[next] Null pointer dereference in nouveau_vm_map_sg

Martin Nyhus martin.nyhus at gmx.com
Sun Jan 15 13:31:08 PST 2012 

In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
reproduce, so I can test patches if needed.

	Martin



[  216.546584] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
[  216.546613] IP: [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[  216.546631] PGD 5b155067 PUD 5ab71067 PMD 0 
[  216.546647] Oops: 0000 [#1] SMP 
[  216.546659] CPU 1 
[  216.546664] Modules linked in: tun iwl4965 iwlegacy mac80211 cfg80211 tg3 psmouse rtc_cmos evdev ehci_hcd uhci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
[  216.546721] 
[  216.546727] Pid: 3327, comm: Xorg Not tainted 3.2.0-next-20120113 #56 Dell Inc. XPS M1330                       /0PU073
[  216.546749] RIP: 0010:[<ffffffff814a87ec>]  [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[  216.546770] RSP: 0018:ffff88005b0c9858  EFLAGS: 00010246
[  216.546780] RAX: ffff88005bf84620 RBX: ffff88005ab08d20 RCX: 0000000000000000
[  216.546791] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
[  216.546802] RBP: ffff88005b0c98a8 R08: 0000000000000000 R09: 0000000000000000
[  216.546813] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000004000
[  216.546823] R13: ffff88005bf84dc8 R14: ffff88007838c000 R15: 0000000000000000
[  216.546835] FS:  00007f5f728a8880(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
[  216.546848] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  216.546857] CR2: 00000000000000d0 CR3: 000000006c1bb000 CR4: 00000000000006e0
[  216.546869] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  216.546880] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  216.546892] Process Xorg (pid: 3327, threadinfo ffff88005b0c8000, task ffff8800655da180)
[  216.546904] Stack:
[  216.546909]  ffff88005b0c9960 ffff880037180368 0000000000000000 0000000000000000
[  216.546930]  ffff88005b0c98d8 ffff88005bf84dc8 ffff88005b0c9960 ffff88007838c240
[  216.546949]  ffff88007838c000 0000000000000000 ffff88005b0c98d8 ffffffff81481bdf
[  216.546969] Call Trace:
[  216.546979]  [<ffffffff81481bdf>] nouveau_bo_move_ntfy+0x7f/0xb0
[  216.546991]  [<ffffffff81470614>] ttm_bo_handle_move_mem+0x204/0x3d0
[  216.547003]  [<ffffffff8147099d>] ttm_bo_evict+0x1bd/0x2a0
[  216.547015]  [<ffffffff81460de7>] ? drm_mm_kmalloc+0x37/0xd0
[  216.547027]  [<ffffffff81470bf1>] ttm_mem_evict_first+0x171/0x230
[  216.547039]  [<ffffffff814714ed>] ttm_bo_mem_space+0x30d/0x420
[  216.547056]  [<ffffffff814716e8>] ttm_bo_move_buffer+0xe8/0x160
[  216.547069]  [<ffffffff8108df2b>] ? __lock_release+0x6b/0xe0
[  216.547080]  [<ffffffff81460de7>] ? drm_mm_kmalloc+0x37/0xd0
[  216.547091]  [<ffffffff81471847>] ttm_bo_validate+0xe7/0xf0
[  216.547102]  [<ffffffff81471a24>] ttm_bo_init+0x1d4/0x2a0
[  216.547113]  [<ffffffff81482481>] ? nouveau_bo_new+0x51/0x1c0
[  216.547124]  [<ffffffff8148258c>] nouveau_bo_new+0x15c/0x1c0
[  216.547135]  [<ffffffff81481eb0>] ? nouveau_ttm_tt_create+0x80/0x80
[  216.547148]  [<ffffffff81338bba>] ? avc_has_perm_noaudit+0xfa/0x290
[  216.547160]  [<ffffffff81485cf3>] nouveau_gem_new+0x53/0x120
[  216.548008]  [<ffffffff8108df81>] ? __lock_release+0xc1/0xe0
[  216.548008]  [<ffffffff81112a97>] ? might_fault+0x57/0xb0
[  216.548008]  [<ffffffff81485e29>] nouveau_gem_ioctl_new+0x69/0x170
[  216.548008]  [<ffffffff81112a97>] ? might_fault+0x57/0xb0
[  216.548008]  [<ffffffff814553e4>] drm_ioctl+0x444/0x510
[  216.548008]  [<ffffffff81485dc0>] ? nouveau_gem_new+0x120/0x120
[  216.548008]  [<ffffffff81150b17>] do_vfs_ioctl+0x87/0x330
[  216.548008]  [<ffffffff8133b528>] ? selinux_file_ioctl+0x68/0x140
[  216.548008]  [<ffffffff81150e51>] sys_ioctl+0x91/0xa0
[  216.555939]  [<ffffffff817c1722>] system_call_fastpath+0x16/0x1b
[  216.555939] Code: 48 89 e5 41 57 49 89 cf 41 56 41 55 49 89 fd 41 54 49 89 d4 ba 01 00 00 00 53 41 89 d3 48 83 ec 28 48 8b 47 20 48 8b 5f 18 31 ff <4c> 8b b1 d0 00 00 00 0f b6 48 30 44 8b 48 34 8b 83 20 01 00 00 
[  216.555939] RIP  [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[  216.555939]  RSP <ffff88005b0c9858>
[  216.555939] CR2: 00000000000000d0
[  216.581301] ---[ end trace 0d910003d5fb1cd8 ]---

More information about the dri-devel mailing list