Kernel NULL pointer dereference when hotplugging HDMI
A kernel NULL pointer dereference occurs when hotplugging a passive DisplayPort adapter attached to an HDMI plug, with the other end already connected to a screen. The machine has a DisplayPort port on the docking station (with a PS8121E level shifter between the chipset and the port).
After it happens, i915 is no longer usable (frozen screen) and cannot be unloaded, though the machine is responsive over a serial console.
- Machine: Lenovo ThinkPad X200 Tablet
- Chipset: Cantiga (GM45)
- Linux kernel: 6.6.8, 6.7.6, 6.7.9
BUG: kernel NULL pointer dereference, address: 000000000000000a
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 27 Comm: kworker/1:0 Tainted: G I 6.7.9-arch1-1 #1 ad54415bbff2f0801422a3b76df850f68e71ecab
Hardware name: LENOVO 7453WQM/7453WQM, BIOS CBET4000 dfe6c8e 09/07/2016
Workqueue: i915-unordered i915_hotplug_work_func [i915]
RIP: 0010:intel_bios_encoder_supports_dp_dual_mode+0x9/0x60 [i915]
Code: 01 00 00 00 5b 5d 41 5c 41 5d c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 <0f> b7 57 0a 31 c0 89 d1 f7 d1 83 e1 14 74 05 c3 cc cc cc cc 80 e6
RSP: 0018:ffffaa3a400f3ca8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff998387e50000 RCX: 0000000000000001
RDX: fffffffffffffffa RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffffb785afa0 R09: 000000000000000a
R10: 0000000000000000 R11: 203a444920494d44 R12: ffff998387e57000
R13: ffff99838a578000 R14: ffff99838a578000 R15: ffff998387e57000
FS: 0000000000000000(0000) GS:ffff9984a6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000a CR3: 0000000102b80000 CR4: 00000000000406f0
Call Trace:
<TASK>
? __die+0x23/0x70
? page_fault_oops+0x171/0x4e0
? exc_page_fault+0x7f/0x180
? asm_exc_page_fault+0x26/0x30
? intel_bios_encoder_supports_dp_dual_mode+0x9/0x60 [i915 28cfaf79ca322c7cd4b6fe4c8622bd762d7b83c9]
intel_hdmi_set_edid+0x26d/0x2a0 [i915 28cfaf79ca322c7cd4b6fe4c8622bd762d7b83c9]
intel_hdmi_detect+0xd6/0x170 [i915 28cfaf79ca322c7cd4b6fe4c8622bd762d7b83c9]
drm_helper_probe_detect_ctx+0x9d/0x110
intel_hotplug_detect_connector+0x43/0x110 [i915 28cfaf79ca322c7cd4b6fe4c8622bd762d7b83c9]
intel_hdmi_hotplug+0x12/0x30 [i915 28cfaf79ca322c7cd4b6fe4c8622bd762d7b83c9]
i915_hotplug_work_func+0x280/0x390 [i915 28cfaf79ca322c7cd4b6fe4c8622bd762d7b83c9]
process_one_work+0x17b/0x350
worker_thread+0x30f/0x450
? __pfx_worker_thread+0x10/0x10
kthread+0xe8/0x120
? __pfx_kthread+0x10/0x10
ret_from_fork+0x34/0x50
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1b/0x30
</TASK>
Modules linked in: ccm joydev serport uvcvideo ath9k ath9k_common videobuf2_vmalloc uvc videobuf2_memops ath9k_hw videobuf2_v4l2 videodev iTCO_wdt videobuf2_common intel_pmc_bxt ath mc mousedev iTCO_vendor_support mac80211 sha512_ssse3 sha1_ssse3 snd_hda_codec_conexant snd_hda_codec_generic snd_hda_intel ext4 snd_intel_dspcfg libarc4 snd_intel_sdw_acpi psmouse snd_hda_codec snd_hda_core acpi_cpufreq cfg80211 e1000e thinkpad_acpi i2c_i801 snd_hwdep crc16 i2c_smbus mbcache ledtrig_audio jbd2 snd_pcm lpc_ich ptp platform_profile pps_core intel_agp rfkill mac_hid snd_seq_dummy pkcs8_key_parser snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device snd_timer snd soundcore cuse kvm_intel kvm irqbypass ledtrig_timer wacom_w8001 i2c_dev auth_rpcgss sg crypto_user fuse loop dm_mod sunrpc nfnetlink ip_tables x_tables i915 i2c_algo_bit serio_raw drm_buddy sdhci_pci atkbd ttm cqhci libps2 intel_gtt sdhci coretemp vivaldi_fmap sha256_ssse3 drm_display_helper btrfs mmc_core i8042 cec blake2b_generic libcrc32c serio
crc32c_generic video wmi xor raid6_pq
CR2: 000000000000000a
---[ end trace 0000000000000000 ]---
RIP: 0010:intel_bios_encoder_supports_dp_dual_mode+0x9/0x60 [i915]
Code: 01 00 00 00 5b 5d 41 5c 41 5d c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 <0f> b7 57 0a 31 c0 89 d1 f7 d1 83 e1 14 74 05 c3 cc cc cc cc 80 e6
RSP: 0018:ffffaa3a400f3ca8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff998387e50000 RCX: 0000000000000001
RDX: fffffffffffffffa RSI: 0000000000000001 RDI: 0000000000000000
RBP: 0000000000000001 R08: ffffffffb785afa0 R09: 000000000000000a
R10: 0000000000000000 R11: 203a444920494d44 R12: ffff998387e57000
R13: ffff99838a578000 R14: ffff99838a578000 R15: ffff998387e57000
FS: 0000000000000000(0000) GS:ffff9984a6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000000a CR3: 0000000102b80000 CR4: 00000000000406f0
note: kworker/1:0[27] exited with irqs disabled
Edited by Swift Geek (Sebastian Grzywna)
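A reading of the oops above, as an added example that is not part of the original report or the i915 code: the marked bytes `<0f> b7 57 0a` are a 16-bit load from offset 0xa off RDI, and RDI (the first argument register in the x86-64 calling convention) is zero, which gives the CR2 value of 0xa. The helper names `decode_mem_operand` and `triage` are hypothetical, and the decoder covers only non-REX `mov`/`movzx` loads with a plain base register.

```python
import re

# Excerpt of the oops on this page; the Code: line is shortened to the
# bytes around the faulting instruction.
OOPS = """\
BUG: kernel NULL pointer dereference, address: 000000000000000a
RIP: 0010:intel_bios_encoder_supports_dp_dual_mode+0x9/0x60 [i915]
Code: 0f 1f 44 00 00 <0f> b7 57 0a 31 c0 89 d1 f7 d1
RAX: 0000000000000000 RBX: ffff998387e50000 RCX: 0000000000000001
RDX: fffffffffffffffa RSI: 0000000000000001 RDI: 0000000000000000
CR2: 000000000000000a CR3: 0000000102b80000 CR4: 00000000000406f0
"""

GPR = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]  # ModRM rm order, no REX

def decode_mem_operand(insn):
    """Return (base_register, displacement) for a simple ModRM load, else None."""
    if insn[:2] in (b"\x0f\xb6", b"\x0f\xb7"):    # movzx r32, r/m8 or r/m16
        pos = 2
    elif insn[:1] == b"\x8b":                     # mov r32, r/m32
        pos = 1
    else:
        return None
    mod, rm = insn[pos] >> 6, insn[pos] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None                               # register, SIB or RIP-relative operand
    size = {0: 0, 1: 1, 2: 4}[mod]                # displacement width in bytes
    disp = int.from_bytes(insn[pos + 1:pos + 1 + size], "little", signed=True)
    return GPR[rm], disp

def triage(oops):
    """Tie the faulting instruction to the register dump and CR2."""
    regs = {k: int(v, 16) for k, v in
            re.findall(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b", oops)}
    symbol, offset = re.search(r"RIP: \w+:(\w+)\+(0x[0-9a-f]+)/", oops).groups()
    code = re.search(r"Code: (.*)", oops).group(1)
    # The byte in <> is the first byte of the instruction at RIP.
    insn = bytes.fromhex(code.split("<")[1].replace(">", ""))
    operand = decode_mem_operand(insn)
    if operand is None:
        return None
    base, disp = operand
    effective = (regs[base] + disp) & (2**64 - 1)
    return {"function": symbol, "offset": int(offset, 16), "base": base,
            "disp": disp, "null_base": regs[base] == 0,
            "address_matches_cr2": effective == regs["CR2"]}

if __name__ == "__main__":
    print(triage(OOPS))
```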