| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Nov 2010 18:02:21 +0100
From: Markus Trippelsdorf <markus@...ppelsdorf.de>
To: dri-devel@...ts.freedesktop.org
Cc: linux-kernel@...r.kernel.org, airlied@...ux.ie
Subject: Radeon RS780 - BUG: unable to handle kernel NULL pointer
dereference
I can trigger a kernel crash on my system by simply loading this png
image with firefox:
http://mediaarchive.cern.ch/MediaArchive/Photo/Public/2010/1011251/1011251_01/1011251_01-A4-at-144-dpi.jpg
The system has an embedded RS780 and is running the latest git kernel.
(Xorg.0.log is attached)
The crash looks as follows:
Nov 8 17:37:21 arch kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
Nov 8 17:37:21 arch kernel: IP: [<ffffffff81449f1f>] _raw_write_lock+0xf/0x20
Nov 8 17:37:21 arch kernel: PGD 11bf20067 PUD 11bfa7067 PMD 0
Nov 8 17:37:21 arch kernel: Oops: 0002 [#1] PREEMPT SMP
Nov 8 17:37:21 arch kernel: last sysfs file: /sys/devices/pci0000:00/0000:00:18.3/temp1_input
Nov 8 17:37:21 arch kernel: CPU 0
Nov 8 17:37:21 arch kernel: Pid: 1502, comm: X Not tainted 2.6.37-rc1-00116-g151f52f-dirty #31 M4A78T-E/System Product Name
Nov 8 17:37:21 arch kernel: RIP: 0010:[<ffffffff81449f1f>] [<ffffffff81449f1f>] _raw_write_lock+0xf/0x20
Nov 8 17:37:21 arch kernel: RSP: 0018:ffff88011b523cc0 EFLAGS: 00010202
Nov 8 17:37:21 arch kernel: RAX: ffff88011b523fd8 RBX: 0000000000000020 RCX: 00000000ffffffff
Nov 8 17:37:22 arch kernel: RDX: 00000000ffffffff RSI: ffffffff8120a6f0 RDI: 0000000000000020
Nov 8 17:37:22 arch kernel: RBP: ffff880113f39c48 R08: 0000000000000006 R09: 0000000000000006
Nov 8 17:37:22 arch kernel: R10: 0000000000000006 R11: 0000000000000006 R12: 0000000000000071
Nov 8 17:37:22 arch kernel: R13: ffff8800c07ffb40 R14: 0000000040086409 R15: 00000000fffffff2
Nov 8 17:37:22 arch kernel: FS: 00007f3786cdc700(0000) GS:ffff8800dfc00000(0000) knlGS:0000000000000000
Nov 8 17:37:22 arch kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Nov 8 17:37:22 arch kernel: CR2: 0000000000000020 CR3: 000000011f60a000 CR4: 00000000000006f0
Nov 8 17:37:22 arch kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 8 17:37:22 arch kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Nov 8 17:37:22 arch kernel: Process X (pid: 1502, threadinfo ffff88011b522000, task ffff88011cc3d460)
Nov 8 17:37:22 arch kernel: Stack:
Nov 8 17:37:22 arch kernel: ffffffff8121cbb8 0000000000000292 ffff88011ffabbc0 ffff88011b523d20
Nov 8 17:37:22 arch kernel: ffffffff81252a92 0000000000000296 0000000000000000 ffff88011d9410a8
Nov 8 17:37:22 arch kernel: ffff8800c07ffb40 ffffffff8120a6f0 ffffffff8126711e ffff88011f632a90
Nov 8 17:37:22 arch kernel: Call Trace:
Nov 8 17:37:22 arch kernel: [<ffffffff8121cbb8>] ? ttm_bo_unref+0x28/0x50
Nov 8 17:37:22 arch kernel: [<ffffffff81252a92>] ? radeon_bo_unref+0x42/0x80
Nov 8 17:37:22 arch kernel: [<ffffffff8120a6f0>] ? drm_gem_object_free+0x0/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8126711e>] ? radeon_gem_object_free+0x2e/0x50
Nov 8 17:37:22 arch kernel: [<ffffffff81183493>] ? kref_put+0x33/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff8120aeb0>] ? drm_gem_close_ioctl+0xc0/0xf0
Nov 8 17:37:22 arch kernel: [<ffffffff8120963c>] ? drm_ioctl+0x39c/0x450
Nov 8 17:37:22 arch kernel: [<ffffffff8120adf0>] ? drm_gem_close_ioctl+0x0/0xf0
Nov 8 17:37:22 arch kernel: [<ffffffff810cd80f>] ? do_sync_read+0xbf/0x100
Nov 8 17:37:22 arch kernel: [<ffffffff810dd2c9>] ? do_vfs_ioctl+0xa9/0x610
Nov 8 17:37:22 arch kernel: [<ffffffff810dd879>] ? sys_ioctl+0x49/0x80
Nov 8 17:37:22 arch kernel: [<ffffffff810ce24e>] ? sys_read+0x4e/0x90
Nov 8 17:37:22 arch kernel: [<ffffffff8102dc2b>] ? system_call_fastpath+0x16/0x1b
Nov 8 17:37:22 arch kernel: Code: 83 c4 08 c3 e8 f3 dd ff ff 31 c0 eb f2 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 65 48 8b 04 25 c8 b6 00 00 ff 80 44 e0 ff ff <f0> 81 2f 00 00 00 01 74 05 e8 83 ff d3 ff c3 66 90 9c 58 fa 65
Nov 8 17:37:22 arch kernel: RIP [<ffffffff81449f1f>] _raw_write_lock+0xf/0x20
Nov 8 17:37:22 arch kernel: RSP <ffff88011b523cc0>
Nov 8 17:37:22 arch kernel: CR2: 0000000000000020
Nov 8 17:37:22 arch kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000088
Nov 8 17:37:22 arch kernel: IP: [<ffffffff81449b84>] _raw_spin_lock+0x14/0x30
Nov 8 17:37:22 arch kernel: PGD 11bf20067 PUD 11bfa7067 PMD 0
Nov 8 17:37:22 arch kernel: Oops: 0002 [#2] PREEMPT SMP
Nov 8 17:37:22 arch kernel: last sysfs file: /sys/devices/pci0000:00/0000:00:18.3/temp1_input
Nov 8 17:37:22 arch kernel: CPU 0
Nov 8 17:37:22 arch kernel: Pid: 1502, comm: X Not tainted 2.6.37-rc1-00116-g151f52f-dirty #31 M4A78T-E/System Product Name
Nov 8 17:37:22 arch kernel: RIP: 0010:[<ffffffff81449b84>] [<ffffffff81449b84>] _raw_spin_lock+0x14/0x30
Nov 8 17:37:22 arch kernel: RSP: 0018:ffff88011b523660 EFLAGS: 00010002
Nov 8 17:37:22 arch kernel: RAX: 0000000000000100 RBX: ffff88011ff2c048 RCX: 0000000000000000
Nov 8 17:37:22 arch kernel: RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000088
Nov 8 17:37:22 arch kernel: RBP: 0000000000000088 R08: 0000000000000000 R09: ffffffff816a0a00
Nov 8 17:37:22 arch kernel: R10: 0000000000000000 R11: 0000000000000002 R12: 0000000000000001
Nov 8 17:37:22 arch kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Nov 8 17:37:22 arch kernel: FS: 00007f3786cdc700(0000) GS:ffff8800dfc00000(0000) knlGS:0000000000000000
Nov 8 17:37:22 arch kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Nov 8 17:37:22 arch kernel: CR2: 0000000000000088 CR3: 000000011f60a000 CR4: 00000000000006f0
Nov 8 17:37:22 arch kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Nov 8 17:37:22 arch kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Nov 8 17:37:22 arch kernel: Process X (pid: 1502, threadinfo ffff88011b522000, task ffff88011cc3d460)
Nov 8 17:37:22 arch kernel: Stack:
Nov 8 17:37:22 arch kernel: ffffffff8121c97f 0000000000000000 ffff880100000000 ffff88011ffaa000
Nov 8 17:37:22 arch kernel: ffff88011ff99000 ffff88011f67beb8 ffff88011ff2c000 ffff88011fcf6cc0
Nov 8 17:37:22 arch kernel: ffffffff8124540c ffffffff00000028 ffff88011b523708 ffff88011ff2c048
Nov 8 17:37:22 arch kernel: Call Trace:
Nov 8 17:37:22 arch kernel: [<ffffffff8121c97f>] ? ttm_bo_reserve+0x2f/0x120
Nov 8 17:37:22 arch kernel: [<ffffffff8124540c>] ? avivo_crtc_do_set_base+0x6c/0x8e0
Nov 8 17:37:22 arch kernel: [<ffffffff812044da>] ? drm_crtc_helper_set_config+0x72a/0x8c0
Nov 8 17:37:22 arch kernel: [<ffffffff812027f4>] ? drm_fb_helper_pan_display+0x84/0xc0
Nov 8 17:37:22 arch kernel: [<ffffffff8119efad>] ? fb_pan_display+0xad/0x140
Nov 8 17:37:22 arch kernel: [<ffffffff811b1d85>] ? ccw_update_start+0x45/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff811abdbd>] ? fbcon_switch+0x44d/0x5f0
Nov 8 17:37:22 arch kernel: [<ffffffff811f6961>] ? redraw_screen+0x181/0x270
Nov 8 17:37:22 arch kernel: [<ffffffff811aa652>] ? fbcon_blank+0x232/0x2e0
Nov 8 17:37:22 arch kernel: [<ffffffff8105d6b7>] ? release_console_sem+0x1a7/0x1f0
Nov 8 17:37:22 arch kernel: [<ffffffff81447163>] ? printk+0x40/0x45
Nov 8 17:37:22 arch kernel: [<ffffffff81067f93>] ? lock_timer_base.clone.25+0x33/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff810683d0>] ? mod_timer+0x130/0x210
Nov 8 17:37:22 arch kernel: [<ffffffff811f8136>] ? do_unblank_screen+0xa6/0x1a0
Nov 8 17:37:22 arch kernel: [<ffffffff8118ad0d>] ? bust_spinlocks+0x1d/0x40
Nov 8 17:37:22 arch kernel: [<ffffffff81031f79>] ? oops_end+0x39/0xe0
Nov 8 17:37:22 arch kernel: [<ffffffff8104aae5>] ? no_context+0xf5/0x260
Nov 8 17:37:22 arch kernel: [<ffffffff810ddf50>] ? __pollwait+0x0/0x110
Nov 8 17:37:22 arch kernel: [<ffffffff8104b41e>] ? do_page_fault+0x36e/0x410
Nov 8 17:37:22 arch kernel: [<ffffffff810de060>] ? pollwake+0x0/0x60
Nov 8 17:37:22 arch kernel: [<ffffffff810de060>] ? pollwake+0x0/0x60
Nov 8 17:37:22 arch kernel: [<ffffffff813ae4aa>] ? sock_wfree+0x4a/0x60
Nov 8 17:37:22 arch kernel: [<ffffffff81430323>] ? unix_destruct_scm+0x93/0xb0
Nov 8 17:37:22 arch kernel: [<ffffffff8144a40f>] ? page_fault+0x1f/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8120a6f0>] ? drm_gem_object_free+0x0/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff81449f1f>] ? _raw_write_lock+0xf/0x20
Nov 8 17:37:22 arch kernel: [<ffffffff8121cbb8>] ? ttm_bo_unref+0x28/0x50
Nov 8 17:37:22 arch kernel: [<ffffffff81252a92>] ? radeon_bo_unref+0x42/0x80
Nov 8 17:37:22 arch kernel: [<ffffffff8120a6f0>] ? drm_gem_object_free+0x0/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8126711e>] ? radeon_gem_object_free+0x2e/0x50
Nov 8 17:37:22 arch kernel: [<ffffffff81183493>] ? kref_put+0x33/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff8120aeb0>] ? drm_gem_close_ioctl+0xc0/0xf0
Nov 8 17:37:22 arch kernel: [<ffffffff8120963c>] ? drm_ioctl+0x39c/0x450
Nov 8 17:37:22 arch kernel: [<ffffffff8120adf0>] ? drm_gem_close_ioctl+0x0/0xf0
Nov 8 17:37:22 arch kernel: [<ffffffff810cd80f>] ? do_sync_read+0xbf/0x100
Nov 8 17:37:22 arch kernel: [<ffffffff810dd2c9>] ? do_vfs_ioctl+0xa9/0x610
Nov 8 17:37:22 arch kernel: [<ffffffff810dd879>] ? sys_ioctl+0x49/0x80
Nov 8 17:37:22 arch kernel: [<ffffffff810ce24e>] ? sys_read+0x4e/0x90
Nov 8 17:37:22 arch kernel: [<ffffffff8102dc2b>] ? system_call_fastpath+0x16/0x1b
Nov 8 17:37:22 arch kernel: Code: 4a 1c 48 8b 7c 24 08 e8 2b 85 c1 ff 31 c0 5b c3 0f 1f 80 00 00 00 00 65 48 8b 04 25 c8 b6 00 00 ff 80 44 e0 ff ff b8 00 01 00 00 <f0> 66 0f c1 07 38 e0 74 06 f3 90 8a 07 eb f6 c3 66 66 66 2e 0f
Nov 8 17:37:22 arch kernel: RIP [<ffffffff81449b84>] _raw_spin_lock+0x14/0x30
Nov 8 17:37:22 arch kernel: RSP <ffff88011b523660>
Nov 8 17:37:22 arch kernel: CR2: 0000000000000088
Nov 8 17:37:22 arch kernel: ---[ end trace f7be0a67c5c584c7 ]---
Nov 8 17:37:22 arch kernel: note: X[1502] exited with preempt_count 2
Nov 8 17:37:22 arch kernel: BUG: scheduling while atomic: X/1502/0x10000003
Nov 8 17:37:22 arch kernel: Pid: 1502, comm: X Tainted: G D 2.6.37-rc1-00116-g151f52f-dirty #31
Nov 8 17:37:22 arch kernel: Call Trace:
Nov 8 17:37:22 arch kernel: [<ffffffff81447ad9>] ? schedule+0x639/0x850
Nov 8 17:37:22 arch kernel: [<ffffffff8105826d>] ? __cond_resched+0x1d/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff81447f2f>] ? _cond_resched+0x2f/0x40
Nov 8 17:37:22 arch kernel: [<ffffffff810b57fc>] ? unmap_vmas+0x82c/0x9c0
Nov 8 17:37:22 arch kernel: [<ffffffff810bcb62>] ? exit_mmap+0xe2/0x1a0
Nov 8 17:37:22 arch kernel: [<ffffffff8105a705>] ? mmput+0x25/0xc0
Nov 8 17:37:22 arch kernel: [<ffffffff8105e734>] ? exit_mm+0x104/0x130
Nov 8 17:37:22 arch kernel: [<ffffffff81449ca0>] ? _raw_spin_unlock_irq+0x10/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8106045a>] ? do_exit+0x5aa/0x760
Nov 8 17:37:22 arch kernel: [<ffffffff81447163>] ? printk+0x40/0x45
Nov 8 17:37:22 arch kernel: [<ffffffff8105e33c>] ? kmsg_dump+0x7c/0x150
Nov 8 17:37:22 arch kernel: [<ffffffff81031fda>] ? oops_end+0x9a/0xe0
Nov 8 17:37:22 arch kernel: [<ffffffff8104aae5>] ? no_context+0xf5/0x260
Nov 8 17:37:22 arch kernel: [<ffffffff8104b41e>] ? do_page_fault+0x36e/0x410
Nov 8 17:37:22 arch kernel: [<ffffffff8102c722>] ? __switch_to+0x1e2/0x2b0
Nov 8 17:37:22 arch kernel: [<ffffffff8118885e>] ? vsnprintf+0x46e/0x620
Nov 8 17:37:22 arch kernel: [<ffffffff81187957>] ? number.clone.2+0x2b7/0x2f0
Nov 8 17:37:22 arch kernel: [<ffffffff8144a40f>] ? page_fault+0x1f/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff81449b84>] ? _raw_spin_lock+0x14/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8121c97f>] ? ttm_bo_reserve+0x2f/0x120
Nov 8 17:37:22 arch kernel: [<ffffffff8124540c>] ? avivo_crtc_do_set_base+0x6c/0x8e0
Nov 8 17:37:22 arch kernel: [<ffffffff812044da>] ? drm_crtc_helper_set_config+0x72a/0x8c0
Nov 8 17:37:22 arch kernel: [<ffffffff812027f4>] ? drm_fb_helper_pan_display+0x84/0xc0
Nov 8 17:37:22 arch kernel: [<ffffffff8119efad>] ? fb_pan_display+0xad/0x140
Nov 8 17:37:22 arch kernel: [<ffffffff811b1d85>] ? ccw_update_start+0x45/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff811abdbd>] ? fbcon_switch+0x44d/0x5f0
Nov 8 17:37:22 arch kernel: [<ffffffff811f6961>] ? redraw_screen+0x181/0x270
Nov 8 17:37:22 arch kernel: [<ffffffff811aa652>] ? fbcon_blank+0x232/0x2e0
Nov 8 17:37:22 arch kernel: [<ffffffff8105d6b7>] ? release_console_sem+0x1a7/0x1f0
Nov 8 17:37:22 arch kernel: [<ffffffff81447163>] ? printk+0x40/0x45
Nov 8 17:37:22 arch kernel: [<ffffffff81067f93>] ? lock_timer_base.clone.25+0x33/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff810683d0>] ? mod_timer+0x130/0x210
Nov 8 17:37:22 arch kernel: [<ffffffff811f8136>] ? do_unblank_screen+0xa6/0x1a0
Nov 8 17:37:22 arch kernel: [<ffffffff8118ad0d>] ? bust_spinlocks+0x1d/0x40
Nov 8 17:37:22 arch kernel: [<ffffffff81031f79>] ? oops_end+0x39/0xe0
Nov 8 17:37:22 arch kernel: [<ffffffff8104aae5>] ? no_context+0xf5/0x260
Nov 8 17:37:22 arch kernel: [<ffffffff810ddf50>] ? __pollwait+0x0/0x110
Nov 8 17:37:22 arch kernel: [<ffffffff8104b41e>] ? do_page_fault+0x36e/0x410
Nov 8 17:37:22 arch kernel: [<ffffffff810de060>] ? pollwake+0x0/0x60
Nov 8 17:37:22 arch kernel: [<ffffffff810de060>] ? pollwake+0x0/0x60
Nov 8 17:37:22 arch kernel: [<ffffffff813ae4aa>] ? sock_wfree+0x4a/0x60
Nov 8 17:37:22 arch kernel: [<ffffffff81430323>] ? unix_destruct_scm+0x93/0xb0
Nov 8 17:37:22 arch kernel: [<ffffffff8144a40f>] ? page_fault+0x1f/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8120a6f0>] ? drm_gem_object_free+0x0/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff81449f1f>] ? _raw_write_lock+0xf/0x20
Nov 8 17:37:22 arch kernel: [<ffffffff8121cbb8>] ? ttm_bo_unref+0x28/0x50
Nov 8 17:37:22 arch kernel: [<ffffffff81252a92>] ? radeon_bo_unref+0x42/0x80
Nov 8 17:37:22 arch kernel: [<ffffffff8120a6f0>] ? drm_gem_object_free+0x0/0x30
Nov 8 17:37:22 arch kernel: [<ffffffff8126711e>] ? radeon_gem_object_free+0x2e/0x50
Nov 8 17:37:22 arch kernel: [<ffffffff81183493>] ? kref_put+0x33/0x70
Nov 8 17:37:22 arch kernel: [<ffffffff8120aeb0>] ? drm_gem_close_ioctl+0xc0/0xf0
Nov 8 17:37:22 arch kernel: [<ffffffff8120963c>] ? drm_ioctl+0x39c/0x450
Nov 8 17:37:22 arch kernel: [<ffffffff8120adf0>] ? drm_gem_close_ioctl+0x0/0xf0
Nov 8 17:37:22 arch kernel: [<ffffffff810cd80f>] ? do_sync_read+0xbf/0x100
Nov 8 17:37:22 arch kernel: [<ffffffff810dd2c9>] ? do_vfs_ioctl+0xa9/0x610
Nov 8 17:37:22 arch kernel: [<ffffffff810dd879>] ? sys_ioctl+0x49/0x80
Nov 8 17:37:22 arch kernel: [<ffffffff810ce24e>] ? sys_read+0x4e/0x90
Nov 8 17:37:22 arch kernel: [<ffffffff8102dc2b>] ? system_call_fastpath+0x16/0x1b
--
Markus
View attachment "Xorg.0.log" of type "text/plain" (38012 bytes)
Powered by blists - more mailing lists