Mobility Radeon X1300 [RV515]: BUG: kernel NULL pointer dereference, address: 00000404, EIP: __ubsan_handle_out_of_bounds+0x30/0x7c (kernel 6.9-rc3)
I get this NULL pointer dereference every time at boot when CONFIG_UBSAN is enabled in kernel .config on my ThinkPad T60 (Mobility Radeon X1300). The stack trace hints at the radeon module:
[...]
[drm] radeon: irq initialized.
[drm] Loading R500 Microcode
[drm] radeon: ring at 0x0000000008001000
[drm] ring test succeeded in 2 usecs
usb 5-2: new full-speed USB device number 2 using uhci_hcd
[drm] ib test succeeded in 0 usecs
BUG: kernel NULL pointer dereference, address: 00000404
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
*pdpt = 0000000003723001 *pde = 0000000000000000
Oops: 0002 [#1] SMP DEBUG_PAGEALLOC PTI
CPU: 1 PID: 187 Comm: (udev-worker) Not tainted 6.9.0-rc3-P3 #1
Hardware name: LENOVO 2007F2G/2007F2G, BIOS 79ETE7WW (2.27 ) 03/21/2011
EIP: __ubsan_handle_out_of_bounds+0x30/0x7c
Code: 83 ec 28 89 c6 64 a1 40 65 02 d4 83 b8 f0 04 00 00 00 75 1e 89 d7 8d 5d cc 89 d8 ba ff 00 00 00 b9 28 00 00 00 e8 3c 9d 31 00 <f0> 0f ba 6e 04 1f 73 0e 83 c4 28 5e 5f 5b 5d 31 c0 31 c9 31 d2 c3
EAX: c351d8b0 EBX: c351d8b0 ECX: 00000000 EDX: 00000000
ESI: 00000400 EDI: 00000010 EBP: c351d8e4 ESP: c351d8b0
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00210246
CR0: 80050033 CR2: 00000404 CR3: 01c44000 CR4: 000006f0
Call Trace:
? show_regs+0x4e/0x5c
? __die_body+0x11/0x4c
? __die+0x21/0x30
? page_fault_oops+0x218/0x244
? kernelmode_fixup_or_oops+0x92/0xa8
? __bad_area_nosemaphore+0x3d/0x1b4
? find_vma+0x17/0x24
? bad_area_nosemaphore+0xd/0x14
? exc_page_fault+0x2b0/0x328
? doublefault_shim+0x10c/0x10c
? handle_exception+0x101/0x101
? evergreen_startup+0x11ec/0x1394 [radeon]
? doublefault_shim+0x10c/0x10c
? __ubsan_handle_out_of_bounds+0x30/0x7c
? evergreen_startup+0x11ec/0x1394 [radeon]
? doublefault_shim+0x10c/0x10c
? __ubsan_handle_out_of_bounds+0x30/0x7c
radeon_get_atom_connector_info_from_supported_devices_table+0x2b8/0x568 [radeon]
radeon_modeset_init+0x404/0xba4 [radeon]
? pci_find_capability+0x3b/0x50
? radeon_driver_load_kms+0xbe/0x184 [radeon]
radeon_driver_load_kms+0xbe/0x184 [radeon]
drm_dev_register+0x132/0x1d8
radeon_pci_probe+0x8f/0xe4 [radeon]
pci_device_probe+0x80/0x100
really_probe+0xad/0x1fc
__driver_probe_device+0x6f/0x15c
? __cond_resched+0x13/0x38
driver_probe_device+0x1a/0x70
__driver_attach+0x7c/0xb8
bus_for_each_dev+0x63/0x8c
driver_attach+0x14/0x20
? driver_attach+0x20/0x20
bus_add_driver+0xdc/0x1cc
driver_register+0x50/0xd0
__pci_register_driver+0x5c/0x68
init_module+0x58/0x1000 [radeon]
do_one_initcall+0xb7/0x288
? alloc_debug_processing+0x38/0x124
? check_bytes_and_report+0x2d/0xf4
? check_bytes_and_report+0x2d/0xf4
? check_object+0x188/0x2b0
? check_object+0x1b7/0x2b0
? init_object+0x69/0xb0
? idr_get_free+0x2f4/0x320
? _raw_spin_unlock_irqrestore+0xb/0x18
? radix_tree_iter_tag_clear+0x18/0x28
? idr_alloc_u32+0x78/0x94
? idr_alloc_cyclic+0x38/0x7c
? __kernfs_new_node+0x117/0x164
? check_object+0x188/0x2b0
? check_bytes_and_report+0x2d/0xf4
? check_object+0x188/0x2b0
? check_object+0x1b7/0x2b0
? init_object+0x69/0xb0
? alloc_debug_processing+0x38/0x124
? _raw_spin_unlock_irqrestore+0xb/0x18
? ___slab_alloc+0x329/0x6b4
? 0xf8051000
do_init_module+0x65/0x1ec
load_module+0xcf1/0xe28
__ia32_sys_finit_module+0x16f/0x20c
? ieee80211_dynamic_ps_enable_work+0x4/0x19c [mac80211]
? ieee80211_dfs_cac_timer_work+0x5b/0x7c [mac80211]
__do_fast_syscall_32+0x9d/0xc4
? __ia32_sys_openat+0x19/0x24
? __do_fast_syscall_32+0xa7/0xc4
? switch_fpu_return+0x45/0x68
? irqentry_exit_to_user_mode+0xd8/0x104
do_fast_syscall_32+0x29/0x54
do_SYSENTER_32+0x12/0x18
entry_SYSENTER_32+0x98/0xf8
EIP: 0xb7f95539
Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 0f 1f 00 58 b8 77 00 00 00 cd 80 90 0f 1f
EAX: ffffffda EBX: 00000025 ECX: b7b8e4ac EDX: 00000000
ESI: 006f3280 EDI: 00000001 EBP: 00000007 ESP: bf8dfe2c
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00200246
Modules linked in: iwl3945 iwlegacy mac80211 radeon(+) libarc4 drm_suballoc_helper uhci_hcd i2c_algo_bit ehci_pci cfg80211 ehci_hcd drm_ttm_helper usbcore acpi_cpufreq ttm usb_common snd_hda_intel yenta_socket thinkpad_acpi drm_display_helper snd_intel_dspcfg pcmcia_core pcmcia_rsrc snd_hda_codec thermal nvram platform_profile ac rfkill snd_hwdep battery snd_hda_core video wmi snd_pcm backlight snd_timer snd button soundcore processor evdev joydev input_leds pkcs8_key_parser coretemp hwmon fuse loop configfs dm_mod
CR2: 0000000000000404
---[ end trace 0000000000000000 ]---
EIP: __ubsan_handle_out_of_bounds+0x30/0x7c
Code: 83 ec 28 89 c6 64 a1 40 65 02 d4 83 b8 f0 04 00 00 00 75 1e 89 d7 8d 5d cc 89 d8 ba ff 00 00 00 b9 28 00 00 00 e8 3c 9d 31 00 <f0> 0f ba 6e 04 1f 73 0e 83 c4 28 5e 5f 5b 5d 31 c0 31 c9 31 d2 c3
EAX: c351d8b0 EBX: c351d8b0 ECX: 00000000 EDX: 00000000
ESI: 00000400 EDI: 00000010 EBP: c351d8e4 ESP: c351d8b0
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00210246
CR0: 80050033 CR2: 00000404 CR3: 01c44000 CR4: 000006f0
The machine boots up and is usable via ssh or VNC but on the screen I only get graphics corruption, no console either. Shown onscreen are fullscreen single colours (white, red, green, blue, grey, dark grey, dark grey to white vertically dithered, dark grey to white horizontally dithered, black) which get displayed about a sec and then cycle around in this order.
Some data about the machine:
# inxi -bz
System:
Kernel: 6.9.0-rc3-P3 arch: i686 bits: 32 Console: pty pts/0 Distro: Gentoo
Base System release 2.14
Machine:
Type: Laptop System: LENOVO product: 2007F2G v: ThinkPad T60
serial: <filter>
Mobo: LENOVO model: 2007F2G serial: <filter> BIOS: LENOVO
v: 79ETE7WW (2.27 ) date: 03/21/2011
Battery:
ID-1: BAT0 charge: 0 Wh (0.0%) condition: 35.7/56.2 Wh (63.6%) volts: 7.4
min: 10.8
CPU:
Info: dual core Intel T2400 [MCP] speed (MHz): avg: 1000 min/max: 1000/1833
Graphics:
Device-1: AMD RV515/M52 [Mobility Radeon X1300] driver: radeon v: kernel
Display: x11 server: X.org v: 1.21.1.11 driver: X: loaded: radeon
unloaded: fbdev,modesetting dri: r300 gpu: radeon
resolution: <missing: xdpyinfo/xrandr> resolution: 1024x768
API: OpenGL v: 4.5 vendor: mesa v: 24.0.4 renderer: llvmpipe (LLVM 17.0.6
128 bits)
Network:
Device-1: Intel 82573L Gigabit Ethernet driver: e1000e
Device-2: Intel PRO/Wireless 3945ABG [Golan] Network driver: iwl3945
Drives:
Local Storage: total: 465.76 GiB used: 10.26 GiB (2.2%)
Info:
Processes: 159 Uptime: 1m Memory: total: 3 GiB available: 2.95 GiB
used: 477.2 MiB (15.8%) igpu: 128 KiB Shell: Bash inxi: 3.3.30
# lscpu
Architecture: i686
CPU op-mode(s): 32-bit
Address sizes: 32 bits physical, 32 bits virtual
Byte Order: Little Endian
CPU(s): 2
On-line CPU(s) list: 0,1
Vendor ID: GenuineIntel
BIOS Vendor ID: GenuineIntel
Model name: Genuine Intel(R) CPU T2400 @ 1.83GHz
BIOS Model name: Genuine Intel(R) CPU CPU @ 1.8GHz
BIOS CPU family: 1
CPU family: 6
Model: 14
Thread(s) per core: 1
Core(s) per socket: 2
Socket(s): 1
Stepping: 8
CPU(s) scaling MHz: 54%
CPU max MHz: 1833,0000
CPU min MHz: 1000,0000
BogoMIPS: 3658,83
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov clflush
dts acpi mmx fxsr sse sse2 ht tm pbe nx constant_tsc arch_perfmon bts
cpuid aperfmperf pni monitor vmx est tm2 xtpr pdcm pti dtherm
Virtualization features:
Virtualization: VT-x
Caches (sum of all):
L1d: 64 KiB (2 instances)
L1i: 64 KiB (2 instances)
L2: 2 MiB (1 instance)
Vulnerabilities:
Gather data sampling: Not affected
Itlb multihit: Processor vulnerable
L1tf: Vulnerable
Mds: Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
Meltdown: Mitigation; PTI
Mmio stale data: Unknown: No mitigations
Reg file data sampling: Not affected
Retbleed: Not affected
Spec rstack overflow: Not affected
Spec store bypass: Not affected
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Retpolines, STIBP disabled, RSB filling, PBRSB-eIBRS Not affected
Srbds: Not affected
Tsx async abort: Not affected
Kernel .config and full dmesg attached.
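
A triage aid for the oops above, added here as an example and not part of the original report: it decodes the marked faulting instruction, checks that its memory operand equals the reported fault address, and picks the first call-trace frame not flagged `?` (the kernel's marker for unreliable stack entries). The instruction decoding is an assumption-limited helper that handles only the one encoding present in this `Code:` line; the function names `faulting_operand` and `triage` are made up for the example.

```python
import re

# Excerpt of the oops above; the Code: line is shortened to the bytes
# around the faulting instruction (marked <..> by the kernel).
OOPS = """\
BUG: kernel NULL pointer dereference, address: 00000404
#PF: supervisor write access in kernel mode
EIP: __ubsan_handle_out_of_bounds+0x30/0x7c
Code: e8 3c 9d 31 00 <f0> 0f ba 6e 04 1f 73 0e 83 c4 28
EAX: c351d8b0 EBX: c351d8b0 ECX: 00000000 EDX: 00000000
ESI: 00000400 EDI: 00000010 EBP: c351d8e4 ESP: c351d8b0
Call Trace:
? exc_page_fault+0x2b0/0x328
? evergreen_startup+0x11ec/0x1394 [radeon]
? __ubsan_handle_out_of_bounds+0x30/0x7c
radeon_get_atom_connector_info_from_supported_devices_table+0x2b8/0x568 [radeon]
radeon_modeset_init+0x404/0xba4 [radeon]
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # ModRM r/m order
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$", re.M)

def faulting_operand(text):
    """Decode only the form seen here: [lock] 0F BA /5 (bts) with [reg+disp8]."""
    m = re.search(r"<([0-9a-f]{2})>((?: [0-9a-f]{2})+)", text)
    code = bytes.fromhex(m.group(1) + m.group(2).replace(" ", ""))
    if code[0] == 0xF0:                      # lock prefix
        code = code[1:]
    mod, reg, rm = code[2] >> 6, (code[2] >> 3) & 7, code[2] & 7
    if code[:2] != b"\x0f\xba" or mod != 1 or reg != 5 or rm == 4:
        raise ValueError("instruction form not handled by this example")
    disp = int.from_bytes(code[3:4], "little", signed=True)
    return REG32[rm], disp, code[4]          # base register, disp8, bit index

def triage(text):
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})\b", text)}
    fault = int(re.search(r"address: ([0-9a-f]+)", text).group(1), 16)
    base, disp, bit = faulting_operand(text)
    trace = text.split("Call Trace:\n", 1)[1]
    reliable = [(fn, mod) for q, fn, mod in FRAME.findall(trace) if not q]
    return {
        "access": re.search(r"#PF: \w+ (\w+) access", text).group(1),
        "operand": f"[{base}+{disp:#x}] bit {bit}",
        "operand_matches_fault": regs[base] + disp == fault,
        "caller": reliable[0][0],
        "module": reliable[0][1],
    }

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

On this excerpt the operand resolves to ESI+4 with ESI = 0x400, which is exactly the reported address 0x404, and the first reliable frame is in the radeon module.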