* [next] Null pointer dereference in nouveau_vm_map_sg
From: Martin Nyhus @ 2012-01-15 21:31 UTC
To: Ben Skeggs; +Cc: David Airlie, dri-devel, linux-kernel
In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
reproduce, so I can test patches if needed.
Martin
[ 216.546584] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
[ 216.546613] IP: [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[ 216.546631] PGD 5b155067 PUD 5ab71067 PMD 0
[ 216.546647] Oops: 0000 [#1] SMP
[ 216.546659] CPU 1
[ 216.546664] Modules linked in: tun iwl4965 iwlegacy mac80211 cfg80211 tg3 psmouse rtc_cmos evdev ehci_hcd uhci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
[ 216.546721]
[ 216.546727] Pid: 3327, comm: Xorg Not tainted 3.2.0-next-20120113 #56 Dell Inc. XPS M1330 /0PU073
[ 216.546749] RIP: 0010:[<ffffffff814a87ec>] [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[ 216.546770] RSP: 0018:ffff88005b0c9858 EFLAGS: 00010246
[ 216.546780] RAX: ffff88005bf84620 RBX: ffff88005ab08d20 RCX: 0000000000000000
[ 216.546791] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
[ 216.546802] RBP: ffff88005b0c98a8 R08: 0000000000000000 R09: 0000000000000000
[ 216.546813] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000004000
[ 216.546823] R13: ffff88005bf84dc8 R14: ffff88007838c000 R15: 0000000000000000
[ 216.546835] FS: 00007f5f728a8880(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
[ 216.546848] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 216.546857] CR2: 00000000000000d0 CR3: 000000006c1bb000 CR4: 00000000000006e0
[ 216.546869] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 216.546880] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 216.546892] Process Xorg (pid: 3327, threadinfo ffff88005b0c8000, task ffff8800655da180)
[ 216.546904] Stack:
[ 216.546909] ffff88005b0c9960 ffff880037180368 0000000000000000 0000000000000000
[ 216.546930] ffff88005b0c98d8 ffff88005bf84dc8 ffff88005b0c9960 ffff88007838c240
[ 216.546949] ffff88007838c000 0000000000000000 ffff88005b0c98d8 ffffffff81481bdf
[ 216.546969] Call Trace:
[ 216.546979] [<ffffffff81481bdf>] nouveau_bo_move_ntfy+0x7f/0xb0
[ 216.546991] [<ffffffff81470614>] ttm_bo_handle_move_mem+0x204/0x3d0
[ 216.547003] [<ffffffff8147099d>] ttm_bo_evict+0x1bd/0x2a0
[ 216.547015] [<ffffffff81460de7>] ? drm_mm_kmalloc+0x37/0xd0
[ 216.547027] [<ffffffff81470bf1>] ttm_mem_evict_first+0x171/0x230
[ 216.547039] [<ffffffff814714ed>] ttm_bo_mem_space+0x30d/0x420
[ 216.547056] [<ffffffff814716e8>] ttm_bo_move_buffer+0xe8/0x160
[ 216.547069] [<ffffffff8108df2b>] ? __lock_release+0x6b/0xe0
[ 216.547080] [<ffffffff81460de7>] ? drm_mm_kmalloc+0x37/0xd0
[ 216.547091] [<ffffffff81471847>] ttm_bo_validate+0xe7/0xf0
[ 216.547102] [<ffffffff81471a24>] ttm_bo_init+0x1d4/0x2a0
[ 216.547113] [<ffffffff81482481>] ? nouveau_bo_new+0x51/0x1c0
[ 216.547124] [<ffffffff8148258c>] nouveau_bo_new+0x15c/0x1c0
[ 216.547135] [<ffffffff81481eb0>] ? nouveau_ttm_tt_create+0x80/0x80
[ 216.547148] [<ffffffff81338bba>] ? avc_has_perm_noaudit+0xfa/0x290
[ 216.547160] [<ffffffff81485cf3>] nouveau_gem_new+0x53/0x120
[ 216.548008] [<ffffffff8108df81>] ? __lock_release+0xc1/0xe0
[ 216.548008] [<ffffffff81112a97>] ? might_fault+0x57/0xb0
[ 216.548008] [<ffffffff81485e29>] nouveau_gem_ioctl_new+0x69/0x170
[ 216.548008] [<ffffffff81112a97>] ? might_fault+0x57/0xb0
[ 216.548008] [<ffffffff814553e4>] drm_ioctl+0x444/0x510
[ 216.548008] [<ffffffff81485dc0>] ? nouveau_gem_new+0x120/0x120
[ 216.548008] [<ffffffff81150b17>] do_vfs_ioctl+0x87/0x330
[ 216.548008] [<ffffffff8133b528>] ? selinux_file_ioctl+0x68/0x140
[ 216.548008] [<ffffffff81150e51>] sys_ioctl+0x91/0xa0
[ 216.555939] [<ffffffff817c1722>] system_call_fastpath+0x16/0x1b
[ 216.555939] Code: 48 89 e5 41 57 49 89 cf 41 56 41 55 49 89 fd 41 54 49 89 d4 ba 01 00 00 00 53 41 89 d3 48 83 ec 28 48 8b 47 20 48 8b 5f 18 31 ff <4c> 8b b1 d0 00 00 00 0f b6 48 30 44 8b 48 34 8b 83 20 01 00 00
[ 216.555939] RIP [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[ 216.555939] RSP <ffff88005b0c9858>
[ 216.555939] CR2: 00000000000000d0
[ 216.581301] ---[ end trace 0d910003d5fb1cd8 ]---
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Jerome Glisse @ 2012-01-16 20:30 UTC
To: Martin Nyhus; +Cc: Ben Skeggs, David Airlie, dri-devel, linux-kernel
On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> reproduce, so I can test patches if needed.
>
> Martin
>
How do you trigger this?
Cheers,
Jerome
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Martin Nyhus @ 2012-01-16 23:57 UTC
To: Jerome Glisse; +Cc: Ben Skeggs, David Airlie, dri-devel, linux-kernel
On Monday 16. January 2012 21:30:59 Jerome Glisse wrote:
> On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> > In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> > at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> > reproduce, so I can test patches if needed.
> How do you trigger this ?
Opening 10-15 high-res pictures in Firefox triggers it every time. Doing the
same using Gimp does not, and neither does Firefox and lots of small images
(e.g. Google image search).
Martin
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Konrad Rzeszutek Wilk @ 2012-01-22 18:33 UTC
To: Martin Nyhus; +Cc: Jerome Glisse, Ben Skeggs, dri-devel, linux-kernel
On Tue, Jan 17, 2012 at 12:57:50AM +0100, Martin Nyhus wrote:
> On Monday 16. January 2012 21:30:59 Jerome Glisse wrote:
> > On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> > > In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> > > at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> > > reproduce, so I can test patches if needed.
> > How do you trigger this ?
>
> Opening 10-15 high-res pictures in Firefox triggers it every time. Doing the
> same using Gimp does not, and neither does Firefox and lots of small images
> (eg. Google image search).
I seem to be able to trigger this by using both Chrome and Firefox and
seeing a YouTube video. I did at that time have a dual-head display, while
in the past to reproduce this I had only one monitor and it took a bit of
time before I hit it.
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Jerome Glisse @ 2012-01-24 22:33 UTC
To: Konrad Rzeszutek Wilk; +Cc: Martin Nyhus, Ben Skeggs, dri-devel, linux-kernel
On Sun, Jan 22, 2012 at 01:33:16PM -0500, Konrad Rzeszutek Wilk wrote:
> On Tue, Jan 17, 2012 at 12:57:50AM +0100, Martin Nyhus wrote:
> > On Monday 16. January 2012 21:30:59 Jerome Glisse wrote:
> > > On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> > > > In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> > > > at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> > > > reproduce, so I can test patches if needed.
> > > How do you trigger this ?
> >
> > Opening 10-15 high-res pictures in Firefox triggers it every time. Doing the
> > same using Gimp does not, and neither does Firefox and lots of small images
> > (eg. Google image search).
>
> I seem to be able to trigger this by using both Chrome and Firefox and
> seeing a YouTube video. I did at that time have a dual-head display, while
> in the past to reproduce this I had only one monitor and it took a bit of
> time before I hit it.
Can you please both test if the attached patch fixes it for you?
Cheers,
Jerome
[-- Attachment #2: 0001-drm-nouveau-fix-move-notify-callback.patch --]
[-- Type: text/plain, Size: 1401 bytes --]
From 67d4836e3511db2691c4ff2d3a23bf8c0e950edb Mon Sep 17 00:00:00 2001
From: John Doe <glisse@dhcp-189-215.bos.redhat.com>
Date: Tue, 24 Jan 2012 22:55:26 -0500
Subject: [PATCH] drm/nouveau: fix move notify callback
On vram buffer eviction the ttm_bo_move_accel_cleanup will set the
mm_node field of struct ttm_mem_reg of new_mem placement to NULL.
As move notify callback is now called after ttm_bo_move_accel_cleanup
it was using NULL ptr for mm_node.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
---
drivers/gpu/drm/nouveau/nouveau_bo.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
index 724b41a..3a9d978 100644
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -814,13 +814,13 @@ nouveau_bo_move_ntfy(struct ttm_buffer_object *bo, struct ttm_mem_reg *new_mem)
list_for_each_entry(vma, &nvbo->vma_list, head) {
if (new_mem && new_mem->mem_type == TTM_PL_VRAM) {
- nouveau_vm_map(vma, new_mem->mm_node);
+ nouveau_vm_map(vma, bo->mem.mm_node);
} else
if (new_mem && new_mem->mem_type == TTM_PL_TT &&
nvbo->page_shift == vma->vm->spg_shift) {
nouveau_vm_map_sg(vma, 0, new_mem->
num_pages << PAGE_SHIFT,
- new_mem->mm_node);
+ bo->mem.mm_node);
} else {
nouveau_vm_unmap(vma);
}
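Review bot: Both changed calls now take the node from bo->mem.mm_node, while the conditions around them and the size argument (new_mem->mem_type, new_mem->num_pages) still come from new_mem, so the result is only correct if bo->mem already holds the new placement on every path that reaches nouveau_bo_move_ntfy. Nothing in the hunk establishes that, and neither branch tests the node for NULL before passing it on. Consider reading type, size and node from the same struct, or skipping the map when bo->mem.mm_node is NULL. The commit message should also name the change that moved the notify call after ttm_bo_move_accel_cleanup, and the From: line (John Doe) does not match the Signed-off-by.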
--
1.7.7.6
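The ordering problem described in the commit message above, as an added example that is not part of the original message or of the kernel source: a userspace model in which a cleanup step commits the new placement to the buffer object and clears the caller's node pointer. All struct and function names are simplified, hypothetical stand-ins, and vm_map returns -1 where the driver would dereference a NULL node.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not the TTM/nouveau definitions. */
enum placement { PL_SYSTEM, PL_TT, PL_VRAM };

struct mm_node { unsigned long start; unsigned long length; };

struct mem_reg {
    enum placement mem_type;
    unsigned long num_pages;
    struct mm_node *mm_node;
};

struct buffer_object { struct mem_reg mem; };

/* Models the cleanup step: the new placement is committed to the buffer
 * object and the caller's copy gives up its node pointer. */
static void move_cleanup(struct buffer_object *bo, struct mem_reg *new_mem)
{
    bo->mem = *new_mem;
    new_mem->mm_node = NULL;
}

/* Stand-in for the map call: -1 where the driver would fault on NULL. */
static int vm_map(const struct mm_node *node, unsigned long *mapped_len)
{
    if (node == NULL)
        return -1;
    *mapped_len = node->length;
    return 0;
}

/* Notify callback that reads the node from the caller's new_mem. */
static int notify_stale(struct buffer_object *bo, struct mem_reg *new_mem,
                        unsigned long *len)
{
    (void)bo;
    if (new_mem && new_mem->mem_type == PL_VRAM)
        return vm_map(new_mem->mm_node, len);
    return 0;
}

/* Notify callback that reads the node from the buffer object's own state. */
static int notify_committed(struct buffer_object *bo, struct mem_reg *new_mem,
                            unsigned long *len)
{
    if (new_mem && new_mem->mem_type == PL_VRAM)
        return vm_map(bo->mem.mm_node, len);
    return 0;
}

/* Runs one move on constructed sample data and returns the callback result.
 * notify_after_cleanup selects the call order, use_committed the callback. */
static int run_move(int notify_after_cleanup, int use_committed,
                    unsigned long *len)
{
    struct mm_node node = { 0x1000, 16 };
    struct mem_reg new_mem = { PL_VRAM, 16, &node };
    struct buffer_object bo = { { PL_SYSTEM, 0, NULL } };
    int rc;

    *len = 0;
    if (notify_after_cleanup)
        move_cleanup(&bo, &new_mem);
    rc = use_committed ? notify_committed(&bo, &new_mem, len)
                       : notify_stale(&bo, &new_mem, len);
    if (!notify_after_cleanup)
        move_cleanup(&bo, &new_mem);
    return rc;
}

int main(void)
{
    unsigned long len;

    printf("new_mem node, notify before cleanup: %d\n", run_move(0, 0, &len));
    printf("new_mem node, notify after cleanup:  %d\n", run_move(1, 0, &len));
    printf("bo->mem node, notify after cleanup:  %d\n", run_move(1, 1, &len));
    printf("bo->mem node, notify before cleanup: %d\n", run_move(0, 1, &len));
    return 0;
}
```

Each callback is correct for only one call order, which is why a callback reached from more than one path needs either a single agreed source for the node or a NULL check.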
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Martin Nyhus @ 2012-01-25 0:12 UTC
To: Jerome Glisse; +Cc: Konrad Rzeszutek Wilk, Ben Skeggs, dri-devel, linux-kernel
On Tue, 24 Jan 2012 17:33:19 -0500 Jerome Glisse <j.glisse@gmail.com>
wrote:
> Can you please both test if the attached patch fixes it for you?
Thanks. It looks good to me, but it crashes a little later due to vma->node
being invalid:
Jan 25 00:54:21 callisto kernel: [ 119.038357] [drm] nouveau_vm_unmap vma ffff880057502f50
Jan 25 00:54:21 callisto kernel: [ 119.038360] [drm] nouveau_vm_unmap vma->node ffff8800576b87a8
Jan 25 00:54:21 callisto kernel: [ 119.038363] [drm] nouveau_vm_unmap vma->node->length 58
Jan 25 00:54:21 callisto kernel: [ 119.038477] [drm] nouveau_vm_unmap vma ffff8800577beab8
Jan 25 00:54:21 callisto kernel: [ 119.038479] [drm] nouveau_vm_unmap vma->node ffff8800577bf880
Jan 25 00:54:21 callisto kernel: [ 119.038482] [drm] nouveau_vm_unmap vma->node->length 1
Jan 25 00:54:21 callisto kernel: [ 119.078025] [drm] nouveau_vm_unmap vma ffffffff8148df45
Jan 25 00:54:21 callisto kernel: [ 119.078029] [drm] nouveau_vm_unmap vma->node 8b48084b8b480000
Jan 25 00:54:21 callisto kernel: [ 119.078040] general protection fault: 0000 [#1] SMP
Jan 25 00:54:21 callisto kernel: [ 119.078133] CPU 0
Jan 25 00:54:21 callisto kernel: [ 119.078138] Modules linked in: tun iwl4965 iwlegacy mac80211 cfg80211 tg3 psmouse rtc_cmos evdev ehci_hcd uhci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
Jan 25 00:54:21 callisto kernel: [ 119.078542]
Jan 25 00:54:21 callisto kernel: [ 119.078914] Pid: 3220, comm: Xorg Tainted: G W 3.3.0-rc1-00076-g44d4826-dirty #75 Dell Inc. XPS M1330 /0PU073
Jan 25 00:54:21 callisto kernel: [ 119.079331] RIP: 0010:[<ffffffff814b2f7f>] [<ffffffff814b2f7f>] nouveau_vm_unmap+0x4f/0x80
Jan 25 00:54:21 callisto kernel: [ 119.079778] RSP: 0018:ffff88005c167868 EFLAGS: 00010292
Jan 25 00:54:21 callisto kernel: [ 119.080266] RAX: 8b48084b8b480000 RBX: ffffffff8148df45 RCX: 0000000000000006
Jan 25 00:54:21 callisto kernel: [ 119.080712] RDX: 0000000000000000 RSI: ffffffff81868740 RDI: ffffffff81a6e040
Jan 25 00:54:21 callisto kernel: [ 119.081218] RBP: ffff88005c167878 R08: 0000000000000001 R09: 0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] R13: ffff88006c309c80 R14: ffff88006c309a40 R15: ffff880037180590
Jan 25 00:54:21 callisto kernel: [ 119.081320] FS: 00007f141232f880(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jan 25 00:54:21 callisto kernel: [ 119.081320] CR2: 00007fb09c1de000 CR3: 000000005ce28000 CR4: 00000000000006f0
Jan 25 00:54:21 callisto kernel: [ 119.081320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jan 25 00:54:21 callisto kernel: [ 119.081320] Process Xorg (pid: 3220, threadinfo ffff88005c166000, task ffff88005f502180)
Jan 25 00:54:21 callisto kernel: [ 119.081320] Stack:
Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88005f502180 ffffffff8148df45 ffff88005c1678a8 ffffffff8148c0e8
Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88006c309a40 0000000000000002 ffff880037180b00 ffff880079ff5e68
Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88005c1678c8 ffffffff814792b1 ffff880079ff5e68 ffff88006c309a40
Jan 25 00:54:21 callisto kernel: [ 119.081320] Call Trace:
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148df45>] ? nouveau_bo_move+0xb5/0x270
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148c0e8>] nouveau_bo_move_ntfy+0x38/0xc0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff814792b1>] ttm_bo_cleanup_memtype_use+0x21/0xa0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a5b5>] ttm_bo_cleanup_refs_or_queue+0x165/0x190
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a675>] ttm_bo_release+0x95/0xd0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a6ef>] ttm_bo_unref+0x3f/0x60
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147cae3>] ttm_bo_move_accel_cleanup+0x213/0x240
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148db28>] nouveau_bo_move_m2mf+0x148/0x1b0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff817bfd49>] ? mutex_unlock+0x9/0x10
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148df45>] nouveau_bo_move+0xb5/0x270
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147ab66>] ttm_bo_handle_move_mem+0x1e6/0x3d0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147bcba>] ttm_bo_move_buffer+0x14a/0x160
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147bdb7>] ttm_bo_validate+0xe7/0xf0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148cbdd>] nouveau_bo_validate+0x1d/0x20
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148f2a0>] validate_list+0xc0/0x360
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148fafa>] nouveau_gem_pushbuf_validate+0x9a/0x210
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8149064d>] nouveau_gem_ioctl_pushbuf+0x1bd/0x8d0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff810960c1>] ? __lock_release+0xc1/0xe0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8145f994>] drm_ioctl+0x444/0x510
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81490490>] ? nouveau_gem_ioctl_new+0x170/0x170
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81152147>] do_vfs_ioctl+0x87/0x330
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81344e78>] ? selinux_file_ioctl+0x68/0x140
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81152481>] sys_ioctl+0x91/0xa0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff817cade2>] system_call_fastpath+0x16/0x1b
Jan 25 00:54:21 callisto kernel: [ 119.081320] Code: 48 8b 53 20 48 c7 c6 40 87 86 81 48 c7 c7 17 3a a5 81 31 c0 e8 05 77 2f 00 48 8b 43 20 48 c7 c6 40 87 86 81 48 c7 c7 40 e0 a6 81 <8b> 50 38 31 c0 e8 e9 76 2f 00 48 8b 43 20 48 89 df 31 f6 8b 50
Jan 25 00:54:21 callisto kernel: [ 119.081320] RIP [<ffffffff814b2f7f>] nouveau_vm_unmap+0x4f/0x80
Jan 25 00:54:21 callisto kernel: [ 119.081320] RSP <ffff88005c167868>
Jan 25 00:54:21 callisto kernel: [ 119.128824] ---[ end trace a7919e7f17c0a727 ]---
The taint is because of a failing self test (debug_objects_selftest) and the
-dirty and extra lines at the start of the log are from this patch:
diff --git a/drivers/gpu/drm/nouveau/nouveau_vm.c b/drivers/gpu/drm/nouveau/nouveau_vm.c
index 2bf6c03..2b788c3 100644
--- a/drivers/gpu/drm/nouveau/nouveau_vm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_vm.c
@@ -150,6 +150,9 @@ nouveau_vm_unmap_at(struct nouveau_vma *vma, u64 delta, u64 length)
void
nouveau_vm_unmap(struct nouveau_vma *vma)
{
+ DRM_INFO("%s vma %p\n", __func__, vma);
+ DRM_INFO("%s vma->node %p\n", __func__, vma->node);
+ DRM_INFO("%s vma->node->length %u\n", __func__, vma->node->length);
nouveau_vm_unmap_at(vma, 0, (u64)vma->node->length << 12);
}
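Review bot: The third added DRM_INFO line reads vma->node->length before nouveau_vm_unmap_at() runs, so when vma->node is garbage the fault is raised by the debug print itself; the log above stops after the vma->node line with node 8b48084b8b480000, and RAX holds that same value at the faulting instruction. For a diagnostic patch, print only vma and vma->node so the trace still points at the original faulting access. It is also worth stating in the report that the last vma printed, ffffffff8148df45, is the nouveau_bo_move+0xb5 address from the call trace, so nouveau_vm_unmap is being handed a value that is not a vma at all.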
To reproduce I do exactly the same as before, it just takes a little longer
before it crashes.
Martin
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Jerome Glisse @ 2012-01-25 16:54 UTC
To: Martin Nyhus; +Cc: Konrad Rzeszutek Wilk, Ben Skeggs, dri-devel, linux-kernel
On Tue, Jan 24, 2012 at 7:12 PM, Martin Nyhus <martin.nyhus@gmx.com> wrote:
> On Tue, 24 Jan 2012 17:33:19 -0500 Jerome Glisse <j.glisse@gmail.com>
> wrote:
>> Can you please both test if the attached patch fixes it for you?
>
> Thanks. It looks good to me, but it crashes a little later due to vma->node
> being invalid:
>
> The taint is because of a failing self test (debug_objects_selftest) and the
> -dirty and extra lines at the start of the log are from this patch:
>
> diff --git a/drivers/gpu/drm/nouveau/nouveau_vm.c b/drivers/gpu/drm/nouveau/nouveau_vm.c
> index 2bf6c03..2b788c3 100644
> --- a/drivers/gpu/drm/nouveau/nouveau_vm.c
> +++ b/drivers/gpu/drm/nouveau/nouveau_vm.c
> @@ -150,6 +150,9 @@ nouveau_vm_unmap_at(struct nouveau_vma *vma, u64 delta, u64 length)
> void
> nouveau_vm_unmap(struct nouveau_vma *vma)
> {
> + DRM_INFO("%s vma %p\n", __func__, vma);
> + DRM_INFO("%s vma->node %p\n", __func__, vma->node);
> + DRM_INFO("%s vma->node->length %u\n", __func__, vma->node->length);
> nouveau_vm_unmap_at(vma, 0, (u64)vma->node->length << 12);
> }
>
> To reproduce I do exactly the same as before, it just takes a little longer
> before it crashes.
>
> Martin
Ben posted a proper patch on dri-devel.
Cheers,
Jerome