Radeon atombios power state can cause NULL pointer dereference

Clément Calmels clement.calmels at free.fr
Thu May 23 16:07:43 PDT 2013


Hi,

My Packard Bell Dot M/A laptop (ATI x1200/rs690m) fails during resume:

[   73.033179] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[   73.033184] IP: [<ffffffffa0418dc3>] radeon_pm_resume+0xda/0x137 [radeon]
[   73.033227] PGD 0
[   73.033231] Oops: 0000 [#1] SMP
[   73.033236] CPU 0
[   73.033238] Modules linked in: cryptd aes_x86_64 aes_generic uinput loop snd_hda_codec_realtek arc4 ath9k joydev snd_hda_intel radeon ath9k_common ath9k_hw snd_hda_codec ath ttm snd_hwdep uvcvideo drm_kms_helper mac80211 videodev snd_pcm snd_page_alloc snd_seq snd_seq_device snd_timer drm v4l2_compat_ioctl32 media cfg80211 edac_mce_amd mperf acerhdf acer_wmi snd sp5100_tco sparse_keymap pcspkr edac_core rfkill soundcore i2c_piix4 i2c_algo_bit k8temp psmouse i2c_core evdev serio_raw video wmi shpchp processor ac battery power_supply button ext4 crc16 jbd2 mbcache sg sd_mod crc_t10dif ata_generic ahci libahci pata_atiixp libata ohci_hcd ehci_hcd usbcore scsi_mod thermal thermal_sys r8169 mii usb_common [last unloaded: scsi_wait_scan]
[   73.033304]
[   73.033310] Pid: 154, comm: kworker/u:6 Not tainted 3.2.0-4-amd64 #1 Debian 3.2.41-2+deb7u2 Packard Bell     DOTMA           /SJM11-YK
[   73.033317] RIP: 0010:[<ffffffffa0418dc3>]  [<ffffffffa0418dc3>] radeon_pm_resume+0xda/0x137 [radeon]
[   73.033347] RSP: 0018:ffff880037631db0  EFLAGS: 00010297
[   73.033350] RAX: ffff88006b8fa1d0 RBX: ffff88003715c000 RCX: 0000000000000000
[   73.033354] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003715d3a8
[   73.033358] RBP: ffff88003715d3a8 R08: 0000000000000002 R09: 0000000000000028
[   73.033362] R10: 0000000000001700 R11: 0000000000001700 R12: 0000000000000000
[   73.033366] R13: ffffffff8142db90 R14: ffff88006d733c05 R15: ffff88006b6156d0
[   73.033372] FS:  00007f96cf0ea700(0000) GS:ffff88006fc00000(0000) knlGS:0000000000000000
[   73.033376] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   73.033380] CR2: 0000000000000020 CR3: 0000000001605000 CR4: 00000000000006f0
[   73.033385] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   73.033389] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   73.033394] Process kworker/u:6 (pid: 154, threadinfo ffff880037630000, task ffff8800375415d0)
[   73.033397] Stack:
[   73.033399] ffff88006b737000 ffff88003715c000 ffff88006b737000 ffffffffa03d5a26
[   73.033406]  ffff88006cc57090 0000000000000000 0000000000000000 ffffffff81255b88
[   73.033411]  ffff880037631d2c ffff88006cc57090 ffff88006cc570f0 0000000000000000
[   73.033417] Call Trace:
[   73.033439]  [<ffffffffa03d5a26>] ? radeon_resume_kms+0x82/0x114 [radeon]
[   73.033448]  [<ffffffff81255b88>] ? pm_op+0xa1/0x141
[   73.033455]  [<ffffffff81255f4c>] ? device_resume+0xa2/0xfc
[   73.033461]  [<ffffffff81255fba>] ? async_resume+0x14/0x38
[   73.033469]  [<ffffffff810648cc>] ? async_run_entry_fn+0x96/0x142
[   73.033475]  [<ffffffff8105b22d>] ? process_one_work+0x161/0x264
[   73.033484]  [<ffffffff81059b3e>] ? need_to_create_worker+0x9/0x1c
[   73.033489]  [<ffffffff8105c1ee>] ? worker_thread+0xc2/0x145
[   73.033495]  [<ffffffff8105c12c>] ? manage_workers.isra.25+0x15b/0x15b
[   73.033502] [<ffffffff8105f329>] ? kthread+0x76/0x7e
[   73.033509] [<ffffffff81354b34>] ? kernel_thread_helper+0x4/0x10
[   73.033515] [<ffffffff8105f2b3>] ? kthread_worker_fn+0x139/0x139
[   73.033521] [<ffffffff81354b30>] ? gs_change+0x13/0x13
[   73.033523] Code: 14 00 00 8b 93 38 14 00 00 89 83 14 14 00 00 48 6b c0 30 48 03 83 08 14 00 00 89 93 2c 14 00 00 83 bb 48 14 00 00 01 48 8b 50 08 <8b> 52 20 66 89 93 30 14 00 00 48 8b 40 08 66 8b 40 22 66 89 83
[   73.033565] RIP [<ffffffffa0418dc3>] radeon_pm_resume+0xda/0x137 [radeon]
[   73.033593]  RSP <ffff880037631db0>
[   73.033596] CR2: 0000000000000020

Digging a little bit, the issue can be highlighted with this patch:

--- drivers/gpu/drm/radeon/radeon_atombios.c.orig	2013-05-23
21:54:50.514665155 +0200
+++ drivers/gpu/drm/radeon/radeon_atombios.c	2013-05-24
00:20:43.149263167 +0200
@@ -2159,6 +2159,7 @@ static int radeon_atombios_parse_power_t
 	}
 	/* last mode is usually default */
 	if (rdev->pm.default_power_state_index == -1) {
+		WARN_ON(state_index == 0);
 		rdev->pm.power_state[state_index - 1].type =
 			POWER_STATE_TYPE_DEFAULT;
 		rdev->pm.default_power_state_index = state_index - 1;
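Review bot: WARN_ON(state_index == 0) on the added line only reports the condition; the two assignments that follow still execute with state_index - 1 == -1, so power_state[-1].type is written and default_power_state_index is set to -1 again. As a diagnostic this is fine, but for a fix the check should guard the block, for example `if (!WARN_ON(state_index == 0)) { ... }` around both assignments, together with a decision on what the caller should do when no power state was parsed at all.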

In my case, the laptop reports 0 for memory clock for all power states.
At the end of the for loop, state_index still equals 0, leading to a
wrong access in the rdev->pm.power_state array.
When switching memory clock in async mode (instead of sync mode)
within the BIOS, the laptop correctly reports its value (i.e. 333MHz).

Regards,
Clement
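
The failure mode reported above, as an added user-space C example that is not part of the original message and is not the radeon driver's code: a parse loop that stores no state must not fall through to the "last state is default" assignment, and the resume-side reader must refuse an unset default index. All type and function names are hypothetical, the clock tables are constructed, and the rule that zero-clock entries are skipped is an assumption inferred from the report.

```c
#include <stddef.h>

#define MAX_STATES 8

/* Hypothetical, simplified stand-ins for the driver's structures. */
enum state_type { STATE_NONE = 0, STATE_DEFAULT };

struct power_state { unsigned mclk_khz; enum state_type type; };

struct pm_info {
    struct power_state state[MAX_STATES];
    int default_index;              /* -1 until a default state is chosen */
};

/*
 * Copy usable entries from a firmware table into pm->state.
 * Assumption from the report: an entry with memory clock 0 is skipped,
 * so a table of all-zero clocks leaves state_index at 0.
 * Returns the number of states stored, or -1 if none were usable.
 */
int parse_power_states(struct pm_info *pm, const unsigned *mclk_khz, size_t n)
{
    int state_index = 0;

    pm->default_index = -1;
    for (size_t i = 0; i < n && state_index < MAX_STATES; i++) {
        if (mclk_khz[i] == 0)
            continue;               /* unusable entry, nothing stored */
        pm->state[state_index].mclk_khz = mclk_khz[i];
        pm->state[state_index].type = STATE_NONE;
        state_index++;
    }

    /* Guard: without it, state[state_index - 1] below would be state[-1]. */
    if (state_index == 0)
        return -1;

    /* last mode is usually default */
    pm->state[state_index - 1].type = STATE_DEFAULT;
    pm->default_index = state_index - 1;
    return state_index;
}

/* Resume-side reader: refuses to index the array with an unset default. */
int default_mclk_khz(const struct pm_info *pm, unsigned *out)
{
    if (pm->default_index < 0)
        return -1;
    *out = pm->state[pm->default_index].mclk_khz;
    return 0;
}
```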

