[Bug 30645] Kernel NULL pointer crash when viewing big images in Firefox on Radeon XPress 200M

Wed Oct 13 01:32:52 PDT 2010

https://bugs.freedesktop.org/show_bug.cgi?id=30645

--- Comment #3 from Matthijs Kooijman <matthijs at stdin.nl> 2010-10-13 01:32:52 PDT ---
Thanks for your comments, they allowed me to look around the code a bit and add
some debugging instrumentation. I still don't understand the code or your
comments completely though.

Regarding your comments: How are you so sure the problem occurs because
bo->list.next is NULL? Couldn't it just as well be bo->list.prev, which is also
dereferenced in list_del_init? Also, couldn't it be other values, like bo
itself, or bo->rdev, etc. ?

I've tried to add some debugging output to my kernel to find out what codepaths
are taken exactly and confirm that it is indeed those list pointers causing the
problem. However, I've not been able to reproduce the exact same problem
anymore so far. Out of four tries, I've completely locked up the machine three
times, not allowing me to get at my debug output through SSH. The fourth time
the machine was still responsive, but the crash was different. Instead of a
NULL pointer, it encountered a BUG() in ttm_bo_vm_insert_rb (at ttm_bo.c:1614,
though your line numbers might be slightly different due to my patches).

I'm attaching the dmesg output of this crash, which also includes the patch I
applied at the bottom. Note that the "radeon_ttm_bo_destroy: Calling
list_del_init with bo->list.prev: %p and bo->list.next: %p\n" message is
useless, since I forget to actually pass in those arguments to printk.

I suspect that both of these are symptoms of the same underlying problem,
perhaps this helps to find that problem. If you have thoughts about possible
causes, please think aloud, I might be able to confirm or disprove any
suspicions with some instrumentation.

-- 
Configure bugmail: https://bugs.freedesktop.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.