lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 5 Dec 2008 19:50:28 +0100
From:	Bartlomiej Zolnierkiewicz <bzolnier@...il.com>
To:	"Dave Airlie" <airlied@...il.com>
Cc:	linux-kernel@...r.kernel.org,
	Benny Amorsen <benny+usenet@...rsen.dk>,
	linux-next@...r.kernel.org
Subject: next-2008120[3,4] drm oops (was Re: vanilla kernels hang randomly under Fedora 10 on system with Radeon card)

On Thursday 04 December 2008, Bartlomiej Zolnierkiewicz wrote:

[...]

> To add more fun I'm getting following DRM oops with next-2008120[3,4]:

Here is refreshed oops (I needed to tweak/rebuild the kernel):

BUG: unable to handle kernel NULL pointer dereference at 00000144               
IP: [<c0247371>] drm_addmap_core+0x548/0x561                                    
*pde = 00000000                                                                 
Oops: 0000 [#1] PREEMPT SMP                                                     
last sysfs file: /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.0/enable       
Modules linked in: radeon(+) lib80211_crypt_tkip xt_state ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 acerhk cpufreq_ondemand binfmt_misc snd_intel8x0 snd_intel8x0m snd_ac97_codec snd_seq_dummy ac97_bus snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm ipw2200 snd_timer libipw snd soundcore snd_page_alloc lib80211 ehci_hcd uhci_hcd parport_pc parport                                                      

Pid: 1740, comm: modprobe Not tainted (2.6.28-rc7-next-20081204 #268) Extensa 2900                                                                              
EIP: 0060:[<c0247371>] EFLAGS: 00213202 CPU: 0                                  
EIP is at drm_addmap_core+0x548/0x561                                           
EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: da1dec00
ESI: da2baac0 EDI: da177a80 EBP: e0010000 ESP: da2c1ea4
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process modprobe (pid: 1740, ti=da2c1000 task=df8741b0 task.ti=da2c1000)
Stack:
 da177a80 00010000 da1dec00 00000002 da1dec20 da177a88 da1decd4 da1decd4
 da1dece0 00010000 da2c1eec da285800 da285b44 da1dec00 c02473f2 00000001
 00000082 da2c1eec da2c1ef4 00010000 e085674c 00000001 00000082 da285b40
Call Trace:
 [<c02473f2>] drm_addmap+0x14/0x2e
 [<e085674c>] radeon_driver_load+0xef/0x15a [radeon]
 [<c024bb73>] drm_get_dev+0x240/0x4ab
 [<c01e48af>] kobject_get+0xf/0x13
 [<c024821d>] drm_init+0x5a/0x89
 [<e0832000>] radeon_init+0x0/0x14 [radeon]
 [<c010112c>] _stext+0x44/0x108
 [<c01430a8>] sys_init_module+0x87/0x174
 [<c0102eb1>] sysenter_do_call+0x12/0x25
 [<c0310000>] rtl8139_init_one+0x685/0x85e
Code: 12 0d 00 eb 35 8b 3c 24 8b 47 10 c7 47 1c 00 00 00 00 c1 e0 0c 89 47 18 8b 44 24 10 e8 a8 12 0d 00 8b 54 24 08 8b 82 b0 02 00 00 <8b> 80 44 01 00 00 89 47 20 8b 4c 24 44 89 39 83 c4 28 89 d8 5b
EIP: [<c0247371>] drm_addmap_core+0x548/0x561 SS:ESP 0068:da2c1ea4
---[ end trace b2c7f2a062698806 ]---

[...]

> which I think may be caused by:
> 
> commit c2f29f764c0daa0084674d4a463e7158ac5c4dc4
> Author: Dave Airlie <airlied@...hat.com>
> Date:   Fri Nov 28 14:22:24 2008 +1000
> 
>     drm: move to kref per-master structures.
> 
> however I haven't verified it yet.

It is confirmed now, reverting commit

c2f29f764c0daa0084674d4a463e7158ac5c4dc4
("drm: move to kref per-master structures.")

and [the one depending on the above one]

21680220acd264620d7172ed99868bf580ecf0d4.
("drm: fix leak of uninitialized data to userspace")

fixes the oops and makes DRI being enabled again.


The oops itself happens when loading 'radeon' module and is caused by
primary->master dereference (+ primary being NULL) in the following chunk:

@@ -319,6 +319,7 @@ static int drm_addmap_core(struct drm_device * dev, unsigned
        list->user_token = list->hash.key << PAGE_SHIFT;
        mutex_unlock(&dev->struct_mutex);

+       list->master = dev->primary->master;
        *maplist = list;
        return 0;
        }

Debug data:

$ gdb vmlinux

(gdb) l *0xc0247371
0xc0247371 is in drm_addmap_core (drivers/gpu/drm/drm_bufs.c:322).
317             }
318
319             list->user_token = list->hash.key << PAGE_SHIFT;
320             mutex_unlock(&dev->struct_mutex);
321
322             list->master = dev->primary->master;
323             *maplist = list;
324             return 0;
325             }
326

$ objdump -d drivers/gpu/drm/drm_bufs.o
...
00001fb9 <drm_addmap_core>:
...
    24f2:       e8 fc ff ff ff          call   24f3 <drm_addmap_core+0x53a>
    24f7:       8b 54 24 08             mov    0x8(%esp),%edx
    24fb:       8b 82 b0 02 00 00       mov    0x2b0(%edx),%eax
->  2501:       8b 80 44 01 00 00       mov    0x144(%eax),%eax
    2507:       89 47 20                mov    %eax,0x20(%edi)
...

Hope this helps.

Thanks,
Bart
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ