From mboxrd@z Thu Jan 1 00:00:00 1970 From: bugzilla-daemon@freedesktop.org Subject: [Bug 98620] radeon kernel module NULL pointer dereference on Radeon 9550 at shut-down Date: Mon, 07 Nov 2016 04:00:47 +0000 Message-ID: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1202175600==" Return-path: Received: from culpepper.freedesktop.org (culpepper.freedesktop.org [131.252.210.165]) by gabe.freedesktop.org (Postfix) with ESMTP id 73F5C6E2D6 for ; Mon, 7 Nov 2016 04:00:47 +0000 (UTC) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: dri-devel@lists.freedesktop.org List-Id: dri-devel@lists.freedesktop.org --===============1202175600== Content-Type: multipart/alternative; boundary="14784912470.7EB99.16147"; charset="UTF-8" --14784912470.7EB99.16147 Date: Mon, 7 Nov 2016 04:00:47 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://bugs.freedesktop.org/ Auto-Submitted: auto-generated https://bugs.freedesktop.org/show_bug.cgi?id=3D98620 Bug ID: 98620 Summary: radeon kernel module NULL pointer dereference on Radeon 9550 at shut-down Product: DRI Version: unspecified Hardware: x86-64 (AMD64) OS: Linux (All) Status: NEW Severity: normal Priority: medium Component: DRM/Radeon Assignee: dri-devel@lists.freedesktop.org Reporter: arthur.marsh@internode.on.net Created attachment 127808 --> https://bugs.freedesktop.org/attachment.cgi?id=3D127808&action=3Dedit full dmesg when crashing At shut-down: [ 2515.296325] BUG: unable to handle kernel NULL pointer dereference at 000007b4 [ 2515.300025] IP: [] radeon_connector_unregister+0x6/0x40 [radeo= n] [ 2515.300025] *pde =3D 00000000=20 [ 2515.300025] Oops: 0000 [#1] PREEMPT SMP [ 2515.300025] Modules linked in: eata cpufreq_conservative cpufreq_powersa= ve cp ufreq_userspace binfmt_misc nls_utf8 nls_cp437 vfat fat hwmon_vid tun cuse = fuse=20 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi lp ppdev powernow_k8 amd64_ edac_mod edac_mce_amd edac_core snd_via82xx snd_ac97_codec pcspkr ac97_bus snd_m pu401_uart radeon snd_pcm snd_timer snd_rawmidi evdev snd_seq_device gamepo= rt sn d ttm drm_kms_helper soundcore serio_raw drm k8temp i2c_algo_bit fb_sys_fops i2c _viapro syscopyarea sysfillrect sysimgblt sg parport_pc parport asus_atk0110 acp i_cpufreq button tpm_tis tpm_tis_core tpm ext4 crc16 jbd2 mbcache sr_mod cd= rom a ta_generic uas sd_mod usb_storage psmouse via_rhine mii pata_via ehci_pci uhci_h cd ehci_hcd usbcore usb_common libata scsi_mod [last unloaded: eata] [ 2515.300025] CPU: 0 PID: 7439 Comm: reboot Not tainted 4.9.0-rc4 #520 [ 2515.300025] Hardware name: System manufacturer System Product Name/A8V-M= X, BI OS 0503 12/06/2005 [ 2515.300025] task: f2cc6080 task.stack: f3934000 [ 2515.300025] EIP: 0060:[] EFLAGS: 00010286 CPU: 0 [ 2515.300025] EIP is at radeon_connector_unregister+0x6/0x40 [radeon] [ 2515.300025] EAX: f73a1000 EBX: f73a1000 ECX: 00000006 EDX: 00000000 [ 2515.300025] ESI: f5a09c64 EDI: f5a09800 EBP: f3935db4 ESP: f3935dac [ 2515.300025] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 2515.300025] CR0: 80050033 CR2: 000007b4 CR3: 33dbc000 CR4: 000006d0 [ 2515.300025] Stack: [ 2515.300025] f83471d7 f73a1000 f3935dc4 f8347967 f5a09800 f5a09c8c f3935= dd8 f 83383b3 [ 2515.300025] f5a09800 f5a09800 f86a0000 f3935dec f8332ff7 f5a09800 f61d3= 000 f 86a0000 [ 2515.300025] f3935e04 f8333640 f8358dca 00000001 f8358dc8 f61d3068 f3935= e0c f 85702ee [ 2515.300025] Call Trace: [ 2515.300025] [] ? drm_connector_unregister.part.6+0x17/0x30 [d= rm] [ 2515.300025] [] drm_connector_unregister_all+0x37/0x50 [drm] [ 2515.300025] [] drm_modeset_unregister_all+0x13/0x50 [drm] [ 2515.300025] [] drm_dev_unregister+0x97/0xa0 [drm] [ 2515.300025] [] drm_put_dev+0x30/0x70 [drm] [ 2515.300025] [] radeon_pci_shutdown+0xe/0x10 [radeon] [ 2515.300025] [] pci_device_shutdown+0x2d/0x70 [ 2515.300025] [] device_shutdown+0xb4/0x170 [ 2515.300025] [] kernel_restart_prepare+0x2d/0x30 [ 2515.300025] [] kernel_restart+0xe/0x60 [ 2515.300025] [] SYSC_reboot+0x1bf/0x200 [ 2515.300025] [] ? debug_lockdep_rcu_enabled+0x1a/0x20 [ 2515.300025] [] ? debug_lockdep_rcu_enabled+0x1a/0x20 [ 2515.300025] [] ? mnt_get_count+0x40/0x40 [ 2515.300025] [] ? mntput_no_expire+0x6f/0x3a0 [ 2515.300025] [] ? mntput_no_expire+0x89/0x3a0 [ 2515.300025] [] ? mnt_get_count+0x40/0x40 [ 2515.300025] [] ? mntput+0x1b/0x30 [ 2515.300025] [] ? __fput+0x153/0x1d0 [ 2515.300025] [] ? task_work_run+0x6f/0x80 [ 2515.300025] [] ? trace_hardirqs_on_caller+0xec/0x1d0 [ 2515.300025] [] ? trace_hardirqs_off+0xb/0x10 [ 2515.300025] [] SyS_reboot+0x1a/0x20 [ 2515.300025] [] do_fast_syscall_32+0x9a/0x220 [ 2515.300025] [] sysenter_past_esp+0x45/0x74 [ 2515.300025] Code: d8 e8 df 36 db ff 89 d8 e8 f8 36 db ff 89 d8 e8 11 58 = c2 c8 5b 5d c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 8b 90 d4 02 00 00 <80> = ba b4 07 00 00 00 75 01 c3 55 89 e5 53 89 c3 8d 82 e8 03 00 [ 2515.300025] EIP: []=20 [ 2515.300025] radeon_connector_unregister+0x6/0x40 [radeon] [ 2515.300025] SS:ESP 0068:f3935dac [ 2515.300025] CR2: 00000000000007b4 [ 2516.877047] ---[ end trace 076c5e2ae2d51112 ]--- Full dmesg from boot to crash is attached. # lspci -vv -s 01:00 01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] R= V350 [Radeon 9550] (prog-if 00 [VGA controller]) Subsystem: Gigabyte Technology Co., Ltd RV350 [Radeon 9550] Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx- Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=3Dmedium >TAbort- SERR- TAbort- SERR- Date: Tue Oct 11 10:44:24 2016 -0400 drm/radeon: fix up dp aux tear down (v2) Port the amdgpu fixes from Grazvydas to radeon. v2: drop unrelated whitespace change. bug: https://bugs.freedesktop.org/show_bug.cgi?id=3D98200 Reviewed-and-Tested-by: Michel D=C3=A4nzer Signed-off-by: Alex Deucher :040000 040000 b187ce6d75761c9e2eed71b385c8e0f085dbfd55 aca34c667d6253da66e824b2 a624f308841555b0 M drivers Rebuilding and running the kernel with that commit removed confirmed normal shutdown. --=20 You are receiving this mail because: You are the assignee for the bug.= --14784912470.7EB99.16147 Date: Mon, 7 Nov 2016 04:00:47 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://bugs.freedesktop.org/ Auto-Submitted: auto-generated
Bug ID 98620
Summary radeon kernel module NULL pointer dereference on Radeon 9550 = at shut-down
Product DRI
Version unspecified
Hardware x86-64 (AMD64)
OS Linux (All)
Status NEW
Severity normal
Priority medium
Component DRM/Radeon
Assignee dri-devel@lists.freedesktop.org
Reporter arthur.marsh@internode.on.net 

Created attachment 1278=
08 [details]
full dmesg when crashing

At shut-down:

[ 2515.296325] BUG: unable to handle kernel NULL pointer dereference at
000007b4
[ 2515.300025] IP: [<f8593b36>] radeon_connector_unregister+0x6/0x40 =
[radeon]
[ 2515.300025] *pde =3D 00000000=20

[ 2515.300025] Oops: 0000 [#1] PREEMPT SMP
[ 2515.300025] Modules linked in: eata cpufreq_conservative cpufreq_powersa=
ve
cp
ufreq_userspace binfmt_misc nls_utf8 nls_cp437 vfat fat hwmon_vid tun cuse =
fuse=20
iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi lp ppdev powernow_k8
amd64_
edac_mod edac_mce_amd edac_core snd_via82xx snd_ac97_codec pcspkr ac97_bus
snd_m
pu401_uart radeon snd_pcm snd_timer snd_rawmidi evdev snd_seq_device gamepo=
rt
sn
d ttm drm_kms_helper soundcore serio_raw drm k8temp i2c_algo_bit fb_sys_fops
i2c
_viapro syscopyarea sysfillrect sysimgblt sg parport_pc parport asus_atk0110
acp
i_cpufreq button tpm_tis tpm_tis_core tpm ext4 crc16 jbd2 mbcache sr_mod cd=
rom
a
ta_generic uas sd_mod usb_storage psmouse via_rhine mii pata_via ehci_pci
uhci_h
cd ehci_hcd usbcore usb_common libata scsi_mod [last unloaded: eata]
[ 2515.300025] CPU: 0 PID: 7439 Comm: reboot Not tainted 4.9.0-rc4 #520
[ 2515.300025] Hardware name: System manufacturer System Product Name/A8V-M=
X,
BI
OS 0503    12/06/2005
[ 2515.300025] task: f2cc6080 task.stack: f3934000
[ 2515.300025] EIP: 0060:[<f8593b36>] EFLAGS: 00010286 CPU: 0
[ 2515.300025] EIP is at radeon_connector_unregister+0x6/0x40 [radeon]
[ 2515.300025] EAX: f73a1000 EBX: f73a1000 ECX: 00000006 EDX: 00000000
[ 2515.300025] ESI: f5a09c64 EDI: f5a09800 EBP: f3935db4 ESP: f3935dac
[ 2515.300025]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 2515.300025] CR0: 80050033 CR2: 000007b4 CR3: 33dbc000 CR4: 000006d0
[ 2515.300025] Stack:
[ 2515.300025]  f83471d7 f73a1000 f3935dc4 f8347967 f5a09800 f5a09c8c f3935=
dd8
f
83383b3
[ 2515.300025]  f5a09800 f5a09800 f86a0000 f3935dec f8332ff7 f5a09800 f61d3=
000
f
86a0000
[ 2515.300025]  f3935e04 f8333640 f8358dca 00000001 f8358dc8 f61d3068 f3935=
e0c
f
85702ee
[ 2515.300025] Call Trace:
[ 2515.300025]  [<f83471d7>] ? drm_connector_unregister.part.6+0x17/0=
x30 [drm]
[ 2515.300025]  [<f8347967>] drm_connector_unregister_all+0x37/0x50 [=
drm]
[ 2515.300025]  [<f83383b3>] drm_modeset_unregister_all+0x13/0x50 [dr=
m]
[ 2515.300025]  [<f8332ff7>] drm_dev_unregister+0x97/0xa0 [drm]
[ 2515.300025]  [<f8333640>] drm_put_dev+0x30/0x70 [drm]
[ 2515.300025]  [<f85702ee>] radeon_pci_shutdown+0xe/0x10 [radeon]
[ 2515.300025]  [<c134da9d>] pci_device_shutdown+0x2d/0x70
[ 2515.300025]  [<c140b834>] device_shutdown+0xb4/0x170
[ 2515.300025]  [<c108126d>] kernel_restart_prepare+0x2d/0x30
[ 2515.300025]  [<c10812fe>] kernel_restart+0xe/0x60
[ 2515.300025]  [<c108162f>] SYSC_reboot+0x1bf/0x200
[ 2515.300025]  [<c10cd2ea>] ? debug_lockdep_rcu_enabled+0x1a/0x20
[ 2515.300025]  [<c10cd2ea>] ? debug_lockdep_rcu_enabled+0x1a/0x20
[ 2515.300025]  [<c11f9c50>] ? mnt_get_count+0x40/0x40
[ 2515.300025]  [<c11f9cbf>] ? mntput_no_expire+0x6f/0x3a0
[ 2515.300025]  [<c11f9cd9>] ? mntput_no_expire+0x89/0x3a0
[ 2515.300025]  [<c11f9c50>] ? mnt_get_count+0x40/0x40
[ 2515.300025]  [<c11fa00b>] ? mntput+0x1b/0x30
[ 2515.300025]  [<c11d7963>] ? __fput+0x153/0x1d0
[ 2515.300025]  [<c107ca4f>] ? task_work_run+0x6f/0x80
[ 2515.300025]  [<c10b02ac>] ? trace_hardirqs_on_caller+0xec/0x1d0
[ 2515.300025]  [<c10ad2eb>] ? trace_hardirqs_off+0xb/0x10
[ 2515.300025]  [<c10816da>] SyS_reboot+0x1a/0x20
[ 2515.300025]  [<c1001c7a>] do_fast_syscall_32+0x9a/0x220
[ 2515.300025]  [<c15ae2ec>] sysenter_past_esp+0x45/0x74
[ 2515.300025] Code: d8 e8 df 36 db ff 89 d8 e8 f8 36 db ff 89 d8 e8 11 58 =
c2
c8
 5b 5d c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 8b 90 d4 02 00 00 <8=
0> ba
b4
 07 00 00 00 75 01 c3 55 89 e5 53 89 c3 8d 82 e8 03 00
[ 2515.300025] EIP: [<f8593b36>]=20
[ 2515.300025] radeon_connector_unregister+0x6/0x40 [radeon]
[ 2515.300025]  SS:ESP 0068:f3935dac
[ 2515.300025] CR2: 00000000000007b4
[ 2516.877047] ---[ end trace 076c5e2ae2d51112 ]---

Full dmesg from boot to crash is attached.

# lspci -vv -s 01:00
01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] R=
V350
[Radeon 9550] (prog-if 00 [VGA controller])
        Subsystem: Gigabyte Technology Co., Ltd RV350 [Radeon 9550]
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR+ FastB2B- DisINTx-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=3Dmedium >TAbor=
t-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 64 (2000ns min), Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 16
        Region 0: Memory at a0000000 (32-bit, prefetchable) [size=3D256M]
        Region 1: I/O ports at b000 [size=3D256]
        Region 2: Memory at ff4f0000 (32-bit, non-prefetchable) [size=3D64K]
        Expansion ROM at 000c0000 [disabled] [size=3D128K]
        Capabilities: [58] AGP version 3.0
                Status: RQ=3D256 Iso- ArqSz=3D0 Cal=3D0 SBA+ ITACoh- GART64=
- HTrans-
64bit- FW+ AGP3+ Rate=3Dx4,x8
                Command: RQ=3D32 ArqSz=3D0 Cal=3D0 SBA+ AGP+ GART64- 64bit-=
 FW-
Rate=3Dx8
        Capabilities: [50] Power Management version 2
                Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=3D0mA
PME(D0-,D1-,D2-,D3hot-,D3cold-)
                Status: D0 NoSoftRst- PME-Enable- DSel=3D0 DScale=3D0 PME-
        Kernel driver in use: radeon
        Kernel modules: radeonfb, radeon

01:00.1 Display controller: Advanced Micro Devices, Inc. [AMD/ATI] RV350
[Radeon 9550] (Secondary)
        Subsystem: Gigabyte Technology Co., Ltd RV350 [Radeon 9550] (Second=
ary)
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
        Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=3Dmedium >TAbor=
t-
<TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 64 (2000ns min), Cache Line Size: 64 bytes
        Region 0: Memory at 90000000 (32-bit, prefetchable) [size=3D256M]
        Region 1: Memory at ff4e0000 (32-bit, non-prefetchable) [size=3D64K]
        Capabilities: [50] Power Management version 2
                Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=3D0mA
PME(D0-,D1-,D2-,D3hot-,D3cold-)
                Status: D0 NoSoftRst- PME-Enable- DSel=3D0 DScale=3D0 PME-

git-bisect revealed:

git bisect bad
b0c80bd5d2e317f7596fe2badc1a3379fb3211e5 is the first bad commit
commit b0c80bd5d2e317f7596fe2badc1a3379fb3211e5
Author: Alex Deucher <a=
lexander.deucher@amd.com>
Date:   Tue Oct 11 10:44:24 2016 -0400

    drm/radeon: fix up dp aux tear down (v2)

    Port the amdgpu fixes from Grazvydas to radeon.

    v2: drop unrelated whitespace change.

    bug:
    https://bugs.freedesktop.org/show_bug.c=
gi?id=3D98200

    Reviewed-and-Tested-by: Michel D=C3=A4nzer <michel.daenzer@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

:040000 040000 b187ce6d75761c9e2eed71b385c8e0f085dbfd55
aca34c667d6253da66e824b2
a624f308841555b0 M      drivers

Rebuilding and running the kernel with that commit removed confirmed normal
shutdown.

You are receiving this mail because:
  • You are the assignee for the bug.
= --14784912470.7EB99.16147-- --===============1202175600== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVs IG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlz dHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg== --===============1202175600==--