75963 – [PNV ILK Regression]system boot fail

Bug 75963 - [PNV ILK Regression]system boot fail

Summary: [PNV ILK Regression]system boot fail

Status:	CLOSED FIXED

Alias:	None

Product:	DRI
Classification:	Unclassified
Component:	DRM/Intel (show other bugs)
Version:	unspecified
Hardware:	All Linux (All)

Importance:	high critical
Assignee:	Chris Wilson
QA Contact:	Intel GFX Bugs mailing list

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2014-03-10 01:53 UTC by lu hua
Modified:	2017-10-06 14:39 UTC (History)
CC List:	1 user (show)

See Also:
i915 platform:
i915 features:

Attachments
dmesg (72.42 KB, text/plain) 2014-03-10 01:53 UTC, lu hua	no flags	Details
View All

Description lu hua 2014-03-10 01:53:28 UTC

Created attachment 95483 [details]
dmesg

System Environment:
--------------------------
Platform: Ironlake/Pineview
kernel:   drm-intel-nightly/32faf6da913d67a4a3fcddd810305ec3445ed581

Bug detailed description:
---------------------------
Clean system, system boot fail. It happens on Ironlake and Pineview with -nightly and -queued kernel.
On Pineview, screen is black, can't connect via ssh.
On Ironlake, screen is black, connect successfully via ssh. Run xinit or reboot, System is no response.

The latest known good commit: eb162c62dbeb3424c061f057e47edfa88e235ca1
The latest known bad commit: 484b41dd70a9fbea894632d8926bbb93f05021c7

Reproduce steps:
-------------------------
1. clean system

Comment 1 Chris Wilson 2014-03-10 07:40:49 UTC

commit 484b41dd70a9fbea894632d8926bbb93f05021c7
Author: Jesse Barnes <jbarnes@virtuousgeek.org>
Date:   Fri Mar 7 08:57:55 2014 -0800

    drm/i915: remove early fb allocation dependency on CONFIG_FB v2
    
    By stuffing the fb allocation into the crtc, we get mode set lifetime
    refcounting for free, but have to handle the initial pin & fence
    slightly differently.  It also means we can move the shared fb handling
    into the core rather than leaving it out in the fbdev code.
    
    v2: null out crtc->fb on error (Daniel)
        take fbdev fb ref and remove unused error path (Daniel)
    
    Requested-by: Daniel Vetter <daniel@ffwll.ch>
    Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>

Comment 2 Chris Wilson 2014-03-10 07:41:09 UTC

Should be fixed by

diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 6e9f189765f6..c3864d1bc62f 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2125,6 +2125,7 @@ static void intel_find_plane_obj(struct intel_crtc *intel_crtc,
                return;
 
        kfree(intel_crtc->base.fb);
+       intel_crtc->base.fb = NULL;
 
        /*
         * Failed to alloc the obj, check to see if we should share

Please test.

Comment 3 lu hua 2014-03-10 08:22:49 UTC

(In reply to comment #2)
> Should be fixed by
> 
> diff --git a/drivers/gpu/drm/i915/intel_display.c
> b/drivers/gpu/drm/i915/intel_display.c
> index 6e9f189765f6..c3864d1bc62f 100644
> --- a/drivers/gpu/drm/i915/intel_display.c
> +++ b/drivers/gpu/drm/i915/intel_display.c
> @@ -2125,6 +2125,7 @@ static void intel_find_plane_obj(struct intel_crtc
> *intel_crtc,
>                 return;
>  
>         kfree(intel_crtc->base.fb);
> +       intel_crtc->base.fb = NULL;
>  
>         /*
>          * Failed to alloc the obj, check to see if we should share
> 
> Please test.

Fixed by this patch.

Comment 4 Daniel Vetter 2014-03-10 09:19:55 UTC

commit d1a59868efa65379482c79de997973b06cefb9d2
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Mon Mar 10 08:07:01 2014 +0000

    drm/i915: Prevent use-after-free of inherited framebuffer

Comment 5 lu hua 2014-03-11 07:16:50 UTC

Verified.Fixed.

Comment 6 Elizabeth 2017-10-06 14:39:28 UTC

Closing old verified.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.