243 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau

[Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini

[bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ]

[-- Attachment #1.1: Type: text/plain, Size: 563 bytes --]

https://bugs.freedesktop.org/show_bug.cgi?id=87554

Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
Should be fixed in 3.19-final.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #1.2: Type: text/html, Size: 2002 bytes --]

[-- Attachment #2: Type: text/plain, Size: 153 bytes --]

_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/nouveau