Bug 92119 - NULL ptr deref in intel_fb_obj_invalidate
Status: CLOSED DUPLICATE of bug 93822
Alias: None
Product: DRI
Classification: Unclassified
Component: DRM/Intel
Version: DRI git
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium normal
Assignee: Intel GFX Bugs mailing list
QA Contact: Intel GFX Bugs mailing list
Duplicates: 93483
Reported: 2015-09-25 19:01 UTC by Ville Syrjala
Modified: 2017-07-24 22:45 UTC

Description Ville Syrjala 2015-09-25 19:01:38 UTC
[ 6809.025776] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 6809.025832] IP: [<ffffffffa0320409>] intel_fb_obj_invalidate+0x15/0xeb [i915]
[ 6809.025837] PGD 48b65067 PUD 4cda7067 PMD 0 
[ 6809.025841] Oops: 0000 [#1] PREEMPT SMP 
[ 6809.025888] Modules linked in: i915 i2c_algo_bit snd_soc_sst_bytcr_rt5640 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops coretemp drm hwmon intel_rapl intel_gtt intel_soc_dts_thermal punit_atom_debug agpgart i2c_hid snd_soc_rt5640 hid snd_soc_rl6231 serio video snd_intel_sst_acpi backlight snd_intel_sst_core snd_soc_sst_mfld_platform int3402_thermal snd_soc_core snd_compress int3400_thermal processor_thermal_device int3403_thermal intel_soc_dts_iosf acpi_thermal_rel int340x_thermal_zone snd_pcm evdev snd_timer i2c_designware_platform i2c_designware_core snd soundcore pwm_lpss_platform pwm_lpss sch_fq_codel efivarfs ipv6 autofs4
[ 6809.025893] CPU: 1 PID: 18404 Comm: Xorg Tainted: G        W       4.3.0-rc2-ffrd+ #142
[ 6809.025895] Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLAKFF81.X64.0088.R10.1403240443 FFD8_X64_R_2014_13_1_00 03/24/2014
[ 6809.025897] task: ffff88007a2f8000 ti: ffff880048b78000 task.ti: ffff880048b78000
[ 6809.025943] RIP: 0010:[<ffffffffa0320409>]  [<ffffffffa0320409>] intel_fb_obj_invalidate+0x15/0xeb [i915]
[ 6809.025945] RSP: 0018:ffff880048b7bb10  EFLAGS: 00010246
[ 6809.025946] RAX: 0000000080000000 RBX: ffff880074689300 RCX: 0000000000000246
[ 6809.025948] RDX: ffff880077bd8b40 RSI: 0000000000000000 RDI: 0000000000000000
[ 6809.025949] RBP: ffff880048b7bb38 R08: 0000000000000000 R09: ffffffff817b7d93
[ 6809.025951] R10: 0000000000000001 R11: 000000000000a0d3 R12: 0000000000000000
[ 6809.025952] R13: 0000000000000080 R14: 0000000000000000 R15: ffff880071f0e400
[ 6809.025954] FS:  00007f3179146940(0000) GS:ffff880079280000(0000) knlGS:0000000000000000
[ 6809.025956] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 6809.025958] CR2: 0000000000000008 CR3: 0000000048927000 CR4: 00000000001006e0
[ 6809.025958] Stack:
[ 6809.025964]  ffff880074689300 0000000000000000 0000000000000080 ffff880071f0e510
[ 6809.025968]  ffff880071f0e400 ffff880048b7bb58 ffffffffa0328619 0000000000000000
[ 6809.025972]  ffff880071f0e400 ffff880048b7bc88 ffffffff812adc51 002000017a2f8000
[ 6809.025973] Call Trace:
[ 6809.026020]  [<ffffffffa0328619>] intel_fbdev_set_par+0x42/0x56 [i915]
[ 6809.026026]  [<ffffffff812adc51>] fb_set_var+0x2ab/0x3a2
[ 6809.026032]  [<ffffffff8109cadc>] ? mark_lock+0x2f/0x225
[ 6809.026035]  [<ffffffff8109d7bb>] ? __lock_acquire+0x65e/0xdc3
[ 6809.026039]  [<ffffffff812a93c1>] fbcon_blank+0x8a/0x1f1
[ 6809.026045]  [<ffffffff813037a6>] do_unblank_screen+0xf2/0x160
[ 6809.026049]  [<ffffffff812fb68c>] vt_ioctl+0x52b/0xffe
[ 6809.026053]  [<ffffffff812f0fff>] tty_ioctl+0xb3a/0xbb4
[ 6809.026056]  [<ffffffff8109b033>] ? __lock_is_held+0x38/0x50
[ 6809.026061]  [<ffffffff81184d21>] ? rcu_read_unlock+0x3e/0x5d
[ 6809.026066]  [<ffffffff8117be8d>] do_vfs_ioctl+0x41d/0x4e9
[ 6809.026069]  [<ffffffff81184e40>] ? __fget_light+0x62/0x71
[ 6809.026073]  [<ffffffff8117bf96>] SyS_ioctl+0x3d/0x64
[ 6809.026077]  [<ffffffff81491d97>] entry_SYSCALL_64_fastpath+0x12/0x6f
[ 6809.026132] Code: f2 89 de 4c 89 e7 e8 da f8 ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 89 f6 41 55 41 54 53 <4c> 8b 6f 08 48 89 fb 41 8b 45 60 4d 8b 65 28 ff c8 75 21 48 c7 
[ 6809.026177] RIP  [<ffffffffa0320409>] intel_fb_obj_invalidate+0x15/0xeb [i915]
[ 6809.026178]  RSP <ffff880048b7bb10>
[ 6809.026179] CR2: 0000000000000008
[ 6809.026183] ---[ end trace 9cf425858b306ee6 ]---

Happened on BYT and BSW at least, didn't test other platforms so far. Basic steps were:

startx -- -bs
xrandr ... --off
kill X
Comment 1 Ville Syrjala 2015-09-25 19:09:59 UTC
Looking at the asm, it would appear to be the obj->base.dev where it blows up, so NULL obj gets passed in.
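
The register-level reasoning in Comment 1, worked through as an added example (not part of the original report or of the i915 code): it decodes the instruction at the `<4c>` marker in the `Code:` line and checks that base register plus displacement equals CR2. The function names are hypothetical, the decoder handles only this one instruction form, and the embedded lines are copied from the oops above with timestamps dropped and the `Code:` line shortened.

```python
import re

# Lines copied from the oops in this report (timestamps dropped, Code: line shortened).
OOPS = """\
RDX: ffff880077bd8b40 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff880048b7bb38 R08: 0000000000000000 R09: ffffffff817b7d93
CR2: 0000000000000008 CR3: 0000000048927000 CR4: 00000000001006e0
Code: 55 48 89 e5 41 57 41 56 41 89 f6 41 55 41 54 53 <4c> 8b 6f 08 48 89 fb 41 8b 45 60
"""

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

def parse_oops(text):
    """Return (register dict, CR2, bytes starting at the faulting instruction)."""
    regs = {n.lower().replace("r0", "r"): int(v, 16)
            for n, v in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})", text)}
    cr2 = int(re.search(r"CR2: ([0-9a-f]{16})", text).group(1), 16)
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))  # <xx> marks the faulting RIP
    insn = bytes(int(b.strip("<>"), 16) for b in code[start:])
    return regs, cr2, insn

def decode_load(insn):
    """Decode only `REX.W 8B /r` with an 8-bit displacement: mov disp8(base), dst."""
    rex, opcode, modrm, disp = insn[0], insn[1], insn[2], insn[3]
    if (rex & 0xF8) != 0x48 or opcode != 0x8B:
        raise ValueError("not a REX.W MOV r64, r/m64")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:
        raise ValueError("only the disp8, no-SIB form is handled")
    dst = REGS64[reg | ((rex & 4) << 1)]   # REX.R extends the destination register
    base = REGS64[rm | ((rex & 1) << 3)]   # REX.B extends the base register
    disp -= 256 if disp > 127 else 0       # disp8 is signed
    return dst, base, disp

def triage(text):
    """Tie the faulting load to CR2 and report whether its base pointer was NULL."""
    regs, cr2, insn = parse_oops(text)
    dst, base, disp = decode_load(insn)
    addr = (regs[base] + disp) & (2**64 - 1)
    return {"insn": f"mov {disp:#x}(%{base}),%{dst}",
            "matches_cr2": addr == cr2,
            "null_base": regs[base] == 0}

if __name__ == "__main__":
    print(triage(OOPS))
```

The faulting load reads through `%rdi`, which carries the first integer argument in the x86-64 SysV calling convention, and the preceding prologue bytes in the `Code:` line do not write to it.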
Comment 2 Ville Syrjala 2015-09-25 19:13:23 UTC
And just happened on IVB too.
Comment 3 Jiri Slaby 2016-02-01 15:15:05 UTC
Seems to be this:
https://apibugzilla.novell.com/show_bug.cgi?id=962866

Is it preceded by a WARNING from kref too?
Comment 4 Jiri Slaby 2016-02-01 15:17:37 UTC
*** Bug 93483 has been marked as a duplicate of this bug. ***
Comment 5 Jiri Slaby 2016-02-01 15:19:10 UTC

*** This bug has been marked as a duplicate of bug 93822 ***

