Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1527936 - xorg-x11-drv-nouveau: kernel NULL pointer dereference
Summary: xorg-x11-drv-nouveau: kernel NULL pointer dereference
Keywords:
Status: CLOSED DUPLICATE of bug 1513150
Alias: None
Product: Fedora
Classification: Fedora
Component: xorg-x11-drv-nouveau
Version: 27
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Ben Skeggs
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-12-20 14:01 UTC by Wolfgang Denk
Modified: 2018-01-06 15:30 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-06 15:30:37 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
dmesg output (100.18 KB, text/plain)
2017-12-20 14:01 UTC, Wolfgang Denk 		no flags Details
View All

Description Wolfgang Denk 2017-12-20 14:01:22 UTC 
Created attachment 1370473 [details]
dmesg output

Description of problem:

Nouveau driver crashes with kernel NULL pointer dereference

Version-Release number of selected component (if applicable):

xorg-x11-drv-nouveau-1.0.15-3.fc27.x86_64


How reproducible:

Always.

Steps to Reproduce:
1. Boot the system.
2.
3.

Actual results:

...
[    3.896794] fb: switching to nouveaufb from EFI VGA
[    3.897259] Console: switching to colour dummy device 80x25
[    3.897384] nouveau 0000:42:00.0: NVIDIA GF119 (0d93d0a1)
[    4.058672] nouveau 0000:42:00.0: bios: version 75.19.9d.00.01
[    4.059245] nouveau 0000:42:00.0: fb: 1024 MiB DDR3
[    4.059849]  nvme0n1: p1 p2 p3 p4
[    4.059980]  nvme1n1: p1 p2 p3 p4
[    4.068643] pps pps0: new PPS source ptp0
[    4.068650] igb 0000:05:00.0: added PHC on eth0
[    4.068652] igb 0000:05:00.0: Intel(R) Gigabit Ethernet Network Connection
[    4.068656] igb 0000:05:00.0: eth0: (PCIe:2.5Gb/s:Width x1) 10:7b:44:93:ab:ba
[    4.068659] igb 0000:05:00.0: eth0: PBA No: FFFFFF-0FF
[    4.068661] igb 0000:05:00.0: Using MSI-X interrupts. 2 rx queue(s), 2 tx queue(s)
[    4.069583] igb 0000:05:00.0 enp5s0: renamed from eth0
[    4.085787] md/raid10:md4: active with 2 out of 2 devices
[    4.088040] md4: detected capacity change from 0 to 462391607296
[    4.099914] md/raid1:md2: active with 2 out of 2 mirrors
[    4.099933] md2: detected capacity change from 0 to 2147418112
[    4.723637] [TTM] Zone  kernel: Available graphics memory: 16431466 kiB
[    4.723642] [TTM] Zone   dma32: Available graphics memory: 2097152 kiB
[    4.723644] [TTM] Initializing pool allocator
[    4.723648] [TTM] Initializing DMA pool allocator
[    4.723666] nouveau 0000:42:00.0: DRM: VRAM: 1024 MiB
[    4.723668] nouveau 0000:42:00.0: DRM: GART: 1048576 MiB
[    4.723672] nouveau 0000:42:00.0: DRM: TMDS table version 2.0
[    4.723673] nouveau 0000:42:00.0: DRM: DCB version 4.0
[    4.723675] nouveau 0000:42:00.0: DRM: DCB outp 00: 028003a6 0f220010
[    4.723677] nouveau 0000:42:00.0: DRM: DCB outp 01: 02000362 00020010
[    4.723679] nouveau 0000:42:00.0: DRM: DCB outp 02: 048113b6 0f220010
[    4.723680] nouveau 0000:42:00.0: DRM: DCB outp 03: 04011372 00020010
[    4.723682] nouveau 0000:42:00.0: DRM: DCB conn 00: 00410146
[    4.723683] nouveau 0000:42:00.0: DRM: DCB conn 01: 00820246
[    4.746499] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
[    4.746501] [drm] Driver supports precise vblank timestamp query.
[    4.828956] nouveau 0000:42:00.0: DRM: MM: using COPY0 for buffer copies
[    4.915843] nouveau 0000:42:00.0: DRM: allocated 2560x1440 fb: 0x60000, bo ffff97b0fe775800
[    4.918324] fbcon: nouveaufb (fb0) is primary device
[    4.991670] BUG: unable to handle kernel NULL pointer dereference at           (null)
[    4.991672] IP:           (null)
[    4.991673] PGD 0 P4D 0 
[    4.991675] Oops: 0010 [#1] SMP
[    4.991676] Modules linked in: raid1 raid10 nouveau(+) video mxm_wmi drm_kms_helper igb ttm ptp drm nvme pps_core crc32c_intel nvme_core dca i2c_algo_bit wmi
[    4.991685] CPU: 16 PID: 325 Comm: kworker/u256:9 Tainted: G        W       4.14.6-300.fc27.x86_64 #1
[    4.991686] Hardware name: System manufacturer System Product Name/ROG STRIX X399-E GAMING, BIOS 0305 08/21/2017
[    4.991721] Workqueue: nvkm-disp gf119_disp_super [nouveau]
[    4.991722] task: ffff97b0fe620000 task.stack: ffffb4144688c000
[    4.991723] RIP: 0010:          (null)
[    4.991724] RSP: 0018:ffffb4144688fc38 EFLAGS: 00010206
[    4.991724] RAX: ffffffffc03da400 RBX: 0000000000000000 RCX: 0000000000000016
[    4.991725] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff97b0fa8fb960
[    4.991725] RBP: ffffb4144688fcc0 R08: 0000000000000000 R09: 0000000000000000
[    4.991725] R10: 0000000000000000 R11: 0000000000001000 R12: 0000000000000000
[    4.991726] R13: 0000000000000000 R14: ffff97b0fdd1fe00 R15: ffffb4144688fd60
[    4.991726] FS:  0000000000000000(0000) GS:ffff97b10ce00000(0000) knlGS:0000000000000000
[    4.991727] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    4.991728] CR2: 0000000000000000 CR3: 00000007fed74000 CR4: 00000000003406e0
[    4.991728] Call Trace:
[    4.991758]  ? nvkm_dp_train_drive+0x183/0x2c0 [nouveau]
[    4.991783]  nvkm_dp_acquire+0x4f3/0xcd0 [nouveau]
[    4.991810]  nv50_disp_super_2_2+0x5d/0x470 [nouveau]
[    4.991835]  ? nvkm_devinit_pll_set+0xf/0x20 [nouveau]
[    4.991860]  gf119_disp_super+0x19c/0x2f0 [nouveau]
[    4.991863]  process_one_work+0x193/0x3c0
[    4.991864]  worker_thread+0x35/0x3b0
[    4.991866]  kthread+0x125/0x140
[    4.991867]  ? process_one_work+0x3c0/0x3c0
[    4.991867]  ? kthread_park+0x60/0x60
[    4.991870]  ret_from_fork+0x25/0x30
[    4.991871] Code:  Bad RIP value.
[    4.991875] RIP:           (null) RSP: ffffb4144688fc38
[    4.991875] CR2: 0000000000000000
[    4.991876] ---[ end trace 34a340e164e591ab ]---
[    6.962340] nouveau 0000:42:00.0: DRM: EVO timeout
[    8.962369] nouveau 0000:42:00.0: DRM: base-0: timeout
[   10.963169] nouveau 0000:42:00.0: DRM: base-0: timeout
[   10.963901] Console: switching to colour frame buffer device 320x90
[   12.963955] nouveau 0000:42:00.0: DRM: base-0: timeout
[   15.011145] nouveau 0000:42:00.0: DRM: base-0: timeout
[   15.018479] nouveau 0000:42:00.0: fb0: nouveaufb frame buffer device
[   15.024102] [drm] Initialized nouveau 1.3.1 20120801 for 0000:42:00.0 on minor 0
[   17.021669] nouveau 0000:42:00.0: DRM: base-0: timeout

No working display then.

Adding "nomodeset" to the kernel command line prevents this problem, but display works only with 800x600 resolution.


Expected results:
No NULL pointer dereferences.

Additional info:
Base Board Information
        Manufacturer: ASUSTeK COMPUTER INC.
        Product Name: ROG STRIX X399-E GAMING
        Version: Rev 1.xx

Graphics card:
42:00.0 VGA compatible controller: NVIDIA Corporation GF119 [NVS 310] (rev a1) (prog-if 00 [VGA controller])
        Subsystem: NVIDIA Corporation Device 1154
        Flags: bus master, fast devsel, latency 0, IRQ 71
        Memory at ec000000 (32-bit, non-prefetchable) [size=16M]
        Memory at e0000000 (64-bit, prefetchable) [size=128M]
        Memory at e8000000 (64-bit, prefetchable) [size=32M]
        I/O ports at e000 [size=128]
        Expansion ROM at 000c0000 [disabled] [size=128K]
        Capabilities: [60] Power Management version 3
        Capabilities: [68] MSI: Enable+ Count=1/1 Maskable- 64bit+
        Capabilities: [78] Express Endpoint, MSI 00
        Capabilities: [b4] Vendor Specific Information: Len=14 <?>
        Capabilities: [100] Virtual Channel
        Capabilities: [128] Power Budgeting <?>
        Capabilities: [600] Vendor Specific Information: ID=0001 Rev=1 Len=024 <?>
        Kernel driver in use: nouveau
        Kernel modules: nouveau
Comment 1 Wolfgang Denk 2017-12-30 16:52:56 UTC 
The same problem happens on another system with a different mainboard and a slightly different graphics card:

Mainboard:
Base Board Information
        Manufacturer: MSI
        Product Name: X99A SLI PLUS(MS-7885)
        Version: 1.0

Graphics card:
03:00.0 VGA compatible controller: NVIDIA Corporation GF119 [NVS 315] (rev a1) (prog-if 00 [VGA controller])
        Subsystem: Hewlett-Packard Company Device 102f
        Physical Slot: 4
        Flags: bus master, fast devsel, latency 0, IRQ 11, NUMA node 0
        Memory at fa000000 (32-bit, non-prefetchable) [size=16M]
        Memory at f0000000 (64-bit, prefetchable) [size=128M]
        Memory at f8000000 (64-bit, prefetchable) [size=32M]
        I/O ports at e000 [size=128]
        Expansion ROM at 000c0000 [disabled] [size=128K]
        Capabilities: [60] Power Management version 3
        Capabilities: [68] MSI: Enable- Count=1/1 Maskable- 64bit+
        Capabilities: [78] Express Endpoint, MSI 00
        Capabilities: [b4] Vendor Specific Information: Len=14 <?>
        Capabilities: [100] Virtual Channel
        Capabilities: [128] Power Budgeting <?>
        Capabilities: [600] Vendor Specific Information: ID=0001 Rev=1 Len=024 <?>
        Kernel modules: nouveau
Comment 2 Wolfgang Denk 2017-12-30 16:56:23 UTC 
Can someone with edit permissions please set the severity to "urgent" ?
We have a number of machines with similar consifurations.

apparently this is a problem with later kernel versions - with older Fedora 26 kernels they work fine, but with recent Fedora 26 kernel the same problem appears as with Fedora 27, which means no current Fedora kernel works on these systems.

Running with "nomodeset" and lowest resolution on a 4k monitor is not really an acceptable workaround.

thanks!!
Comment 3 Laura Abbott 2018-01-02 17:29:41 UTC 
Moving this to the graphics team for appropriate tracking
Comment 4 Rob Clark 2018-01-06 15:30:37 UTC 
kernel nouveau bug.. I think I have a patch.  Dup of bz 1513150 so lets track there.

fwiw, upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=103421

*** This bug has been marked as a duplicate of bug 1513150 ***
Note You need to log in before you can comment on or make changes to this bug.