Bug 46631

Summary: NULL pointer dereference in intel_sdvo_detect on Dell Latitude D610
Product: Drivers
Reporter: Ben Gamari (bgamari)
Component: Video(DRI - Intel)
Assignee: Jani Nikula (jani.nikula)
Status: RESOLVED PATCH_ALREADY_AVAILABLE
Severity: normal
CC: alan, bjo, chris, daniel, jani.nikula
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 3.5
Subsystem:
Regression: No
Bisected commit-id:
Attachments: drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures

Description Ben Gamari 2012-08-29 14:33:26 UTC
This bug was originally fixed in #24312 but seems to have come back in v3.5.
Comment 1 Ben Gamari 2012-08-29 14:33:39 UTC
[   38.795170] BUG: unable to handle kernel NULL pointer dereference at 00000109
[   38.796004] IP: [<c146b9d0>] i2c_transfer+0x10/0xc0
[   38.796004] *pdpt = 00000000356d3001 *pde = 0000000000000000 
[   38.796004] Oops: 0000 [#1] SMP 
[   38.796004] Modules linked in: michael_mic arc4 lib80211_crypt_tkip lib80211_crypt_ccmp bnep bluetooth parport_pc ppdev i915 snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm ipw2200 snd_seq_midi drm_kms_helper snd_rawmidi libipw snd_seq_midi_event drm snd_seq joydev snd_timer cfg80211 snd_seq_device pcmcia snd psmouse dell_laptop yenta_socket soundcore gpio_ich pcmcia_rsrc serio_raw pcmcia_core microcode snd_page_alloc i2c_algo_bit dcdbas lpc_ich mac_hid lib80211 video lp parport tg3
[   38.796004] 
[   38.796004] Pid: 1175, comm: Xorg Not tainted 3.5.0 #9 Dell Inc. Latitude D610                   /0U8082
[   38.796004] EIP: 0060:[<c146b9d0>] EFLAGS: 00013286 CPU: 0
[   38.796004] EIP is at i2c_transfer+0x10/0xc0
[   38.796004] EAX: 00000101 EBX: f6fe6c00 ECX: 00000003 EDX: f5ae2fc0
[   38.796004] ESI: 00000101 EDI: 00000018 EBP: f566bcd8 ESP: f566bcc0
[   38.796004]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   38.796004] CR0: 80050033 CR2: 00000109 CR3: 35b81000 CR4: 000007f0
[   38.796004] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   38.796004] DR6: ffff0ff0 DR7: 00000400
[   38.796004] Process Xorg (pid: 1175, ti=f566a000 task=f0428cb0 task.ti=f566a000)
[   38.796004] Stack:
[   38.796004]  000080d0 00000024 0000ca01 f6fe6c00 f5ae2fcc 00000018 f566bd20 f878bc1b
[   38.796004]  00000004 00000000 00000000 f87b4681 f87b0360 0000000b 0000000c 0b000001
[   38.796004]  00000003 f5ae2fc0 f547c0e8 f6fe6c00 09000001 f6fe6c00 f5757800 00000003
[   38.796004] Call Trace:
[   38.796004]  [<f878bc1b>] intel_sdvo_write_cmd+0x28b/0x370 [i915]
[   38.796004]  [<f878e136>] intel_sdvo_detect+0x36/0x310 [i915]
[   38.796004]  [<c12cf54a>] ? snprintf+0x1a/0x20
[   38.796004]  [<f860cc15>] ? drm_get_connector_name+0x45/0x50 [drm]
[   38.796004]  [<f8658ef8>] drm_helper_probe_single_connector_modes+0x178/0x320 [drm_kms_helper]
[   38.796004]  [<f860f453>] drm_mode_getconnector+0x303/0x360 [drm]
[   38.796004]  [<c11038cf>] ? __generic_file_aio_write+0x22f/0x4f0
[   38.796004]  [<f8601ee8>] drm_ioctl+0x408/0x470 [drm]
[   38.796004]  [<f860f150>] ? drm_mode_getcrtc+0xd0/0xd0 [drm]
[   38.796004]  [<f8601ae0>] ? drm_copy_field+0x80/0x80 [drm]
[   38.796004]  [<c115f372>] do_vfs_ioctl+0x82/0x5b0
[   38.796004]  [<c114fc3d>] ? vfs_write+0xed/0x160
[   38.796004]  [<c114f0e0>] ? wait_on_retry_sync_kiocb+0x50/0x50
[   38.796004]  [<c115f90f>] sys_ioctl+0x6f/0x80
[   38.796004]  [<c15cba5f>] sysenter_do_call+0x12/0x28
[   38.796004] Code: 00 00 00 8d 42 d8 e8 d0 ff ff ff 5d c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 57 56 53 83 ec 0c 3e 8d 74 26 00 89 c6 <8b> 40 08 89 55 f0 89 4d ec 8b 00 85 c0 0f 84 8e 00 00 00 89 e0 
[   38.796004] EIP: [<c146b9d0>] i2c_transfer+0x10/0xc0 SS:ESP 0068:f566bcc0
[   38.796004] CR2: 0000000000000109
Comment 2 Ben Gamari 2012-08-29 14:48:04 UTC
I can verify that the following works around the issue:


diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo
index b6a9d45..f366db2 100644
--- a/drivers/gpu/drm/i915/intel_sdvo.c
+++ b/drivers/gpu/drm/i915/intel_sdvo.c
@@ -1950,7 +1950,7 @@ intel_sdvo_select_i2c_bus(struct drm_i915_private *dev_pri
        if (mapping->initialized)
                pin = mapping->i2c_pin;
 
-       if (intel_gmbus_is_port_valid(pin)) {
+       if (0 && intel_gmbus_is_port_valid(pin)) {
                sdvo->i2c = intel_gmbus_get_adapter(dev_priv, pin);
                intel_gmbus_set_speed(sdvo->i2c, GMBUS_RATE_1MHZ);
                intel_gmbus_force_bit(sdvo->i2c, true);
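
Review bot: The "0 &&" in the changed condition makes the GMBUS branch unreachable for every pin on every machine, so intel_gmbus_get_adapter(), intel_gmbus_set_speed() and intel_gmbus_force_bit() become dead code and the intel_gmbus_is_port_valid(pin) check no longer has any effect. That is enough to show the crash depends on this branch, but it is not something to merge: keep the original condition and narrow down which step of the branch is at fault for this pin, for example by logging pin and the adapter assigned to sdvo->i2c before it is used.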
Comment 3 Daniel Vetter 2012-08-29 15:48:38 UTC
Can you grab the source lines with 

addr2line -e drivers/gpu/drm/i915/i915.ko intel_sdvo_write_cmd+0x28b 

addr2line -e drivers/gpu/drm/i915/i915.ko intel_sdvo_detect+0x36

The build needs to match the oops, obviously. Thanks.

Might be a duplicate of bug #46381
Comment 4 Jani Nikula 2012-10-03 07:57:54 UTC
Ben, please attach dmesg with drm.debug=0xe - I think it's interesting because this one occurs on an ioctl rather than module load as in bug #46381.
Comment 5 Daniel Vetter 2012-11-09 20:45:15 UTC
Can you please retest this on latest 3.7-rc kernels? If it's still an issue, I
guess we need the bisect result to make progress on this here.
Comment 6 Jani Nikula 2012-11-12 16:37:34 UTC
Created attachment 86181
drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures

Please try the attached patch.
Comment 7 Daniel Vetter 2012-11-12 19:13:58 UTC
Potential fix merged to drm-intel-fixes:

commit d0ddfbd3d1346c1f481ec2289eef350cdba64b42
Author: Jani Nikula <jani.nikula@intel.com>
Date:   Mon Nov 12 18:31:35 2012 +0200

    drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures

Thanks a lot for your report, and please reopen this bug report if your issue is not yet fixed with this patch applied.