From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Mikulas Patocka
Date: Sun, 03 Jun 2018 14:40:58 +0000
Subject: [PATCH 05/21] udl-kms: fix a linked-list corruption when using fbdefio
Message-Id: <20180603144220.849008093@twibright.com>
List-Id:
References: <20180603144053.875668929@twibright.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Mikulas Patocka, Bartlomiej Zolnierkiewicz, Dave Airlie, Bernie Thompson, Ladislav Michl
Cc: linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org

The udl driver crashes when fbdefio is used. The crash can be reproduced
with this sequence:
1. echo 1 >/sys/module/udl/parameters/fb_defio
2. run some program that maps the framebuffer, such as 'links -g' or 'fbi'
3. allocate memory to the point where the machine starts swapping

The reason for the crash is that udl_gem_get_pages calls drm_gem_get_pages
and drm_gem_get_pages allocates the pages using shmem_read_mapping_page.
The shmem pages are kept on the memory management lists using the
page->lru entry.

However, fbdefio reuses the page->lru entry for the list of pages that
were modified, so the memory management lists are corrupted and the
machine crashes when vmscan starts to scan memory.

I fixed this crash by allocating pages with "alloc_page" instead. The
pages allocated with "alloc_page" have page->lru unused, and thus the
system doesn't crash when fbdefio uses it.

Unable to handle kernel paging request at virtual address dead000000000200
Mem abort info:
  ESR = 0x96000044
  Exception class = DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
Data abort info:
  ISV = 0, ISS = 0x00000044
  CM = 0, WnR = 1
[dead000000000200] address between user and kernel address ranges
Internal error: Oops: 96000044 [#1] PREEMPT SMP
Modules linked in: ip6table_filter ip6_tables iptable_filter ip_tables x_tables af_packet autofs4 udl drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect sysimgblt fb_sys_fops cfbcopyarea fb font drm drm_panel_orientation_quirks mousedev hid_generic usbhid hid binfmt_misc snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_pcm snd_timer snd soundcore ipv6 aes_ce_blk crypto_simd cryptd aes_ce_cipher crc32_ce ghash_ce gf128mul aes_arm64 sha2_ce sha256_arm64 sha1_ce sha1_generic xhci_plat_hcd xhci_hcd sd_mod usbcore usb_common mvpp2 unix
CPU: 0 PID: 39 Comm: kswapd0 Not tainted 4.16.12 #3
Hardware name: Marvell 8040 MACHIATOBin (DT)
pstate: 00000085 (nzcv daIf -PAN -UAO)
pc : isolate_lru_pages.isra.16+0x23c/0x2b0
lr : isolate_lru_pages.isra.16+0x104/0x2b0
sp : ffffffc13a897ac0
x29: ffffffc13a897ac0 x28: 0000000000000003
x27: 0000000000000003 x26: 0000000000000004
x25: ffffff80087e84a0 x24: ffffffc13a897b68
x23: ffffffbf04cefc60 x22: ffffffc13a897e44
x21: 0000000000000009 x20: ffffffc13a897c00
x19: ffffffc13a897b40 x18: ffffffbf04d39000
x17: 00000000fffffff8 x16: ffffffbf00000000
x15: 0000000000000006 x14: 0000000000000000
x13: 00000000000001aa x12: 400000000004001c
x11: 0000000000000001 x10: 0000000000000001
x9 : 00000000000ee3ac x8 : 00000000000004a0
x7 : ffffff80087e84a0 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000002
x3 : ffffff80087e84a0 x2 : 0000000000000200
x1 : dead000000000200 x0 : 400000000004001c
Process kswapd0 (pid: 39, stack limit = 0x0000000097f25571)
Call trace:
 isolate_lru_pages.isra.16+0x23c/0x2b0
 shrink_inactive_list+0xe4/0x3b0
shrink_node_memcg.constprop.19+0x374/0x630 shrink_node+0x64/0x1c8 kswapd+0x340/0x568 kthread+0x118/0x120 ret_from_fork+0x10/0x18 Code: d2804002 f85e02e0 f85e02ec f9000461 (f9000023) ---[ end trace f9f3ad3856cb2ef3 ]--- note: kswapd0[39] exited with preempt_count 1 Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org --- drivers/gpu/drm/udl/udl_gem.c | 31 +++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) Index: linux-4.16.12/drivers/gpu/drm/udl/udl_gem.c =================================--- linux-4.16.12.orig/drivers/gpu/drm/udl/udl_gem.c 2018-01-10 09:31:23.000000000 +0100 +++ linux-4.16.12/drivers/gpu/drm/udl/udl_gem.c 2018-05-29 17:46:10.000000000 +0200 @@ -130,28 +130,51 @@ int udl_gem_fault(struct vm_fault *vmf) int udl_gem_get_pages(struct udl_gem_object *obj) { struct page **pages; + int npages, i; if (obj->pages) return 0; - pages = drm_gem_get_pages(&obj->base); - if (IS_ERR(pages)) - return PTR_ERR(pages); + npages = obj->base.size >> PAGE_SHIFT; + + pages = kvmalloc_array(npages, sizeof(struct page *), GFP_KERNEL); + if (!pages) + return -ENOMEM; + + for (i = 0; i < npages; i++) { + struct page *p = alloc_page(GFP_KERNEL | __GFP_ZERO); + if (!p) + goto fail; + pages[i] = p; + } obj->pages = pages; return 0; + +fail: + while (i--) + put_page(pages[i]); + kvfree(pages); + return -ENOMEM; } void udl_gem_put_pages(struct udl_gem_object *obj) { + int npages, i; + if (obj->base.import_attach) { kvfree(obj->pages); obj->pages = NULL; return; } - drm_gem_put_pages(&obj->base, obj->pages, false, false); + npages = obj->base.size >> PAGE_SHIFT; + + for (i = 0; i < npages; i++) + put_page(obj->pages[i]); + + kvfree(obj->pages); obj->pages = NULL; } From mboxrd@z Thu Jan 1 00:00:00 1970 
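Review bot: In udl_gem_get_pages(), the loop that replaces drm_gem_get_pages() with per-page alloc_page(GFP_KERNEL | __GFP_ZERO) needs a comment saying why the shmem helper must not be used here (fbdefio takes over page->lru, as the commit message explains); without it a later cleanup is likely to switch back to the helper and reintroduce the list corruption. The same comment should state that __GFP_ZERO is deliberate, since these pages back a framebuffer that userspace maps. Two smaller points: npages and i are declared int in both udl_gem_get_pages() and udl_gem_put_pages() while obj->base.size >> PAGE_SHIFT is a wider unsigned value, so unsigned long or size_t would avoid truncation and a signed loop bound; and pages obtained from alloc_page() are conventionally released with __free_page() rather than put_page(), both in the fail: path and in udl_gem_put_pages().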
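The page->lru aliasing described in the commit message, as an added userspace illustration (not part of the patch and not kernel code): one list_head is claimed by two owners, and the second unlink runs into the poison left by the first. The struct layouts, poison constants, list_del_checked() and simulate() are assumptions that only model the kernel's list helpers.

```c
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct page { struct list_head lru; };

/* Constructed stand-ins for the kernel's list poison markers. */
#define POISON1 ((struct list_head *)(uintptr_t)0x100)
#define POISON2 ((struct list_head *)(uintptr_t)0x200)

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Unlink n. Returns -1 where an unchecked unlink would write through a
 * poisoned or inconsistent pointer, i.e. where the kernel would oops. */
static int list_del_checked(struct list_head *n)
{
    if (n->next == POISON1 || n->prev == POISON2)
        return -1;
    if (n->next->prev != n || n->prev->next != n)
        return -1;
    n->next->prev = n->prev;
    n->prev->next = n->next;
    n->next = POISON1; n->prev = POISON2;
    return 0;
}

/* share=1: deferred I/O reuses the lru of a page that is on the memory
 * management list (the bug). share=0: it uses a page on no other list. */
int simulate(int share)
{
    struct list_head mm_lru, dirty;
    struct page shmem_page, private_page;
    struct page *fb = share ? &shmem_page : &private_page;

    list_init(&mm_lru); list_init(&dirty); list_init(&private_page.lru);
    list_add(&shmem_page.lru, &mm_lru);   /* memory management owns lru  */
    list_add(&fb->lru, &dirty);           /* deferred I/O marks it dirty */
    if (list_del_checked(&fb->lru))       /* deferred I/O flushes it     */
        return -2;
    return list_del_checked(&shmem_page.lru); /* reclaim isolates page   */
}

int main(void)
{
    printf("shared lru: %d, private lru: %d\n", simulate(1), simulate(0));
    return 0;
}
```

The faulting address in the oops above, dead000000000200, is the kernel's list-poison pattern, which is what the unlink of an already-deleted entry ends up writing through.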