Bug 25572

Summary: i915: NULL dereference in drm_ht_insert_item
Product: Drivers
Reporter: mattho.l2p
Component: Video(DRI - Intel)
Assignee: drivers_video-dri-intel (drivers_video-dri-intel)
Status: RESOLVED CODE_FIX
Severity: normal
CC: avillaci, chris
Priority: P1
Hardware: All
OS: Linux
Kernel Version: kernel-2.6.35.9-64.fc14.x86_64
Subsystem:
Regression: No
Bisected commit-id:

Description mattho.l2p 2010-12-23 20:17:59 UTC
Description:

At some point the system seems to have frozen.


Relevant trace from messages:

kernel: [28655.336551] BUG: unable to handle kernel NULL pointer dereference at 000000000000000f
kernel: [28655.336557] IP: [<ffffffffa0033a57>] drm_ht_insert_item+0x45/0x98 [drm]
kernel: [28655.336579] PGD bab6067 PUD 2d09c067 PMD 0 
kernel: [28655.336583] Oops: 0000 [#1] SMP 
kernel: [28655.336586] last sysfs file: /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0A:00/power_supply/BAT0/charge_full
kernel: [28655.336590] CPU 1 
kernel: [28655.336591] Modules linked in: tcp_lp fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 kvm uinput snd_hda_codec_intelhdmi snd_hda_codec_idt arc4 ecb snd_hda_intel snd_hda_codec iwlagn snd_hwdep snd_seq snd_seq_device snd_pcm uvcvideo snd_timer videodev snd iwlcore mac80211 v4l1_compat cfg80211 e1000e soundcore v4l2_compat_ioctl32 iTCO_wdt snd_page_alloc joydev dell_laptop rfkill i2c_i801 dell_wmi iTCO_vendor_support microcode dcdbas wmi sdhci_pci sdhci firewire_ohci mmc_core firewire_core crc_itu_t i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]
kernel: [28655.336640] 
kernel: [28655.336643] Pid: 8151, comm: java Not tainted 2.6.35.9-64.fc14.x86_64 #1       /Latitude E6400                  
kernel: [28655.336645] RIP: 0010:[<ffffffffa0033a57>]  [<ffffffffa0033a57>] drm_ht_insert_item+0x45/0x98 [drm]
kernel: [28655.336657] RSP: 0018:ffff880030853cf0  EFLAGS: 00010286
kernel: [28655.336659] RAX: ffffc9000506eff8 RBX: ffff880076e7ee28 RCX: ffffffffffffffff
kernel: [28655.336661] RDX: ffff88003525d428 RSI: ffff88003525d428 RDI: ffffffffffffffff
kernel: [28655.336664] RBP: ffff880030853d08 R08: afc0000000000000 R09: ffff880030853cc8
kernel: [28655.336666] R10: 0000000000fe09f8 R11: 0000000000000008 R12: ffff880037830578
kernel: [28655.336669] R13: 000000000011f5f8 R14: ffff88004193f420 R15: ffff880037830540
kernel: [28655.336672] FS:  00007f6414d18700(0000) GS:ffff880002100000(0000) knlGS:0000000000000000
kernel: [28655.336674] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kernel: [28655.336676] CR2: 000000000000000f CR3: 0000000051221000 CR4: 00000000000006e0
kernel: [28655.336679] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kernel: [28655.336681] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
kernel: [28655.336684] Process java (pid: 8151, threadinfo ffff880030852000, task ffff880064ff8000)
kernel: [28655.336686] Stack:
kernel: [28655.336687]  ffff880076e7ee00 ffff880030853da8 ffff88003785d020 ffff880030853d58
kernel: [28655.336691] <0> ffffffffa007f828 ffff880030853d28 ffff88007760c000 ffff880030853d38
kernel: [28655.336695] <0> ffff88002ece2540 00000000fffffff2 ffff880030853da8 ffffffffa00a9e60
kernel: [28655.336700] Call Trace:
kernel: [28655.336714]  [<ffffffffa007f828>] i915_gem_mmap_gtt_ioctl+0x177/0x240 [i915]
kernel: [28655.336723]  [<ffffffffa002c2b8>] drm_ioctl+0x28b/0x389 [drm]
kernel: [28655.336734]  [<ffffffffa007f6b1>] ? i915_gem_mmap_gtt_ioctl+0x0/0x240 [i915]
kernel: [28655.336739]  [<ffffffff810f15e2>] ? mmap_region+0x35c/0x455
kernel: [28655.336743]  [<ffffffff810e929d>] ? pmd_offset+0x19/0x40
kernel: [28655.336747]  [<ffffffff81123f5b>] vfs_ioctl+0x36/0xa7
kernel: [28655.336750]  [<ffffffff811248bc>] do_vfs_ioctl+0x468/0x49b
kernel: [28655.336753]  [<ffffffff81124945>] sys_ioctl+0x56/0x79
kernel: [28655.336757]  [<ffffffff81009cf2>] system_call_fastpath+0x16/0x1b
kernel: [28655.336759] Code: fc 4c 89 ef e8 b7 fe ff ff 89 c0 31 d2 48 c1 e0 03 49 03 44 24 10 48 8b 30 48 89 f1 eb 08 77 19 48 89 ca 48 89 f9 48 85 c9 74 0e <4c> 39 69 10 48 8b 39 0f 18 0f 75 e7 eb 39 48 85 d2 74 1d 48 8b 
kernel: [28655.336791] RIP  [<ffffffffa0033a57>] drm_ht_insert_item+0x45/0x98 [drm]
kernel: [28655.336802]  RSP <ffff880030853cf0>
kernel: [28655.336803] CR2: 000000000000000f
kernel: [28655.336806] ---[ end trace 13ab7e449d6b6b06 ]---


Hardware details:

Dell Latitude E6400
lspci:
00:00.0 Host bridge: Intel Corporation Mobile 4 Series Chipset Memory Controller Hub (rev 07)
00:02.0 VGA compatible controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)
00:02.1 Display controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)
00:19.0 Ethernet controller: Intel Corporation 82567LM Gigabit Network Connection (rev 03)
00:1a.0 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #5 (rev 03)
00:1a.2 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #6 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801I (ICH9 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 1 (rev 03)
00:1c.1 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 2 (rev 03)
00:1c.2 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 3 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 4 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801I (ICH9 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 93)
00:1f.0 ISA bridge: Intel Corporation ICH9M-E LPC Interface Controller (rev 03)
00:1f.2 RAID bus controller: Intel Corporation Mobile 82801 SATA RAID Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801I (ICH9 Family) SMBus Controller (rev 03)
03:01.0 FireWire (IEEE 1394): Ricoh Co Ltd R5C832 IEEE 1394 Controller (rev 04)
03:01.1 SD Host controller: Ricoh Co Ltd R5C822 SD/SDIO/MMC/MS/MSPro Host Adapter (rev 21)
03:01.2 System peripheral: Ricoh Co Ltd R5C843 MMC Host Controller (rev 11)
0c:00.0 Network controller: Intel Corporation WiFi Link 5100


Additional system info:

kernel-2.6.35.9-64.fc14.x86_64
libdrm-2.4.22-1.fc14.x86_64
mesa-dri-drivers-7.9-4.fc14.x86_64


How to reproduce:

Not sure how to reproduce this problem. Happened a few times though.
Comment 1 Alex Villacis Lasso 2011-01-25 23:04:50 UTC
I have what seems like the exact same bug. It is being followed at:
https://bugzilla.redhat.com/show_bug.cgi?id=665887
https://bugs.freedesktop.org/show_bug.cgi?id=29325
Comment 2 Chris Wilson 2011-03-19 12:42:06 UTC
According to https://bugs.freedesktop.org/show_bug.cgi?id=29325 this was a use-after-free bug in another [network?] driver that has been fixed with 2.6.38.