Re: REGRESSION: in intel video driver following introduction of mm_struct.has_pinned

From: Peter Xu <peterx@redhat.com>
To: Tony Fischetti <tony.fischetti@gmail.com>
Cc: jani.nikula@linux.intel.com, joonas.lahtinen@linux.intel.com,
	rodrigo.vivi@intel.com, airlied@linux.ie,
	linux-kernel@vger.kernel.org
Subject: Re: REGRESSION: in intel video driver following introduction of mm_struct.has_pinned
Date: Mon, 28 Sep 2020 15:24:30 -0400	[thread overview]
Message-ID: <20200928192430.GD59869@xz-x1> (raw)
In-Reply-To: <CAOMV6SUP1=U3bqO=+f_HrnTYpaLLwvZY4muCdW-ixQU2M10_WQ@mail.gmail.com>

On Mon, Sep 28, 2020 at 02:14:16PM -0400, Tony Fischetti wrote:
> After a length git bisection, I determined the commit that introduced
> a change that ultimately caused a bug/oops null dereference (see below
> for relevant syslog entries) was 008cfe4418b3dbda2ff.. (mm: Introduce
> mm_struct.has_pinned)
> 
> The RIP (according to syslog) occurs in function
> `__get_user_pages_remote` and the last function to call it from the
> i915 code is `gem_userptr_get_pages_worker`
> More specifically, it appears to be the call to
> `pin_user_pages_remote` in `gem_userptr_get_pages_worker` in
> drivers/gpu/drm/i915/gem/i915_gem_userptr.c that directly leads to the
> oops.
> 
> Unfortunately, I don't know enough to try to fix and share the fix
> myself, but I hope the information I provided is helpful. Please let
> me know if there is any further information I can provide that might
> be of use.
> 
> BUG: kernel NULL pointer dereference, address: 0000000000000054
> #PF: supervisor write access in kernel mode
> #PF: error_code(0x0002) - not-present page
> Oops: 0002 [#1] PREEMPT SMP NOPTI
> CPU: 8 PID: 497 Comm: kworker/u25:0 Not tainted
> 5.9.0-rc7-alice-investigate-3+ #2
> Hardware name: LENOVO 10ST001QUS/312A, BIOS M1UKT4BA 11/11/2019
> Workqueue: i915-userptr-acquire __i915_gem_userptr_get_pages_worker [i915]
> RIP: 0010:__get_user_pages_remote+0xa0/0x2d0
> Code: 85 e7 01 00 00 83 3b 01 0f 85 e0 01 00 00 f7 c1 00 00 04 00 0f
> 84 12 01 00 00 65 48 8b 04 25 00 6d 01 00 48 8b 80 58 03 00 00 <c7> 40
> 54 01 00 00 00 c6 04 24 00 4d 8d 6f 68 48 c7 44 24 10 00 00
> RSP: 0018:ffffa1a58086bde0 EFLAGS: 00010206
> RAX: 0000000000000000 RBX: ffffa1a58086be64 RCX: 0000000000040001
> RDX: 00000000000007e9 RSI: 00007f532f800000 RDI: ffff92f22d89c480
> RBP: 00007f532f800000 R08: ffff92f23a188000 R09: 0000000000000000
> R10: 0000000000000000 R11: ffffa1a58086bcfd R12: ffff92f23a188000
> R13: ffff92f22d89c480 R14: 0000000000042003 R15: ffff92f22d89c480
> FS:  0000000000000000(0000) GS:ffff92f23e400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000054 CR3: 0000000016c0a002 CR4: 00000000001706e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  __i915_gem_userptr_get_pages_worker+0x1ec/0x392 [i915]
>  process_one_work+0x1c7/0x310
>  worker_thread+0x28/0x3c0
>  ? set_worker_desc+0xb0/0xb0
>  kthread+0x123/0x140
>  ? kthread_use_mm+0xe0/0xe0
>  ret_from_fork+0x1f/0x30
> Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek
> snd_hda_codec_generic ledtrig_audio iwlmvm mac80211 libarc4
> x86_pkg_temp_thermal intel_powerclamp iwlwifi coretemp i915
> crct10dif_pclmul crc32_pclmul crc32c_intel i2c_algo_bit
> ghash_clmulni_intel drm_kms_helper syscopyarea sysfillrect sysimgblt
> fb_sys_fops cec mei_hdcp wmi_bmof snd_hda_intel drm tpm_crb
> snd_intel_dspcfg intel_wmi_thunderbolt snd_hda_codec snd_hwdep
> aesni_intel crypto_simd glue_helper snd_hda_core cfg80211 i2c_i801
> snd_pcm intel_cstate pcspkr snd_timer mei_me i2c_smbus mei i2c_core
> thermal wmi tpm_tis tpm_tis_core tpm rng_core acpi_pad ppdev lp
> ip_tables x_tables
> CR2: 0000000000000054
> ---[ end trace 8d080e8b96289c9e ]---
> 

Hi, Tony,

This is also reported elsewhere and the proper fix should be here:

https://lore.kernel.org/intel-gfx/20200928134915.GA5904@xz-x1

Thanks for the report, and sorry for the trouble!

-- 
Peter Xu