Bug 1045772

Summary: BUG: unable to handle kernel NULL pointer dereference setup_bdle.isra
Product: [Fedora] Fedora
Reporter: Damian Wrobel <dwrobel>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 19
CC: dwrobel, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, michele
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-06 14:17:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Damian Wrobel 2013-12-21 21:48:26 UTC
Just upgraded to the latest available kernel version: 3.12.5-200.fc19.i686.PAE.


/var/log/messages:

[24577.992565] BUG: unable to handle kernel NULL pointer dereference at 00000018
[24577.993509] IP: [<f8580832>] setup_bdle.isra.42+0x62/0x110 [snd_hda_intel]
[24577.993509] *pdpt = 000000000a92a001 *pde = 0000000000000000 
[24577.993509] Oops: 0000 [#1] SMP 
[24577.993509] Modules linked in: snd_seq_dummy tun ppdev parport_pc parport fuse vsock bnep bluetooth rfkill xt_conntrack xt_LOG xt_nat iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack snd_hda_codec_analog rc_dib0700_rc5 dvb_pll snd_hda_intel snd_hda_codec snd_hwdep mt352 snd_seq snd_seq_device dvb_usb_dib0700 dib8000 dib7000m dib0090 coretemp kvm_intel dib0070 dib7000p kvm dib3000mc joydev stv0299 b2c2_flexcop_usb dibx000_common dvb_usb rc_core snd_pcm b2c2_flexcop_pci b2c2_flexcop s5h1420 cx24113 cx24123 snd_page_alloc dvb_core usblp microcode snd_timer iTCO_wdt iTCO_vendor_support snd i2c_i801 soundcore serio_raw tpm_tis lpc_ich mfd_core mei_me mei acpi_cpufreq e1000e tpm tpm_bios ptp pps_core wmi nfsd auth_rpcgss nfs_acl lockd sunrpc binfmt_misc uinput i915 i2c_algo_bit drm_kms_helper ata_generic drm pata_acpi i2c_core video
[24577.993509] CPU: 0 PID: 4391 Comm: mscore Not tainted 3.12.5-200.fc19.i686.PAE #1
[24577.993509] Hardware name: LENOVO 6258A16/LENOVO, BIOS 5CKT40AUS 12/30/2008
[24577.993509] task: deabd200 ti: e0ba2000 task.ti: e0ba2000
[24577.993509] EIP: 0060:[<f8580832>] EFLAGS: 00210246 CPU: 0
[24577.993509] EIP is at setup_bdle.isra.42+0x62/0x110 [snd_hda_intel]
[24577.993509] EAX: 00000000 EBX: c0e8c000 ECX: 00000000 EDX: 00000000
[24577.993509] ESI: 00000000 EDI: 00000004 EBP: e0ba3dd0 ESP: e0ba3d98
[24577.993509]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[24577.993509] CR0: 80050033 CR2: 00000018 CR3: 20cc2000 CR4: 000407f0
[24577.993509] Stack:
[24577.993509]  00000001 f09000e0 ffffff04 c069adfa f087ec34 f6fcbc10 f087ec0c e0ba3dd0
[24577.993509]  00000000 00000002 00000000 e0ba3e2c f0907e00 f087ec0c e0ba3e3c f8580c8c
[24577.993509]  e0ba3e2c 00000000 00000004 00000001 d06400c0 00000003 d06400bc 00200092
[24577.993509] Call Trace:
[24577.993509]  [<c069adfa>] ? delay_tsc+0x2a/0x70
[24577.993509]  [<f8580c8c>] azx_pcm_prepare+0x3ac/0x450 [snd_hda_intel]
[24577.993509]  [<f82c19e0>] ? snd_pcm_post_stop+0x80/0x90 [snd_pcm]
[24577.993509]  [<f82c25a4>] snd_pcm_do_prepare+0x14/0x30 [snd_pcm]
[24577.993509]  [<f82c20c5>] snd_pcm_action_single+0x25/0x60 [snd_pcm]
[24577.993509]  [<f82c22d3>] snd_pcm_action_nonatomic+0x63/0x70 [snd_pcm]
[24577.993509]  [<f82c424f>] snd_pcm_common_ioctl1+0x87f/0xfd0 [snd_pcm]
[24577.993509]  [<c04ae1a9>] ? tick_program_event+0x29/0x30
[24577.993509]  [<c044e5e5>] ? kmap_atomic_prot+0x105/0x160
[24577.993509]  [<c0535e7a>] ? handle_mm_fault+0x4ca/0xd00
[24577.993509]  [<f82c4a8d>] snd_pcm_playback_ioctl1+0xed/0x400 [snd_pcm]
[24577.993509]  [<f82c4dc4>] snd_pcm_playback_ioctl+0x24/0x40 [snd_pcm]
[24577.993509]  [<f82c4da0>] ? snd_pcm_playback_ioctl1+0x400/0x400 [snd_pcm]
[24577.993509]  [<c0572506>] do_vfs_ioctl+0x2e6/0x4d0
[24577.993509]  [<c09b538f>] ? __do_page_fault+0x26f/0x500
[24577.993509]  [<c04a1b26>] ? handle_edge_irq+0x66/0x100
[24577.993509]  [<c0572750>] SyS_ioctl+0x60/0x80
[24577.993509]  [<c09b8f8d>] sysenter_do_call+0x12/0x28
[24577.993509] Code: 45 14 85 c0 0f 95 45 c8 eb 12 8d b4 26 00 00 00 00 3d ff 00 00 00 0f 87 ad 00 00 00 8b 45 e8 89 f1 c1 e9 0c c7 45 f0 00 00 00 00 <8b> 50 18 8d 04 49 8b 4a 0c 89 f2 81 e2 ff 0f 00 00 89 55 e0 8d
[24577.993509] EIP: [<f8580832>] setup_bdle.isra.42+0x62/0x110 [snd_hda_intel] SS:ESP 0068:e0ba3d98
[24577.993509] CR2: 0000000000000018
[24578.107450] ---[ end trace 894e2d55481acedd ]---


Haven't seen this on any previous kernel 3.[9-11].x series.

There is a chance that 3.12.6 [1] could help (but it's not available even in koji):

commit 922826da9d0c3fff415aa5fad0abbc015c2a7669
Author: Stefano Panella <stefano.panella>
Date:   Tue Dec 10 14:20:28 2013 +0000

    ALSA: memalloc.h - fix wrong truncation of dma_addr_t
    
    commit 932e9dec380c67ec15ac3eb073bb55797d8b4801 upstream.
    
    When running a 32bit kernel the hda_intel driver is still reporting
    a 64bit dma_mask if the HW supports it.
    
    From sound/pci/hda/hda_intel.c:
    
            /* allow 64bit DMA address if supported by H/W */
            if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64)))
                    pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64));
            else {
                    pci_set_dma_mask(pci, DMA_BIT_MASK(32));
                    pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(32));
            }
    
    which means when there is a call to dma_alloc_coherent from
    snd_malloc_dev_pages a machine address bigger than 32bit can be returned.
    This can be true in particular if running the 32bit kernel as a pv dom0
    under the Xen Hypervisor or PAE on bare metal.
    
    The problem is that when calling setup_bdle to program the BLE the
    dma_addr_t returned from the dma_alloc_coherent is wrongly truncated
    from snd_sgbuf_get_addr if running a 32bit kernel:
    
    static inline dma_addr_t snd_sgbuf_get_addr(struct snd_dma_buffer *dmab,
                                               size_t offset)
    {
            struct snd_sg_buf *sgbuf = dmab->private_data;
            dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
            addr &= PAGE_MASK;
            return addr + offset % PAGE_SIZE;
    }
    
    where PAGE_MASK in a 32bit kernel is zeroing the upper 32bit of addr.
    
    Without this patch the HW will fetch the 32bit truncated address,
    which is not the one obtained from dma_alloc_coherent and will result
    in non-working audio but can corrupt host memory at a random location.
    
    The current patch applies to v3.13-rc3-74-g6c843f5
    
    Signed-off-by: Stefano Panella <stefano.panella>
    Reviewed-by: Frediano Ziglio <frediano.ziglio>
    Signed-off-by: Takashi Iwai <tiwai>
    Signed-off-by: Greg Kroah-Hartman <gregkh>


[1] https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.6
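The truncation described in the quoted commit message, modelled as an added example (my code, not the reporter's and not code from the kernel tree). It simulates a 32-bit kernel with PAE by giving `unsigned long` 32 bits and `dma_addr_t` 64 bits via fixed-width types, reproduces the `addr &= PAGE_MASK` bug on a buffer page placed above 4 GiB, and sets beside it a mask computed in `dma_addr_t` width. That corrected mask is my assumption about the shape of the upstream fix (the bug report quotes only the commit message, not the diff), and `bdl_addr_within_allocation` is a hypothetical defensive check, not something the driver does: it verifies that the address about to be handed to the controller still lies inside the page the allocator actually returned, which is exactly what the truncated value fails.

```c
/* Added example: models the dma_addr_t truncation from the quoted commit
 * message on a 32-bit PAE kernel. Kernel types are simulated so this runs on
 * any host; the fixed mask and the range check are assumptions, see lead-in. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simulated i686 kernel: unsigned long is 32 bits, dma_addr_t is 64 bits
 * because the controller advertised a 64-bit DMA mask (ICH6_GCAP_64OK). */
typedef uint32_t kernel_ulong;
typedef uint64_t dma_addr_t;

#undef PAGE_SHIFT
#undef PAGE_SIZE
#undef PAGE_MASK
#define PAGE_SHIFT 12
#define PAGE_SIZE  ((kernel_ulong)1 << PAGE_SHIFT)
#define PAGE_MASK  ((kernel_ulong)~(PAGE_SIZE - 1))   /* 0xFFFFF000, only 32 bits wide */

/* One page of a scatter-gather buffer, as recorded by the allocator. */
struct sg_page {
    dma_addr_t addr;   /* bus address from dma_alloc_coherent, may exceed 4 GiB */
};

struct snd_sg_buf {
    const struct sg_page *table;
    size_t pages;
};

/* Buggy form, mirroring the snd_sgbuf_get_addr() quoted in the commit message.
 * PAGE_MASK is a 32-bit value; widening it to 64 bits for the AND fills its
 * upper half with zeros, so bits 32..63 of addr are cleared. */
dma_addr_t sgbuf_get_addr_truncating(const struct snd_sg_buf *sgbuf, size_t offset)
{
    dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
    addr &= PAGE_MASK;
    return addr + offset % PAGE_SIZE;
}

/* Corrected form (assumed shape of the fix): build the page mask in
 * dma_addr_t width so the high half of the address survives. */
dma_addr_t sgbuf_get_addr_fixed(const struct snd_sg_buf *sgbuf, size_t offset)
{
    dma_addr_t addr = sgbuf->table[offset >> PAGE_SHIFT].addr;
    addr &= ~((dma_addr_t)PAGE_SIZE - 1);
    return addr + offset % PAGE_SIZE;
}

/* Hypothetical defensive check before programming a BDL entry: the address
 * given to the hardware must fall inside the page that was really allocated.
 * A truncated address points at some unrelated physical page, which is the
 * "corrupt host memory at a random location" case in the commit message. */
int bdl_addr_within_allocation(const struct snd_sg_buf *sgbuf, size_t offset,
                               dma_addr_t programmed)
{
    dma_addr_t page = sgbuf->table[offset >> PAGE_SHIFT].addr;
    return programmed >= page && programmed < page + PAGE_SIZE;
}

int main(void)
{
    /* Constructed sample: a single buffer page above the 4 GiB line. */
    static const struct sg_page pages[] = { { 0x123456000ULL } };
    struct snd_sg_buf buf = { pages, 1 };
    size_t off = 0x10;

    dma_addr_t bad  = sgbuf_get_addr_truncating(&buf, off);
    dma_addr_t good = sgbuf_get_addr_fixed(&buf, off);

    printf("allocated page   : 0x%llx\n", (unsigned long long)pages[0].addr);
    printf("32-bit PAGE_MASK : 0x%llx  inside allocation: %d\n",
           (unsigned long long)bad, bdl_addr_within_allocation(&buf, off, bad));
    printf("dma_addr_t mask  : 0x%llx  inside allocation: %d\n",
           (unsigned long long)good, bdl_addr_within_allocation(&buf, off, good));
    return 0;
}
```

Running it shows the buggy path returning 0x23456010 for a page allocated at 0x123456000, a physical address the sound controller would then read or write with no relation to the PCM buffer; the width-correct mask keeps 0x123456010. On a machine with less than 4 GiB of RAM the two paths agree, which is why the bug only surfaces on PAE or Xen dom0 setups where the allocator can hand back high addresses.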

Comment 1 Michele Baldessari 2013-12-25 19:45:10 UTC
Hi Damian,

as 3.12.6 was built in koji http://koji.fedoraproject.org/koji/buildinfo?buildID=486642, can you try it out and let us know if the issue persists?

Thanks,
Michele

Comment 2 Damian Wrobel 2013-12-30 18:44:45 UTC
(In reply to Michele Baldessari from comment #1)

$ uname -r
3.12.6-200.fc19.i686.PAE
$ uptime
 19:41:35 up 3 days,  8:58,  6 users,  load average: 0.41, 0.44, 0.30

So far, so good.

Comment 3 Michele Baldessari 2013-12-30 22:50:38 UTC
Hi Damian,

perfect. Give it a couple of days to be 100% sure (depending on how quickly you reproduced it before) and then feel free to close it.

Thanks for reporting back.

Michele

Comment 4 Josh Boyer 2014-01-06 14:17:24 UTC
Please reopen if you see the issue again.

Comment 5 Damian Wrobel 2014-06-16 11:35:32 UTC
Clearing 'needinfo' to satisfy the automatic reminder about outstanding requests.