It's been happening every two days lately, so I've decided to look through the code, and the bug became obvious (though I don't know the proper solution).
The first stack trace shows a warning: WARNING: at /build/buildd/linux-3.5.0/drivers/gpu/drm/i915/i915_gem.c:3052 i915_gem_object_pin+0x15d/0x1b0 [i915]() [...] Call Trace: [<ffffffff81051c1f>] warn_slowpath_common+0x7f/0xc0 [<ffffffff81051c7a>] warn_slowpath_null+0x1a/0x20 [<ffffffffa00a094d>] i915_gem_object_pin+0x15d/0x1b0 [i915] [<ffffffffa00a0a28>] i915_gem_object_pin_to_display_plane+0x88/0x100 [i915] [<ffffffffa00b14c6>] intel_pin_and_fence_fb_obj+0x56/0x120 [i915] [<ffffffffa00b17b3>] intel_gen6_queue_flip+0x43/0x160 [i915] [<ffffffffa00b58a8>] ? intel_crtc_page_flip+0x58/0x330 [i915] [<ffffffffa00b58a8>] ? intel_crtc_page_flip+0x58/0x330 [i915] [<ffffffffa00b59c1>] intel_crtc_page_flip+0x171/0x330 [i915] [<ffffffffa002e559>] drm_mode_page_flip_ioctl+0x229/0x2b0 [drm] [<ffffffffa0028c56>] ? drm_mode_object_find+0x66/0x90 [drm] [<ffffffffa0028b21>] ? drm_crtc_convert_to_umode+0xd1/0x150 [drm] [<ffffffffa001b6d3>] drm_ioctl+0x4d3/0x580 [drm] [<ffffffffa002e330>] ? drm_mode_gamma_get_ioctl+0x120/0x120 [drm] [<ffffffff81193d59>] do_vfs_ioctl+0x99/0x590 [<ffffffff811942e9>] sys_ioctl+0x99/0xa0 [<ffffffff8168bd29>] system_call_fastpath+0x16/0x1b In the i915_gem_object_pin function, we see: if (WARN_ON(obj->pin_count == DRM_I915_GEM_OBJECT_MAX_PIN_COUNT)) return -EBUSY; So, the pin_count did not get incremented because it has reached the maximum. If we go up a few stack frames, to intel_crtc_page_flip, we'll see: crtc->fb = fb; [...] ret = dev_priv->display.queue_flip(dev, crtc, fb, obj); if (ret) goto cleanup_pending; So crtc->fb got set, but the page flip failed. Now, let's look at the second stack trace, with the actual bug: kernel BUG at /build/buildd/linux-3.5.0/drivers/gpu/drm/i915/i915_gem.c:3090! [...] Call Trace: [<ffffffffa00b15cc>] intel_unpin_fb_obj+0x3c/0x40 [i915] [<ffffffffa00b4a6c>] intel_crtc_disable+0x8c/0xb0 [i915] [<ffffffffa007a855>] drm_helper_disable_unused_functions+0x115/0x170 [drm_kms_helper] [<ffffffffa007c182>] drm_crtc_helper_set_config+0x952/0xb10 [drm_kms_helper] [<ffffffff81124726>] ? __generic_file_aio_write+0x236/0x440 [<ffffffff8132e5be>] ? radix_tree_lookup_slot+0xe/0x10 [<ffffffffa002987e>] drm_framebuffer_cleanup+0xfe/0x180 [drm] [<ffffffffa00aeee1>] intel_user_framebuffer_destroy+0x21/0x80 [i915] [<ffffffffa002d2c3>] drm_mode_rmfb+0x103/0x110 [drm] [<ffffffffa001b6d3>] drm_ioctl+0x4d3/0x580 [drm] [<ffffffffa002d1c0>] ? drm_mode_addfb2+0x6c0/0x6c0 [drm] [<ffffffff81181b16>] ? do_sync_write+0xe6/0x120 [<ffffffff811c0bbb>] ? fsnotify+0x24b/0x340 [<ffffffff81193d59>] do_vfs_ioctl+0x99/0x590 [<ffffffff811942e9>] sys_ioctl+0x99/0xa0 [<ffffffff8168bd29>] system_call_fastpath+0x16/0x1b In intel_crtc_disable, we see: if (crtc->fb) { mutex_lock(&dev->struct_mutex); intel_unpin_fb_obj(to_intel_framebuffer(crtc->fb)->obj); mutex_unlock(&dev->struct_mutex); } The condition is true, since crtc->fb got set earlier. So it calls intel_unpin_fb_obj, even though pin_count never got incremented! It will eventually reach 0 and cause the bug in i915_gem_object_unpin: BUG_ON(obj->pin_count == 0); Hope this is useful... -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1100138 Title: Screen turned off and Xorg froze due to an intel video driver bug To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1100138/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs