Bug 48269

Summary: [8xx dinq regression] gmbus NULL pointer deref due to dvo detection (zero length reads/writes)
Product: DRI Reporter: Chris Wilson <chris>
Component: DRM/IntelAssignee: Daniel Vetter <daniel>
Status: CLOSED FIXED QA Contact:
Severity: normal    
Priority: medium CC: ben, chris, daniel, florian, jbarnes
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Chris Wilson 2012-04-03 15:23:56 UTC 
[    8.833541] BUG: unable to handle kernel NULL pointer dereference at   (null)
[    8.833647] IP: [<d0e0717f>] gmbus_xfer+0x135/0x3ef [i915]
[    8.833758] *pde = 00000000 
[    8.833817] Oops: 0002 [#1] 
[    8.833873] Modules linked in: i915(+) cfbfillrect cfbimgblt cfbcopyarea drm_kms_helper
[    8.834059] 
[    8.834089] Pid: 142, comm: modprobe Not tainted 3.3.0+ #19 Dell Computer Corporation Inspiron 1100                   /09U784
[    8.834212] EIP: 0060:[<d0e0717f>] EFLAGS: 00010296 CPU: 0
[    8.834281] EIP is at gmbus_xfer+0x135/0x3ef [i915]
[    8.834319] EAX: 0000004a EBX: ce898000 ECX: 00000000 EDX: fffdfffc
[    8.834356] ESI: 00000000 EDI: 00000000 EBP: cfa0fd7c ESP: cfa0fd0c
[    8.834393]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[    8.834432] CR0: 8005003b CR2: 00000000 CR3: 0face000 CR4: 00000790
[    8.834471] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[    8.834509] DR6: ffff0ff0 DR7: 00000400
[    8.834554] Process modprobe (pid: 142, ti=cfa0e000 task=cf9d8350 task.ti=cfa0e000)
[    8.834614] Stack:
[    8.834653]  fffe0000 00005108 d0e073f9 fffee3b2 00005108 fffee3b4 00000000 00000003
[    8.834905]  00005100 cfa0fd7c 0000510c cf9d7158 ce898024 00005104 d0e148b4 cf9d7158
[    8.835161]  00000000 00000003 c1132427 fffee3a7 cfa0fd7c ce8ddcc0 00000000 cfa0fda0
[    8.835419] Call Trace:
[    8.835497]  [<d0e073f9>] ? gmbus_xfer+0x3af/0x3ef [i915]
[    8.835557]  [<c1132427>] ? i2c_transfer+0x7e/0xab
[    8.835636]  [<d0e0dcae>] ? ivch_read+0x7b/0xd6 [i915]
[    8.835717]  [<d0e0e0c8>] ? ivch_init+0x35/0x98 [i915]
[    8.835796]  [<d0e08def>] ? intel_dvo_init+0xbc/0x1f5 [i915]
[    8.835875]  [<d0dfdd69>] ? intel_modeset_init+0xc87/0xdda [i915]
[    8.835949]  [<d0de39fa>] ? i915_driver_load+0x7b7/0xc07 [i915]
[    8.836002]  [<c113e670>] ? drm_get_minor+0x1c8/0x212
[    8.836051]  [<c113fbe1>] ? drm_get_pci_dev+0x11a/0x1f6
[    8.836130]  [<d0e0e984>] ? sil164_init+0xba/0xba [i915]
[    8.836184]  [<c10d92e7>] ? pci_device_probe+0x39/0x60
[    8.836235]  [<c1105ecf>] ? driver_probe_device+0x7d/0x147
[    8.836283]  [<c1105fd9>] ? __driver_attach+0x40/0x5b
[    8.836331]  [<c1104ef8>] ? bus_for_each_dev+0x37/0x59
[    8.836379]  [<c1105baa>] ? driver_attach+0x14/0x17
[    8.836427]  [<c1105f99>] ? driver_probe_device+0x147/0x147
[    8.836475]  [<c110589b>] ? bus_add_driver+0x83/0x1ac
[    8.836526]  [<c10ca8e0>] ? kset_find_obj+0x18/0x39
[    8.836574]  [<d0e28000>] ? 0xd0e27fff
[    8.836620]  [<c11061be>] ? driver_register+0x6e/0xc1
[    8.836666]  [<d0e28000>] ? 0xd0e27fff
[    8.836717]  [<d0e28000>] ? 0xd0e27fff
[    8.836763]  [<c10d9361>] ? __pci_register_driver+0x2b/0x76
[    8.836814]  [<c1001065>] ? do_one_initcall+0x65/0x104
[    8.836865]  [<c1036eff>] ? sys_init_module+0x1033/0x1369
[    8.836918]  [<c11b4110>] ? sysenter_do_call+0x12/0x26
[    8.836965] Code: e8 af 55 21 f0 8b 54 24 10 89 d8 e8 9b a4 fd ff f6 c4 0c 74 ce e9 95 02 00 00 8b 54 24 28 89 d8 e8 86 a4 fd ff 8b 14 24 83 ea 04 <88> 06 c1 e8 08 66 ff 0c 24 0f 84 ff 00 00 00 46 66 39 14 24 75 
[    8.837520] EIP: [<d0e0717f>] gmbus_xfer+0x135/0x3ef [i915] SS:ESP 0068:cfa0fd0c
[    8.837520] CR2: 0000000000000000
[    8.839048] ---[ end trace 1cbb1d015631f846 ]---
[   10.394255] Adding 495612k swap on /dev/sda5.  Priority:-1 extents:1 across:495612k
Comment 1 Chris Wilson 2012-04-03 15:31:41 UTC 
Zero-byte read: see <1333108003-6341-2-git-send-email-djkurtz@chromium.org>
Comment 2 Chris Wilson 2012-04-03 15:32:49 UTC 
(Note only in dinq, not 3.4, as this is gen2)
Comment 3 Chris Wilson 2012-04-03 15:35:21 UTC 
Hmm, linked patch is for zero byte *write* not read.
Comment 4 Chris Wilson 2012-04-03 15:44:53 UTC 
And after "fixing" that:

[    8.821258] [drm] GMBUS timed out, falling back to bit banging on pin 1 [i915 gmbus ssc]
[    8.917260] [drm] GMBUS timed out, falling back to bit banging on pin 5 [i915 gmbus dpb]
Comment 5 Gordon Jin 2012-04-05 00:14:24 UTC 
(I excluded bugs starting with "[8" from Intel bug statisctic)
Comment 6 Chris Wilson 2012-04-13 06:51:25 UTC 
commit 79985eee842ef146ed6307a29fdc2fa008036421
Author: Daniel Kurtz <djkurtz@chromium.org>
Date:   Fri Apr 13 19:47:53 2012 +0800

    drm/i915/intel_i2c: handle zero-length reads
    
    A common method of probing an i2c bus is trying to do a zero-length read.
    Handle this case by checking the length first waiting for data to be read.
    
    This is actually important, since attempting a zero-length read is one
    of the ways that i2cdetect and i2c_new_probed_device detect whether
    there is device present on the bus with a given address.
    
    Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=48269
    Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
    Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Tested on my 845g.
Comment 7 Florian Mickler 2012-04-16 14:30:09 UTC 
A patch referencing this bug report has been merged in Linux v3.4-rc3:

commit 6a562e3daee217ce99fe0e31150acd89a5b22606
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Mon Apr 9 21:10:38 2012 +0200

    Revert "drm/i915: reenable gmbus on gen3+ again"

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.