Re: [PATCH] drm/i915: Rip out GET_SPRITE_COLORKEY ioctl

From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Tommi Rantala <tt.rantala@gmail.com>
Cc: "Syrjala, Ville" <ville.syrjala@intel.com>,
	Daniel Vetter <daniel.vetter@ffwll.ch>,
	Intel Graphics Development <intel-gfx@lists.freedesktop.org>,
	DRI Development <dri-devel@lists.freedesktop.org>,
	"Barnes, Jesse" <jesse.barnes@intel.com>,
	Daniel Vetter <daniel.vetter@intel.com>
Subject: Re: [PATCH] drm/i915: Rip out GET_SPRITE_COLORKEY ioctl
Date: Fri, 27 Mar 2015 19:55:30 +0200	[thread overview]
Message-ID: <20150327175530.GE17410@intel.com> (raw)
In-Reply-To: <CA+ydwtoV8WTjZjbzVzwRexugtXyu2o+RtjkSEjx4Aa+ShPCU7Q@mail.gmail.com>

On Fri, Mar 27, 2015 at 07:40:43PM +0200, Tommi Rantala wrote:
> 2015-03-27 18:42 GMT+02:00 Jani Nikula <jani.nikula@linux.intel.com>:
> > On Fri, 27 Mar 2015, Daniel Vetter <daniel@ffwll.ch> wrote:
> >> On Fri, Mar 27, 2015 at 09:10:02AM +0100, Daniel Vetter wrote:
> >>> It's completely unused and Tommi noticed that the #define is borked
> >>> since forever. I've done a git search in userspace and only found
> >>> broken definitions and no users anywhere.
> >>>
> >>> Cc: Tommi Rantala <tt.rantala@gmail.com>
> >>> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> >>
> >> Hm Tommi discovered oopses in there, so I guess this should be
> >> cherry-picked to -fixes+cc: stable too? Jani?
> >
> > My OCD really wants to know why this blows up. The get/set functions
> > look so similar that it feels like the set should fail just the same...
> > Tommi, did you try just the set part of your test program [1]?
> 
> Yes, both the set and get ioctls crash:
> 
> [   20.868660] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [   20.876527] IP: [<          (null)>]           (null)
> [   20.881573] PGD c4f7d067 PUD c2a6b067 PMD 0
> [   20.885866] Oops: 0010 [#1] SMP KASAN
> [   20.889549] CPU: 1 PID: 2207 Comm: main Not tainted 4.0.0-rc5+ #89
> [   20.902805] task: ffff8800c4fad380 ti: ffff8800c2b98000 task.ti:
> ffff8800c2b98000
> [   20.910257] RIP: 0010:[<0000000000000000>]  [<          (null)>]
>        (null)
> [   20.917722] RSP: 0018:ffff8800c2b9fd30  EFLAGS: 00010246
> [   20.923012] RAX: ffffed002e87c961 RBX: ffff88017463d000 RCX: 0000000000000006
> [   20.930116] RDX: dffffc0000000000 RSI: ffff8800c2b9fdd8 RDI: ffff8801743e4800
> [   20.937214] RBP: ffff8800c2b9fd68 R08: 0000000000000000 R09: 0000000000000000
> [   20.944318] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800c2b9fdd8
> [   20.951416] R13: ffff8801743e48d8 R14: 00000000fffffffe R15: ffff8801743e4800
> [   20.958524] FS:  00007f7139b3a700(0000) GS:ffff880175e00000(0000)
> knlGS:0000000000000000
> [   20.966575] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   20.972300] CR2: 0000000000000000 CR3: 00000000c2a67000 CR4: 00000000000406e0
> [   20.979407] Stack:
> [   20.981414]  ffffffff81b4a11d ffff8800c2b9fd68 ffff88017463d000
> ffff8800c4c50c00
> [   20.988838]  0000000000000014 fffffffffffffff2 ffffffff8271c3e0
> ffff8800c2b9fe88
> [   20.996238]  ffffffff818acbbc ffff8800c2b9fe18 ffffffff8165d7c2
> ffffffff8165d660
> [   21.003658] Call Trace:
> [   21.006110]  [<ffffffff81b4a11d>] ? intel_sprite_set_colorkey+0xad/0xf0
> [   21.012695]  [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890
> [   21.017904]  [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320
> [   21.023544]  [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320
> [   21.029098]  [<ffffffff81b4a070>] ? intel_pre_disable_primary+0x90/0x90
> [   21.035690]  [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0
> [   21.042023]  [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720
> [   21.047488]  [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130
> [   21.053558]  [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0
> [   21.058595]  [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17
> [   21.064580] Code:  Bad RIP value.
> [   21.067916] RIP  [<          (null)>]           (null)
> [   21.073048]  RSP <ffff8800c2b9fd30>
> [   21.076524] CR2: 0000000000000000
> [   21.079863] ---[ end trace 161ba639126f6a45 ]---
> 
> 
> [  274.286068] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [  274.295149] IP: [<          (null)>]           (null)
> [  274.300242] PGD 171999067 PUD 171b93067 PMD 0
> [  274.304744] Oops: 0010 [#1] SMP KASAN
> [  274.308460] CPU: 0 PID: 2202 Comm: main Not tainted 4.0.0-rc5+ #89
> [  274.321856] task: ffff8801726914e0 ti: ffff880172928000 task.ti:
> ffff880172928000
> [  274.329383] RIP: 0010:[<0000000000000000>]  [<          (null)>]
>        (null)
> [  274.336924] RSP: 0018:ffff88017292fd30  EFLAGS: 00010246
> [  274.342267] RAX: ffffed002e7bc362 RBX: ffff88017442f000 RCX: 0000000000000007
> [  274.349446] RDX: 0000000000000000 RSI: ffff88017292fdd8 RDI: ffff880173de1800
> [  274.356624] RBP: ffff88017292fd68 R08: 0000000000000000 R09: 0000000000000000
> [  274.363803] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [  274.370979] R13: ffff880173de18d8 R14: ffff88017292fdd8 R15: ffff880173de1800
> [  274.378157] FS:  00007f48d6b16700(0000) GS:ffff880175c00000(0000)
> knlGS:0000000000000000
> [  274.386297] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  274.392078] CR2: 0000000000000000 CR3: 000000017188d000 CR4: 00000000000406f0
> [  274.399257] Stack:
> [  274.401280]  ffffffff81b4a1f7 ffff88017292fd68 ffff88017442f000
> ffff880172cc7c00
> [  274.408761]  0000000000000014 fffffffffffffff2 ffffffff8271c3c0
> ffff88017292fe88
> [  274.416244]  ffffffff818acbbc ffff88017292fe18 ffffffff8165d7c2
> ffffffff8165d660
> [  274.423727] Call Trace:
> [  274.426192]  [<ffffffff81b4a1f7>] ? intel_sprite_get_colorkey+0x97/0xc0
> [  274.432849]  [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890
> [  274.438107]  [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320
> [  274.443800]  [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320
> [  274.449407]  [<ffffffff81b4a160>] ? intel_sprite_set_colorkey+0xf0/0xf0
> [  274.456065]  [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0
> [  274.462462]  [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720
> [  274.467984]  [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130
> [  274.474115]  [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0
> [  274.479199]  [<ffffffff825e08b2>] system_call_fastpath+0x12/0x17
> [  274.485240] Code:  Bad RIP value.
> [  274.488597] RIP  [<          (null)>]           (null)
> [  274.493776]  RSP <ffff88017292fd30>
> [  274.497283] CR2: 0000000000000000
> 
> 
> I debugged this a bit, and found that in intel_sprite_set_colorkey(),
> the "intel_plane->update_colorkey" function pointer is NULL, and in
> intel_sprite_get_colorkey(), the "intel_plane->get_colorkey" pointer
> is NULL. Hence the crash.
> 
> If I got it right, the pointers are not set for the "primary" and
> "cursor" planes, as initialized in intel_primary_plane_create() and
> intel_cursor_plane_create().

Ah true. So my patch to kill the rmw stuff should actually fix that
crash. Although we should not accept these ioctls for the
primary/cursor planes. I'll toss in a patch for that.

-- 
Ville Syrjälä
Intel OTC
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx