* i915: NULL pointer dereference in i915_update_dri1_breadcrumb() during shutdown
From: Eugene Shatokhin @ 2013-12-10 8:27 UTC
To: intel-gfx; +Cc: Daniel Vetter, LKML
Hi,

I have recently observed a NULL pointer dereference in i915 driver on my
Eee PC running ROSA Linux with kernel 3.10.21.

The crash occurs during shutdown but quite rarely, not each time.

The system log is lost but here is what I extracted from the info
displayed on the screen.

NULL pointer dereference at 0x4
EIP is at i915_update_dri1_breadcrumb+0x25/0x70
comm: systemd-journal

i915_update_dri1_breadcrumb+0x25:
mov 0x4(%eax),%ebx // %eax contains 0, the list of register values
confirms that.

That is the reading of 'master_priv->sarea_priv':

void i915_update_dri1_breadcrumb(struct drm_device *dev)
{
        drm_i915_private_t *dev_priv = dev->dev_private;
        struct drm_i915_master_private *master_priv;

        if (dev->primary->master) {
                master_priv = dev->primary->master->driver_priv;
                if (master_priv->sarea_priv) // <<< crashes here
                        master_priv->sarea_priv->last_dispatch =
                                READ_BREADCRUMB(dev_priv);
        }
}

addr2line points to the same line too.

So, i915_update_dri1_breadcrumb() was called somehow when
dev->primary->master->driver_priv was NULL already. A race with
i915_master_destroy() or something else?

Hardware info, from the output of lspci -vnn:
------------------------------
00:02.0 VGA compatible controller [0300]: Intel Corporation Atom
Processor D4xx/D5xx/N4xx/N5xx Integrated Graphics Controller [8086:a011]
(prog-if 00 [VGA controller])
        Subsystem: ASUSTeK Computer Inc. Device [1043:83ac]
        Flags: bus master, fast devsel, latency 0, IRQ 44
        Memory at f7e00000 (32-bit, non-prefetchable) [size=512K]
        I/O ports at dc00 [size=8]
        Memory at d0000000 (32-bit, prefetchable) [size=256M]
        Memory at f7d00000 (32-bit, non-prefetchable) [size=1M]
        Expansion ROM at <unassigned> [disabled]
        Capabilities: [90] MSI: Enable+ Count=1/1 Maskable- 64bit-
        Capabilities: [d0] Power Management version 2
        Kernel driver in use: i915
------------------------------

Regards,
Eugene

--
Eugene Shatokhin, ROSA Laboratory.
www.rosalab.com

* Re: i915: NULL pointer dereference in i915_update_dri1_breadcrumb() during shutdown
From: Daniel Vetter @ 2013-12-10 12:23 UTC
To: Eugene Shatokhin; +Cc: intel-gfx, Daniel Vetter, LKML
On Tue, Dec 10, 2013 at 12:27:55PM +0400, Eugene Shatokhin wrote:
> Hi,
>
> I have recently observed a NULL pointer dereference in i915 driver
> on my Eee PC running ROSA Linux with kernel 3.10.21.
>
> The crash occurs during shutdown but quite rarely, not each time.
>
> The system log is lost but here is what I extracted from the info
> displayed on the screen.
>
> NULL pointer dereference at 0x4
> EIP is at i915_update_dri1_breadcrumb+0x25/0x70
> comm: systemd-journal
>
> i915_update_dri1_breadcrumb+0x25:
> mov 0x4(%eax),%ebx // %eax contains 0, the list of register
> values confirms that.
>
> That is the reading of 'master_priv->sarea_priv':
>
> void i915_update_dri1_breadcrumb(struct drm_device *dev)
> {
>         drm_i915_private_t *dev_priv = dev->dev_private;
>         struct drm_i915_master_private *master_priv;
>
>         if (dev->primary->master) {
>                 master_priv = dev->primary->master->driver_priv;
>                 if (master_priv->sarea_priv) // <<< crashes here
>                         master_priv->sarea_priv->last_dispatch =
>                                 READ_BREADCRUMB(dev_priv);
>         }
> }

Indeed, that's fairly hazardous. But also only needed for legacy ums
support. I'll send out a patch to block this in kms mode quickly. Please
test it.

Thanks, Daniel

>
> addr2line points to the same line too.
>
> So, i915_update_dri1_breadcrumb() was called somehow when
> dev->primary->master->driver_priv was NULL already. A race with
> i915_master_destroy() or something else?
>
> Hardware info, from the output of lspci -vnn:
> ------------------------------
> 00:02.0 VGA compatible controller [0300]: Intel Corporation Atom
> Processor D4xx/D5xx/N4xx/N5xx Integrated Graphics Controller
> [8086:a011] (prog-if 00 [VGA controller])
> Subsystem: ASUSTeK Computer Inc. Device [1043:83ac]
> Flags: bus master, fast devsel, latency 0, IRQ 44
> Memory at f7e00000 (32-bit, non-prefetchable) [size=512K]
> I/O ports at dc00 [size=8]
> Memory at d0000000 (32-bit, prefetchable) [size=256M]
> Memory at f7d00000 (32-bit, non-prefetchable) [size=1M]
> Expansion ROM at <unassigned> [disabled]
> Capabilities: [90] MSI: Enable+ Count=1/1 Maskable- 64bit-
> Capabilities: [d0] Power Management version 2
> Kernel driver in use: i915
> ------------------------------
>
> Regards,
> Eugene
>
> --
> Eugene Shatokhin, ROSA Laboratory.
> www.rosalab.com
--
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch
* Re: i915: NULL pointer dereference in i915_update_dri1_breadcrumb() during shutdown
From: Eugene Shatokhin @ 2013-12-10 14:25 UTC
To: Daniel Vetter; +Cc: intel-gfx, LKML
On 12/10/2013 04:23 PM, Daniel Vetter wrote:
> On Tue, Dec 10, 2013 at 12:27:55PM +0400, Eugene Shatokhin wrote:
>> Hi,
>>
>> I have recently observed a NULL pointer dereference in i915 driver
>> on my Eee PC running ROSA Linux with kernel 3.10.21.
>>
>> The crash occurs during shutdown but quite rarely, not each time.
>>
>> The system log is lost but here is what I extracted from the info
>> displayed on the screen.
>>
>> NULL pointer dereference at 0x4
>> EIP is at i915_update_dri1_breadcrumb+0x25/0x70
>> comm: systemd-journal
>>
>> i915_update_dri1_breadcrumb+0x25:
>> mov 0x4(%eax),%ebx // %eax contains 0, the list of register
>> values confirms that.
>>
>> That is the reading of 'master_priv->sarea_priv':
>>
>> void i915_update_dri1_breadcrumb(struct drm_device *dev)
>> {
>>         drm_i915_private_t *dev_priv = dev->dev_private;
>>         struct drm_i915_master_private *master_priv;
>>
>>         if (dev->primary->master) {
>>                 master_priv = dev->primary->master->driver_priv;
>>                 if (master_priv->sarea_priv) // <<< crashes here
>>                         master_priv->sarea_priv->last_dispatch =
>>                                 READ_BREADCRUMB(dev_priv);
>>         }
>> }
>
> Indeed, that's fairly hazardous. But also only needed for legacy ums
> support. I'll send out a patch to block this in kms mode quickly. Please
> test it.
>
> Thanks, Daniel

Thanks a lot!

I am building kernel 3.10.23 now with this patch applied and will let
you know if something goes wrong.

Regards,
Eugene

--
Eugene Shatokhin, ROSA Laboratory.
www.rosalab.com
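
Added example, not part of the original thread and not the i915 driver's code: a userspace C model of the pointer chain from the report, showing why a NULL driver_priv faults at a small non-zero address and what a fully guarded update looks like. The struct layouts, the kms flag and every name below are assumptions made for illustration; the patch mentioned in the thread does not appear on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-ins for the kernel structures; layouts are assumed and
 * cut down to the fields named in the report. */
struct sarea_model { uint32_t last_dispatch; };
struct master_private { void *sarea; struct sarea_model *sarea_priv; };
struct master { struct master_private *driver_priv; };
struct minor { struct master *master; };
struct device { struct minor *primary; bool kms; uint32_t breadcrumb; };

/* With driver_priv == NULL, reading ->sarea_priv loads from
 * NULL + offsetof(sarea_priv): one pointer width, i.e. 0x4 on 32-bit x86. */
size_t fault_offset_if_driver_priv_null(void)
{
    return offsetof(struct master_private, sarea_priv);
}

enum update_result {
    UPDATED, SKIPPED_KMS, SKIPPED_NO_MASTER, SKIPPED_NO_PRIV, SKIPPED_NO_SAREA
};

/* Guarded variant: gate on the (hypothetical) kms flag, then check every
 * pointer in the chain before dereferencing it. */
enum update_result update_breadcrumb_guarded(struct device *dev)
{
    struct master *master;
    struct master_private *priv;

    if (dev->kms)                   /* breadcrumb only matters for legacy UMS */
        return SKIPPED_KMS;
    master = dev->primary->master;  /* read once, then use the local copy */
    if (!master)
        return SKIPPED_NO_MASTER;
    priv = master->driver_priv;
    if (!priv)                      /* the NULL seen in the crash report */
        return SKIPPED_NO_PRIV;
    if (!priv->sarea_priv)
        return SKIPPED_NO_SAREA;
    priv->sarea_priv->last_dispatch = dev->breadcrumb;
    return UPDATED;
}
```

Checks like these do not by themselves close a race with teardown in kernel code; that also needs locking or a reference held across the update.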