Nouveau failing during probe followed by GPF on 3.13-rc2
Ilia Mirkin
imirkin at alum.mit.edu
Wed Dec 4 12:37:54 PST 2013
On Wed, Dec 4, 2013 at 6:15 AM, Ilia Mirkin <imirkin at alum.mit.edu> wrote:
> On Wed, Dec 4, 2013 at 6:01 AM, Bruno Prémont <bonbons at linux-vserver.org> wrote:
>> [ 657.800140] nouveau E[ DRM] failed to create 0x80000080, -22
>> [ 657.802123] general protection fault: 0000 [#1] SMP
>> [ 657.802130] Modules linked in: nouveau(+) ttm drm_kms_helper
>> [ 657.802140] CPU: 0 PID: 2999 Comm: modprobe Not tainted 3.13.0-rc2-air+ #5
>> [ 657.802144] Hardware name: Apple Inc. MacBookAir2,1/Mac-F42D88C8, BIOS MBA21.88Z.0075.B03.0811141325 11/14/08
>> [ 657.802150] task: ffff88007f161520 ti: ffff88007defe000 task.ti: ffff88007defe000
>> [ 657.802154] RIP: 0010:[<ffffffff813d2af0>] [<ffffffff813d2af0>] device_del+0x10/0x1b0
>> [ 657.802165] RSP: 0018:ffff88007deff9f8 EFLAGS: 00010292
>> [ 657.802168] RAX: 0000000000000000 RBX: 6b6b6b6b6b6b6b6b RCX: ffffffff81a6f237
>> [ 657.802173] RDX: ffffffff81876dea RSI: ffffffff81a6e811 RDI: 6b6b6b6b6b6b6b6b
>> [ 657.802177] RBP: ffff88007deffa18 R08: 000000006b6b6b6b R09: 0000000000000000
>> [ 657.802181] R10: ffff880078801d00 R11: 000000000000002e R12: 6b6b6b6b6b6b6b6b
>> [ 657.802185] R13: ffff88007f5720f8 R14: ffffffffa010e7a0 R15: 00000000ffffffea
>> [ 657.802189] FS: 00007f3c23d75700(0000) GS:ffff88007b000000(0000) knlGS:0000000000000000
>> [ 657.802194] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
>> [ 657.802198] CR2: 00007f27436e40f0 CR3: 000000007db4e000 CR4: 00000000000007f0
>> [ 657.802201] Stack:
>> [ 657.802204] ffffffff8134fd0b 6b6b6b6b6b6b6b6b ffff88007f572060 ffff88007f5720f8
>> [ 657.802211] ffff88007deffa38 ffffffff813d2ca1 ffff88007d938058 ffff88007da01ca8
>> [ 657.802217] ffff88007deffa58 ffffffff813bdd6a ffff88007f572060 ffff88007da01ca8
>> [ 657.802224] Call Trace:
>> [ 657.802231] [<ffffffff8134fd0b>] ? acpi_pci_irq_disable+0x3c/0x49
>> [ 657.802237] [<ffffffff813d2ca1>] device_unregister+0x11/0x20
>> [ 657.802243] [<ffffffff813bdd6a>] drm_sysfs_device_remove+0x1a/0x30
>> [ 657.802249] [<ffffffff813b9dbd>] drm_unplug_minor+0x1d/0x40
>> [ 657.802255] [<ffffffff813ba0cd>] drm_put_minor+0x3d/0x50
>> [ 657.802260] [<ffffffff813ba0f8>] drm_dev_free+0x18/0x80
>> [ 657.802265] [<ffffffff813bc67f>] drm_get_pci_dev+0xaf/0x150
>> [ 657.802272] [<ffffffff8131d8ce>] ? pcibios_set_master+0x5e/0x90
>> [ 657.802315] [<ffffffffa00a7eba>] nouveau_drm_probe+0x24a/0x290 [nouveau]
>> [ 657.802321] [<ffffffff8131f36c>] pci_device_probe+0x9c/0xf0
>> [ 657.802328] [<ffffffff813d6046>] driver_probe_device+0x76/0x240
>> [ 657.802333] [<ffffffff813d62ab>] __driver_attach+0x9b/0xa0
>> [ 657.802339] [<ffffffff813d6210>] ? driver_probe_device+0x240/0x240
>> [ 657.802345] [<ffffffff813d43b5>] bus_for_each_dev+0x55/0x90
>> [ 657.802350] [<ffffffff813d5b79>] driver_attach+0x19/0x20
>> [ 657.802355] [<ffffffff813d577c>] bus_add_driver+0x10c/0x210
>> [ 657.802360] [<ffffffffa0133000>] ? 0xffffffffa0132fff
>> [ 657.802365] [<ffffffff813d692f>] driver_register+0x5f/0xf0
>> [ 657.802370] [<ffffffffa0133000>] ? 0xffffffffa0132fff
>> [ 657.802375] [<ffffffff8131e697>] __pci_register_driver+0x47/0x50
>> [ 657.802381] [<ffffffff813bc835>] drm_pci_init+0x115/0x130
>> [ 657.802386] [<ffffffffa0133000>] ? 0xffffffffa0132fff
>> [ 657.802390] [<ffffffffa0133000>] ? 0xffffffffa0132fff
>> [ 657.802414] [<ffffffffa0133043>] nouveau_drm_init+0x43/0x1000 [nouveau]
>> [ 657.802422] [<ffffffff8100034a>] do_one_initcall+0x11a/0x170
>> [ 657.802429] [<ffffffff81071e33>] ? set_memory_nx+0x43/0x50
>> [ 657.802435] [<ffffffff8113a132>] ? __vunmap+0xb2/0x100
>> [ 657.802441] [<ffffffff810eeb26>] load_module+0x1966/0x21b0
>> [ 657.802446] [<ffffffff810ec070>] ? show_initstate+0x50/0x50
>> [ 657.802453] [<ffffffff8115bc94>] ? vfs_read+0x114/0x160
>> [ 657.802458] [<ffffffff810ef4a6>] SyS_finit_module+0x86/0x90
>> [ 657.802465] [<ffffffff817235e2>] system_call_fastpath+0x16/0x1b
>> [ 657.802469] Code: 74 24 18 48 89 df e8 90 ff ff ff 48 8b 5d e8 4c 8b 65 f0 4c 8b 6d f8 c9 c3 66 90 55 48 89 e5 41 55 41 54 49 89 fc 53 48 83 ec 08 <48> 8b 87 88 00 00 00 4c 8b 2f 48 85 c0 74 1b 48 8b b8 90 00 00
>> [ 657.802514] RIP [<ffffffff813d2af0>] device_del+0x10/0x1b0
>> [ 657.802520] RSP <ffff88007deff9f8>
>> [ 657.802524] ---[ end trace 11e780c61d88afaf ]---
>>
>> I'm booting with efi stub and SYSFB=y, FB_SIMPLE=y, DRM_NOUVEAU=m
>> Same config did boot properly with 3.12. Above output contains complete
>> output from the time of calling modprobe nouveau.
>
> Hrm.... that is a separate bug that we should probably figure out.
> Looks like some use-after-free when nouveau fails to come up (note the
> poison 0x6b values in various registers). But the above patch will
> hopefully prevent that situation.
OK, so it looks like here's what happens:
nouveau_drm_probe -> drm_get_pci_dev -> drm_dev_register -> nouveau_drm_load
The load fails. In its cleanup path, drm_dev_register cleans up
dev->primary/render/control and propagates the error. Reasonable
enough.
drm_get_pci_dev, in turn, calls drm_dev_free. The first thing that
does is... clean up dev->primary/render/control. So that's the most
likely source of the double-free.
I'm not sufficiently familiar with the drm internals to know which
function shouldn't be cleaning up what, but it definitely seems like a
problem. Dave, I leave this in your capable hands :)
-ilia
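The double cleanup described in the message above, reduced to a toy model. This is an added example, not kernel or DRM code: the `toy_*` names, the three-minor layout and the load callbacks are assumptions standing in for `drm_dev_register`, `drm_dev_free` and `nouveau_drm_load`. The first cleanup pass runs inside the register step when the load callback fails; the second runs from the free path that the caller enters on error. Whether the second pass is harmless depends entirely on whether the first pass cleared the owning pointers, which is the idempotent-release variant shown here (the alternative, deciding which of the two functions owns the cleanup, is the question the message leaves open).

```c
#include <stdlib.h>
#include <string.h>

#define TOY_EINVAL 22     /* matches the -22 in the "failed to create" line */
#define TOY_POISON 0x6b   /* same byte as the slab poison visible in the trace */

struct toy_minor {
    int index;
    int released;   /* set once released; the rest of the object is poisoned */
};

struct toy_dev {
    struct toy_minor *primary, *render, *control;  /* owning slots */
    struct toy_minor *owned[3];                    /* for teardown only */
    int double_releases;   /* releases of a minor that was already released */
};

/* Hypothetical load callbacks standing in for nouveau_drm_load(). */
static int toy_load_ok(struct toy_dev *dev)   { (void)dev; return 0; }
static int toy_load_fail(struct toy_dev *dev) { (void)dev; return -TOY_EINVAL; }

static struct toy_minor *toy_minor_alloc(struct toy_dev *dev, int index)
{
    struct toy_minor *m = calloc(1, sizeof(*m));
    if (m) {
        m->index = index;
        dev->owned[index] = m;
    }
    return m;
}

/* Release a minor through its owning slot. With idempotent != 0 the slot is
 * cleared so a repeated release finds nothing to do; otherwise the stale
 * pointer stays behind, which is the situation the GPF above shows. */
static void toy_minor_release(struct toy_dev *dev, struct toy_minor **slot,
                              int idempotent)
{
    struct toy_minor *m = *slot;
    if (!m)
        return;
    if (m->released) {
        dev->double_releases++;   /* a real kernel would touch poisoned memory here */
        return;
    }
    m->index = TOY_POISON;        /* mimic slab poisoning of the freed object */
    m->released = 1;
    if (idempotent)
        *slot = NULL;
}

static void toy_minors_release(struct toy_dev *dev, int idempotent)
{
    toy_minor_release(dev, &dev->primary, idempotent);
    toy_minor_release(dev, &dev->render, idempotent);
    toy_minor_release(dev, &dev->control, idempotent);
}

/* Models drm_dev_register(): allocate minors, run load, clean up on failure. */
static int toy_dev_register(struct toy_dev *dev, int (*load)(struct toy_dev *),
                            int idempotent)
{
    int ret;
    dev->primary = toy_minor_alloc(dev, 0);
    dev->render  = toy_minor_alloc(dev, 1);
    dev->control = toy_minor_alloc(dev, 2);
    ret = load(dev);
    if (ret)
        toy_minors_release(dev, idempotent);  /* first cleanup pass */
    return ret;
}

/* Models drm_get_pci_dev(): on register failure it enters the free path,
 * which starts by releasing the same minors a second time. */
static int toy_get_pci_dev(struct toy_dev *dev, int (*load)(struct toy_dev *),
                           int idempotent)
{
    int ret = toy_dev_register(dev, load, idempotent);
    if (ret)
        toy_minors_release(dev, idempotent);  /* second cleanup pass */
    return ret;
}

static void toy_dev_teardown(struct toy_dev *dev)
{
    for (int i = 0; i < 3; i++)
        free(dev->owned[i]);
    memset(dev, 0, sizeof(*dev));
}

/* Run one probe and report how many minors were released twice. */
static int toy_probe_double_releases(int load_fails, int idempotent)
{
    struct toy_dev dev;
    memset(&dev, 0, sizeof(dev));
    toy_get_pci_dev(&dev, load_fails ? toy_load_fail : toy_load_ok, idempotent);
    int n = dev.double_releases;
    toy_dev_teardown(&dev);
    return n;
}

/* Run one probe and report the status the probe path propagates. */
static int toy_probe_status(int load_fails, int idempotent)
{
    struct toy_dev dev;
    memset(&dev, 0, sizeof(dev));
    int ret = toy_get_pci_dev(&dev, load_fails ? toy_load_fail : toy_load_ok, idempotent);
    toy_dev_teardown(&dev);
    return ret;
}
```

With the stale pointers left in place, a failing load yields three repeated releases, one per minor, and the probe still reports -22; clearing each slot on release brings the count to zero without changing the error that is propagated. A successful load never enters either cleanup pass, so the count is zero in both modes.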