Here's the Oops without the split lines:

[   72.920167] BUG: unable to handle kernel NULL pointer dereference at (null)
[   72.920176] IP: [<fab2a7a4>] r600_ioctl_wait_idle+0x4f/0x98 [radeon]
[   72.920208] *pdpt = 000000003690d001 *pde = 0000000000000000 
[   72.920214] Oops: 0000 [#1] SMP 
[   72.920218] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:02:0c.0/resource
[   72.920223] Modules linked in: binfmt_misc microcode fuse ext4 jbd2 crc16 sha256_generic aes_i586 aes_generic cbc iTCO_wdt iTCO_vendor_support tcp_diag inet_diag autofs4 loop grip w83627hf hwmon_vid dm_crypt snd_hda_codec_atihdmi cx22702 cx88_dvb cx88_vp3054_i2c videobuf_dvb dvb_core snd_hda_intel rc_hauppauge_new snd_intel8x0 radeon snd_hda_codec tuner_simple tuner_types snd_ac97_codec snd_wavefront snd_cs4236 snd_usb_audio ac97_bus cx88_alsa snd_wss_lib snd_pcm_oss snd_opl3_lib snd_mixer_oss snd_hwdep snd_usbmidi_lib snd_mpu401 snd_mpu401_uart btusb tuner joydev snd_seq_midi snd_pcm 
ttm bluetooth snd_rawmidi usblp rfkill hid_logitech cx8800 pwc ir_sony_decoder cx8802 snd_seq_midi_event ff_memless ir_jvc_decoder cx88xx drm_kms_helper snd_seq ir_rc6_decoder ir_rc5_decoder ir_nec_decoder v4l2_common ir_common snd_timer snd_seq_device ir_core videodev drm v4l1_compat evdev tveeprom videobuf_dma_sg videobuf_core btcx_risc parport_pc i2c_algo_bit tpm_tis snd i2c_i801 ns558 parport psmouse tpm gameport shpchp tpm_bios serio_raw processor rng_core i2c_core pcspkr soundcore button pci_hotplug snd_page_alloc ext3 jbd mbcache dm_mod raid1 raid0 md_mod usbhid hid sg sr_mod sd_mod cdrom crc_t10dif ata_generic uhci_hcd ata_piix libata aic7xxx ehci_hcd aic79xx 3w_xxxx scsi_transport_spi usbcore scsi_mod firewire_ohci floppy firewire_core thermal skge crc_itu_t thermal_sys nls_base [last unloaded: scsi_wait_scan]
[   72.920354] 
[   72.920359] Pid: 3603, comm: Xorg Not tainted 2.6.35-trunk-686-bigmem #1 P4P800/To Be Filled By O.E.M.
[   72.920363] EIP: 0060:[<fab2a7a4>] EFLAGS: 00013246 CPU: 0
[   72.920383] EIP is at r600_ioctl_wait_idle+0x4f/0x98 [radeon]
[   72.920386] EAX: 00000000 EBX: f62109c0 ECX: faf80000 EDX: 00000000
[   72.920389] ESI: f6026600 EDI: 00000000 EBP: f63abe84 ESP: f63abe5c
[   72.920392]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   72.920396] Process Xorg (pid: 3603, ti=f63aa000 task=f6508840 task.ti=f63aa000)
[   72.920399] Stack:
[   72.920401]  f62109c0 fab0dc33 f6a4c580 f64ae000 00000064 f90709f4 c0086464 fab697d4
[   72.920409] <0> fab0dbf0 bfb84228 00000001 00000000 00000000 00000000 00004000 00000000
[   72.920417] <0> 00000000 00000001 c10906aa f6a4c280 c10909e6 c143d4c0 c10265c2 fffff000
[   72.920427] Call Trace:
[   72.920451]  [<fab0dc33>] ? radeon_gem_wait_idle_ioctl+0x43/0x50 [radeon]
[   72.920472]  [<f90709f4>] ? drm_ioctl+0x1e6/0x2aa [drm]
[   72.920494]  [<fab0dbf0>] ? radeon_gem_wait_idle_ioctl+0x0/0x50 [radeon]
[   72.920503]  [<c10906aa>] ? lock_page+0x8/0x1d
[   72.920507]  [<c10909e6>] ? filemap_fault+0xb9/0x2ef
[   72.920514]  [<c10265c2>] ? kmap_atomic_prot+0xcb/0xe7
[   72.920518]  [<c102645c>] ? kunmap_atomic+0x48/0x57
[   72.920525]  [<c10a29fc>] ? __do_fault+0x3f8/0x42e
[   72.920540]  [<f907080e>] ? drm_ioctl+0x0/0x2aa [drm]
[   72.920546]  [<c10c6596>] ? vfs_ioctl+0x1c/0x7d
[   72.920550]  [<c10c6b0e>] ? do_vfs_ioctl+0x472/0x4ac
[   72.920555]  [<c10a70a2>] ? mmap_region+0x342/0x415
[   72.920559]  [<c10c6b8c>] ? sys_ioctl+0x44/0x64
[   72.920564]  [<c1007cdf>] ? sysenter_do_call+0x12/0x28
[   72.920566] Code: 00 76 10 8b 88 9c 00 00 00 31 c0 89 81 34 2f 00 00 eb 18 8b 98 9c 00 00 00 b9 34 2f 00 00 89 0b 8b 88 9c 00 00 00 31 c0 89 41 04 <8b> 02 eb 43 83 b8 98 00 00 00 00 77 0c 81 b8 94 00 00 00 80 54 
[   72.920619] EIP: [<fab2a7a4>] r600_ioctl_wait_idle+0x4f/0x98 [radeon] SS:ESP 0068:f63abe5c
[   72.920641] CR2: 0000000000000000
[   72.920645] ---[ end trace 57bf3e55b0124490 ]---

Patch available:
https://bugs.freedesktop.org/show_bug.cgi?id=29834

That patch does indeed fix the bug, thanks!

I don't know what the usual practice is here, so I'm leaving the bug open for now, given that the patch isn't in Linus's tree yet AFAICS.

Regards,

Stephen

Patch queued

Patch : https://bugs.freedesktop.org/attachment.cgi?id=38227
Handled-By : Alex Deucher <alexdeucher@gmail.com>

*** Bug 17702 has been marked as a duplicate of this bug. ***

[I filed #17702, the dup.]

There's apparently something else happening, too.  Because with the patch, 2.6.36-rc3 gets farther than it did before, X starts, but it consistently freezes (hard kernel freeze, Magic-SRQ fails, hard-reset time) before I hit the desktop, while without the patch, it soft-freezes (X has gobbled the keyboard and VT-switching is dead, but I can Magic-SRQ-R, then C-A-Del to reboot) while it's still black-screened, before the KDE splash.

Meanwhile, reverting the original commit (4437579efca258e3c4a09f59838c8f933611990 as mentioned in bug #17702), everything works fine, just as it did with earlier kernels.  So there's obviously something still wrong with the code-path after the patch, or it wouldn't be hard-freezing the kernel.

Also, as with the original bug after the commit, if I set disable dri in xorg.conf.d, everything works, but of course without accelerated 3D.

Unfortunately, while I could get a log after the soft freeze, that's not possible now, as it's a hard freeze.  But we know the commit that does it, and the patch above does at least allow X to start; it just hard-kernel freezes before it hits the full kde (4.5.0, I've not upgraded to 4.5.1 yet) plasma-desktop.

So either this bug needs reopened, or I can reopen mine or file a new one.

Duncan, please file a new bug entry, preferably if you can reproduce the problem
with the commit below applied.

Fixed by commit 87cbf8f2c5d1b1fc4642c3dc0bb6efc587479603 .