Bug 27569

Summary: Radeon KMS panic with certain kernel config.
Product: DRI Reporter: Nick Bowler <nbowler>
Component: DRM/RadeonAssignee: Default DRI bug account <dri-devel>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Nick Bowler 2010-04-09 11:57:49 UTC 
With a kernel built with CONFIG_AGP=y, CONFIG_AGP_INTEL=m and CONFIG_DRM_RADEON=y, enabling radeon KMS (either by the config option or radeon.modeset=1 boot parameter) results in an immediate kernel panic.  Modesetting works fine when those options are all set to 'y' or all set to 'm'.

Both Linus' git and 2.6.33 are affected.  Full boot log follows.

Linux version 2.6.34-rc3-00406-gcf90bfe (root@ulna.ellipticsemi.com) (gcc version 4.3.0 20080428 (Red Hat 4.3.0-8) (GCC) ) #56 SMP PREEMPT Fri Apr 9 14:28:59 EDT 2010
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
 BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 000000001ff40000 (usable)
 BIOS-e820: 000000001ff40000 - 000000001ff50000 (ACPI data)
 BIOS-e820: 000000001ff50000 - 0000000020000000 (ACPI NVS)
Notice: NX (Execute Disable) protection missing in CPU or disabled in BIOS!
DMI 2.3 present.
last_pfn = 0x1ff40 max_arch_pfn = 0x100000
x86 PAT enabled: cpu 0, old 0x7040600070406, new 0x7010600070106
init_memory_mapping: 0000000000000000-000000001ff40000
RAMDISK: 1fbfc000 - 1ff30000
ACPI: RSDP 000f70e0 00014 (v00 ACPIAM)
ACPI: RSDT 1ff40000 00030 (v01 INTEL  D845EPT2 20020920 MSFT 00000097)
ACPI: FACP 1ff40200 00081 (v02 INTEL  D845EPT2 20020920 MSFT 00000097)
ACPI: DSDT 1ff40400 0420A (v01 INTEL  D845EPT2 0000010A MSFT 0100000D)
ACPI: FACS 1ff50000 00040
ACPI: APIC 1ff40300 00068 (v01 INTEL  D845EPT2 20020920 MSFT 00000097)
ACPI: ASF! 1ff44610 00084 (v16 AMIASF I845GASF 00000001 MSFT 0100000D)
511MB LOWMEM available.
  mapped low ram: 0 - 1ff40000
  low ram: 0 - 1ff40000
Zone PFN ranges:
  DMA      0x00000001 -> 0x00001000
  Normal   0x00001000 -> 0x0001ff40
Movable zone start PFN for each node
early_node_map[2] active PFN ranges
    0: 0x00000001 -> 0x0000009f
    0: 0x00000100 -> 0x0001ff40
Using APIC driver default
ACPI: PM-Timer IO Port: 0x408
ACPI: LAPIC (acpi_id[0x01] lapic_id[0x00] enabled)
ACPI: LAPIC (acpi_id[0x02] lapic_id[0x81] disabled)
ACPI: LAPIC_NMI (acpi_id[0x01] dfl dfl lint[0x1])
ACPI: LAPIC_NMI (acpi_id[0x02] dfl dfl lint[0x1])
ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
IOAPIC[0]: apic_id 1, version 32, address 0xfec00000, GSI 0-23
ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
Using ACPI (MADT) for SMP configuration information
SMP: Allowing 2 CPUs, 1 hotplug CPUs
Allocating PCI resources starting at 20000000 (gap: 20000000:e0000000)
setup_percpu: NR_CPUS:8 nr_cpumask_bits:8 nr_cpu_ids:2 nr_node_ids:1
PERCPU: Embedded 16 pages/cpu @c2000000 s40980 r0 d24556 u2097152
pcpu-alloc: s40980 r0 d24556 u2097152 alloc=1*4194304
pcpu-alloc: [0] 0 1 
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 129759
Kernel command line: ro root=/dev/VolGroup00/LogVol00 rhgb console=ttyS0,115200n8 radeon.modeset=1
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Enabling fast FPU save and restore... done.
Enabling unmasked SIMD FPU exception support... done.
Initializing CPU#0
Subtract (34 early reservations)
  #1 [0000001000 - 0000002000]   EX TRAMPOLINE
  #2 [0001000000 - 00019cbd6c]   TEXT DATA BSS
  #3 [001fbfc000 - 001ff30000]         RAMDISK
  #4 [000009fc00 - 0000100000]   BIOS reserved
  #5 [00019cc000 - 00019d3110]             BRK
  #6 [0000002000 - 0000003000]      TRAMPOLINE
  #7 [0000007000 - 0000008000]         PGTABLE
  #8 [00019d3180 - 0001dd3180]         BOOTMEM
  #9 [00019cbd80 - 00019cbd84]         BOOTMEM
  #10 [0001dd3180 - 0001dd33c0]         BOOTMEM
  #11 [00019cbe00 - 00019cbe30]         BOOTMEM
  #12 [0001dd3400 - 0001dd7c00]         BOOTMEM
  #13 [00019cbe80 - 00019cbea7]         BOOTMEM
  #14 [00019cbf00 - 00019cbfc4]         BOOTMEM
  #15 [0001dd7c00 - 0001dd7c40]         BOOTMEM
  #16 [0001dd7c80 - 0001dd7cc0]         BOOTMEM
  #17 [0001dd7d00 - 0001dd7d40]         BOOTMEM
  #18 [0001dd7d80 - 0001dd7dc0]         BOOTMEM
  #19 [0001dd7e00 - 0001dd7e40]         BOOTMEM
  #20 [0001dd7e80 - 0001dd7ec0]         BOOTMEM
  #21 [0001dd7f00 - 0001dd7f4e]         BOOTMEM
  #22 [0001dd7f80 - 0001dd7fce]         BOOTMEM
  #23 [0002000000 - 0002010000]         BOOTMEM
  #24 [0002200000 - 0002210000]         BOOTMEM
  #25 [0001dda000 - 0001dda004]         BOOTMEM
  #26 [0001dda080 - 0001dda084]         BOOTMEM
  #27 [0001dda100 - 0001dda108]         BOOTMEM
  #28 [0001dda180 - 0001dda188]         BOOTMEM
  #29 [0001dda200 - 0001dda2a8]         BOOTMEM
  #30 [0001dda300 - 0001dda368]         BOOTMEM
  #31 [0001dd8000 - 0001dda000]         BOOTMEM
  #32 [0001dda380 - 0001e1a380]         BOOTMEM
  #33 [0001e1a380 - 0001e3a380]         BOOTMEM
Memory: 505136k/523520k available (2614k kernel code, 17992k reserved, 1670k data, 360k init, 0k highmem)
virtual kernel memory layout:
    fixmap  : 0xfff1f000 - 0xfffff000   ( 896 kB)
    vmalloc : 0xe0740000 - 0xfff1d000   ( 503 MB)
    lowmem  : 0xc0000000 - 0xdff40000   ( 511 MB)
      .init : 0xc1430000 - 0xc148a000   ( 360 kB)
      .data : 0xc128d881 - 0xc142f388   (1670 kB)
      .text : 0xc1000000 - 0xc128d881   (2614 kB)
Checking if this processor honours the WP bit even in supervisor mode...Ok.
Hierarchical RCU implementation.
NR_IRQS:512
Console: colour VGA+ 80x25
console [ttyS0] enabled
Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
... MAX_LOCKDEP_SUBCLASSES:  8
... MAX_LOCK_DEPTH:          48
... MAX_LOCKDEP_KEYS:        8191
... CLASSHASH_SIZE:          4096
... MAX_LOCKDEP_ENTRIES:     16384
... MAX_LOCKDEP_CHAINS:      32768
... CHAINHASH_SIZE:          16384
 memory used by lock dependency info: 3567 kB
 per task-struct memory footprint: 1152 bytes
Fast TSC calibration using PIT
Detected 2000.232 MHz processor.
Calibrating delay loop (skipped), value calculated using timer frequency.. 4000.46 BogoMIPS (lpj=2000232)
Mount-cache hash table entries: 512
CPU0: Hyper-Threading is disabled
mce: CPU supports 4 MCE banks
CPU0: Thermal monitoring enabled (TM1)
Performance Events: no PMU driver, software events only.
Checking 'hlt' instruction... OK.
Freeing SMP alternatives: 12k freed
ACPI: Core revision 20100121
Enabling APIC mode:  Flat.  Using 1 I/O APICs
..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
CPU0: Intel(R) Pentium(R) 4 CPU 2.00GHz stepping 04
Brought up 1 CPUs
Total of 1 processors activated (4000.46 BogoMIPS).
NET: Registered protocol family 16
ACPI: bus type pci registered
PCI: PCI BIOS revision 2.10 entry at 0xf0031, last bus=2
PCI: Using configuration type 1 for base access
bio: create slab <bio-0> at 0
ACPI: Executed 2 blocks of module-level executable AML code
ACPI: Interpreter enabled
ACPI: (supports S0 S5)
ACPI: Using IOAPIC for interrupt routing
ACPI: Power Resource [URP1] (off)
ACPI: Power Resource [URP2] (off)
ACPI: Power Resource [FDDP] (off)
ACPI: Power Resource [LPTP] (off)
ACPI: No dock devices found.
PCI: Ignoring host bridge windows from ACPI; if necessary, use "pci=use_crs" and report a bug
ACPI: PCI Root Bridge [PCI0] (0000:00)
* The chipset may have PM-Timer Bug. Due to workarounds for a bug,
* this clock source is slow. If you are sure your timer does not have
* this bug, please use "acpi_pm_good" to disable the workaround
pci 0000:00:1f.0: quirk: [io  0x0400-0x047f] claimed by ICH4 ACPI/GPIO/TCO
pci 0000:00:1f.0: quirk: [io  0x0480-0x04bf] claimed by ICH4 GPIO
pci 0000:00:01.0: PCI bridge to [bus 01-01]
pci 0000:00:1e.0: PCI bridge to [bus 02-02] (subtractive decode)
ACPI: PCI Interrupt Link [LNKA] (IRQs 3 4 5 7 9 10 *11 12 14 15)
ACPI: PCI Interrupt Link [LNKB] (IRQs 3 4 5 7 9 10 *11 12 14 15)
ACPI: PCI Interrupt Link [LNKC] (IRQs 3 4 5 7 *9 10 11 12 14 15)
ACPI: PCI Interrupt Link [LNKD] (IRQs 3 4 *5 7 9 10 11 12 14 15)
ACPI: PCI Interrupt Link [LNKE] (IRQs 3 4 5 6 7 9 10 11 12 14 15) *0, disabled.
ACPI: PCI Interrupt Link [LNKF] (IRQs 3 4 5 6 7 9 10 *11 12 14 15)
ACPI: PCI Interrupt Link [LNKG] (IRQs 3 4 5 6 7 9 10 *11 12 14 15)
ACPI: PCI Interrupt Link [LNKH] (IRQs 3 4 5 6 7 9 *10 11 12 14 15)
vgaarb: device added: PCI:0000:01:00.0,decodes=io+mem,owns=io+mem,locks=none
vgaarb: loaded
PCI: Using ACPI for IRQ routing
Switching to clocksource tsc
pnp: PnP ACPI init
ACPI: bus type pnp registered
pnp: PnP ACPI: found 15 devices
ACPI: ACPI bus type pnp unregistered
system 00:09: [io  0x04d0-0x04d1] has been reserved
system 00:0d: [io  0x0400-0x047f] has been reserved
system 00:0d: [io  0x0680-0x06ff] has been reserved
system 00:0d: [io  0x0480-0x04bf] has been reserved
system 00:0d: [mem 0xfec00000-0xfec00fff] could not be reserved
system 00:0d: [mem 0xfee00000-0xfee00fff] has been reserved
system 00:0e: [mem 0x00000000-0x0009ffff] could not be reserved
system 00:0e: [mem 0x000c0000-0x000dffff] could not be reserved
system 00:0e: [mem 0x000e0000-0x000fffff] could not be reserved
system 00:0e: [mem 0x00100000-0x1fffffff] could not be reserved
pci 0000:00:1f.1: BAR 5: assigned [mem 0x20000000-0x200003ff]
pci 0000:00:1f.1: BAR 5: set to [mem 0x20000000-0x200003ff] (PCI address [0x20000000-0x200003ff]
pci 0000:00:01.0: PCI bridge to [bus 01-01]
pci 0000:00:01.0:   bridge window [io  0xc000-0xcfff]
pci 0000:00:01.0:   bridge window [mem 0xfa900000-0xfa9fffff]
pci 0000:00:01.0:   bridge window [mem 0xe0600000-0xf06fffff pref]
pci 0000:00:1e.0: PCI bridge to [bus 02-02]
pci 0000:00:1e.0:   bridge window [io  0xd000-0xdfff]
pci 0000:00:1e.0:   bridge window [mem 0xfaa00000-0xfeafffff]
pci 0000:00:1e.0:   bridge window [mem 0xf0700000-0xf27fffff pref]
NET: Registered protocol family 2
IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
TCP established hash table entries: 16384 (order: 5, 131072 bytes)
TCP bind hash table entries: 16384 (order: 7, 524288 bytes)
TCP: Hash tables configured (established 16384 bind 16384)
TCP reno registered
UDP hash table entries: 256 (order: 2, 20480 bytes)
UDP-Lite hash table entries: 256 (order: 2, 20480 bytes)
NET: Registered protocol family 1
Unpacking initramfs...
Freeing initrd memory: 3280k freed
VFS: Disk quotas dquot_6.5.2
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
msgmni has been set to 993
alg: No test for stdrng (krng)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler cfq registered (default)
Linux agpgart interface v0.103
Hangcheck: starting hangcheck timer 0.9.0 (tick is 180 seconds, margin is 60 seconds).
Hangcheck: Using get_cycles().
[drm] Initialized drm 1.1.0 20060810
[drm] radeon kernel modesetting enabled.
radeon 0000:01:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
[drm] radeon: Initializing kernel modesetting.
[drm] register mmio base: 0xFA9F0000
[drm] register mmio size: 65536
[drm] GPU reset succeed (RBBM_STATUS=0x00000140)
[drm] 1 Power State(s)
[drm] State 0 Default (default)
[drm] 	1 Clock Mode(s)
[drm] 		0 engine/memory: 166000/166000
[drm] radeon: power management initialized
BUG: unable to handle kernel NULL pointer dereference at 00000040
IP: [<c11a4c65>] radeon_agp_init+0x14/0x36b
*pde = 00000000 
Oops: 0000 [#1] PREEMPT SMP 
last sysfs file: 
Modules linked in:

Pid: 1, comm: swapper Not tainted 2.6.34-rc3-00406-gcf90bfe #56 D845EPT2                       /        
EIP: 0060:[<c11a4c65>] EFLAGS: 00010286 CPU: 0
EIP is at radeon_agp_init+0x14/0x36b
EAX: 00000000 EBX: 00000000 ECX: c12884ed EDX: de9e1000
ESI: df578000 EDI: df578000 EBP: df44fe38 ESP: df44fde4
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 1, ti=df44f000 task=df462020 task.ti=df44f000)
Stack:
 00000000 c19c6484 df44fe18 df578000 df578c60 c19c647c df578000 00000000
<0> df578d00 df44fe18 c1285566 c13a85ff df44fe24 df44fe38 c11f350c c13a85ff
<0> 00000001 df578158 00000000 df578000 df578000 df44fe50 c11caf32 c11f8036
Call Trace:
 [<c1285566>] ? printk+0xf/0x11
 [<c11f350c>] ? radeon_pm_init+0x1ef/0x1f9
 [<c11caf32>] ? r100_init+0x18e/0x250
 [<c11f8036>] ? vga_client_register+0x58/0x5f
 [<c11a0512>] ? radeon_device_init+0x28d/0x305
 [<c119fb07>] ? radeon_vga_set_decode+0x0/0x20
 [<c11a1212>] ? radeon_driver_load_kms+0x101/0x163
 [<c117bf1c>] ? drm_get_dev+0x389/0x455
 [<c12839a5>] ? radeon_pci_probe+0xd/0xf
 [<c111b240>] ? local_pci_probe+0xe/0x10
 [<c111b3f6>] ? pci_device_probe+0x43/0x66
 [<c1202110>] ? driver_probe_device+0x79/0x105
 [<c12021df>] ? __driver_attach+0x43/0x5f
 [<c1201aa5>] ? bus_for_each_dev+0x3d/0x67
 [<c1201fe7>] ? driver_attach+0x14/0x16
 [<c120219c>] ? __driver_attach+0x0/0x5f
 [<c120151c>] ? bus_add_driver+0x104/0x236
 [<c1202423>] ? driver_register+0x8b/0xeb
 [<c1112a07>] ? __raw_spin_lock_init+0x24/0x49
 [<c111b5e3>] ? __pci_register_driver+0x4c/0xa5
 [<c1177b15>] ? drm_init+0x58/0xb0
 [<c144db18>] ? radeon_init+0x0/0xae
 [<c144dbc4>] ? radeon_init+0xac/0xae
 [<c1001051>] ? do_one_initcall+0x4c/0x136
 [<c1430357>] ? kernel_init+0x114/0x198
 [<c1430243>] ? kernel_init+0x0/0x198
 [<c1002d3a>] ? kernel_thread_helper+0x6/0x1a
Code: 8b 90 1c 03 00 00 85 d2 74 0b 83 7a 40 00 74 05 e8 83 7e fd ff 5d c3 55 89 e5 57 56 53 83 ec 48 89 c7 8b 50 04 8b 82 1c 03 00 00 <83> 78 40 00 75 1b 89 d0 e8 05 7e fd ff 89 45 cc 85 c0 74 0d 50 
EIP: [<c11a4c65>] radeon_agp_init+0x14/0x36b SS:ESP 0068:df44fde4
CR2: 0000000000000040
---[ end trace 0b3aebfa4a20514a ]---
Kernel panic - not syncing: Attempted to kill init!
Pid: 1, comm: swapper Tainted: G      D    2.6.34-rc3-00406-gcf90bfe #56
Call Trace:
 [<c1285566>] ? printk+0xf/0x11
 [<c12854e6>] panic+0x42/0xb3
 [<c1031fc1>] do_exit+0x5c/0x5d5
 [<c102ffce>] ? kmsg_dump+0xff/0x113
 [<c102f263>] ? oops_exit+0x2a/0x2f
 [<c128989c>] oops_end+0x92/0x9a
 [<c1019806>] no_context+0x114/0x11e
 [<c10068d6>] ? native_sched_clock+0x42/0x8d
 [<c1019949>] __bad_area_nosemaphore+0x139/0x141
 [<c104a02d>] ? sched_clock_local+0x17/0x104
 [<c101e8f3>] ? sched_slice+0x71/0x80
 [<c128ae35>] ? do_page_fault+0x196/0x41e
 [<c101995e>] bad_area_nosemaphore+0xd/0x10
 [<c128aef2>] do_page_fault+0x253/0x41e
 [<c110ef9c>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c12888f0>] ? restore_all_notrace+0x0/0x18
 [<c12884ed>] ? _raw_spin_unlock_irqrestore+0x2f/0x58
 [<c128ac9f>] ? do_page_fault+0x0/0x41e
 [<c1288f6b>] error_code+0x6b/0x70
 [<c12884ed>] ? _raw_spin_unlock_irqrestore+0x2f/0x58
 [<c128ac9f>] ? do_page_fault+0x0/0x41e
 [<c11a4c65>] ? radeon_agp_init+0x14/0x36b
 [<c1285566>] ? printk+0xf/0x11
 [<c11f350c>] ? radeon_pm_init+0x1ef/0x1f9
 [<c11caf32>] r100_init+0x18e/0x250
 [<c11f8036>] ? vga_client_register+0x58/0x5f
 [<c11a0512>] radeon_device_init+0x28d/0x305
 [<c119fb07>] ? radeon_vga_set_decode+0x0/0x20
 [<c11a1212>] radeon_driver_load_kms+0x101/0x163
 [<c117bf1c>] drm_get_dev+0x389/0x455
 [<c12839a5>] radeon_pci_probe+0xd/0xf
 [<c111b240>] local_pci_probe+0xe/0x10
 [<c111b3f6>] pci_device_probe+0x43/0x66
 [<c1202110>] driver_probe_device+0x79/0x105
 [<c12021df>] __driver_attach+0x43/0x5f
 [<c1201aa5>] bus_for_each_dev+0x3d/0x67
 [<c1201fe7>] driver_attach+0x14/0x16
 [<c120219c>] ? __driver_attach+0x0/0x5f
 [<c120151c>] bus_add_driver+0x104/0x236
 [<c1202423>] driver_register+0x8b/0xeb
 [<c1112a07>] ? __raw_spin_lock_init+0x24/0x49
 [<c111b5e3>] __pci_register_driver+0x4c/0xa5
 [<c1177b15>] drm_init+0x58/0xb0
 [<c144db18>] ? radeon_init+0x0/0xae
 [<c144dbc4>] radeon_init+0xac/0xae
 [<c1001051>] do_one_initcall+0x4c/0x136
 [<c1430357>] kernel_init+0x114/0x198
 [<c1430243>] ? kernel_init+0x0/0x198
 [<c1002d3a>] kernel_thread_helper+0x6/0x1a
Comment 1 Dave Airlie 2010-04-09 15:55:27 UTC 
Not sure how you expect this to work since we need AGP working.
Comment 2 Nick Bowler 2010-04-09 16:49:45 UTC 
I don't expect it to work.

I do expect the driver to not oops, however.
Comment 3 Nick Bowler 2010-05-05 10:41:08 UTC 
Well, looks like this has been fixed in latest Linus' git.  More than fixed, in
fact: not only does the kernel not panic, but modesetting actually works
(appears to fall back to a non-AGP mode of operation).

commit ccb2ad579f910e6146adf4eb3aa50325253ee8c9
Author: Robert Fitzsimons <robfitz@273k.net>
Date:   Sat Apr 24 01:18:13 2010 +0100

    drm/radeon/kms/agp The wrong AGP chipset can cause a NULL pointer dereference
    
    Selecting the wrong or no CONFIG_AGP_* chipset can cause a NULL pointer
    dereference when combined with CONFIG_DRM_RADEON_KMS and an old system
    with a R100 AGP card (should effect other cards too).  The agp field
    will be set to NULL if no suitable AGP chipset driver is loaded,
    drm_agp_acquire already preforms a suitable NULL check so it can be used
    directly.
    
    Signed-off-by: Robert Fitzsimons <robfitz@273k.net>
    Signed-off-by: Dave Airlie <airlied@redhat.com>

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.