Bug 65927

Summary: [HSW] crash when vga output set to mirror mode
Product: DRI Reporter: Timo Aaltonen <tjaalton>
Component: DRM/IntelAssignee: Chris Wilson <chris>
Status: CLOSED FIXED QA Contact: Intel GFX Bugs mailing list <intel-gfx-bugs>
Severity: blocker    
Priority: highest CC: yangweix.shui
Version: XOrg git   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments:
Description Flags
dmesg with drm-intel-nightly from ~1w ago
none
Fix broken array dereference in is_crtc_connector_off() none

Description Timo Aaltonen 2013-06-19 11:00:57 UTC
Created attachment 81061 [details]
dmesg with drm-intel-nightly from ~1w ago

HDMI works fine, VGA crashes when switching to mirror mode

[  418.588027] [drm:drm_mode_setcrtc], [CRTC:3]
[  418.588381] [drm:drm_mode_setcrtc], [CONNECTOR:12:eDP-1]
[  418.588724] [drm:drm_mode_setcrtc], [CONNECTOR:9:VGA-1]
[  418.588726] [drm:intel_crtc_set_config], [CRTC:3] [FB:26] #connectors=2 (x y) (0 0)
[  418.588744] BUG: unable to handle kernel paging request at 0000002000000038
[  418.589116] IP: [<ffffffffa0514d98>] intel_set_config_compute_mode_changes.isra.50+0x68/0x1b0 [i915]
[  418.589504] PGD 0 
[  418.589854] Oops: 0000 [#1] SMP 
[  418.589867] Modules linked in: snd_hda_codec_realtek coretemp i915 snd_hda_intel snd_hda_codec kvm snd_hwdep snd_pcm crc32_pclmul ghash_clmulni_intel aesni_intel snd_seq_midi snd_rawmidi drm_kms_helper snd_seq_midi_event rfcomm snd_seq uvcvideo ablk_helper snd_timer cryptd parport_pc snd_seq_device lrw ppdev gf128mul lp bnep videobuf2_core joydev drm snd parport bluetooth psmouse videodev hp_accel glue_helper hp_wmi videobuf2_vmalloc lis3lv02d aes_x86_64 videobuf2_memops soundcore snd_page_alloc dm_multipath input_polldev lpc_ich sparse_keymap rtsx_pci_ms memstick i2c_algo_bit video serio_raw microcode scsi_dh mac_hid wmi(OF) binfmt_misc dm_mirror dm_region_hash dm_log btrfs raid6_pq rtsx_pci_sdmmc rtsx_pci r8169 ahci libahci xor zlib_deflate libcrc32c
[  418.590136] CPU: 7 PID: 1255 Comm: Xorg Tainted: GF          O 3.10.0-994-generic #201306100405
[  418.590161] Hardware name: Notebook PC, BIOS F.02 03/21/2013
[  418.590187] task: ffff8800365bddc0 ti: ffff88005411e000 task.ti: ffff88005411e000
[  418.590209] RIP: 0010:[<ffffffffa0514d98>]  [<ffffffffa0514d98>] intel_set_config_compute_mode_changes.isra.50+0x68/0x1b0 [i915]
[  418.590251] RSP: 0018:ffff88005411fc18  EFLAGS: 00010206
[  418.590266] RAX: 0000000000000550 RBX: ffff88005411fd48 RCX: ffff880065ec1000
[  418.590287] RDX: 0000002000000000 RSI: 0000000000000aa0 RDI: ffff880065f88000
[  418.590308] RBP: ffff88005411fc38 R08: ffff880065ec4478 R09: ffff880052e36a60
[  418.590328] R10: 00000000000007f2 R11: 00000000000007f1 R12: ffff880052e360d0
[  418.590349] R13: ffff880052e360d1 R14: ffff880065ec4000 R15: ffff880065f88000
[  418.590370] FS:  00007fa55b157880(0000) GS:ffff8801003c0000(0000) knlGS:0000000000000000
[  418.590393] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  418.590410] CR2: 0000002000000038 CR3: 000000005620f000 CR4: 00000000001407e0
[  418.590431] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  418.590451] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  418.590472] Stack:
[  418.590478]  ffff88005411fd48 ffff88005411fd48 ffff880052e360c0 ffff880052e360d1
[  418.590504]  ffff88005411fca8 ffffffffa051e215 0000000000000002 ffff880000000000
[  418.590529]  ffff880000000000 ffffffff81047eaf 0000000000000000 0000000000000000
[  418.590554] Call Trace:
[  418.590571]  [<ffffffffa051e215>] intel_crtc_set_config+0x125/0x2f0 [i915]
[  418.590594]  [<ffffffff81047eaf>] ? vprintk+0x1f/0x30
[  418.590621]  [<ffffffffa02d0d0e>] drm_mode_set_config_internal+0x2e/0x60 [drm]
[  418.590648]  [<ffffffffa02d39c8>] drm_mode_setcrtc+0x2e8/0x540 [drm]
[  418.590670]  [<ffffffff816c9acd>] ? mutex_lock+0x1d/0x50
[  418.590691]  [<ffffffffa02c354a>] drm_ioctl+0x50a/0x650 [drm]
[  418.590713]  [<ffffffffa02d36e0>] ? drm_mode_setplane+0x3e0/0x3e0 [drm]
[  418.590735]  [<ffffffff811987c7>] do_vfs_ioctl+0x87/0x330
[  418.590751]  [<ffffffff816ca8af>] ? __schedule+0x13f/0x6b0
[  418.590769]  [<ffffffff81198b01>] SyS_ioctl+0x91/0xb0
[  418.590786]  [<ffffffff816d5546>] system_call_fastpath+0x1a/0x1f
[  418.590803] Code: 83 c6 01 48 69 f6 50 05 00 00 eb 12 0f 1f 80 00 00 00 00 48 05 50 05 00 00 48 39 f0 74 35 48 8b 94 01 a0 04 00 00 48 85 d2 74 e8 <48> 3b 7a 38 75 e2 44 8b 84 01 84 04 00 00 45 85 c0 75 3b 48 05 
[  418.591714] RIP  [<ffffffffa0514d98>] intel_set_config_compute_mode_changes.isra.50+0x68/0x1b0 [i915]
[  418.592563]  RSP <ffff88005411fc18>
[  418.593404] CR2: 0000002000000038
Comment 1 Chris Wilson 2013-06-19 13:11:58 UTC
Doesn't look like a NULL pointer, just an invalid address. Can you translate intel_set_config_compute_mode_changes.isra.50+0x68 back into a line number so we can have a better idea which is wrong?
Comment 2 Timo Aaltonen 2013-06-19 22:28:36 UTC
no debugging symbols, dunno how to dig those since objdump outputs only asm code of the module and I got lost there..

it's this kernel, if you know what to look for:

http://kernel.ubuntu.com/~kernel-ppa/mainline/drm-intel-nightly/2013-06-10-saucy/
Comment 3 Chris Wilson 2013-06-20 08:00:49 UTC
Nope, not much we can do without the debug symbols to work out which pointer was invalid.
Comment 4 Gordon Jin 2013-06-24 13:39:30 UTC
Yangwei, can you reproduce? I guess this is HSW laptop?
Comment 5 shui yangwei 2013-06-25 06:57:40 UTC
(In reply to comment #4)
> Yangwei, can you reproduce? I guess this is HSW laptop?

Environment:
---------------------
HW info: 
Acer Haswell Notebook Aspire V3 772G 17.3 ; 
Host bridge ID=0x0c04 (rev 06);
VGA ID=0x0416 (rev06);
CPU: i7-4702MQ 2.2GHz; 
BIOS:v1.04 MEM: 4G ;

drm-intel-next-queued kernel: 1acd12dc0d6a20f6bc7c6c7f2ef7119e15d3fe64

    drm/i915: Introduce an HAS_IPS() macro

    Follow the trend and don't code conditions with platforms but with
    features.

    Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Test step:
---------------------
1. xrandr --output VGA1 --off
2. xrandr --output VGA1 --same-as HDMI1 --mode 1024x768

Description:
---------------------
I tried our HSW laptop VGA clone mode, it works well, and there's not "Call Trace" in dmesg.
Comment 6 Chris Wilson 2013-06-25 08:45:13 UTC
Timo, can you reproduce this with debugging symbols?
Comment 7 Timo Aaltonen 2013-06-26 07:01:33 UTC
I don't have the hw myself, currently waiting for the guys to provide feedback.
Comment 8 Timo Aaltonen 2013-07-17 10:06:22 UTC
ok got something, although again not the same trace as originally:

[   63.226349] Call Trace:
[   63.226361]  [<ffffffff8134d1e9>] ? snprintf+0x39/0x40
[   63.226388]  [<ffffffffa032d7dd>] drm_mode_set_config_internal+0x5d/0xe
0 [drm]
[   63.226416]  [<ffffffffa032feeb>] drm_mode_setcrtc+0xfb/0x600 [drm]
[   63.226437]  [<ffffffff816e233d>] ? mutex_lock+0x1d/0x41
[   63.226458]  [<ffffffffa0320529>] drm_ioctl+0x539/0x670 [drm]
[   63.226481]  [<ffffffffa032fdf0>] ? drm_mode_setplane+0x3b0/0x3b0 [drm]
[   63.226503]  [<ffffffff811a8877>] do_vfs_ioctl+0x97/0x560
[   63.226521]  [<ffffffff8108fed4>] ? vtime_account_user+0x74/0x90
[   63.226540]  [<ffffffff811a8dd1>] SyS_ioctl+0x91/0xb0
[   63.226557]  [<ffffffff816ee82f>] tracesys+0xe1/0xe6
[   63.226572] Code: c0 48 8b 7d c0 48 8d 72 01 48 69 f6 50 05 00 00 eb 0c
 90 48 05 50 05 00 00 48 39 f0 74 2d 48 8b 94 01 a0 04 00 00 48 85 d2 74 e8 <48> 3b 7a 38 75 e2 8b 94 01 84 04 00 00 85 d2 75 3
9 48 05 50 05 
[   63.228974] RIP  [<ffffffffa03d8f18>] intel_crtc_set_config+0x218/0x970 [i915]

so checking 'intel_crtc_set_config+0x218' from i915.ko gives:

8545                          int num_connectors)
8546    {
8547            int i;
8548
8549            for (i = 0; i < num_connectors; i++)
8550                    if (connectors[i].encoder &&
8551                        connectors[i].encoder->crtc == crtc &&
8552                        connectors[i].dpms != DRM_MODE_DPMS_ON)
8553                            return true;
8554

HEAD at 8bbbb45b2125a28ea1de657e7893a521b44b60c3
Comment 9 Timo Aaltonen 2013-07-17 10:11:53 UTC
if you want to check something else, the .ko is at http://kernel.ubuntu.com/~tjaalton/lp1179872/

don't mind the kernel version, it came from the packaging copied elsewhere, it's using whatever was in drm-intel-fixes on Jul 5th-ish.
Comment 10 Chris Wilson 2013-07-17 11:03:26 UTC
Oh my.
Comment 11 Chris Wilson 2013-07-17 11:15:41 UTC
Created attachment 82537 [details] [review]
Fix broken array dereference in is_crtc_connector_off()
Comment 12 Chris Wilson 2013-07-17 11:35:05 UTC
commit 2e57f47d317dd035b18634b0c602272529368fcc
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Wed Jul 17 12:14:40 2013 +0100

    drm/i915: Fix dereferencing invalid connectors in is_crtc_connector_off()
Comment 13 Jari Tahvanainen 2016-10-07 05:43:10 UTC
Fix provided. Closing.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.