iommu.lists.linux-foundation.org archive mirror
 help / color / mirror / Atom feed
* upstream boot error: general protection fault in swiotlb_map
@ 2020-08-06 10:46 syzbot
  2020-08-24 15:06 ` Is: virtio_gpu_object_shmem_init issues? Was:Re: " Konrad Rzeszutek Wilk
  0 siblings, 1 reply; 5+ messages in thread
From: syzbot @ 2020-08-06 10:46 UTC (permalink / raw)
  To: hch, iommu, konrad.wilk, linux-kernel, m.szyprowski,
	robin.murphy, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16fe1dea900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
dashboard link: https://syzkaller.appspot.com/bug?extid=3f86afd0b1e4bf1cb64c
compiler:       gcc (GCC) 10.1.0-syz 20200507

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3f86afd0b1e4bf1cb64c@syzkaller.appspotmail.com

ceph: loaded (mds proto 32)
NET: Registered protocol family 38
async_tx: api initialized (async)
Key type asymmetric registered
Asymmetric key parser 'x509' registered
Asymmetric key parser 'pkcs8' registered
Key type pkcs7_test registered
Asymmetric key parser 'tpm_parser' registered
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
io scheduler mq-deadline registered
io scheduler kyber registered
io scheduler bfq registered
hgafb: HGA card not detected.
hgafb: probe of hgafb.0 failed with error -22
usbcore: registered new interface driver udlfb
uvesafb: failed to execute /sbin/v86d
uvesafb: make sure that the v86d helper is installed and executable
uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
uvesafb: vbe_init() failed with -22
uvesafb: probe of uvesafb.0 failed with error -22
vga16fb: mapped to 0x000000008aac772d
Console: switching to colour frame buffer device 80x30
fb0: VGA16 VGA frame buffer device
input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
ACPI: Power Button [PWRF]
ioatdma: Intel(R) QuickData Technology Driver 5.00
PCI Interrupt Link [GSIF] enabled at IRQ 21
PCI Interrupt Link [GSIG] enabled at IRQ 22
PCI Interrupt Link [GSIH] enabled at IRQ 23
N_HDLC line discipline registered with maxframe=4096
Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
Cyclades driver 2.6
Initializing Nozomi driver 2.1d
RocketPort device driver module, version 2.09, 12-June-2003
No rocketport ports found; unloading driver
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
[drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
usbcore: registered new interface driver udl
[drm] pci: virtio-vga detected at 0000:00:01.0
fb0: switching to virtiodrmfb from VGA16 VGA
Console: switching to colour VGA+ 80x25
virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
Console: switching to colour dummy device 80x25
[drm] features: -virgl +edid
[drm] number of scanouts: 1
[drm] number of cap sets: 0
[drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 dma_direct_map_page include/linux/dma-direct.h:170 [inline]
 dma_direct_map_sg+0x3bb/0x670 kernel/dma/direct.c:368
 dma_map_sg_attrs+0xd0/0x160 kernel/dma/mapping.c:183
 drm_gem_shmem_get_pages_sgt drivers/gpu/drm/drm_gem_shmem_helper.c:700 [inline]
 drm_gem_shmem_get_pages_sgt+0x1fc/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:679
 virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:153 [inline]
 virtio_gpu_object_create+0x2fd/0xa70 drivers/gpu/drm/virtio/virtgpu_object.c:232
 virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:45 [inline]
 virtio_gpu_mode_dumb_create+0x298/0x530 drivers/gpu/drm/virtio/virtgpu_gem.c:85
 drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
 drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
 drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
 drm_fb_helper_generic_probe+0x1e5/0x810 drivers/gpu/drm/drm_fb_helper.c:2086
 drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1635 [inline]
 __drm_fb_helper_initial_config_and_unlock+0xbc6/0x12d0 drivers/gpu/drm/drm_fb_helper.c:1793
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1888 [inline]
 drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1880 [inline]
 drm_fbdev_client_hotplug+0x2d4/0x580 drivers/gpu/drm/drm_fb_helper.c:2180
 drm_fbdev_generic_setup+0x1c8/0x450 drivers/gpu/drm/drm_fb_helper.c:2262
 virtio_gpu_probe+0x28f/0x2e0 drivers/gpu/drm/virtio/virtgpu_drv.c:127
 virtio_dev_probe+0x445/0x6f0 drivers/virtio/virtio.c:248
 really_probe+0x282/0x9f0 drivers/base/dd.c:553
 driver_probe_device+0xfe/0x1d0 drivers/base/dd.c:738
 device_driver_attach+0x228/0x290 drivers/base/dd.c:1013
 __driver_attach drivers/base/dd.c:1090 [inline]
 __driver_attach+0xda/0x240 drivers/base/dd.c:1044
 bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:305
 bus_add_driver+0x348/0x5a0 drivers/base/bus.c:622
 driver_register+0x220/0x3a0 drivers/base/driver.c:171
 do_one_initcall+0x10a/0x7b0 init/main.c:1201
 do_initcall_level init/main.c:1274 [inline]
 do_initcalls init/main.c:1290 [inline]
 do_basic_setup init/main.c:1310 [inline]
 kernel_init_freeable+0x589/0x638 init/main.c:1505
 kernel_init+0xd/0x1c0 init/main.c:1399
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Modules linked in:
---[ end trace 11a290451cfd19ed ]---
RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Is: virtio_gpu_object_shmem_init  issues? Was:Re: upstream boot error: general protection fault in swiotlb_map
  2020-08-06 10:46 upstream boot error: general protection fault in swiotlb_map syzbot
@ 2020-08-24 15:06 ` Konrad Rzeszutek Wilk
  2020-08-24 15:13   ` Christoph Hellwig
                     ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Konrad Rzeszutek Wilk @ 2020-08-24 15:06 UTC (permalink / raw)
  To: syzbot, thomas.tai, airlied, kraxel, virtualization, dri-devel
  Cc: syzkaller-bugs, linux-kernel, iommu, robin.murphy, hch

On Thu, Aug 06, 2020 at 03:46:23AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16fe1dea900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
> dashboard link: https://syzkaller.appspot.com/bug?extid=3f86afd0b1e4bf1cb64c
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3f86afd0b1e4bf1cb64c@syzkaller.appspotmail.com
> 
> ceph: loaded (mds proto 32)
> NET: Registered protocol family 38
> async_tx: api initialized (async)
> Key type asymmetric registered
> Asymmetric key parser 'x509' registered
> Asymmetric key parser 'pkcs8' registered
> Key type pkcs7_test registered
> Asymmetric key parser 'tpm_parser' registered
> Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
> io scheduler mq-deadline registered
> io scheduler kyber registered
> io scheduler bfq registered
> hgafb: HGA card not detected.
> hgafb: probe of hgafb.0 failed with error -22
> usbcore: registered new interface driver udlfb
> uvesafb: failed to execute /sbin/v86d
> uvesafb: make sure that the v86d helper is installed and executable
> uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
> uvesafb: vbe_init() failed with -22
> uvesafb: probe of uvesafb.0 failed with error -22
> vga16fb: mapped to 0x000000008aac772d
> Console: switching to colour frame buffer device 80x30
> fb0: VGA16 VGA frame buffer device
> input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
> ACPI: Power Button [PWRF]
> ioatdma: Intel(R) QuickData Technology Driver 5.00
> PCI Interrupt Link [GSIF] enabled at IRQ 21
> PCI Interrupt Link [GSIG] enabled at IRQ 22
> PCI Interrupt Link [GSIH] enabled at IRQ 23
> N_HDLC line discipline registered with maxframe=4096
> Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
> 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
> Cyclades driver 2.6
> Initializing Nozomi driver 2.1d
> RocketPort device driver module, version 2.09, 12-June-2003
> No rocketport ports found; unloading driver
> Non-volatile memory driver v1.3
> Linux agpgart interface v0.103
> [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
> [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
> usbcore: registered new interface driver udl
> [drm] pci: virtio-vga detected at 0000:00:01.0
> fb0: switching to virtiodrmfb from VGA16 VGA
> Console: switching to colour VGA+ 80x25
> virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
> Console: switching to colour dummy device 80x25
> [drm] features: -virgl +edid
> [drm] number of scanouts: 1
> [drm] number of cap sets: 0
> [drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
> RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
> RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
> FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  dma_direct_map_page include/linux/dma-direct.h:170 [inline]
>  dma_direct_map_sg+0x3bb/0x670 kernel/dma/direct.c:368
>  dma_map_sg_attrs+0xd0/0x160 kernel/dma/mapping.c:183
>  drm_gem_shmem_get_pages_sgt drivers/gpu/drm/drm_gem_shmem_helper.c:700 [inline]
>  drm_gem_shmem_get_pages_sgt+0x1fc/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:679
>  virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:153 [inline]
>  virtio_gpu_object_create+0x2fd/0xa70 drivers/gpu/drm/virtio/virtgpu_object.c:232
>  virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:45 [inline]
>  virtio_gpu_mode_dumb_create+0x298/0x530 drivers/gpu/drm/virtio/virtgpu_gem.c:85
>  drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
>  drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
>  drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
>  drm_fb_helper_generic_probe+0x1e5/0x810 drivers/gpu/drm/drm_fb_helper.c:2086
>  drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1635 [inline]
>  __drm_fb_helper_initial_config_and_unlock+0xbc6/0x12d0 drivers/gpu/drm/drm_fb_helper.c:1793
>  drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1888 [inline]
>  drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1880 [inline]
>  drm_fbdev_client_hotplug+0x2d4/0x580 drivers/gpu/drm/drm_fb_helper.c:2180
>  drm_fbdev_generic_setup+0x1c8/0x450 drivers/gpu/drm/drm_fb_helper.c:2262
>  virtio_gpu_probe+0x28f/0x2e0 drivers/gpu/drm/virtio/virtgpu_drv.c:127
>  virtio_dev_probe+0x445/0x6f0 drivers/virtio/virtio.c:248
>  really_probe+0x282/0x9f0 drivers/base/dd.c:553
>  driver_probe_device+0xfe/0x1d0 drivers/base/dd.c:738
>  device_driver_attach+0x228/0x290 drivers/base/dd.c:1013
>  __driver_attach drivers/base/dd.c:1090 [inline]
>  __driver_attach+0xda/0x240 drivers/base/dd.c:1044
>  bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:305
>  bus_add_driver+0x348/0x5a0 drivers/base/bus.c:622
>  driver_register+0x220/0x3a0 drivers/base/driver.c:171
>  do_one_initcall+0x10a/0x7b0 init/main.c:1201
>  do_initcall_level init/main.c:1274 [inline]
>  do_initcalls init/main.c:1290 [inline]
>  do_basic_setup init/main.c:1310 [inline]
>  kernel_init_freeable+0x589/0x638 init/main.c:1505
>  kernel_init+0xd/0x1c0 init/main.c:1399
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> Modules linked in:
> ---[ end trace 11a290451cfd19ed ]---
> RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
> RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
> RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
> FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

So it fails at

683                 dev_WARN_ONCE(dev, 1,                                           
684                         "swiotlb addr %pad+%zu overflow (mask %llx, bus limit %llx).\n",
685                         &dma_addr, size, *dev->dma_mask, dev->bus_dma_limit);   


which makes no sense to me as `dev` surely exists. I can see in the console log:

virtio-pci 0000:00:01.0: vgaarb: deactivate vga console

So what gives?

Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
is
All code
========
   0:   28 04 00                sub    %al,(%rax,%rax,1)
   3:   00 48 c1                add    %cl,-0x3f(%rax)
   6:   ea                      (bad)
   7:   03 80 3c 02 00 0f       add    0xf00023c(%rax),%eax
   d:   85 4d 01                test   %ecx,0x1(%rbp)
  10:   00 00                   add    %al,(%rax)
  12:   4c 8b a5 18 04 00 00    mov    0x418(%rbp),%r12
  19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  20:   fc ff df
  23:   4c 89 e2                mov    %r12,%rdx
  26:   48 c1 ea 03             shr    $0x3,%rdx
  2a:*  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)               <-- trapping instruction
  2e:   0f 85 1e 01 00 00       jne    0x152
  34:   48 8d 7d 50             lea    0x50(%rbp),%rdi
  38:   4d 8b 24 24             mov    (%r12),%r12
  3c:   48                      rex.W
  3d:   b8                      .byte 0xb8

So %r12 was expected to have something valid, put in %rdx, and shifted by three (line 26). Then
we fetch from
base =  0000000000000000 (%rdx) + 0xdffffc0000000000(%rax)* scale 1.

and compare against 0 (if I am reading this right).

No clue here. 

I tried compiling the upstream kernel with the .config mentioned at the top
but sadly I can't find anything that similar to this code to figure out
what exactly it is trying to access and crash.

CC-ing a fellow engineer who is debugging this, but it looks to be related to VirtIO DRM.

> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: Is: virtio_gpu_object_shmem_init  issues? Was:Re: upstream boot error: general protection fault in swiotlb_map
  2020-08-24 15:06 ` Is: virtio_gpu_object_shmem_init issues? Was:Re: " Konrad Rzeszutek Wilk
@ 2020-08-24 15:13   ` Christoph Hellwig
  2020-08-24 15:17   ` Dmitry Vyukov via iommu
  2020-08-27  1:37   ` Thomas Tai
  2 siblings, 0 replies; 5+ messages in thread
From: Christoph Hellwig @ 2020-08-24 15:13 UTC (permalink / raw)
  To: Konrad Rzeszutek Wilk
  Cc: thomas.tai, syzkaller-bugs, linux-kernel, dri-devel,
	virtualization, iommu, kraxel, airlied, robin.murphy, hch,
	syzbot

On Mon, Aug 24, 2020 at 11:06:51AM -0400, Konrad Rzeszutek Wilk wrote:
> So it fails at
> 
> 683                 dev_WARN_ONCE(dev, 1,                                           
> 684                         "swiotlb addr %pad+%zu overflow (mask %llx, bus limit %llx).\n",
> 685                         &dma_addr, size, *dev->dma_mask, dev->bus_dma_limit);   
> 
> 
> which makes no sense to me as `dev` surely exists. I can see in the console log:
> 
> virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
> 
> So what gives?

Well, look at the if around the WARN_ON - dma_capable failed on the
swiotlb buffer. This means the virtio drm thingy has a dma mask
(either the actual one set by the driver, or bus_dma_mask), which isn't
enough to address the swiotlb buffer.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: Is: virtio_gpu_object_shmem_init issues? Was:Re: upstream boot error: general protection fault in swiotlb_map
  2020-08-24 15:06 ` Is: virtio_gpu_object_shmem_init issues? Was:Re: " Konrad Rzeszutek Wilk
  2020-08-24 15:13   ` Christoph Hellwig
@ 2020-08-24 15:17   ` Dmitry Vyukov via iommu
  2020-08-27  1:37   ` Thomas Tai
  2 siblings, 0 replies; 5+ messages in thread
From: Dmitry Vyukov via iommu @ 2020-08-24 15:17 UTC (permalink / raw)
  To: Konrad Rzeszutek Wilk
  Cc: thomas.tai, syzkaller-bugs, LKML, DRI, open list:VIRTIO CORE,
	NET...,
	iommu, Gerd Hoffmann, Dave Airlie, robin.murphy,
	Christoph Hellwig, syzbot

On Mon, Aug 24, 2020 at 5:07 PM Konrad Rzeszutek Wilk
<konrad.wilk@oracle.com> wrote:
>
> On Thu, Aug 06, 2020 at 03:46:23AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16fe1dea900000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3f86afd0b1e4bf1cb64c
> > compiler:       gcc (GCC) 10.1.0-syz 20200507
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+3f86afd0b1e4bf1cb64c@syzkaller.appspotmail.com
> >
> > ceph: loaded (mds proto 32)
> > NET: Registered protocol family 38
> > async_tx: api initialized (async)
> > Key type asymmetric registered
> > Asymmetric key parser 'x509' registered
> > Asymmetric key parser 'pkcs8' registered
> > Key type pkcs7_test registered
> > Asymmetric key parser 'tpm_parser' registered
> > Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
> > io scheduler mq-deadline registered
> > io scheduler kyber registered
> > io scheduler bfq registered
> > hgafb: HGA card not detected.
> > hgafb: probe of hgafb.0 failed with error -22
> > usbcore: registered new interface driver udlfb
> > uvesafb: failed to execute /sbin/v86d
> > uvesafb: make sure that the v86d helper is installed and executable
> > uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
> > uvesafb: vbe_init() failed with -22
> > uvesafb: probe of uvesafb.0 failed with error -22
> > vga16fb: mapped to 0x000000008aac772d
> > Console: switching to colour frame buffer device 80x30
> > fb0: VGA16 VGA frame buffer device
> > input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
> > ACPI: Power Button [PWRF]
> > ioatdma: Intel(R) QuickData Technology Driver 5.00
> > PCI Interrupt Link [GSIF] enabled at IRQ 21
> > PCI Interrupt Link [GSIG] enabled at IRQ 22
> > PCI Interrupt Link [GSIH] enabled at IRQ 23
> > N_HDLC line discipline registered with maxframe=4096
> > Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
> > 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
> > Cyclades driver 2.6
> > Initializing Nozomi driver 2.1d
> > RocketPort device driver module, version 2.09, 12-June-2003
> > No rocketport ports found; unloading driver
> > Non-volatile memory driver v1.3
> > Linux agpgart interface v0.103
> > [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
> > [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
> > usbcore: registered new interface driver udl
> > [drm] pci: virtio-vga detected at 0000:00:01.0
> > fb0: switching to virtiodrmfb from VGA16 VGA
> > Console: switching to colour VGA+ 80x25
> > virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
> > Console: switching to colour dummy device 80x25
> > [drm] features: -virgl +edid
> > [drm] number of scanouts: 1
> > [drm] number of cap sets: 0
> > [drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
> > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-syzkaller #0
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> > RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
> > Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> > RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
> > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
> > RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
> > RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
> > FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  dma_direct_map_page include/linux/dma-direct.h:170 [inline]
> >  dma_direct_map_sg+0x3bb/0x670 kernel/dma/direct.c:368
> >  dma_map_sg_attrs+0xd0/0x160 kernel/dma/mapping.c:183
> >  drm_gem_shmem_get_pages_sgt drivers/gpu/drm/drm_gem_shmem_helper.c:700 [inline]
> >  drm_gem_shmem_get_pages_sgt+0x1fc/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:679
> >  virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:153 [inline]
> >  virtio_gpu_object_create+0x2fd/0xa70 drivers/gpu/drm/virtio/virtgpu_object.c:232
> >  virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:45 [inline]
> >  virtio_gpu_mode_dumb_create+0x298/0x530 drivers/gpu/drm/virtio/virtgpu_gem.c:85
> >  drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
> >  drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
> >  drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
> >  drm_fb_helper_generic_probe+0x1e5/0x810 drivers/gpu/drm/drm_fb_helper.c:2086
> >  drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1635 [inline]
> >  __drm_fb_helper_initial_config_and_unlock+0xbc6/0x12d0 drivers/gpu/drm/drm_fb_helper.c:1793
> >  drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1888 [inline]
> >  drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1880 [inline]
> >  drm_fbdev_client_hotplug+0x2d4/0x580 drivers/gpu/drm/drm_fb_helper.c:2180
> >  drm_fbdev_generic_setup+0x1c8/0x450 drivers/gpu/drm/drm_fb_helper.c:2262
> >  virtio_gpu_probe+0x28f/0x2e0 drivers/gpu/drm/virtio/virtgpu_drv.c:127
> >  virtio_dev_probe+0x445/0x6f0 drivers/virtio/virtio.c:248
> >  really_probe+0x282/0x9f0 drivers/base/dd.c:553
> >  driver_probe_device+0xfe/0x1d0 drivers/base/dd.c:738
> >  device_driver_attach+0x228/0x290 drivers/base/dd.c:1013
> >  __driver_attach drivers/base/dd.c:1090 [inline]
> >  __driver_attach+0xda/0x240 drivers/base/dd.c:1044
> >  bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:305
> >  bus_add_driver+0x348/0x5a0 drivers/base/bus.c:622
> >  driver_register+0x220/0x3a0 drivers/base/driver.c:171
> >  do_one_initcall+0x10a/0x7b0 init/main.c:1201
> >  do_initcall_level init/main.c:1274 [inline]
> >  do_initcalls init/main.c:1290 [inline]
> >  do_basic_setup init/main.c:1310 [inline]
> >  kernel_init_freeable+0x589/0x638 init/main.c:1505
> >  kernel_init+0xd/0x1c0 init/main.c:1399
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> > Modules linked in:
> > ---[ end trace 11a290451cfd19ed ]---
> > RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
> > Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> > RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
> > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
> > RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
> > RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
> > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
> > FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
> So it fails at
>
> 683                 dev_WARN_ONCE(dev, 1,
> 684                         "swiotlb addr %pad+%zu overflow (mask %llx, bus limit %llx).\n",
> 685                         &dma_addr, size, *dev->dma_mask, dev->bus_dma_limit);
>
>
> which makes no sense to me as `dev` surely exists. I can see in the console log:
>
> virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
>
> So what gives?
>
> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> is
> All code
> ========
>    0:   28 04 00                sub    %al,(%rax,%rax,1)
>    3:   00 48 c1                add    %cl,-0x3f(%rax)
>    6:   ea                      (bad)
>    7:   03 80 3c 02 00 0f       add    0xf00023c(%rax),%eax
>    d:   85 4d 01                test   %ecx,0x1(%rbp)
>   10:   00 00                   add    %al,(%rax)
>   12:   4c 8b a5 18 04 00 00    mov    0x418(%rbp),%r12
>   19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
>   20:   fc ff df
>   23:   4c 89 e2                mov    %r12,%rdx
>   26:   48 c1 ea 03             shr    $0x3,%rdx
>   2a:*  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)               <-- trapping instruction
>   2e:   0f 85 1e 01 00 00       jne    0x152
>   34:   48 8d 7d 50             lea    0x50(%rbp),%rdi
>   38:   4d 8b 24 24             mov    (%r12),%r12
>   3c:   48                      rex.W
>   3d:   b8                      .byte 0xb8
>
> So %r12 was expected to have something valid, put in %rdx, and shifted by three (line 26). Then
> we fetch from
> base =  0000000000000000 (%rdx) + 0xdffffc0000000000(%rax)* scale 1.
>
> and compare against 0 (if I am reading this right).
>
> No clue here.

Hi Konrad,

This 0xdffffc0000000000 access is KASAN instrumentation to check shadow memory.
Since KASAN did not produce any bug report, most likely it is irrelevant here.

> I tried compiling the upstream kernel with the .config mentioned at the top
> but sadly I can't find anything that similar to this code to figure out
> what exactly it is trying to access and crash.
>
> CC-ing a fellow engineer who is debugging this, but it looks to be related to VirtIO DRM.
>
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20200824150650.GD21321%40char.us.oracle.com.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: Is: virtio_gpu_object_shmem_init issues? Was:Re: upstream boot error: general protection fault in swiotlb_map
  2020-08-24 15:06 ` Is: virtio_gpu_object_shmem_init issues? Was:Re: " Konrad Rzeszutek Wilk
  2020-08-24 15:13   ` Christoph Hellwig
  2020-08-24 15:17   ` Dmitry Vyukov via iommu
@ 2020-08-27  1:37   ` Thomas Tai
  2 siblings, 0 replies; 5+ messages in thread
From: Thomas Tai @ 2020-08-27  1:37 UTC (permalink / raw)
  To: Konrad Rzeszutek Wilk, syzbot, airlied, kraxel, virtualization,
	dri-devel
  Cc: syzkaller-bugs, linux-kernel, iommu, robin.murphy, hch

Hello,
I had a similiar panic when booting an ARM VM with kernel v5.9-rc1. git 
bisect identified following bad commit. After reverting the bad commit, 
the VM boot ok. Maybe we should look into the following commit.

d323bb44e4d23802eb25d13de1f93f2335bd60d0 is the first bad commit
commit d323bb44e4d23802eb25d13de1f93f2335bd60d0
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Mon May 11 11:35:49 2020 +0200

     drm/virtio: Call the right shmem helpers

     drm_gem_shmem_get_sg_table is meant to implement
     obj->funcs->get_sg_table, for prime exporting. The one we want is
     drm_gem_shmem_get_pages_sgt, which also handles imported dma-buf, not
     just native objects.

     v2: Rebase, this stuff moved around in

     commit 2f2aa13724d56829d910b2fa8e80c502d388f106
     Author: Gerd Hoffmann <kraxel@redhat.com>
     Date:   Fri Feb 7 08:46:38 2020 +0100

         drm/virtio: move virtio_gpu_mem_entry initialization to new 
function

     Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
     Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
     Cc: David Airlie <airlied@linux.ie>
     Cc: Gerd Hoffmann <kraxel@redhat.com>
     Cc: virtualization@lists.linux-foundation.org
     Link: 
https://patchwork.freedesktop.org/patch/msgid/20200511093554.211493-5-daniel.vetter@ffwll.ch

Thank you,
Thomas


On 2020-08-24 11:06 a.m., Konrad Rzeszutek Wilk wrote:
> On Thu, Aug 06, 2020 at 03:46:23AM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    47ec5303 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=16fe1dea900000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=7c06047f622c5724
>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f86afd0b1e4bf1cb64c
>> compiler:       gcc (GCC) 10.1.0-syz 20200507
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+3f86afd0b1e4bf1cb64c@syzkaller.appspotmail.com
>>
>> ceph: loaded (mds proto 32)
>> NET: Registered protocol family 38
>> async_tx: api initialized (async)
>> Key type asymmetric registered
>> Asymmetric key parser 'x509' registered
>> Asymmetric key parser 'pkcs8' registered
>> Key type pkcs7_test registered
>> Asymmetric key parser 'tpm_parser' registered
>> Block layer SCSI generic (bsg) driver version 0.4 loaded (major 243)
>> io scheduler mq-deadline registered
>> io scheduler kyber registered
>> io scheduler bfq registered
>> hgafb: HGA card not detected.
>> hgafb: probe of hgafb.0 failed with error -22
>> usbcore: registered new interface driver udlfb
>> uvesafb: failed to execute /sbin/v86d
>> uvesafb: make sure that the v86d helper is installed and executable
>> uvesafb: Getting VBE info block failed (eax=0x4f00, err=-2)
>> uvesafb: vbe_init() failed with -22
>> uvesafb: probe of uvesafb.0 failed with error -22
>> vga16fb: mapped to 0x000000008aac772d
>> Console: switching to colour frame buffer device 80x30
>> fb0: VGA16 VGA frame buffer device
>> input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
>> ACPI: Power Button [PWRF]
>> ioatdma: Intel(R) QuickData Technology Driver 5.00
>> PCI Interrupt Link [GSIF] enabled at IRQ 21
>> PCI Interrupt Link [GSIG] enabled at IRQ 22
>> PCI Interrupt Link [GSIH] enabled at IRQ 23
>> N_HDLC line discipline registered with maxframe=4096
>> Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
>> 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
>> Cyclades driver 2.6
>> Initializing Nozomi driver 2.1d
>> RocketPort device driver module, version 2.09, 12-June-2003
>> No rocketport ports found; unloading driver
>> Non-volatile memory driver v1.3
>> Linux agpgart interface v0.103
>> [drm] Initialized vgem 1.0.0 20120112 for vgem on minor 0
>> [drm] Initialized vkms 1.0.0 20180514 for vkms on minor 1
>> usbcore: registered new interface driver udl
>> [drm] pci: virtio-vga detected at 0000:00:01.0
>> fb0: switching to virtiodrmfb from VGA16 VGA
>> Console: switching to colour VGA+ 80x25
>> virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
>> Console: switching to colour dummy device 80x25
>> [drm] features: -virgl +edid
>> [drm] number of scanouts: 1
>> [drm] number of cap sets: 0
>> [drm] Initialized virtio_gpu 0.1.0 0 for virtio0 on minor 2
>> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
>> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>> CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.8.0-syzkaller #0
>> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
>> RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
>> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
>> RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
>> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
>> RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
>> RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
>> FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>>   dma_direct_map_page include/linux/dma-direct.h:170 [inline]
>>   dma_direct_map_sg+0x3bb/0x670 kernel/dma/direct.c:368
>>   dma_map_sg_attrs+0xd0/0x160 kernel/dma/mapping.c:183
>>   drm_gem_shmem_get_pages_sgt drivers/gpu/drm/drm_gem_shmem_helper.c:700 [inline]
>>   drm_gem_shmem_get_pages_sgt+0x1fc/0x310 drivers/gpu/drm/drm_gem_shmem_helper.c:679
>>   virtio_gpu_object_shmem_init drivers/gpu/drm/virtio/virtgpu_object.c:153 [inline]
>>   virtio_gpu_object_create+0x2fd/0xa70 drivers/gpu/drm/virtio/virtgpu_object.c:232
>>   virtio_gpu_gem_create drivers/gpu/drm/virtio/virtgpu_gem.c:45 [inline]
>>   virtio_gpu_mode_dumb_create+0x298/0x530 drivers/gpu/drm/virtio/virtgpu_gem.c:85
>>   drm_mode_create_dumb+0x27c/0x300 drivers/gpu/drm/drm_dumb_buffers.c:94
>>   drm_client_buffer_create drivers/gpu/drm/drm_client.c:267 [inline]
>>   drm_client_framebuffer_create+0x1b7/0x770 drivers/gpu/drm/drm_client.c:412
>>   drm_fb_helper_generic_probe+0x1e5/0x810 drivers/gpu/drm/drm_fb_helper.c:2086
>>   drm_fb_helper_single_fb_probe drivers/gpu/drm/drm_fb_helper.c:1635 [inline]
>>   __drm_fb_helper_initial_config_and_unlock+0xbc6/0x12d0 drivers/gpu/drm/drm_fb_helper.c:1793
>>   drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1888 [inline]
>>   drm_fb_helper_initial_config drivers/gpu/drm/drm_fb_helper.c:1880 [inline]
>>   drm_fbdev_client_hotplug+0x2d4/0x580 drivers/gpu/drm/drm_fb_helper.c:2180
>>   drm_fbdev_generic_setup+0x1c8/0x450 drivers/gpu/drm/drm_fb_helper.c:2262
>>   virtio_gpu_probe+0x28f/0x2e0 drivers/gpu/drm/virtio/virtgpu_drv.c:127
>>   virtio_dev_probe+0x445/0x6f0 drivers/virtio/virtio.c:248
>>   really_probe+0x282/0x9f0 drivers/base/dd.c:553
>>   driver_probe_device+0xfe/0x1d0 drivers/base/dd.c:738
>>   device_driver_attach+0x228/0x290 drivers/base/dd.c:1013
>>   __driver_attach drivers/base/dd.c:1090 [inline]
>>   __driver_attach+0xda/0x240 drivers/base/dd.c:1044
>>   bus_for_each_dev+0x147/0x1d0 drivers/base/bus.c:305
>>   bus_add_driver+0x348/0x5a0 drivers/base/bus.c:622
>>   driver_register+0x220/0x3a0 drivers/base/driver.c:171
>>   do_one_initcall+0x10a/0x7b0 init/main.c:1201
>>   do_initcall_level init/main.c:1274 [inline]
>>   do_initcalls init/main.c:1290 [inline]
>>   do_basic_setup init/main.c:1310 [inline]
>>   kernel_init_freeable+0x589/0x638 init/main.c:1505
>>   kernel_init+0xd/0x1c0 init/main.c:1399
>>   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>> Modules linked in:
>> ---[ end trace 11a290451cfd19ed ]---
>> RIP: 0010:swiotlb_map+0x5ac/0x700 kernel/dma/swiotlb.c:683
>> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
>> RSP: 0000:ffffc9000034f3e0 EFLAGS: 00010246
>> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8162cc1d
>> RDX: 0000000000000000 RSI: ffffffff8162cc98 RDI: ffff88802971a470
>> RBP: ffff88802971a048 R08: 0000000000000001 R09: ffffffff8c5dba77
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 000000007ac00000 R14: dffffc0000000000 R15: 0000000000001000
>> FS:  0000000000000000(0000) GS:ffff88802ce00000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000ffffffff CR3: 0000000009a8d000 CR4: 0000000000350ef0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> 
> So it fails at
> 
> 683                 dev_WARN_ONCE(dev, 1,
> 684                         "swiotlb addr %pad+%zu overflow (mask %llx, bus limit %llx).\n",
> 685                         &dma_addr, size, *dev->dma_mask, dev->bus_dma_limit);
> 
> 
> which makes no sense to me as `dev` surely exists. I can see in the console log:
> 
> virtio-pci 0000:00:01.0: vgaarb: deactivate vga console
> 
> So what gives?
> 
> Code: 28 04 00 00 48 c1 ea 03 80 3c 02 00 0f 85 4d 01 00 00 4c 8b a5 18 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 1e 01 00 00 48 8d 7d 50 4d 8b 24 24 48 b8 00 00
> is
> All code
> ========
>     0:   28 04 00                sub    %al,(%rax,%rax,1)
>     3:   00 48 c1                add    %cl,-0x3f(%rax)
>     6:   ea                      (bad)
>     7:   03 80 3c 02 00 0f       add    0xf00023c(%rax),%eax
>     d:   85 4d 01                test   %ecx,0x1(%rbp)
>    10:   00 00                   add    %al,(%rax)
>    12:   4c 8b a5 18 04 00 00    mov    0x418(%rbp),%r12
>    19:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
>    20:   fc ff df
>    23:   4c 89 e2                mov    %r12,%rdx
>    26:   48 c1 ea 03             shr    $0x3,%rdx
>    2a:*  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)               <-- trapping instruction
>    2e:   0f 85 1e 01 00 00       jne    0x152
>    34:   48 8d 7d 50             lea    0x50(%rbp),%rdi
>    38:   4d 8b 24 24             mov    (%r12),%r12
>    3c:   48                      rex.W
>    3d:   b8                      .byte 0xb8
> 
> So %r12 was expected to have something valid, put in %rdx, and shifted by three (line 26). Then
> we fetch from
> base =  0000000000000000 (%rdx) + 0xdffffc0000000000(%rax)* scale 1.
> 
> and compare against 0 (if I am reading this right).
> 
> No clue here.
> 
> I tried compiling the upstream kernel with the .config mentioned at the top
> but sadly I can't find anything that similar to this code to figure out
> what exactly it is trying to access and crash.
> 
> CC-ing a fellow engineer who is debugging this, but it looks to be related to VirtIO DRM.
> 
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-08-27  2:08 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-06 10:46 upstream boot error: general protection fault in swiotlb_map syzbot
2020-08-24 15:06 ` Is: virtio_gpu_object_shmem_init issues? Was:Re: " Konrad Rzeszutek Wilk
2020-08-24 15:13   ` Christoph Hellwig
2020-08-24 15:17   ` Dmitry Vyukov via iommu
2020-08-27  1:37   ` Thomas Tai

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).