Bug 1805278 - i915: kernel NULL pointer dereference, address: 0000000000000040 appearing randomly [NEEDINFO]
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 31
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2020-02-20 15:46 UTC by throwawaythesun
Modified: 2020-03-19 17:18 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Last Closed: 2020-03-19 17:18:51 UTC
Type: Bug
jforbes: needinfo? (throwawaythesun)

Attachments
journalctl output of bug (296.17 KB, text/plain)
2020-02-20 15:46 UTC, throwawaythesun

Description throwawaythesun 2020-02-20 15:46:51 UTC
Created attachment 1664434
journalctl output of bug

1. Please describe the problem:

The system freezes randomly while working

2. What is the Version-Release number of the kernel:

5.4.7-200.fc31.x86_64 first encounter

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  

First appearance on 5.4.7-200.fc31.x86_64

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

not reproducible, appears randomly while working, so far 6 times since Jan 29

5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:


6. Are you running any modules that are not shipped directly with Fedora's kernel?:


7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.

Comment 1 Steve 2020-02-20 19:10:28 UTC
Thanks for reporting this. I believe this is the same bug:

Bug 1803372 - [abrt] i915_active_ref: BUG: kernel NULL pointer dereference, address: 0000000000000040 [i915]

Unfortunately, that is a "private" bug, so here is the complete call trace:

Description of problem:
Occurred twice:

With 5.4.14-100.fc30.x86_64: Loading a complex web page with Firefox.

With 5.4.17-100.fc30.x86_64: Running a YouTube video in a VM.

Additional info:
reporter:       libreport-2.11.3
BUG: kernel NULL pointer dereference, address: 0000000000000040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: 0000 [#1] SMP PTI
CPU: 1 PID: 1496 Comm: xfwm4 Not tainted 5.4.14-100.fc30.x86_64 #1
Hardware name: ASUS All Series/B85M-G R2.0, BIOS 3602 03/23/2018
RIP: 0010:i915_active_acquire+0x9/0x70 [i915]
Code: 00 00 00 48 c7 46 58 00 00 00 00 c7 46 38 00 00 00 00 48 c7 c6 ca 76 50 c0 e9 13 fe d4 d6 0f 1f 00 0f 1f 44 00 00 41 54 55 53 <8b> 47 38 48 89 fb 85 c0 74 15 8d 50 01 f0 0f b1 53 38 75 f2 45 31
RSP: 0018:ffff9cc440bb7a48 EFLAGS: 00010292
RAX: 0000000000000000 RBX: ffff8f941041c180 RCX: 0000000000000000
RDX: ffff8f93b7e79d40 RSI: ffff8f941041c180 RDI: 0000000000000008
RBP: ffff8f93b7e79d40 R08: ffff8f93781f1808 R09: ffff8f93781f1808
R10: 0000000000000000 R11: ffffc11147c9bb60 R12: 0000000000000008
R13: 0000000000000004 R14: ffff8f93b7e79d40 R15: ffff8f93fd18fcc0
FS:  00007fdde8b2a280(0000) GS:ffff8f9417880000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000040 CR3: 00000002136ea003 CR4: 00000000001606e0
Call Trace:
 i915_active_ref+0x21/0x210 [i915]
 ? _cond_resched+0x15/0x30
 i915_vma_move_to_active+0x6e/0xf0 [i915]
 i915_gem_do_execbuffer+0xc7c/0x1580 [i915]
 ? _cond_resched+0x15/0x30
 ? mutex_lock+0xe/0x30
 ? unix_stream_read_generic+0x1f3/0x8c0
 ? __kmalloc_node+0x1ff/0x310
 i915_gem_execbuffer2_ioctl+0x1df/0x3d0 [i915]
 ? i915_gem_madvise_ioctl+0x149/0x2b0 [i915]
 ? i915_gem_execbuffer_ioctl+0x2e0/0x2e0 [i915]
 drm_ioctl_kernel+0xaa/0xf0 [drm]
 drm_ioctl+0x208/0x390 [drm]
 ? i915_gem_execbuffer_ioctl+0x2e0/0x2e0 [i915]
 ? selinux_file_ioctl+0x174/0x220
RIP: 0033:0x7fdde9820fcb
Code: 0f 1e fa 48 8b 05 bd ce 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8d ce 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffd79711108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd79711150 RCX: 00007fdde9820fcb
RDX: 00007ffd79711150 RSI: 0000000040406469 RDI: 000000000000000a
RBP: 0000000040406469 R08: 00005614a569c800 R09: 0000000000100000
R10: 0000000000000000 R11: 0000000000000246 R12: 00005614a5a7f700
R13: 000000000000000a R14: ffffffffffffffff R15: 00007fdde7180450
Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c rfkill ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter nct6775 hwmon_vid sunrpc snd_hda_codec_realtek snd_hda_codec_hdmi snd_hda_codec_generic intel_rapl_msr intel_rapl_common ledtrig_audio snd_hda_intel x86_pkg_temp_thermal intel_powerclamp snd_intel_nhlt snd_hda_codec coretemp snd_hda_core snd_hwdep kvm_intel snd_seq kvm snd_seq_device snd_pcm irqbypass snd_timer snd soundcore crct10dif_pclmul crc32_pclmul iTCO_wdt ghash_clmulni_intel iTCO_vendor_support mei_wdt mei_hdcp intel_cstate mei_me mei intel_uncore lpc_ich pcspkr intel_rapl_perf i2c_i801 ip_tables i915 i2c_algo_bit drm_kms_helper crc32c_intel drm r8169 video fuse
CR2: 0000000000000040
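
The oops above can be cross-checked mechanically: the byte marked `<8b>` at RIP, the register dump and CR2 should agree on the faulting address. The following is an added triage example, not part of the original comment or of any Fedora or i915 tooling; the decoder covers only the `mov reg, [base+disp]` form seen here, and the 4096-byte "near NULL" threshold and all function names are assumptions.

```python
import re

# Excerpt of the oops quoted in comment 1; the Code line is shortened around
# the <..> marker, which flags the instruction byte at RIP.
OOPS = """\
RIP: 0010:i915_active_acquire+0x9/0x70 [i915]
Code: 0f 1f 44 00 00 41 54 55 53 <8b> 47 38 48 89 fb 85 c0 74 15
RAX: 0000000000000000 RBX: ffff8f941041c180 RCX: 0000000000000000
RDX: ffff8f93b7e79d40 RSI: ffff8f941041c180 RDI: 0000000000000008
RBP: ffff8f93b7e79d40 R08: ffff8f93781f1808 R09: ffff8f93781f1808
CR2: 0000000000000040 CR3: 00000002136ea003 CR4: 00000000001606e0
"""
LEGACY = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]

def parse_regs(oops):
    """Map register name -> value for the 'NAME: <16 hex digits>' fields."""
    pairs = re.findall(r"\b(CR2|R[A-Z0-9]{2}):\s*([0-9a-f]{16})\b", oops)
    return {name: int(val, 16) for name, val in pairs}

def faulting_bytes(oops):
    """Return the Code bytes starting at the <..> marker."""
    toks = re.search(r"^Code: (.*)$", oops, re.M).group(1).split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in toks[start:])

def decode_mov_load(insn):
    """Decode 'mov reg, [base+disp]' (opcode 0x8b, no SIB) -> (base, disp)."""
    rex_b = 0
    if 0x40 <= insn[0] <= 0x4F:           # optional REX prefix
        rex_b, insn = insn[0] & 1, insn[1:]
    mod, rm = insn[1] >> 6, insn[1] & 7
    if insn[0] != 0x8B or rm == 4 or mod not in (1, 2):
        return None                        # outside this narrow decoder
    size = 1 if mod == 1 else 4            # disp8 or disp32
    disp = int.from_bytes(insn[2:2 + size], "little", signed=True)
    return (f"R{8 + rm:02d}" if rex_b else LEGACY[rm]), disp

def triage(oops):
    """Check that base register + displacement reproduces the CR2 address."""
    regs = parse_regs(oops)
    decoded = decode_mov_load(faulting_bytes(oops))
    if decoded is None or decoded[0] not in regs:
        return None
    base, disp = decoded
    addr = (regs[base] + disp) & (2**64 - 1)
    return {"base": base, "base_value": regs[base], "disp": disp,
            "matches_cr2": addr == regs["CR2"],
            "near_null": regs[base] < 4096}

if __name__ == "__main__":
    print(triage(OOPS))
```

For this trace the load is from RDI + 0x38 with RDI = 0x8, which reproduces CR2 = 0x40. A base of 0x8 rather than 0 is consistent with a member address computed from a NULL structure pointer, though the trace alone does not show which structure.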

Comment 2 Steve 2020-02-20 19:36:22 UTC
A web search for "i915_active_ref" found this bug report:

NULL pointer dereference in i915_active_acquire since Linux 5.4

It appears to have been closed with a bug fix:

commit da42104f589d979bbe402703fd836cec60befae1
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Wed Dec 18 10:40:43 2019 +0000

    drm/i915: Hold reference to intel_frontbuffer as we track activity

Comment 3 Steve 2020-02-20 20:46:25 UTC
(In reply to Steve from comment #2)
> It appears to have been closed with a bug fix:
> commit da42104f589d979bbe402703fd836cec60befae1
> Author: Chris Wilson <chris@chris-wilson.co.uk>
> Date:   Wed Dec 18 10:40:43 2019 +0000
>     drm/i915: Hold reference to intel_frontbuffer as we track activity

That appears to be in 5.5, but not in 5.4:

drm/i915: Hold reference to intel_frontbuffer as we track activity

Comment 4 Steve 2020-02-20 22:11:40 UTC
throwawaythesun: Could you put "i915" at the beginning of the bug summary, so it is easier for developers to see what the bug is about:

"i915: kernel NULL pointer dereference, address: 0000000000000040 appearing randomly"

Comment 5 Steve 2020-02-21 16:18:22 UTC
throwawaythesun: Thanks for updating the bug summary.

Since you are on F31, you could try:

kernel-5.5.5-200.fc31, kernel-headers-5.5.5-200.fc31, & 1 more

See, however, the negative karma comment from arcivanov and the reply from jforbes.

Comment 6 Steve 2020-02-24 23:17:29 UTC
This is against 5.5.5-200.fc31.x86_64, but the call trace looks very similar:

Bug 1806747 - [abrt] i915_active_ref: general protection fault in i915_active_ref [i915]

Comment 7 Steve 2020-02-25 18:33:18 UTC
The current "stable" kernel built for Fedora is available:

kernel-5.5.6-201.fc31, kernel-headers-5.5.6-200.fc31, & 1 more

Comment 8 Justin M. Forbes 2020-03-03 16:32:51 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There are a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 31 kernel bugs.

Fedora 31 has now been rebased to 5.5.7-200.fc31.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 32, and are still experiencing this issue, please change the version to Fedora 32.

If you experience different issues, please open a new bug report for those.
