I met one kernel panic issue in iVGT; it can usually be reproduced easily with multiple VMs.


unable to handle kernel NULL pointer dereference at 00000000000000a0 IP: [<ffffffffa025a52b>] intel_fbdev_restore_mode+0x57/0x73 [i915]


The drm_device->dev_private->fbdev->fb access function runs before its initialization.

Since "intel_fbdev_initial_config" runs in "async_schedule", before the ifbdev->fb initialization one access from drm_release -> drm_lastclose -> i915_driver_lastclose -> intel_fbdev_restore_mode occurred, which then caused the kernel panic.

Do we need to add a NULL pointer check or async_synchronize_cookie() to avoid this issue?

I also found a similar issue in bugs.freedesktop:

https://bugs.freedesktop.org/show_bug.cgi?id=93580


Below is the error log:

d29) init: failsafe main process (1412) killed by TERM signal

(d29) init: bluetooth main process (1574) terminated with status 1

(d29) init: bluetooth main process ended, respawning

(d29) init: bluetooth main process (1642) terminated with status 1

(d29) init: bluetooth main process ended, respawning

(d29) init: bluetooth main process (1689) terminated with status 1

(d29) init: bluetooth respawning too fast, stopped

(d29) e1000: eth3 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX

(d29) [drm] failed to retrieve link info, disabling eDP

(d29) i915 0000:00:02.0: Direct firmware load for i915/skl_guc_ver4.bin failed with e

(d29) rror -2SUBSYSTEM=pciDEVICE=+pci:0000:00:02.0

(d29) [drm:intel_guc_ucode_init [i915]] *ERROR* Failed to fetch GuC firmware from i91

(d29) 5/skl_guc_ver4.bin (error -2)

(d29) [drm] VGT ballooning configuration:

(d29) [drm] Mappable graphic memory: base 0x1e000000 size 131072KiB

(d29) [drm] Unmappable graphic memory: base 0x88000000 size 393216KiB

(d29) [drm] balloon space: range [ 0x40000000 - 0x88000000 ] 1179648 KiB.

(d29) [drm] balloon space: range [ 0xa0000000 - 0xfffff000 ] 1572860 KiB.

(d29) [drm] balloon space: range [ 0x0 - 0x1e000000 ] 491520 KiB.

(d29) [drm] balloon space: range [ 0x26000000 - 0x40000000 ] 425984 KiB.

(d29) [drm] VGT balloon successfully

[ 4506.568318] vGT info:(ring_pp_mode_write:744) EXECLIST enabling on ring 0.

[ 4506.576307] vGT-3: add to render run queue!

[ 4506.582888] vGT info:(ring_pp_mode_write:744) EXECLIST enabling on ring 1.

[ 4506.591714] vGT info:(ring_pp_mode_write:744) EXECLIST enabling on ring 2.

[ 4506.600092] vGT info:(ring_pp_mode_write:744) EXECLIST enabling on ring 3.

[ 4506.608928] vGT info:(ring_pp_mode_write:744) EXECLIST enabling on ring 4.

(d29) [drm:intel_opregion_init [i915]] *ERROR* No ACPI video bus found

(d29) [drm] Initialized i915 1.6.0 20151010 for 0000:00:02.0 on minor 0

(d29) BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0IP: [<

(d29) ffffffffa025a52b>] intel_fbdev_restore_mode+0x57/0x73 [i915]PGD 38a79067 PUD 38

(d29) a78067 PMD 0 Oops: 0000 [#1] SMP Modules linked in: fuse microcode parport_pc i

(d29) 915 drm_kms_helper i2c_algo_bit serio_raw acpi_cpufreq ppdev drm i2c_piix4 lp p

(d29) arport ext4 crc16 jbd2 mbcache e1000 uhci_hcd ata_generic pata_acpiCPU: 1 PID:

(d29) 1749 Comm: gpu-manager Tainted: G     U          4.3.0-rc6-vgt+ #1

(d29) Hardware name: Xen HVM domU, BIOS 4.6.0 01/15/2016

(d29) task: ffff88003be9d700 ti: ffff880038a80000 task.ti: ffff880038a80000

(d29) RIP: 0010:[<ffffffffa025a52b>]  [<ffffffffa025a52b>] intel_fbdev_restore_mode+0

(d29) x57/0x73 [i915]RSP: 0018:ffff880038a83d48  EFLAGS: 00010246

(d29) RAX: 0000000000000000 RBX: ffff8800357cb800 RCX: ffff88003d2c2400

(d29) RDX: 0000000080000000 RSI: 0000000000000000 RDI: ffff88003c139060

(d29) RBP: ffff880038a83d50 R08: 00000000ffffffff R09: ffff88003cc00000

(d29) R10: ffff88003cc001b0 R11: ffffffffa012c9a3 R12: ffff88003c139000

(d29) R13: ffff88003c139060 R14: ffff88003ba7d8e0 R15: ffff88003c139088

(d29) FS:  00007fd3bdce5740(0000) GS:ffff88003d620000(0000) knlGS:0000000000000000

(d29) CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033

(d29) CR2: 00000000000000a0 CR3: 0000000000078000 CR4: 00000000003406e0

(d29) DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000

(d29) DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

(d29) Stack:

(d29)  ffff88003c139000 ffff880038a83d60 ffffffffa028696c ffff880038a83d80 ffffffffa0

(d29) 1170f7 0000000000000000 ffff88003c139000 ffff880038a83de0 ffffffffa0117592 ffff

(d29) 880038b87210 ffff88003c139198 0000000000000246Call Trace:

(d29)  [<ffffffffa028696c>] i915_driver_lastclose+0x9/0xb [i915]

(d29)  [<ffffffffa01170f7>] drm_lastclose+0x3a/0x103 [drm]

(d29)  [<ffffffffa0117592>] drm_release+0x3d2/0x40b [drm]

(d29)  [<ffffffff81147d26>] __fput+0xec/0x1a7

(d29)  [<ffffffff81147e0d>] ____fput+0x9/0xb

(d29)  [<ffffffff8106ac15>] task_work_run+0x62/0x78

(d29)  [<ffffffff8100380c>] prepare_exit_to_usermode+0x93/0xaf

(d29)  [<ffffffff8100398d>] syscall_return_slowpath+0x165/0x19e

(d29)  [<ffffffff81155125>] ? do_vfs_ioctl+0x360/0x41a

(d29)  [<ffffffff8106ab44>] ? task_work_add+0x3f/0x4e

(d29)  [<ffffffff81147e87>] ? fput+0x78/0x7f

(d29)  [<ffffffff81144f91>] ? filp_close+0x63/0x6d

(d29)  [<ffffffff814f09cc>] int_ret_from_sys_call+0x25/0x8f

(d29) Code: c6 9c 29 2f a0 48 c7 c7 90 24 2d a0 31 c0 e8 2e 0e ec ff eb 2f 48 8b 43 0

(d29) 8 48 8d 78 60 e8 68 49 29 e1 48 8b 83 a0 00 00 00 31 f6 <48> 8b b8 a0 00 00 00

(d29) e8 1b 5f ff ff 48 8b 7b 08 48 83 c7 60 e8 RIP  [<ffffffffa025a52b>] intel_fbdev

(d29) _restore_mode+0x57/0x73 [i915] RSP <ffff880038a83d48>

(d29) CR2: 00000000000000a0

(d29) ---[ end trace e656291822c44c35 ]---

(d29) Kernel panic - not syncing: Fatal exception

(d29) Kernel Offset: disabled


BRs,

Weinan Li
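Added illustration (not code from this report or from the i915 driver): a userspace C model of the ordering described above. A one-slot stand-in for async_schedule()/async_synchronize_cookie() parks the fbdev initial config, lastclose runs before it, and the unchecked restore path hits the still-NULL fb while the hardened path first synchronises on the cookie and then still NULL-checks. The struct layouts, sample_fb and the scenario function are assumptions of the model; the "wait for your own call by passing cookie + 1" rule follows the kernel's documented async semantics.

```c
#include <stdbool.h>
#include <stddef.h>
struct intel_framebuffer { int width; };
struct intel_fbdev { struct intel_framebuffer *fb; unsigned long cookie; };
struct drm_i915_private { struct intel_fbdev *fbdev; };
/* One-slot stand-in for the kernel async API: a scheduled call stays parked
 * until something synchronises on its cookie (model, not kernel code). */
typedef void (*async_func_t)(void *data, unsigned long cookie);
static struct { async_func_t fn; void *data; unsigned long cookie; } parked;
static unsigned long next_cookie = 1;
static unsigned long async_schedule(async_func_t fn, void *data)
{
    parked.fn = fn; parked.data = data; parked.cookie = next_cookie;
    return next_cookie++;
}
/* Runs the parked call if its cookie is below `cookie` (kernel semantics:
 * to wait for your own call, pass its cookie + 1). */
static void async_synchronize_cookie(unsigned long cookie)
{
    async_func_t fn = parked.fn;
    if (fn && parked.cookie < cookie) { parked.fn = NULL; fn(parked.data, parked.cookie); }
}
static struct intel_framebuffer sample_fb = { 1920 };    /* constructed value */
/* Plays the role of intel_fbdev_initial_config(): fills in ifbdev->fb. */
static void fbdev_initial_config(void *data, unsigned long cookie)
{
    (void)cookie;
    ((struct drm_i915_private *)data)->fbdev->fb = &sample_fb;
}
/* Crash shape: fb is used as soon as lastclose runs; -1 stands for the oops. */
static int restore_mode_unchecked(struct drm_i915_private *dev_priv)
{
    struct intel_framebuffer *fb = dev_priv->fbdev->fb;
    return fb ? fb->width : -1;
}
/* Hardened shape: drain the async config first, then still NULL-check fb,
 * since initial config can also fail and leave it unset. */
static int restore_mode_hardened(struct drm_i915_private *dev_priv)
{
    struct intel_fbdev *ifbdev = dev_priv->fbdev;
    if (ifbdev && ifbdev->cookie)
        async_synchronize_cookie(ifbdev->cookie + 1);
    return (ifbdev && ifbdev->fb) ? ifbdev->fb->width : -1;
}
/* The report's ordering: config scheduled, lastclose runs before it has. */
static int lastclose_scenario(bool hardened)
{
    struct intel_fbdev ifbdev = { NULL, 0 };
    struct drm_i915_private dev_priv = { &ifbdev };
    ifbdev.cookie = async_schedule(fbdev_initial_config, &dev_priv);
    return hardened ? restore_mode_hardened(&dev_priv) : restore_mode_unchecked(&dev_priv);
}
```

lastclose_scenario(false) returns -1 (the model's stand-in for the oops), while lastclose_scenario(true) returns 1920 because the config was drained before fb was read.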