http://bugzilla.kernel.org/show_bug.cgi?id=12899

           Summary: Crash in i915.ko: i915_driver_irq_handler
           Product: Drivers
           Version: 2.5
     KernelVersion: 2.6.29-rc8
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: high
          Priority: P1
         Component: Video(DRI)
        AssignedTo: drivers_video-...@kernel-bugs.osdl.org
        ReportedBy: helge.bahm...@secunet.com


linux-2.6.29-rc8, no kernel modesetting, X server running with legacy DRI

I observe frequent kernel NULL pointer dereferences in i915_driver_irq_handler
while switching from a running X server back into the VGA text console. Machine
locks hard very shortly afterwards, so all backtraces via serial console are
truncated, the last messages are at best:

[drm:gm45_get_vblank_counter] *ERROR* trying to get vblank count for disabled
pipe 0
BUG: unable to handle kernel NULL pointer dereference at 00000084
IP: [<f90b736b>] i915_driver_irq_handler+0x135/0x1b7 [i915]

From the disassembly I guess that the culprit is:

        if (dev->primary->master) {
                master_priv = dev->primary->master->driver_priv;
                if (master_priv->sarea_priv)
                        master_priv->sarea_priv->last_dispatch =
                                READ_BREADCRUMB(dev_priv);    <---- CRASH
        }

and after applying the following small patch:

diff --git a/drivers/gpu/drm/i915/i915_irq.c b/drivers/gpu/drm/i915/i915_irq.c
index 87b6b60..d7fe821 100644
--- a/drivers/gpu/drm/i915/i915_irq.c
+++ b/drivers/gpu/drm/i915/i915_irq.c
@@ -249,7 +249,7 @@ irqreturn_t i915_driver_irq_handler(DRM_IRQ_ARGS)

                if (dev->primary->master) {
                        master_priv = dev->primary->master->driver_priv;
-                       if (master_priv->sarea_priv)
+                       if (master_priv->sarea_priv &&
dev_priv->hw_status_page)
                                master_priv->sarea_priv->last_dispatch =
                                        READ_BREADCRUMB(dev_priv);
                }
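Review bot: the extra `dev_priv->hw_status_page` test on the `+` line is an unlocked check-then-use: nothing in the handler stops the page from being cleared between `if (master_priv->sarea_priv && dev_priv->hw_status_page)` and `READ_BREADCRUMB(dev_priv)`, so the hunk shrinks the window rather than closing it, which matches the reporter's own remark that the patch only hides the problem. The fix belongs on the teardown side: mask the interrupt and synchronize against a running handler before the status page pointer is cleared, or at least read the pointer into a local once and test that local. As pasted, the new condition is also wrapped onto two lines after `&&`, so the hunk will not apply without rejoining it. Separately, the faulting address 00000084 is a small offset from NULL, which fits READ_BREADCRUMB indexing through a NULL hw_status_page base rather than a NULL master or sarea_priv.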


the problem goes away. The patch is most certainly *wrong*, but that it hides
the problem hints that there must somewhere be a race between clearing out
"->hw_status_page" and the interrupt handler. Someone with better understanding
of the driver should have a look.


-- 
Configure bugmail: http://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
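The race the report suspects can be modelled outside the kernel. The following is an added example written for this page, not code from the i915 driver or from the reporter: the struct, function and macro names are hypothetical, and BREADCRUMB_INDEX is assumed to be 0x21 only so that index times four equals the 0x84 fault offset quoted above. Rather than depending on the scheduler, it runs a hook at the exact boundary between the NULL check and the read, which lets the bad interleaving be forced. It shows that the pointer check from the patch still faults when teardown lands in that window, and that ordering teardown behind an IRQ mask plus a wait for any in-flight handler (what synchronize_irq() provides in the kernel) is what actually closes the window.

```c
/*
 * Deterministic model of the race the report suspects: one CPU is in the
 * interrupt handler reading the breadcrumb from the hardware status page
 * while another CPU tears the page down and NULLs the pointer.
 * Added example, not i915 code; all names are hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define HWSP_WORDS       64
#define BREADCRUMB_INDEX 0x21  /* assumption: 0x21 * 4 == the fault offset 0x84 */

struct fake_dev {
    uint32_t backing[HWSP_WORDS];      /* memory behind the status page */
    volatile uint32_t *hw_status_page; /* NULL once torn down */
    int irq_enabled;                   /* teardown clears this first */
    int handler_in_flight;             /* what synchronize_irq() waits on */
    long last_dispatch;                /* stands in for sarea_priv->last_dispatch */
};

/* Code that runs "on another CPU" between the check and the use. */
typedef void (*interleave_fn)(struct fake_dev *);

static void dev_init(struct fake_dev *d, uint32_t breadcrumb)
{
    memset(d, 0, sizeof(*d));
    d->backing[BREADCRUMB_INDEX] = breadcrumb;
    d->hw_status_page = d->backing;
    d->irq_enabled = 1;
}

/* Stand-in for READ_BREADCRUMB(): the kernel would oops here on NULL. */
static long read_breadcrumb(struct fake_dev *d)
{
    volatile uint32_t *hwsp = d->hw_status_page; /* re-read at use time */
    if (!hwsp)
        return -EFAULT;                          /* models the oops at 0x84 */
    return hwsp[BREADCRUMB_INDEX];
}

/* The reporter's workaround: test the pointer, then use it. Returns 0 on
 * success, -ENODEV if the page was already gone (skipped, as intended) and
 * -EFAULT if it vanished between the test and the use. */
static int irq_handler_checked(struct fake_dev *d, interleave_fn other_cpu)
{
    long v;

    if (!d->hw_status_page)
        return -ENODEV;
    if (other_cpu)
        other_cpu(d);                /* teardown lands in the window */
    v = read_breadcrumb(d);
    if (v < 0)
        return (int)v;
    d->last_dispatch = v;
    return 0;
}

/* Unsafe order: drop the page while the interrupt is still live. */
static void teardown_unsafe(struct fake_dev *d)
{
    d->hw_status_page = NULL;
    d->irq_enabled = 0;
}

/* Safe order: mask the interrupt, wait for any running handler, and only
 * then drop the page. The model "waits" by deferring the free. */
static void teardown_safe(struct fake_dev *d)
{
    d->irq_enabled = 0;
    if (d->handler_in_flight)
        return;                      /* a real caller blocks here instead */
    d->hw_status_page = NULL;
}

/* Handler as the safe teardown expects it: never entered once the IRQ is
 * masked, and marked in flight while it runs. */
static int irq_handler_quiesced(struct fake_dev *d, interleave_fn other_cpu)
{
    int ret;

    if (!d->irq_enabled)
        return -ENODEV;
    d->handler_in_flight = 1;
    ret = irq_handler_checked(d, other_cpu);
    d->handler_in_flight = 0;
    return ret;
}

/* Pointer check alone: teardown in the window still yields the fault. */
static int scenario_check_then_use(void)
{
    struct fake_dev d;
    dev_init(&d, 42);
    return irq_handler_checked(&d, teardown_unsafe);
}

/* Quiesced teardown defers, so the handler finishes and records 42. */
static long scenario_quiesce(void)
{
    struct fake_dev d;
    int ret;
    dev_init(&d, 42);
    ret = irq_handler_quiesced(&d, teardown_safe);
    return ret ? ret : d.last_dispatch;
}

/* After a completed safe teardown the handler never touches the page. */
static int scenario_after_quiesce(void)
{
    struct fake_dev d;
    dev_init(&d, 42);
    teardown_safe(&d);               /* nothing in flight: page dropped */
    return irq_handler_quiesced(&d, NULL);
}
```

The three scenario functions are the whole point: the first reproduces the report's failure even with the patched check in place, the second shows the handler completing because teardown backed off while it was in flight, and the third shows that once teardown has completed the handler bails out on the masked-IRQ state without ever looking at the page.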

_______________________________________________
Dri-devel mailing list
Dri-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dri-devel