bugzilla-daemon at freedesktop.org
2014-Dec-21 15:06 UTC
[Nouveau] [Bug 87554] New: [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554
Bug ID: 87554
Summary: [NV1A] 3.19-rc1 NULL dereference on modprobe in
pramin_fini
Product: xorg
Version: unspecified
Hardware: x86 (IA32)
OS: Linux (All)
Status: NEW
Severity: major
Priority: medium
Component: Driver/nouveau
Assignee: nouveau at lists.freedesktop.org
Reporter: bonbons67 at internet.lu
QA Contact: xorg-team at lists.x.org
[ 441.685835] wmi: Mapper loaded
[ 442.129083] ACPI: PCI Interrupt Link [LNK5] enabled at IRQ 12
[ 442.135019] PCI: setting IRQ 12 as level-triggered
[ 442.144839] nouveau [ DEVICE][0000:02:00.0] BOOT0 : 0x01a000b1
[ 442.151063] nouveau [ DEVICE][0000:02:00.0] Chipset: nForce (NV1A)
[ 442.157481] nouveau [ DEVICE][0000:02:00.0] Family : NV10
[ 442.172505] BUG: unable to handle kernel NULL pointer dereference at
(null)
[ 442.179823] IP: [<dea2c6c6>] pramin_fini+0x6/0x30 [nouveau]
[ 442.180015] *pde = 00000000
[ 442.180015] Oops: 0000 [#1]
[ 442.180015] Modules linked in: nouveau(+) wmi ttm drm_kms_helper nfsv3
nfs_acl nfs lockd grace sunrpc
[ 442.180015] CPU: 0 PID: 1267 Comm: modprobe Not tainted 3.19.0-rc1-jupiter
#1
[ 442.180015] Hardware name: NVIDIA Corporation. nFORCE-MCP/MS-6373, BIOS 6.00
PG 04/12/2002
[ 442.180015] task: dc010c90 ti: dcfba000 task.ti: dcfba000
[ 442.180015] EIP: 0060:[<dea2c6c6>] EFLAGS: 00010286 CPU: 0
[ 442.180015] EIP is at pramin_fini+0x6/0x30 [nouveau]
[ 442.180015] EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: dea2c6c0
[ 442.180015] ESI: dcfbb8a4 EDI: deacf670 EBP: dcfbb834 ESP: dcfbb830
[ 442.180015] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 442.180015] CR0: 8005003b CR2: 00000000 CR3: 1c042000 CR4: 000007d0
[ 442.180015] Stack:
[ 442.180015] dcedad90 dcfbb860 dea2c02e dcedad90 00000004 deaef771 deaef81b
00000000
[ 442.180015] deaf5320 dcfbb8a4 dcfbb884 dcfbb884 dcfbb994 dea2c2db dcfbb87c
c10dbf41
[ 442.180015] ddfcdb40 dd401180 dcedad90 00000000 dcfbb8a4 10000001 deaf54a0
00000000
[ 442.180015] Call Trace:
[ 442.180015] [<dea2c02e>] shadow_method+0x8e/0xe0 [nouveau]
[ 442.180015] [<dea2c2db>] nvbios_shadow+0x25b/0x360 [nouveau]
[ 442.180015] [<c10dbf41>] ? init_object+0x51/0x60
[ 442.180015] [<dea1f0eb>] nouveau_bios_ctor+0x4b/0x3b0 [nouveau]
[ 442.180015] [<c10dd62f>] ? kmem_cache_alloc_trace+0xcf/0x160
[ 442.180015] [<dea1cd25>] nouveau_object_ctor+0x35/0xd0 [nouveau]
[ 442.180015] [<dea64ebf>] nouveau_devobj_ctor+0x77f/0x880 [nouveau]
[ 442.180015] [<dea1cd25>] nouveau_object_ctor+0x35/0xd0 [nouveau]
[ 442.180015] [<dea1bb89>] nvkm_ioctl_new+0x229/0x300 [nouveau]
[ 442.180015] [<dea1c020>] nvkm_ioctl+0x2a0/0x340 [nouveau]
[ 442.180015] [<deaa913c>] nvkm_client_ioctl+0x1c/0x30 [nouveau]
[ 442.180015] [<dea9ccee>] nvif_object_ioctl+0x7e/0x90 [nouveau]
[ 442.180015] [<dea9d44a>] nvif_object_init+0x10a/0x130 [nouveau]
[ 442.180015] [<dea9d7a8>] nvif_device_init+0x28/0x50 [nouveau]
[ 442.180015] [<dea9f630>] nouveau_drm_load+0x2e0/0x560 [nouveau]
[ 442.180015] [<c12c6bff>] drm_dev_register+0x5f/0xe0
[ 442.180015] [<c12c9231>] drm_get_pci_dev+0xe1/0x1a0
[ 442.180015] [<c122e9f5>] ? pcibios_set_master+0x25/0x80
[ 442.180015] [<dea9f068>] nouveau_drm_probe+0x1a8/0x1d0 [nouveau]
[ 442.180015] [<c122fed5>] pci_device_probe+0x65/0xc0
[ 442.180015] [<c12e801d>] driver_probe_device+0x14d/0x330
[ 442.180015] [<c12e824d>] __driver_attach+0x4d/0x80
[ 442.180015] [<c12e8200>] ? driver_probe_device+0x330/0x330
[ 442.180015] [<c12e68dc>] bus_for_each_dev+0x3c/0x70
[ 442.180015] [<c12e7b7c>] driver_attach+0x1c/0x30
[ 442.180015] [<c12e8200>] ? driver_probe_device+0x330/0x330
[ 442.180015] [<c12e76ec>] bus_add_driver+0xdc/0x1f0
[ 442.180015] [<c12e89b7>] driver_register+0x87/0xc0
[ 442.180015] [<c10dffff>] ? migrate_page_copy+0x18f/0x250
[ 442.180015] [<c122ffb8>] __pci_register_driver+0x28/0x30
[ 442.180015] [<c12c933b>] drm_pci_init+0x4b/0xe0
[ 442.180015] [<deb39235>] nouveau_drm_init+0x235/0x1000 [nouveau]
[ 442.180015] [<c1000441>] ? do_one_initcall+0xb1/0x1d0
[ 442.180015] [<c10004b4>] do_one_initcall+0x124/0x1d0
[ 442.180015] [<deb39000>] ? 0xdeb39000
[ 442.180015] [<deb39000>] ? 0xdeb39000
[ 442.180015] [<c10dd344>] ? kfree+0x134/0x140
[ 442.180015] [<c10d52ac>] ? __vunmap+0xcc/0xe0
[ 442.180015] [<c10d52ac>] ? __vunmap+0xcc/0xe0
[ 442.180015] [<c10d52ac>] ? __vunmap+0xcc/0xe0
[ 442.180015] [<c10d52ac>] ? __vunmap+0xcc/0xe0
[ 442.180015] [<c107e125>] load_module+0x1035/0x16b0
[ 442.180015] [<c107e885>] SyS_init_module+0xe5/0xf0
[ 442.180015] [<c14c23d2>] sysenter_do_call+0x12/0x12
[ 442.180015] Code: 43 7f e2 39 5d f0 89 07 77 e3 eb 08 90 c7 45 ec 00 00 00
00 8b 45 ec 83 c4 08 5b 5e 5f 5d c3
[ 442.180015] EIP: [<dea2c6c6>] pramin_fini+0x6/0x30 [nouveau] SS:ESP
0068:dcfbb830
[ 442.180015] CR2: 0000000000000000
[ 442.555577] ---[ end trace 5944a013025347a6 ]---
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.freedesktop.org/archives/nouveau/attachments/20141221/7131dc96/attachment.html>
bugzilla-daemon at freedesktop.org
2014-Dec-21 15:21 UTC
[Nouveau] [Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554
--- Comment #1 from Bruno <bonbons67 at internet.lu> ---
Matching objdump -d -S nouveau.ko:
000136c0 <pramin_fini>:
static void
pramin_fini(void *data)
{
136c0: 55 push %ebp
136c1: 89 e5 mov %esp,%ebp
136c3: 53 push %ebx
136c4: 89 c3 mov %eax,%ebx
static inline void
nv_wr32(void *obj, u32 addr, u32 data)
{
struct nouveau_subdev *subdev = nv_subdev(obj);
nv_spam(subdev, "nv_wr32 0x%06x 0x%08x\n", addr, data);
iowrite32_native(data, subdev->mmio + addr);
136c6: 8b 00 mov (%eax),%eax
136c8: 8b 50 24 mov 0x24(%eax),%edx
136cb: 8b 43 04 mov 0x4(%ebx),%eax
136ce: 81 c2 00 17 00 00 add $0x1700,%edx
136d4: e8 fc ff ff ff call 136d5 <pramin_fini+0x15>
struct priv *priv = data;
nv_wr32(priv->bios, 0x001700, priv->bar0);
kfree(priv);
136d9: 89 d8 mov %ebx,%eax
136db: e8 fc ff ff ff call 136dc <pramin_fini+0x1c>
}
136e0: 5b pop %ebx
136e1: 5d pop %ebp
136e2: c3 ret
136e3: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
136e9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
Source code:
static void
pramin_fini(void *data)
{
struct priv *priv = data;
nv_wr32(priv->bios, 0x001700, priv->bar0);
kfree(priv);
}
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.freedesktop.org/archives/nouveau/attachments/20141221/0e9601de/attachment.html>
bugzilla-daemon at freedesktop.org
2014-Dec-21 15:59 UTC
[Nouveau] [Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554
--- Comment #2 from Bruno <bonbons67 at internet.lu> ---
Created attachment 111111
--> https://bugs.freedesktop.org/attachment.cgi?id=111111&action=edit
Consider ->init NULL return as a failure
Things are crashing because pramin_init returns NULL (and not a ERR_PTR).
Would the following change be a proper fix?:
static int
shadow_method(struct nouveau_bios *bios, struct shadow *mthd, const char
*name)
{
const struct nvbios_source *func = mthd->func;
if (func->name) {
nv_debug(bios, "trying %s...\n", name ? name :
func->name);
if (func->init) {
mthd->data = func->init(bios, name);
if (IS_ERR(mthd->data)) {
mthd->data = NULL;
return 0;
+ } else if (!mthd->data) {
+ return 0;
}
}
mthd->score = shadow_score(bios, mthd);
if (func->fini)
func->fini(mthd->data);
nv_debug(bios, "scored %d\n", mthd->score);
mthd->data = bios->data;
mthd->size = bios->size;
bios->data = NULL;
bios->size = 0;
}
return mthd->score;
}
If so, please apply attached patch.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.freedesktop.org/archives/nouveau/attachments/20141221/5e0729b7/attachment.html>
bugzilla-daemon at freedesktop.org
2014-Dec-21 22:07 UTC
[Nouveau] [Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554 --- Comment #3 from Ilia Mirkin <imirkin at alum.mit.edu> --- http://cgit.freedesktop.org/~darktama/nouveau/commit/?id=b19dbc526bb963670dafc86da92d9fa2755b1997 -- You are receiving this mail because: You are the assignee for the bug. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.freedesktop.org/archives/nouveau/attachments/20141221/958bdb69/attachment.html>
bugzilla-daemon at freedesktop.org
2014-Dec-22 06:15 UTC
[Nouveau] [Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554
Ilia Mirkin <imirkin at alum.mit.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rjgleits at bellsouth.net
--- Comment #4 from Ilia Mirkin <imirkin at alum.mit.edu> ---
*** Bug 87576 has been marked as a duplicate of this bug. ***
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.freedesktop.org/archives/nouveau/attachments/20141222/1376c742/attachment.html>
bugzilla-daemon at freedesktop.org
2014-Dec-23 16:18 UTC
[Nouveau] [Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554 --- Comment #5 from Tobias Klausmann <tobias.klausmann at mni.thm.de> --- *** Bug 87641 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are the assignee for the bug. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.freedesktop.org/archives/nouveau/attachments/20141223/f2867844/attachment.html>
bugzilla-daemon at freedesktop.org
2015-Oct-22 05:08 UTC
[Nouveau] [Bug 87554] [NV1A] 3.19-rc1 NULL dereference on modprobe in pramin_fini
https://bugs.freedesktop.org/show_bug.cgi?id=87554
Ilia Mirkin <imirkin at alum.mit.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #6 from Ilia Mirkin <imirkin at alum.mit.edu> ---
Should be fixed in 3.19-final.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.freedesktop.org/archives/nouveau/attachments/20151022/1bc5e792/attachment-0001.html>
Possibly Parallel Threads
- [Bug 87552] New: [NV1A] 3.18.1 BUG on modprobe nouveau in drivers/gpu/drm/nouveau/core/core/event.c:42
- [Bug 87576] New: Null dereference in npramin_finit
- [Bug 87641] New: Oops in 3.19.0-rc1 - nv40 and older - patch included
- [PATCH] drm/nouveau/fb: use correct ram oclass for nv1a hardware
- [Bug 99499] [REGRESSION, bisected] KMS hard-freezes around fbcon initialization on NV1A