dri-devel.lists.freedesktop.org archive mirror
 help / color / mirror / Atom feed
From: bugzilla-daemon@bugzilla.kernel.org
To: dri-devel@lists.freedesktop.org
Subject: [Bug 207383] [Regression] 5.7 amdgpu/polaris11 gpf: amdgpu_atomic_commit_tail
Date: Tue, 21 Jul 2020 20:49:36 +0000	[thread overview]
Message-ID: <bug-207383-2300-MmvKSPXnF9@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-207383-2300@https.bugzilla.kernel.org/>

https://bugzilla.kernel.org/show_bug.cgi?id=207383

--- Comment #77 from Kees Cook (kees@outflux.net) ---
(Midair collision... you saw the same about the structure layout as I did.
Here's my comment...)

(In reply to mnrzk from comment #30)
> I've been looking at this bug for a while now and I'll try to share what
> I've found about it.
> 
> In some conditions, when amdgpu_dm_atomic_commit_tail calls
> dm_atomic_get_new_state, dm_atomic_get_new_state returns a struct
> dm_atomic_state* with an garbage context pointer.

It looks like when amdgpu_dm_atomic_commit_tail() walks the private objects
list with for_each_new_private_obj_in_state(), it'll return the first object's
state when the function pointer tables match. This is a struct dm_atomic_state
allocation, which is 16 bytes:

struct drm_private_state {
        struct drm_atomic_state *state;
};

struct dm_atomic_state {
        struct drm_private_state base;
        struct dc_state *context;
};

If struct dm_atomic_state is being freed early, this would match the behavior
seen: before 3202fa62f, .base.state would be overwritten with a freelist
pointer. After 3202fa62f, .context will be overwritten.

In looking for all "kfree(.*state" patterns in
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c, I see a few suspicious
things, maybe. dm_crtc_destroy_state() and amdgpu_dm_connector_funcs_reset() do
an explicit kfree(state) -- should they use dm_atomic_destroy_state() instead?
Or nothing at all, since I'd expect "state" to be managed by the drm layer via
the .atomic_destroy_state callback?


> I've also found that this bug exclusively occurs when commit_work is on the
> workqueue. After forcing drm_atomic_helper_commit to run all of the commits
> without adding to the workqueue and running the OS, the issue seems to have
> disappeared. The system was stable for at least 1.5 hours before I manually
> shut it down (meanwhile it has usually crashed within 30-45 minutes).

Is this the async call to "commit_work" in drm_atomic_helper_commit()?

There's a big warning in there:

        /*
         * Everything below can be run asynchronously without the need to grab
         * any modeset locks at all under one condition: It must be guaranteed
         * that the asynchronous work has either been cancelled (if the driver
         * supports it, which at least requires that the framebuffers get
         * cleaned up with drm_atomic_helper_cleanup_planes()) or completed
         * before the new state gets committed on the software side with
         * drm_atomic_helper_swap_state().
         ...

I'm not sure how to determine if amdgpu_dm.c is doing this correctly?

I can't tell what can interfere with drm_atomic_helper_commit() -- I would
guess the race is between that and something else causing a kfree(), but I
don't know the APIs here at all...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

  parent reply	other threads:[~2020-07-21 20:49 UTC|newest]

Thread overview: 122+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-21  9:51 [Bug 207383] New: [Regression] 5.7-rc: amdgpu/polaris11 gpf: amdgpu_atomic_commit_tail bugzilla-daemon
2020-04-21  9:57 ` [Bug 207383] " bugzilla-daemon
2020-04-21 10:04 ` bugzilla-daemon
2020-04-23  4:59 ` bugzilla-daemon
2020-04-27 19:24 ` bugzilla-daemon
2020-04-27 19:42 ` bugzilla-daemon
2020-04-27 19:43 ` bugzilla-daemon
2020-05-01  8:20 ` bugzilla-daemon
2020-05-01  8:28 ` bugzilla-daemon
2020-05-02 16:03 ` bugzilla-daemon
2020-05-03 15:10 ` bugzilla-daemon
2020-05-05  4:23 ` bugzilla-daemon
2020-05-06 17:46 ` bugzilla-daemon
2020-05-06 22:06 ` bugzilla-daemon
2020-06-03  0:04 ` [Bug 207383] [Regression] 5.7 " bugzilla-daemon
2020-06-21  7:01 ` bugzilla-daemon
2020-06-22 15:20 ` bugzilla-daemon
2020-06-22 17:44 ` bugzilla-daemon
2020-06-22 17:57 ` bugzilla-daemon
2020-06-22 19:36 ` bugzilla-daemon
2020-06-22 20:00 ` bugzilla-daemon
2020-06-23 15:36 ` bugzilla-daemon
2020-06-23 23:41 ` bugzilla-daemon
2020-06-24  8:55 ` bugzilla-daemon
2020-06-27  4:37 ` bugzilla-daemon
2020-06-27  4:38 ` bugzilla-daemon
2020-06-27  5:16 ` bugzilla-daemon
2020-06-27  6:08 ` bugzilla-daemon
2020-06-27  7:07 ` bugzilla-daemon
2020-06-27 22:26 ` bugzilla-daemon
2020-06-28  1:12 ` bugzilla-daemon
2020-06-28 10:48 ` bugzilla-daemon
2020-06-28 15:30 ` bugzilla-daemon
2020-06-29  7:39 ` bugzilla-daemon
2020-06-29 22:09 ` bugzilla-daemon
2020-07-01 19:08 ` bugzilla-daemon
2020-07-04 19:57 ` bugzilla-daemon
2020-07-04 20:13 ` bugzilla-daemon
2020-07-05 16:58 ` bugzilla-daemon
2020-07-05 22:08 ` bugzilla-daemon
2020-07-06 16:24 ` bugzilla-daemon
2020-07-06 23:57 ` bugzilla-daemon
2020-07-07  0:37 ` bugzilla-daemon
2020-07-07  3:01 ` bugzilla-daemon
2020-07-07 11:01 ` bugzilla-daemon
2020-07-07 12:43 ` bugzilla-daemon
2020-07-07 15:27 ` bugzilla-daemon
2020-07-07 19:05 ` bugzilla-daemon
2020-07-08  0:25 ` bugzilla-daemon
2020-07-08  1:25 ` bugzilla-daemon
2020-07-08 20:16 ` bugzilla-daemon
2020-07-08 20:17 ` bugzilla-daemon
2020-07-09  7:45 ` bugzilla-daemon
2020-07-10  7:23 ` bugzilla-daemon
2020-07-10  7:36 ` bugzilla-daemon
2020-07-10  8:10 ` bugzilla-daemon
2020-07-10 10:55 ` bugzilla-daemon
2020-07-10 11:25 ` bugzilla-daemon
2020-07-10 14:31 ` bugzilla-daemon
2020-07-12  5:20 ` bugzilla-daemon
2020-07-12  5:47 ` bugzilla-daemon
2020-07-12  7:47 ` bugzilla-daemon
2020-07-14 23:36 ` bugzilla-daemon
2020-07-15 16:49 ` bugzilla-daemon
2020-07-15 17:12 ` bugzilla-daemon
2020-07-16  2:12 ` bugzilla-daemon
2020-07-16  6:37 ` bugzilla-daemon
2020-07-16  9:35 ` bugzilla-daemon
2020-07-16 10:24 ` bugzilla-daemon
2020-07-16 10:30 ` bugzilla-daemon
2020-07-16 10:32 ` bugzilla-daemon
2020-07-17 12:39 ` bugzilla-daemon
2020-07-20  2:20 ` bugzilla-daemon
2020-07-21 16:40 ` bugzilla-daemon
2020-07-21 16:57 ` bugzilla-daemon
2020-07-21 19:32 ` bugzilla-daemon
2020-07-21 20:33 ` bugzilla-daemon
2020-07-21 20:49 ` bugzilla-daemon [this message]
2020-07-21 20:56 ` bugzilla-daemon
2020-07-21 21:16 ` bugzilla-daemon
2020-07-22  2:03 ` bugzilla-daemon
2020-07-22  2:05 ` bugzilla-daemon
2020-07-22  3:37 ` bugzilla-daemon
2020-07-22  7:27 ` bugzilla-daemon
2020-07-22 13:04 ` bugzilla-daemon
2020-07-23  0:48 ` bugzilla-daemon
2020-07-23  5:46 ` bugzilla-daemon
2020-07-23 21:30 ` bugzilla-daemon
2020-07-23 21:34 ` bugzilla-daemon
2020-07-24  7:18 ` bugzilla-daemon
2020-07-24  7:24 ` bugzilla-daemon
2020-07-24 19:08 ` bugzilla-daemon
2020-07-24 21:00 ` bugzilla-daemon
2020-07-25  2:38 ` bugzilla-daemon
2020-07-26  6:47 ` bugzilla-daemon
2020-07-26 18:40 ` bugzilla-daemon
2020-07-26 19:55 ` bugzilla-daemon
2020-07-26 22:52 ` bugzilla-daemon
2020-07-26 23:30 ` bugzilla-daemon
2020-07-26 23:52 ` bugzilla-daemon
2020-07-27  6:11 ` bugzilla-daemon
2020-07-27 16:55 ` bugzilla-daemon
2020-07-28  2:29 ` bugzilla-daemon
2020-07-28  3:21 ` bugzilla-daemon
2020-07-28  3:39 ` bugzilla-daemon
2020-07-28  7:14 ` bugzilla-daemon
2020-07-29  2:33 ` bugzilla-daemon
2020-07-29  6:41 ` bugzilla-daemon
2020-07-29 16:02 ` bugzilla-daemon
2020-07-29 16:37 ` bugzilla-daemon
2020-07-29 16:45 ` bugzilla-daemon
2020-07-29 20:32 ` bugzilla-daemon
2020-07-31 16:38 ` bugzilla-daemon
2020-08-02  1:40 ` bugzilla-daemon
2020-08-02 13:06 ` bugzilla-daemon
2020-08-03 13:51 ` bugzilla-daemon
2020-08-05 16:10 ` bugzilla-daemon
2020-08-17  5:45 ` bugzilla-daemon
2021-01-06  6:36 ` bugzilla-daemon
2021-01-06 12:05 ` bugzilla-daemon
2021-01-06 18:59 ` bugzilla-daemon
2021-07-06  8:47 ` bugzilla-daemon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-207383-2300-MmvKSPXnF9@https.bugzilla.kernel.org/ \
    --to=bugzilla-daemon@bugzilla.kernel.org \
    --cc=dri-devel@lists.freedesktop.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).