Bug 12333

Summary: Radeon DRM produces kernel BUG at mm/vmalloc.c:292
Product: Drivers
Reporter: Roger Luethi (rl)
Component: Video(DRI - non Intel)
Assignee: drivers_video-dri
Status: CLOSED OBSOLETE
Severity: normal
CC: alan
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.28
Subsystem:
Regression: Yes
Bisected commit-id:
Attachments: debug patch; messages from the crash

Description Roger Luethi 2008-12-30 12:13:26 UTC
With 2.6.28, starting X results in a kernel BUG (X doesn't come up, console doesn't come back). Here goes:

[  135.938363] ------------[ cut here ]------------
[  135.938369] kernel BUG at mm/vmalloc.c:292!
[  135.938374] invalid opcode: 0000 [#1] PREEMPT SMP 
[  135.938382] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:05:04.0/resource
[  135.938388] Dumping ftrace buffer:
[  135.938392]    (ftrace buffer empty)
[  135.938394] Modules linked in: ipt_MASQUERADE xt_mark nf_nat_irc nf_nat_ftp iptable_mangle iptable_nat nf_nat xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_limit ipt_LOG nf_conntrack_irc nf_conntrack_ftp nf_conntrack iptable_filter ip_tables x_tables lm78 snd_seq snd_seq_device af_packet coretemp w83627ehf hwmon_vid hwmon eeprom acpi_cpufreq cpufreq_userspace radeon drm agpgart usblp snd_hda_intel snd_pcm snd_timer snd soundcore 8139too uhci_hcd skge ehci_hcd radeonfb fb_ddc 8139cp i2c_algo_bit i2c_i801 thermal rtc snd_page_alloc via_rhine i2c_core processor sr_mod cdrom [last unloaded: microcode]
[  135.938450] 
[  135.938453] Pid: 10937, comm: X Not tainted (2.6.28 #3) System Product Name
[  135.938457] EIP: 0060:[<c017d106>] EFLAGS: 00013207 CPU: 0
[  135.938464] EIP is at alloc_vmap_area+0x17b/0x1f9
[  135.938467] EAX: 00da6000 EBX: fcda5000 ECX: 00000000 EDX: f58fd10c
[  135.938470] ESI: f57c2800 EDI: f5680e80 EBP: f572ee5c ESP: f572ee30
[  135.938474]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  135.938478] Process X (pid: 10937, ti=f572e000 task=f5692520 task.ti=f572e000)
[  135.938480] Stack:
[  135.938482]  04000000 f7ffe000 00000001 04001000 ffffffff 00000000 f7ffe000 c04c1ef4
[  135.938490]  f57c6ea0 04001000 00000001 f572ee84 c017d22f ff7fe000 ffffffff 000000d0
[  135.938498]  f7ffe000 00000002 04000000 000000d0 00000163 f572eea8 c017d871 ff7fe000
[  135.938507] Call Trace:
[  135.938511]  [<c017d22f>] ? __get_vm_area_node+0xab/0x132
[  135.938516]  [<c017d871>] ? __vmalloc_node+0x5f/0x83
[  135.938521]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.938526]  [<c017d8e2>] ? __vmalloc+0x12/0x14
[  135.938530]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.938534]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.938539]  [<f871e447>] ? drm_sg_alloc+0x147/0x23a [drm]
[  135.938557]  [<f871e53a>] ? drm_sg_alloc_ioctl+0x0/0x12 [drm]
[  135.938573]  [<f871e547>] ? drm_sg_alloc_ioctl+0xd/0x12 [drm]
[  135.938588]  [<f8719887>] ? drm_ioctl+0x1b3/0x234 [drm]
[  135.938604]  [<c0194431>] ? vfs_ioctl+0x53/0x6c
[  135.938609]  [<c01948a4>] ? do_vfs_ioctl+0x38c/0x3d0
[  135.938613]  [<c01aad66>] ? inotify_inode_queue_event+0xe/0xac
[  135.938618]  [<c01ab33d>] ? inotify_dentry_parent_queue_event+0xe/0x83
[  135.938623]  [<c0104940>] ? trace+0x13/0x1b
[  135.938628]  [<c0194919>] ? sys_ioctl+0x31/0x4a
[  135.938632]  [<c0103ab7>] ? sysenter_do_call+0x12/0x2f
[  135.938637] Code: 68 dd 59 c0 89 1f 89 57 04 c7 47 08 00 00 00 00 eb 1f 8b 07 3b 42 f8 73 05 8d 42 08 eb 11 8b 47 04 3b 42 f4 76 05 8d 42 04 eb 04 <0f> 0b eb fe 89 d1 8b 10 85 d2 75 db 8d 5f 0c ba 68 dd 59 c0 89 
[  135.938683] EIP: [<c017d106>] alloc_vmap_area+0x17b/0x1f9 SS:ESP 0068:f572ee30
[  135.938691] ---[ end trace 1f77649fa6dca934 ]---
[  135.938694] note: X[10937] exited with preempt_count 2
[  135.940015] BUG: scheduling while atomic: X/10937/0x10000002
[  135.940017] Modules linked in: ipt_MASQUERADE xt_mark nf_nat_irc nf_nat_ftp iptable_mangle iptable_nat nf_nat xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_limit ipt_LOG nf_conntrack_irc nf_conntrack_ftp nf_conntrack iptable_filter ip_tables x_tables lm78 snd_seq snd_seq_device af_packet coretemp w83627ehf hwmon_vid hwmon eeprom acpi_cpufreq cpufreq_userspace radeon drm agpgart usblp snd_hda_intel snd_pcm snd_timer snd soundcore 8139too uhci_hcd skge ehci_hcd radeonfb fb_ddc 8139cp i2c_algo_bit i2c_i801 thermal rtc snd_page_alloc via_rhine i2c_core processor sr_mod cdrom [last unloaded: microcode]
[  135.940079] Pid: 10937, comm: X Tainted: G      D    2.6.28 #3
[  135.940081] Call Trace:
[  135.940086]  [<c012362d>] __schedule_bug+0x50/0x55
[  135.940092]  [<c03550ff>] schedule+0x7e/0x759
[  135.940096]  [<c011168a>] ? smp_apic_timer_interrupt+0x76/0x84
[  135.940102]  [<c016f512>] ? drain_cpu_pagevecs+0xb/0x71
[  135.940106]  [<c016f5ec>] ? lru_add_drain+0x32/0x34
[  135.940110]  [<c01245c8>] __cond_resched+0x16/0x33
[  135.940114]  [<c03558fb>] _cond_resched+0x24/0x2f
[  135.940118]  [<c0175b8d>] unmap_vmas+0x455/0x597
[  135.940123]  [<c0179085>] exit_mmap+0xa8/0x127
[  135.940127]  [<c0126475>] mmput+0x28/0x88
[  135.940131]  [<c0129895>] exit_mm+0xe6/0xee
[  135.940135]  [<c03571c0>] ? _spin_unlock_irq+0xd/0x2f
[  135.940139]  [<c012ac0e>] do_exit+0x1b7/0x6d4
[  135.940144]  [<c0128164>] ? print_oops_end_marker+0x23/0x28
[  135.940148]  [<c0357d1c>] oops_end+0x8e/0x96
[  135.940152]  [<c0105ef5>] die+0x5c/0x64
[  135.940156]  [<c035763b>] do_trap+0x89/0xa2
[  135.940160]  [<c0104e64>] ? do_invalid_op+0x0/0x89
[  135.940164]  [<c0104ee3>] do_invalid_op+0x7f/0x89
[  135.940169]  [<c017d106>] ? alloc_vmap_area+0x17b/0x1f9
[  135.940173]  [<c0104940>] ? trace+0x13/0x1b
[  135.940177]  [<c0173058>] ? __mod_zone_page_state+0xb/0x55
[  135.940182]  [<c016bb0e>] ? __rmqueue_smallest+0x8b/0xea
[  135.940186]  [<c0104940>] ? trace+0x13/0x1b
[  135.940194]  [<c035740a>] error_code+0x72/0x78
[  135.940200]  [<c017d106>] ? alloc_vmap_area+0x17b/0x1f9
[  135.940204]  [<c017d22f>] __get_vm_area_node+0xab/0x132
[  135.940209]  [<c017d871>] __vmalloc_node+0x5f/0x83
[  135.940213]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.940217]  [<c017d8e2>] __vmalloc+0x12/0x14
[  135.940221]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.940225]  [<c017d927>] vmalloc_32+0x17/0x19
[  135.940239]  [<f871e447>] drm_sg_alloc+0x147/0x23a [drm]
[  135.940254]  [<f871e53a>] ? drm_sg_alloc_ioctl+0x0/0x12 [drm]
[  135.940268]  [<f871e547>] drm_sg_alloc_ioctl+0xd/0x12 [drm]
[  135.940283]  [<f8719887>] drm_ioctl+0x1b3/0x234 [drm]
[  135.940289]  [<c0194431>] vfs_ioctl+0x53/0x6c
[  135.940293]  [<c01948a4>] do_vfs_ioctl+0x38c/0x3d0
[  135.940297]  [<c01aad66>] ? inotify_inode_queue_event+0xe/0xac
[  135.940302]  [<c01ab33d>] ? inotify_dentry_parent_queue_event+0xe/0x83
[  135.940306]  [<c0104940>] ? trace+0x13/0x1b
[  135.940310]  [<c0194919>] sys_ioctl+0x31/0x4a
[  135.940314]  [<c0103ab7>] sysenter_do_call+0x12/0x2f
[  135.963912] BUG: scheduling while atomic: X/10937/0x10000002
[  135.963915] Modules linked in: ipt_MASQUERADE xt_mark nf_nat_irc nf_nat_ftp iptable_mangle iptable_nat nf_nat xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_limit ipt_LOG nf_conntrack_irc nf_conntrack_ftp nf_conntrack iptable_filter ip_tables x_tables lm78 snd_seq snd_seq_device af_packet coretemp w83627ehf hwmon_vid hwmon eeprom acpi_cpufreq cpufreq_userspace radeon drm agpgart usblp snd_hda_intel snd_pcm snd_timer snd soundcore 8139too uhci_hcd skge ehci_hcd radeonfb fb_ddc 8139cp i2c_algo_bit i2c_i801 thermal rtc snd_page_alloc via_rhine i2c_core processor sr_mod cdrom [last unloaded: microcode]
[  135.963979] Pid: 10937, comm: X Tainted: G      D    2.6.28 #3
[  135.963982] Call Trace:
[  135.963989]  [<c012362d>] __schedule_bug+0x50/0x55
[  135.963994]  [<c03550ff>] schedule+0x7e/0x759
[  135.964021]  [<c01967a3>] ? d_free+0x2a/0x3c
[  135.964026]  [<c018afe7>] ? __fput+0x14e/0x156
[  135.964030]  [<c01245c8>] __cond_resched+0x16/0x33
[  135.964034]  [<c03558fb>] _cond_resched+0x24/0x2f
[  135.964039]  [<c0129a1e>] put_files_struct+0x72/0xaf
[  135.964042]  [<c0129a97>] exit_files+0x3c/0x41
[  135.964046]  [<c012ac65>] do_exit+0x20e/0x6d4
[  135.964051]  [<c0128164>] ? print_oops_end_marker+0x23/0x28
[  135.964056]  [<c0357d1c>] oops_end+0x8e/0x96
[  135.964060]  [<c0105ef5>] die+0x5c/0x64
[  135.964064]  [<c035763b>] do_trap+0x89/0xa2
[  135.964069]  [<c0104e64>] ? do_invalid_op+0x0/0x89
[  135.964073]  [<c0104ee3>] do_invalid_op+0x7f/0x89
[  135.964078]  [<c017d106>] ? alloc_vmap_area+0x17b/0x1f9
[  135.964082]  [<c0104940>] ? trace+0x13/0x1b
[  135.964087]  [<c0173058>] ? __mod_zone_page_state+0xb/0x55
[  135.964091]  [<c016bb0e>] ? __rmqueue_smallest+0x8b/0xea
[  135.964096]  [<c0104940>] ? trace+0x13/0x1b
[  135.964104]  [<c035740a>] error_code+0x72/0x78
[  135.964110]  [<c017d106>] ? alloc_vmap_area+0x17b/0x1f9
[  135.964115]  [<c017d22f>] __get_vm_area_node+0xab/0x132
[  135.964120]  [<c017d871>] __vmalloc_node+0x5f/0x83
[  135.964124]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.964128]  [<c017d8e2>] __vmalloc+0x12/0x14
[  135.964132]  [<c017d927>] ? vmalloc_32+0x17/0x19
[  135.964136]  [<c017d927>] vmalloc_32+0x17/0x19
[  135.964152]  [<f871e447>] drm_sg_alloc+0x147/0x23a [drm]
[  135.964167]  [<f871e53a>] ? drm_sg_alloc_ioctl+0x0/0x12 [drm]
[  135.964181]  [<f871e547>] drm_sg_alloc_ioctl+0xd/0x12 [drm]
[  135.964195]  [<f8719887>] drm_ioctl+0x1b3/0x234 [drm]
[  135.964201]  [<c0194431>] vfs_ioctl+0x53/0x6c
[  135.964205]  [<c01948a4>] do_vfs_ioctl+0x38c/0x3d0
[  135.964210]  [<c01aad66>] ? inotify_inode_queue_event+0xe/0xac
[  135.964215]  [<c01ab33d>] ? inotify_dentry_parent_queue_event+0xe/0x83
[  135.964219]  [<c0104940>] ? trace+0x13/0x1b
[  135.964223]  [<c0194919>] sys_ioctl+0x31/0x4a
[  135.964227]  [<c0103ab7>] sysenter_do_call+0x12/0x2f
[  135.969319] [drm:drm_release] *ERROR* Device busy: 1 0

The change that introduced this new behavior is commit 78538bf14995a136c2d9a22159ada49937359119:

Author: Dave Airlie <airlied@linux.ie>
Date:   Tue Nov 11 17:56:16 2008 +1000
    drm/radeon: map registers at load time

Comment 1 Nick Piggin 2008-12-30 18:57:21 UTC
Created attachment 19552
debug patch

It almost seems like there is a corrupted vmap area in the rbtree or attempted to be inserted...

Can you try the following patch, reproduce the bug, and post the messages that come out, please?

Thanks
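
The inconsistent-range condition suspected in the comment above can be modelled in user space. The following C sketch is an added example, not kernel source and not the attached debug patch; its function names, the ordering check, the neighbouring node and the reading of the oops values (EBX `fcda5000` as a start address, stack word `04001000` as a size, `ff7fe000` as an upper bound) are assumptions. It shows how a 32-bit `start + size` that wraps yields a range that an ordered insert can place neither before nor after an existing one, and how a wrap-safe bound check rejects it first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one address range [start, end) on a 32-bit kernel. */
struct range { uint32_t start, end; };

enum step { GO_LEFT, GO_RIGHT, INCONSISTENT };

/* One descent step when inserting va into a tree ordered by address.
 * INCONSISTENT means va sorts neither before nor after node; an
 * allocator can only treat that as a fatal bug. */
static enum step descend(struct range va, struct range node)
{
    if (va.start < node.end)
        return GO_LEFT;
    if (va.end > node.start)
        return GO_RIGHT;
    return INCONSISTENT;
}

/* Naive bound check: the 32-bit sum can wrap and pass the comparison. */
static bool fits_naive(uint32_t start, uint32_t size, uint32_t limit)
{
    return (uint32_t)(start + size) <= limit;
}

/* Wrap-safe bound check: compare size against the room left below limit. */
static bool fits_checked(uint32_t start, uint32_t size, uint32_t limit)
{
    return start <= limit && size <= limit - start;
}

int main(void)
{
    /* Values read from the oops above; their roles are assumed. */
    uint32_t start = 0xfcda5000u, size = 0x04001000u, limit = 0xff7fe000u;
    struct range va = { start, start + size };          /* end wraps */
    struct range node = { 0xf8800000u, 0xfcda5000u };   /* constructed neighbour */

    printf("end=%08x naive=%d checked=%d step=%d\n", (unsigned)va.end,
           fits_naive(start, size, limit), fits_checked(start, size, limit),
           descend(va, node));
    return 0;
}
```

The wrapped end value, `00da6000`, is the same value the register dump shows in EAX.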

Comment 2 Roger Luethi 2008-12-31 02:10:32 UTC
Created attachment 19569
messages from the crash