From: Petr Cvek <petrcvekcz-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Deucher,
	Alexander" <Alexander.Deucher-5C7GfCeVMHo@public.gmane.org>,
	"Koenig,
	Christian" <christian.koenig-5C7GfCeVMHo@public.gmane.org>,
	David1.Zhou-5C7GfCeVMHo@public.gmane.org,
	sfr-3FnU+UHB4dNDw9hX6IcOSA@public.gmane.org,
	jgg-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org
Cc: "amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org"
	<amd-gfx-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org>
Subject: [BUG, regression] Dereferencing of NULL pointer in radeon_mn_unregister()
Date: Sun, 1 Sep 2019 11:38:10 +0200
Message-ID: <dad0e51a-0f06-e2b0-cef7-3587207c2045@gmail.com>

Hi,

kernel: 5.3.0-rc6-next

After starting Xorg and running xrandr, Xorg crashes with (not exactly useful, it is a MIPS dump):

[   28.842553] CPU 0 Unable to handle kernel paging request at virtual address 0000001c, epc == 808de6d4, ra == 804d32ec
[   28.853387] Oops[#1]:
[   28.855699] CPU: 0 PID: 692 Comm: Xorg Not tainted 5.3.0-rc6-next-20190826+ #59
[   28.863104] $ 0   : 00000000 80b60000 00000011 87f1af00
[   28.868407] $ 4   : 0000001c 00000002 00000002 ffff00fe
[   28.873705] $ 8   : 865e9fe0 0000fc00 00000004 00000000
[   28.879003] $12   : 87f1baf0 00000000 0000da9a 00000040
[   28.884301] $16   : 86434450 86434400 00000000 0000001c
[   28.889600] $20   : 865e9dbc 00000000 80912ee4 865e9dbc
[   28.894898] $24   : 80add220 27cfd6fd                  
[   28.900198] $28   : 865e8000 865e9cb8 00000009 804d32ec
[   28.905499] Hi    : 000091bb
[   28.908414] Lo    : ffff6e44
[   28.911350] epc   : 808de6d4 mutex_lock+0x8/0x44
[   28.916045] ra    : 804d32ec radeon_mn_unregister+0x3c/0xb0
[   28.921687] Status: 1100fc03 KERNEL EXL IE 
[   28.925929] Cause : 00800008 (ExcCode 02)
[   28.929987] BadVA : 0000001c
[   28.932903] PrId  : 00019655 (MIPS 24KEc)
[   28.936961] Modules linked in: usbhid hid_generic hid evdev
[   28.942635] Process Xorg (pid: 692, threadinfo=68a84c48, task=84477b53, tls=77e03da0)
[   28.950566] Stack : 00000000 804d32e4 00000001 00000000 84d7b400 84d7b400 8784a078 86434450
[   28.959043]         86632600 8663268c 803a4ed4 8041583c 00000000 803b6d94 865e9dbc 86434450
[   28.967519]         86632600 86434400 86632600 803a451c 87912980 879129ac 80ae0000 00000007
[   28.975996]         00000007 86632620 86632600 803a45d0 87ffc718 71a8f000 71a8f000 87ffc71c
[   28.984472]         71a8efff 800d3c08 865eac00 86632600 00000000 803a5bf4 71a8f000 00000000
[   28.992948]         ...
[   28.995425] Call Trace:
[   28.997905] [<808de6d4>] mutex_lock+0x8/0x44
[   29.002239] [<804d32ec>] radeon_mn_unregister+0x3c/0xb0
[   29.007550] [<8041583c>] radeon_gem_object_free+0x18/0x2c
[   29.013031] [<803a451c>] drm_gem_object_release_handle+0x74/0xac
[   29.019122] [<803a45d0>] drm_gem_handle_delete+0x7c/0x128
[   29.024599] [<803a5bf4>] drm_ioctl_kernel+0xb0/0x108
[   29.029633] [<803a5e74>] drm_ioctl+0x200/0x3a8
[   29.034154] [<803e07b4>] radeon_drm_ioctl+0x54/0xc0
[   29.039110] [<801214dc>] do_vfs_ioctl+0x4e8/0x81c
[   29.043880] [<80121864>] ksys_ioctl+0x54/0xb0
[   29.048305] [<8001100c>] syscall_common+0x34/0x58
[   29.053074] Code: 24050002  27bdfff8  8f830000 <c0850000> 14a00005  00000000  00600825  e0810000  1020fffa 

but it seems there is a NULL pointer at this line:

	https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/gpu/drm/radeon/radeon_mn.c?h=next-20190830#n237

The code is:

	struct radeon_mn *rmn = bo->mn;
	...
	mutex_lock(&rmn->lock);		//<-crash

A quick assert proves that bo->mn returns NULL. The code worked in 4.19-rc and it seems the problematic patch is

	drm/radeon: use mmu_notifier_get/put for struct radeon_mn

as it removes the NULL check.

Forcing -ENODEV in the register function (and immediate return in unregister as without CONFIG_MMU_NOTIFIER) works.

Petr
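
Added example (not part of the original message and not radeon driver code): a user-space C model of the report above, showing why a NULL bo->mn faults at a small non-zero address and how a NULL guard in unregister avoids it. The model_* names and the 0x1c header size are assumptions chosen so the lock member lands on the BadVA from the oops; the real layout of struct radeon_mn is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for illustration; not the kernel's definitions. */
struct model_mutex { int locked; };

struct model_mn {
    unsigned char notifier[0x1c];  /* assumed size of the embedded header */
    struct model_mutex lock;       /* so &mn->lock == base + 0x1c */
};

struct model_bo {
    struct model_mn *mn;           /* NULL if the object was never registered */
};

/* Triage step: subtract the member offset from the faulting address.
 * A result of 0 means the base pointer itself was NULL. */
uintptr_t base_from_fault(uintptr_t bad_va)
{
    return bad_va - offsetof(struct model_mn, lock);
}

static void model_lock(struct model_mutex *m)   { m->locked = 1; }
static void model_unlock(struct model_mutex *m) { m->locked = 0; }

/* Unregister with the guard in place.
 * Returns 1 if a registration was torn down, 0 if there was nothing to do. */
int model_unregister(struct model_bo *bo)
{
    struct model_mn *mn = bo->mn;

    if (!mn)                       /* without this check, model_lock() */
        return 0;                  /* would touch address 0x1c         */

    model_lock(&mn->lock);
    bo->mn = NULL;
    model_unlock(&mn->lock);
    return 1;
}

int main(void)
{
    struct model_bo unregistered = { NULL };

    printf("base for BadVA 0x1c: %#lx\n", (unsigned long)base_from_fault(0x1c));
    printf("unregister on NULL mn: %d\n", model_unregister(&unregistered));
    return 0;
}
```
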