Bug 753621

Summary: radeon_combios_get_power_modes: kernel NULL pointer dereference
Product: [Fedora] Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: unspecified
Reporter: John Reiser <jreiser>
Assignee: Dave Airlie <airlied>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, michal
Doc Type: Bug Fix
Last Closed: 2011-11-20 19:52:20 UTC

Attachments:
  serial console output (flags: none)
  /var/log/Xorg.0.log from 3.2.0-0.rc1.git2.1.fc17.i686 (flags: none)

Description John Reiser 2011-11-13 19:38:32 UTC
Description of problem: Kernel Oops at boot.


Version-Release number of selected component (if applicable):
kernel-PAE-3.2.0-0.rc1.git3.1.fc17.i686
xorg-x11-drv-ati-6.14.3-1.fc17.i686
xorg-x11-server-Xorg-1.11.99.1-1.20111109.fc17.i686
mesa-dri-filesystem-7.11-11.fc17.i686
xorg-x11-drv-fbdev-0.4.2-3.fc17.i686
xorg-x11-drv-vesa-2.3.0-10.fc17.i686

How reproducible: every time


Steps to Reproduce:
1. boot

Actual results:
[   12.114519] BUG: unable to handle kernel NULL pointer dereference at   (null)
[   12.115231] IP: [<f7fbd221>] radeon_combios_get_power_modes+0xd1/0x7d0 [radeon]
[   12.115231] *pdpt = 0000000033ec3001 *pde = 0000000000000000 
[   12.115231] Oops: 0002 [#1] SMP 
[   12.115231] Modules linked in: radeon(+) ttm drm_kms_helper drm i2c_algo_bit i2c_core
[   12.115231] 
[   12.115231] Pid: 102, comm: modprobe Not tainted 3.2.0-0.rc1.git3.1.fc17.i686.PAE #1 System Manufacturer System Name/P4B266
[   12.115231] EIP: 0060:[<f7fbd221>] EFLAGS: 00010246 CPU: 0
[   12.115231] EIP is at radeon_combios_get_power_modes+0xd1/0x7d0 [radeon]
[   12.115231] EAX: 00000000 EBX: f52ba0b0 ECX: 00000000 EDX: 00000000
[   12.115231] ESI: f52ba0b0 EDI: 000040d8 EBP: f3e7bca8 ESP: f3e7bb94
[   12.115231]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   12.115231] Process modprobe (pid: 102, ti=f3e7a000 task=f3c60000 task.ti=f3e7a000)
[   12.115231] Stack:
[   12.115231]  f5b48850 f5b48840 d210af1c 00000002 d210b85c 00000002 d210af1c 00000002
[   12.115231]  00000000 00000001 f3c6a2c0 f3e7bbe8 c0492fff f3c60000 00000006 c0f7aed0
[   12.115231]  f3c604d8 00000002 f3e7bc00 c04a6026 c04a0afb 00000007 00000006 f3c60000
[   12.115231] Call Trace:
[   12.115231]  [<c0492fff>] ? sched_clock_cpu+0xcf/0x150
[   12.115231]  [<c04a6026>] ? mark_held_locks+0x66/0xf0
[   12.115231]  [<c04a0afb>] ? trace_hardirqs_off+0xb/0x10
[   12.115231]  [<c09bf6dd>] ? restore_all+0xf/0xf
[   12.115231]  [<c04a61a4>] ? trace_hardirqs_on_caller+0xf4/0x180
[   12.115231]  [<c06a4de8>] ? trace_hardirqs_on_thunk+0xc/0x10
[   12.115231]  [<c09bf6dd>] ? restore_all+0xf/0xf
[   12.115231]  [<c0469f06>] ? vprintk+0x2c6/0x530
[   12.115231]  [<f7ffcc26>] radeon_pm_init+0x96/0x590 [radeon]
[   12.115231]  [<f7fdaee6>] ? r100_hpd_sense+0x16/0x50 [radeon]
[   12.115231]  [<f7fdfaed>] ? r100_hpd_set_polarity+0x1d/0x120 [radeon]
[   12.115231]  [<f7fd7b88>] ? r100_hpd_init+0x88/0x90 [radeon]
[   12.115231]  [<f7fceff1>] radeon_modeset_init+0x3b1/0x890 [radeon]
[   12.115231]  [<f7fb149b>] radeon_driver_load_kms+0xeb/0x160 [radeon]
[   12.115231]  [<f7e83003>] drm_get_pci_dev+0x153/0x270 [drm]
[   12.115231]  [<f800f39c>] ? radeon_pci_probe+0xb0/0xc7 [radeon]
[   12.115231]  [<f800f3ab>] radeon_pci_probe+0xbf/0xc7 [radeon]
[   12.115231]  [<c06c4fa5>] pci_device_probe+0x95/0x120
[   12.115231]  [<c05d1817>] ? sysfs_create_link+0x17/0x20
[   12.115231]  [<c0780f2f>] driver_probe_device+0x8f/0x2e0
[   12.115231]  [<c0781219>] __driver_attach+0x99/0xa0
[   12.115231]  [<c0781180>] ? driver_probe_device+0x2e0/0x2e0
[   12.115231]  [<c077fed9>] bus_for_each_dev+0x49/0x70
[   12.115231]  [<c0780b81>] driver_attach+0x21/0x30
[   12.115231]  [<c0781180>] ? driver_probe_device+0x2e0/0x2e0
[   12.115231]  [<c07807d7>] bus_add_driver+0x1c7/0x2e0
[   12.115231]  [<c06c5030>] ? pci_device_probe+0x120/0x120
[   12.115231]  [<c06c5030>] ? pci_device_probe+0x120/0x120
[   12.115231]  [<c07816e6>] driver_register+0x66/0x110
[   12.115231]  [<c06aa9e2>] ? __raw_spin_lock_init+0x32/0x60
[   12.115231]  [<c06c4d27>] __pci_register_driver+0x57/0xd0
[   12.115231]  [<f7e8321d>] drm_pci_init+0xfd/0x110 [drm]
[   12.115231]  [<f7e510d9>] radeon_init+0xd9/0x1000 [radeon]
[   12.115231]  [<c0403035>] do_one_initcall+0x35/0x170
[   12.115231]  [<f7e51000>] ? 0xf7e50fff
[   12.115231]  [<c04b137a>] sys_init_module+0xeca/0x1b40
[   12.115231]  [<c09bf6a4>] syscall_call+0x7/0xb
[   12.115231] Code: 24 24 01 00 00 00 c7 04 01 00 00 00 00 8b 8b 24 12 00 00 c7 44 01 08 01 00 00 00 8b 8b 24 12 00 00 8b bb 8c 02 00 00 8b 4c 01 04 
[   12.115231]  39 8b 8b 24 12 00 00 8b bb 90 02 00 00 8b 4c 01 04 89 79 04 
[   12.115231] EIP: [<f7fbd221>] radeon_combios_get_power_modes+0xd1/0x7d0 [radeon] SS:ESP 0068:f3e7bb94
[   12.115231] CR2: 0000000000000000
[   12.464671] ---[ end trace c5b9f0b6271932b0 ]---


Expected results: No Oops.


Additional info:
01:00.0 VGA compatible controller: ATI Technologies Inc RV280 [Radeon 9200 PRO] (rev 01)

Comment 1 John Reiser 2011-11-13 19:39:37 UTC
Created attachment 533400
serial console output

Comment 2 John Reiser 2011-11-13 19:43:33 UTC
Created attachment 533401
/var/log/Xorg.0.log from 3.2.0-0.rc1.git2.1.fc17.i686

When booting the previous kernel-PAE-3.2.0-0.rc1.git2.1.fc17.i686, the GNOME desktop fails because:
[    71.900] (EE) AIGLX error: dlopen of /usr/lib/dri/r200_dri.so failed (/usr/lib/dri/r200_dri.so: cannot open shared object file: No such file or directory)
[    71.901] (EE) AIGLX: reverting to software rendering
[    71.902] (EE) AIGLX error: dlopen of /usr/lib/dri/swrast_dri.so failed (/usr/lib/dri/swrast_dri.so: cannot open shared object file: No such file or directory)
[    71.902] (EE) GLX: could not load software renderer

Comment 3 John Reiser 2011-11-13 19:47:46 UTC
# cat /proc/cpuinfo
processor	: 0
vendor_id	: GenuineIntel
cpu family	: 15
model		: 2
model name	: Intel(R) Pentium(R) 4 CPU 1.60GHz
stepping	: 4
microcode	: 0x1e
cpu MHz		: 1600.000
cache size	: 512 KB
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 2
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm up pebs bts
bogomips	: 3228.02
clflush size	: 64
cache_alignment	: 128
address sizes	: 36 bits physical, 32 bits virtual
power management:

Comment 4 Adam Jackson 2011-11-14 16:13:20 UTC
Clearly not a Mesa bug.

Comment 5 Michal Jaegermann 2011-11-14 22:33:25 UTC
I see the same bug on an x86_64 machine with the 3.2.0-0.rc1.git3.1.fc17.x86_64 kernel, but also with ATI Technologies Inc RV280 [Radeon 9200 PRO].  Addresses are clearly different but otherwise the traces look familiar.  This crash happens after
enumerating connectors.  This is a fragment of dmesg from a booting kernel
with the location of the crash marked.


[    3.502567] [drm] Radeon Display Connectors
[    3.502641] [drm] Connector 0:
[    3.502711] [drm]   VGA
[    3.502780] [drm]   DDC: 0x60 0x60 0x60 0x60 0x60 0x60 0x60 0x60
[    3.502854] [drm]   Encoders:
[    3.502923] [drm]     CRT1: INTERNAL_DAC1
[    3.502994] [drm] Connector 1:
[    3.503078] [drm]   DVI-I
[    3.503147] [drm]   HPD1
[    3.503216] [drm]   DDC: 0x64 0x64 0x64 0x64 0x64 0x64 0x64 0x64
[    3.503289] [drm]   Encoders:
[    3.503358] [drm]     CRT2: INTERNAL_DAC2
[    3.503429] [drm]     DFP1: INTERNAL_TMDS1
[    3.503499] [drm] Connector 2:
[    3.503569] [drm]   S-video
[    3.503637] [drm]   Encoders:
[    3.503706] [drm]     TV1: INTERNAL_DAC2
   ===== NULL pointer dereference here ====
[    3.688301] [drm] fb mappable at 0xD0040000
[    3.688373] [drm] vram apper at 0xD0000000
[    3.688444] [drm] size 7680000
[    3.688513] [drm] fb depth is 24
[    3.688582] [drm]    pitch is 6400
......

If one waits long enough, then after a timeout udev will eventually
get into an infinite loop, ping-ponging between killing two modprobe processes.

I am afraid that I do not have a place to attach a serial console and my experiments with netconsole so far produced no output.

Comment 6 Michal Jaegermann 2011-11-18 19:29:52 UTC
kernel-3.2.0-0.rc2.git1.1.fc17.x86_64 boots for me once again.

Comment 7 John Reiser 2011-11-18 20:22:29 UTC
Both of these are working for me:
  kernel-PAE-3.2.0-0.rc1.git4.1.fc17.i686
  kernel-PAE-3.2.0-0.rc2.git1.1.fc17.i686