Bug 46631 - NULL pointer dereference in intel_sdvo_detect on Dell Latitude D610
Summary: NULL pointer dereference in intel_sdvo_detect on Dell Latitude D610
Status: RESOLVED PATCH_ALREADY_AVAILABLE
Alias: None
Product: Drivers
Classification: Unclassified
Component: Video(DRI - Intel) (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Jani Nikula
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-29 14:33 UTC by Ben Gamari
Modified: 2012-11-12 19:13 UTC (History)
5 users (show)

See Also:
Kernel Version: 3.5
Subsystem:
Regression: No
Bisected commit-id:

Attachments
drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures (3.22 KB, patch)
2012-11-12 16:37 UTC, Jani Nikula 		Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Ben Gamari 2012-08-29 14:33:26 UTC 
This bug was originally fixed in #24312 but seems to have come back in v3.5.
Comment 1 Ben Gamari 2012-08-29 14:33:39 UTC 
[   38.795170] BUG: unable to handle kernel NULL pointer dereference at 00000109
[   38.796004] IP: [<c146b9d0>] i2c_transfer+0x10/0xc0
[   38.796004] *pdpt = 00000000356d3001 *pde = 0000000000000000 
[   38.796004] Oops: 0000 [#1] SMP 
[   38.796004] Modules linked in: michael_mic arc4 lib80211_crypt_tkip lib80211_crypt_ccmp bnep bluetooth parport_pc ppdev i915 snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm ipw2200 snd_seq_midi drm_kms_helper snd_rawmidi libipw snd_seq_midi_event drm snd_seq joydev snd_timer cfg80211 snd_seq_device pcmcia snd psmouse dell_laptop yenta_socket soundcore gpio_ich pcmcia_rsrc serio_raw pcmcia_core microcode snd_page_alloc i2c_algo_bit dcdbas lpc_ich mac_hid lib80211 video lp parport tg3
[   38.796004] 
[   38.796004] Pid: 1175, comm: Xorg Not tainted 3.5.0 #9 Dell Inc. Latitude D610                   /0U8082
[   38.796004] EIP: 0060:[<c146b9d0>] EFLAGS: 00013286 CPU: 0
[   38.796004] EIP is at i2c_transfer+0x10/0xc0
[   38.796004] EAX: 00000101 EBX: f6fe6c00 ECX: 00000003 EDX: f5ae2fc0
[   38.796004] ESI: 00000101 EDI: 00000018 EBP: f566bcd8 ESP: f566bcc0
[   38.796004]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[   38.796004] CR0: 80050033 CR2: 00000109 CR3: 35b81000 CR4: 000007f0
[   38.796004] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   38.796004] DR6: ffff0ff0 DR7: 00000400
[   38.796004] Process Xorg (pid: 1175, ti=f566a000 task=f0428cb0 task.ti=f566a000)
[   38.796004] Stack:
[   38.796004]  000080d0 00000024 0000ca01 f6fe6c00 f5ae2fcc 00000018 f566bd20 f878bc1b
[   38.796004]  00000004 00000000 00000000 f87b4681 f87b0360 0000000b 0000000c 0b000001
[   38.796004]  00000003 f5ae2fc0 f547c0e8 f6fe6c00 09000001 f6fe6c00 f5757800 00000003
[   38.796004] Call Trace:
[   38.796004]  [<f878bc1b>] intel_sdvo_write_cmd+0x28b/0x370 [i915]
[   38.796004]  [<f878e136>] intel_sdvo_detect+0x36/0x310 [i915]
[   38.796004]  [<c12cf54a>] ? snprintf+0x1a/0x20
[   38.796004]  [<f860cc15>] ? drm_get_connector_name+0x45/0x50 [drm]
[   38.796004]  [<f8658ef8>] drm_helper_probe_single_connector_modes+0x178/0x320 [drm_kms_helper]
[   38.796004]  [<f860f453>] drm_mode_getconnector+0x303/0x360 [drm]
[   38.796004]  [<c11038cf>] ? __generic_file_aio_write+0x22f/0x4f0
[   38.796004]  [<f8601ee8>] drm_ioctl+0x408/0x470 [drm]
[   38.796004]  [<f860f150>] ? drm_mode_getcrtc+0xd0/0xd0 [drm]
[   38.796004]  [<f8601ae0>] ? drm_copy_field+0x80/0x80 [drm]
[   38.796004]  [<c115f372>] do_vfs_ioctl+0x82/0x5b0
[   38.796004]  [<c114fc3d>] ? vfs_write+0xed/0x160
[   38.796004]  [<c114f0e0>] ? wait_on_retry_sync_kiocb+0x50/0x50
[   38.796004]  [<c115f90f>] sys_ioctl+0x6f/0x80
[   38.796004]  [<c15cba5f>] sysenter_do_call+0x12/0x28
[   38.796004] Code: 00 00 00 8d 42 d8 e8 d0 ff ff ff 5d c3 8d b4 26 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 57 56 53 83 ec 0c 3e 8d 74 26 00 89 c6 <8b> 40 08 89 55 f0 89 4d ec 8b 00 85 c0 0f 84 8e 00 00 00 89 e0 
[   38.796004] EIP: [<c146b9d0>] i2c_transfer+0x10/0xc0 SS:ESP 0068:f566bcc0
[   38.796004] CR2: 0000000000000109
Comment 2 Ben Gamari 2012-08-29 14:48:04 UTC 
I can verify that the following works around the issue:


diff --git a/drivers/gpu/drm/i915/intel_sdvo.c b/drivers/gpu/drm/i915/intel_sdvo
index b6a9d45..f366db2 100644
--- a/drivers/gpu/drm/i915/intel_sdvo.c
+++ b/drivers/gpu/drm/i915/intel_sdvo.c
@@ -1950,7 +1950,7 @@ intel_sdvo_select_i2c_bus(struct drm_i915_private *dev_pri
        if (mapping->initialized)
                pin = mapping->i2c_pin;
 
-       if (intel_gmbus_is_port_valid(pin)) {
+       if (0 && intel_gmbus_is_port_valid(pin)) {
                sdvo->i2c = intel_gmbus_get_adapter(dev_priv, pin);
                intel_gmbus_set_speed(sdvo->i2c, GMBUS_RATE_1MHZ);
                intel_gmbus_force_bit(sdvo->i2c, true);
Comment 3 Daniel Vetter 2012-08-29 15:48:38 UTC 
Can you grab the source lines with 

addr2line -e drivers/gpu/drm/i915/i915.ko intel_sdvo_write_cmd+0x28b 

addr2line -e drivers/gpu/drm/i915/i915.ko intel_sdvo_detect+0x36

The build needs to match the oops, obviously. Thanks.

Might be a duplicate of bug #46381
Comment 4 Jani Nikula 2012-10-03 07:57:54 UTC 
Ben, please attach dmesg with drm.debug=0xe - I think it's interesting because this one occurs on an ioctl rather than module load as in bug #46381.
Comment 5 Daniel Vetter 2012-11-09 20:45:15 UTC 
Can you please retest this on latest 3.7-rc kernels? If it's still an issue, I
guess we need the bisect result to make progress on this here.
Comment 6 Jani Nikula 2012-11-12 16:37:34 UTC 
Created attachment 86181 [details]
drm/i915/sdvo: clean up connectors on intel_sdvo_init()  failures

Please try the attached patch.
Comment 7 Daniel Vetter 2012-11-12 19:13:58 UTC 
Potential fixed merged to drm-intel-fixes:

commit d0ddfbd3d1346c1f481ec2289eef350cdba64b42
Author: Jani Nikula <jani.nikula@intel.com>
Date:   Mon Nov 12 18:31:35 2012 +0200

    drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures

Thanks a lot for your report, and please reopen this bug report if your issue is not yet fixed with this patch applied.
Note You need to log in before you can comment on or make changes to this bug.