Bug 1295683 - NULL deref in intel_fb_obj_invalidate+0x15/0xf0
Summary: NULL deref in intel_fb_obj_invalidate+0x15/0xf0
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-01-05 08:48 UTC by Dan Aloni
Modified: 2016-02-01 15:16 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-05 12:39:13 UTC
Type: Bug
Embargoed:



Description Dan Aloni 2016-01-05 08:48:19 UTC
I have compiled 4.4.0-0.rc8.git0.1 (kernel package githash 94beff34d1612edbd141baafed867613860eee79: 
Linux v4.4-rc8
    
    - Disable debugging options.
) for my laptop's Fedora 23. 

Software suspend (with hibernation) resulted in a kernel crash:

Jan 05 10:10:30 nitrogen systemd-sleep[3446]: Suspending system...
Jan 05 10:10:30 nitrogen /usr/libexec/gdm-x-session[2509]: (II) AIGLX: Suspending AIGLX clients for VT switch
Jan 05 10:10:30 nitrogen kernel: ------------[ cut here ]------------
Jan 05 10:10:30 nitrogen kernel: WARNING: CPU: 1 PID: 2515 at include/linux/kref.h:46 drm_framebuffer_reference+0x64/0x70 [drm]()
Jan 05 10:10:30 nitrogen kernel: Modules linked in: vmnet(OE) parport_pc vmw_vsock_vmci_transport vsock vmw_vmci vmmon(OE) rfcomm cmac xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge ebtables ppdev parport ip6table_security ip6table_raw ip6table_mangle ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 fuse ip6table_filter ip6_tables iptable_security iptable_raw iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack bnep intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp kvm_intel kvm vfat fat arc4 irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel iTCO_wdt iTCO_vendor_support iwlmvm mac80211 uvcvideo videobuf2_vmalloc
Jan 05 10:10:30 nitrogen kernel:  videobuf2_memops videobuf2_v4l2 videobuf2_core v4l2_common iwlwifi snd_hda_codec_realtek snd_hda_codec_hdmi btusb snd_hda_codec_generic btrtl videodev btbcm i2c_i801 btintel intel_pch_thermal cfg80211 snd_hda_intel lpc_ich bluetooth snd_hda_codec snd_usb_audio media joydev snd_hda_core snd_usbmidi_lib snd_rawmidi snd_hwdep cdc_acm snd_seq snd_seq_device shpchp snd_pcm mei_me mei snd_timer thinkpad_acpi snd wmi soundcore rfkill tpm_tis tpm cdc_mbim hid_multitouch cdc_ncm cdc_wdm 8021q garp stp llc mrp i915 i2c_algo_bit drm_kms_helper ax88179_178a drm e1000e usbnet ptp serio_raw mii pps_core video fjes [last unloaded: vmnet]
Jan 05 10:10:30 nitrogen kernel: CPU: 1 PID: 2515 Comm: Xorg Tainted: G        W  OE   4.4.0-0.rc8.git0.1.fc23.x86_64 #1
Jan 05 10:10:30 nitrogen kernel: Hardware name: LENOVO 20BS003PIV/20BS003PIV, BIOS N14ET30W (1.08 ) 06/05/2015
Jan 05 10:10:30 nitrogen kernel:  0000000000000000 0000000031f8b73f ffff880222b8f920 ffffffff813b04af
Jan 05 10:10:30 nitrogen kernel:  0000000000000000 ffff880222b8f958 ffffffff810a2ef2 ffff88003fa0dc00
Jan 05 10:10:30 nitrogen kernel:  ffff8801d3ceb300 ffff8801d3ceb300 ffff8801d3d4a800 ffff8800c73ed000
Jan 05 10:10:30 nitrogen kernel: Call Trace:
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff813b04af>] dump_stack+0x44/0x55
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810a2ef2>] warn_slowpath_common+0x82/0xc0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810a303a>] warn_slowpath_null+0x1a/0x20
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa00a6554>] drm_framebuffer_reference+0x64/0x70 [drm]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa00b84ed>] drm_atomic_set_fb_for_plane+0x2d/0x90 [drm]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa0116c8e>] __drm_atomic_helper_set_config+0xde/0x3c0 [drm_kms_helper]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa0117bc1>] restore_fbdev_mode+0x221/0x260 [drm_kms_helper]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa0119da3>] drm_fb_helper_restore_fbdev_mode_unlocked+0x33/0x80 [drm_kms_helper]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa0119e1d>] drm_fb_helper_set_par+0x2d/0x50 [drm_kms_helper]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa01c563a>] intel_fbdev_set_par+0x1a/0x60 [i915]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8142956f>] ? fb_set_var+0x2ef/0x460
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff814294b6>] fb_set_var+0x236/0x460
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff816662b7>] ? sock_poll+0x107/0x120
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810d5f89>] ? update_curr+0x79/0x150
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8141f65f>] fbcon_blank+0x30f/0x350
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810cb889>] ? ttwu_do_wakeup+0x19/0xc0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff814a6393>] do_unblank_screen+0xd3/0x1a0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8149b569>] complete_change_console+0x59/0xe0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8149bd00>] vt_ioctl+0x710/0x12e0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff812455e5>] ? file_update_time+0xc5/0x110
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8148f3d6>] tty_ioctl+0x356/0xc00
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8122b399>] ? __vfs_write+0xc9/0x110
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8123e6d8>] do_vfs_ioctl+0x298/0x480
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff81146c3b>] ? __audit_syscall_entry+0xab/0xf0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8100315b>] ? do_audit_syscall_entry+0x4b/0x70
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810039dc>] ? syscall_trace_enter_phase1+0x13c/0x160
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8123e939>] SyS_ioctl+0x79/0x90
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8179966e>] entry_SYSCALL_64_fastpath+0x12/0x71
Jan 05 10:10:30 nitrogen kernel: ---[ end trace 8259af18ecd4cc2f ]---
Jan 05 10:10:30 nitrogen kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
Jan 05 10:10:30 nitrogen kernel: IP: [<ffffffffa01bba75>] intel_fb_obj_invalidate+0x15/0xf0 [i915]
Jan 05 10:10:30 nitrogen kernel: PGD b360e067 PUD b35b9067 PMD 0 
Jan 05 10:10:30 nitrogen kernel: Oops: 0000 [#1] SMP 
Jan 05 10:10:30 nitrogen kernel: Modules linked in: vmnet(OE) parport_pc vmw_vsock_vmci_transport vsock vmw_vmci vmmon(OE) rfcomm cmac xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 tun nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_filter ebtable_nat ebtable_broute bridge ebtables ppdev parport ip6table_security ip6table_raw ip6table_mangle ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 fuse ip6table_filter ip6_tables iptable_security iptable_raw iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack bnep intel_rapl iosf_mbi x86_pkg_temp_thermal coretemp kvm_intel kvm vfat fat arc4 irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel iTCO_wdt iTCO_vendor_support iwlmvm mac80211 uvcvideo videobuf2_vmalloc
Jan 05 10:10:30 nitrogen kernel:  videobuf2_memops videobuf2_v4l2 videobuf2_core v4l2_common iwlwifi snd_hda_codec_realtek snd_hda_codec_hdmi btusb snd_hda_codec_generic btrtl videodev btbcm i2c_i801 btintel intel_pch_thermal cfg80211 snd_hda_intel lpc_ich bluetooth snd_hda_codec snd_usb_audio media joydev snd_hda_core snd_usbmidi_lib snd_rawmidi snd_hwdep cdc_acm snd_seq snd_seq_device shpchp snd_pcm mei_me mei snd_timer thinkpad_acpi snd wmi soundcore rfkill tpm_tis tpm cdc_mbim hid_multitouch cdc_ncm cdc_wdm 8021q garp stp llc mrp i915 i2c_algo_bit drm_kms_helper ax88179_178a drm e1000e usbnet ptp serio_raw mii pps_core video fjes [last unloaded: vmnet]
Jan 05 10:10:30 nitrogen kernel: CPU: 1 PID: 2515 Comm: Xorg Tainted: G        W  OE   4.4.0-0.rc8.git0.1.fc23.x86_64 #1
Jan 05 10:10:30 nitrogen kernel: Hardware name: LENOVO 20BS003PIV/20BS003PIV, BIOS N14ET30W (1.08 ) 06/05/2015
Jan 05 10:10:30 nitrogen kernel: task: ffff8800b3740000 ti: ffff880222b8c000 task.ti: ffff880222b8c000
Jan 05 10:10:30 nitrogen kernel: RIP: 0010:[<ffffffffa01bba75>]  [<ffffffffa01bba75>] intel_fb_obj_invalidate+0x15/0xf0 [i915]
Jan 05 10:10:30 nitrogen kernel: RSP: 0018:ffff880222b8fa58  EFLAGS: 00010246
Jan 05 10:10:30 nitrogen kernel: RAX: ffff8800b3740000 RBX: ffff88022157be00 RCX: 000000000164ef50
Jan 05 10:10:30 nitrogen kernel: RDX: ffff88003fa0dc00 RSI: 0000000000000000 RDI: 0000000000000000
Jan 05 10:10:30 nitrogen kernel: RBP: ffff880222b8fa80 R08: 000000000001a240 R09: ffffffffa00b6836
Jan 05 10:10:30 nitrogen kernel: R10: ffffea00058706c0 R11: ffff880161c1bbc0 R12: ffff880221a96000
Jan 05 10:10:30 nitrogen kernel: R13: 0000000000000000 R14: 0000000000200001 R15: 0000000000000080
Jan 05 10:10:30 nitrogen kernel: FS:  00007f527e93aa00(0000) GS:ffff88022dc40000(0000) knlGS:0000000000000000
Jan 05 10:10:30 nitrogen kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jan 05 10:10:30 nitrogen kernel: CR2: 0000000000000008 CR3: 0000000200b7d000 CR4: 00000000003406e0
Jan 05 10:10:30 nitrogen kernel: Stack:
Jan 05 10:10:30 nitrogen kernel:  ffff88022157be00 ffff880221a96000 0000000000000000 0000000000200001
Jan 05 10:10:30 nitrogen kernel:  0000000000000080 ffff880222b8faa0 ffffffffa01c5663 000000008142956f
Jan 05 10:10:30 nitrogen kernel:  ffff880222b8fc48 ffff880222b8fc18 ffffffff814294b6 ffff880221a96060
Jan 05 10:10:30 nitrogen kernel: Call Trace:
Jan 05 10:10:30 nitrogen kernel:  [<ffffffffa01c5663>] intel_fbdev_set_par+0x43/0x60 [i915]
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff814294b6>] fb_set_var+0x236/0x460
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff816662b7>] ? sock_poll+0x107/0x120
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810d5f89>] ? update_curr+0x79/0x150
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8141f65f>] fbcon_blank+0x30f/0x350
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810cb889>] ? ttwu_do_wakeup+0x19/0xc0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff814a6393>] do_unblank_screen+0xd3/0x1a0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8149b569>] complete_change_console+0x59/0xe0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8149bd00>] vt_ioctl+0x710/0x12e0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff812455e5>] ? file_update_time+0xc5/0x110
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8148f3d6>] tty_ioctl+0x356/0xc00
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8122b399>] ? __vfs_write+0xc9/0x110
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8123e6d8>] do_vfs_ioctl+0x298/0x480
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff81146c3b>] ? __audit_syscall_entry+0xab/0xf0
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8100315b>] ? do_audit_syscall_entry+0x4b/0x70
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff810039dc>] ? syscall_trace_enter_phase1+0x13c/0x160
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8123e939>] SyS_ioctl+0x79/0x90
Jan 05 10:10:30 nitrogen kernel:  [<ffffffff8179966e>] entry_SYSCALL_64_fastpath+0x12/0x71
Jan 05 10:10:30 nitrogen kernel: Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 41 89 f5 53 <4c> 8b 67 08 48 89 fb 41 8b 44 24 60 4d 8b 74 24 28 83 f8 01 74 
Jan 05 10:10:30 nitrogen kernel: RIP  [<ffffffffa01bba75>] intel_fb_obj_invalidate+0x15/0xf0 [i915]
Jan 05 10:10:30 nitrogen kernel:  RSP <ffff880222b8fa58>
Jan 05 10:10:30 nitrogen kernel: CR2: 0000000000000008
Jan 05 10:10:30 nitrogen kernel: ---[ end trace 8259af18ecd4cc30 ]---
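
How the oops above ties the fault address to a NULL register, as an added example (not part of the bug report and not kernel code): it decodes the instruction at the `<4c>` marker of the Code: line and checks it against RDI and CR2 from the same dump. The names `decode_load` and `triage` are made up for this sketch, and the decoder assumes this one instruction form only.

```python
import re

# Lines copied from the oops in this report, syslog prefix stripped; the Code:
# line is shortened to the bytes around the <..> fault marker.
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: [<ffffffffa01bba75>] intel_fb_obj_invalidate+0x15/0xf0 [i915]
RAX: ffff8800b3740000 RBX: ffff88022157be00 RCX: 000000000164ef50
RDX: ffff88003fa0dc00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff880222b8fa80 R08: 000000000001a240 R09: ffffffffa00b6836
CR2: 0000000000000008 CR3: 0000000200b7d000 CR4: 00000000003406e0
Code: 41 54 41 89 f5 53 <4c> 8b 67 08 48 89 fb 41 8b 44 24 60
"""

# x86-64 register numbers as encoded in ModRM (with the REX extension bit).
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{i}" for i in range(8, 16)]

def decode_load(code):
    """Decode only `REX.W 8B /r` with an 8-bit displacement and no SIB byte:
    mov r64, [base+disp8]. Returns (dst, base, disp) or None for anything else."""
    if len(code) < 4 or (code[0] & 0xF8) != 0x48 or code[1] != 0x8B:
        return None
    rex, modrm = code[0], code[2]
    mod, rm = modrm >> 6, modrm & 7
    if mod != 1 or rm == 4:          # rm == 4 means a SIB byte follows
        return None
    dst = ((modrm >> 3) & 7) | ((rex & 4) << 1)   # REX.R extends the reg field
    base = rm | ((rex & 1) << 3)                   # REX.B extends the r/m field
    disp = int.from_bytes(code[3:4], "little", signed=True)
    return REG64[dst], REG64[base], disp

def triage(text):
    """Tie the fault address (CR2) to the register the faulting instruction read through."""
    regs = {}
    for name, val in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text):
        name = name.lower()          # the dump prints R08/R09; normalise to r8/r9
        regs["r" + str(int(name[1:])) if name[1:].isdigit() else name] = int(val, 16)
    sym = re.search(r"IP: \[<[0-9a-f]+>\] (\S+\+0x[0-9a-f]+)/", text).group(1)
    cr2 = int(re.search(r"\bCR2: ([0-9a-f]{16})", text).group(1), 16)
    m = re.search(r"Code:.*?<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", text)
    decoded = decode_load(bytes.fromhex(m.group(1) + m.group(2)))
    if decoded is None:
        return {"symbol": sym, "cr2": cr2, "insn": None}
    dst, base, disp = decoded
    return {"symbol": sym, "cr2": cr2, "insn": f"mov {dst}, [{base}{disp:+#x}]",
            "base": base, "base_value": regs.get(base),
            "null_base": regs.get(base) == 0 and disp == cr2}
```

Calling `triage(OOPS)` reports `mov r12, [rdi+0x8]` with RDI = 0, so the read at address 8 is a field at offset 8 of a NULL pointer. RDI carries the first integer argument in the x86-64 calling convention, and +0x15 is the first instruction after the function prologue in the Code: bytes.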

Comment 1 Josh Boyer 2016-01-05 12:39:13 UTC
Fedora doesn't support setups with external modules loaded, or custom built kernels.  If you can recreate without the out of tree modules and with a Fedora built kernel, please reopen.

Comment 2 Jiri Slaby 2016-02-01 15:16:37 UTC
Likely this:
https://bugs.freedesktop.org/show_bug.cgi?id=92119

