From: kernel test robot <oliver.sang@intel.com>
To: <w15303746062@163.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
<dri-devel@lists.freedesktop.org>,
<maarten.lankhorst@linux.intel.com>, <mripard@kernel.org>,
<tzimmermann@suse.de>, <airlied@gmail.com>, <simona@ffwll.ch>,
<sumit.semwal@linaro.org>, <christian.koenig@amd.com>,
<jeffy.chen@rock-chips.com>, <linux-kernel@vger.kernel.org>,
<linux-media@vger.kernel.org>, <linaro-mm-sig@lists.linaro.org>,
Mingyu Wang <25181214217@stu.xidian.edu.cn>,
<stable@vger.kernel.org>, <oliver.sang@intel.com>
Subject: Re: [PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle
Date: Sun, 31 May 2026 15:54:09 +0800 [thread overview]
Message-ID: <202605310941.ddd52610-lkp@intel.com> (raw)
In-Reply-To: <20260528082912.1051262-1-w15303746062@163.com>
Hello,
kernel test robot noticed "WARNING:possible_recursive_locking_detected" on:
commit: 60a023d26c97753be2beee6062d71ce9416725b1 ("[PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle")
url: https://github.com/intel-lab-lkp/linux/commits/w15303746062-163-com/drm-prime-Fix-unsupervised-rb_tree-corruption-in-drm_prime_remove_buf_handle/20260528-163356
base: https://gitlab.freedesktop.org/drm/misc/kernel.git drm-misc-next
patch link: https://lore.kernel.org/all/20260528082912.1051262-1-w15303746062@163.com/
patch subject: [PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle
in testcase: boot
config: x86_64-rhel-9.4-bpf
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202605310941.ddd52610-lkp@intel.com
[ 86.630882][ T218] WARNING: possible recursive locking detected
[ 86.631312][ T218] 7.1.0-rc2+ #1 Not tainted
[ 86.631634][ T218] --------------------------------------------
[ 86.632065][ T218] (udev-worker)/218 is trying to acquire lock:
[ 86.632529][ T218] ffff8881ab017388 (&prime_fpriv->lock){+.+.}-{4:4}, at: drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.633434][ T218]
[ 86.633434][ T218] but task is already holding lock:
[ 86.633951][ T218] ffff8881ab017388 (&prime_fpriv->lock){+.+.}-{4:4}, at: drm_gem_object_release_handle (gpu/drm/drm_gem.c:377) drm
[ 86.638664][ T218]
[ 86.638664][ T218] other info that might help us debug this:
[ 86.639229][ T218] Possible unsafe locking scenario:
[ 86.639229][ T218]
[ 86.639769][ T218] CPU0
[ 86.640006][ T218] ----
[ 86.640243][ T218] lock(&prime_fpriv->lock);
[ 86.640581][ T218] lock(&prime_fpriv->lock);
[ 86.640916][ T218]
[ 86.640916][ T218] *** DEADLOCK ***
[ 86.640916][ T218]
[ 86.641480][ T218] May be due to missing lock nesting notation
[ 86.641480][ T218]
[ 86.642060][ T218] 4 locks held by (udev-worker)/218:
[ 86.642446][ T218] #0: ffff8881022921f8 (&dev->mutex){....}-{4:4}, at: __driver_attach (linux/device.h:1040 base/dd.c:1174 base/dd.c:1294)
[ 86.643133][ T218] #1: ffff8881ab020260 (&dev->clientlist_mutex){+.+.}-{4:4}, at: drm_client_register (gpu/drm/drm_client.c:129) drm
[ 86.644051][ T218] #2: ffff8882a2b58a70 (&helper->lock){+.+.}-{4:4}, at: drm_fb_helper_initial_config (gpu/drm/drm_fb_helper.c:1717 gpu/drm/drm_fb_helper.c:1710) drm_kms_helper
[ 86.644930][ T218] #3: ffff8881ab017388 (&prime_fpriv->lock){+.+.}-{4:4}, at: drm_gem_object_release_handle (gpu/drm/drm_gem.c:377) drm
[ 86.645880][ T218]
[ 86.645880][ T218] stack backtrace:
[ 86.646300][ T218] CPU: 1 UID: 0 PID: 218 Comm: (udev-worker) Not tainted 7.1.0-rc2+ #1 PREEMPT(full)
[ 86.646307][ T218] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.646311][ T218] Call Trace:
[ 86.646316][ T218] <TASK>
[ 86.646321][ T218] dump_stack_lvl (dump_stack.c:94 dump_stack.c:120)
[ 86.646333][ T218] print_deadlock_bug.cold (locking/lockdep.c:3041)
[ 86.646341][ T218] validate_chain (locking/lockdep.c:3093 locking/lockdep.c:3895)
[ 86.646350][ T218] __lock_acquire (locking/lockdep.c:5237)
[ 86.646366][ T218] lock_acquire (trace/events/lock.h:24 (discriminator 15) trace/events/lock.h:24 (discriminator 15) locking/lockdep.c:5831 (discriminator 15))
[ 86.646372][ T218] ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.646516][ T218] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 86.646521][ T218] ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.646659][ T218] ? lock_acquire (trace/events/lock.h:24 (discriminator 21) locking/lockdep.c:5831 (discriminator 21))
[ 86.646665][ T218] __mutex_lock (locking/mutex.c:646 locking/mutex.c:820)
[ 86.646675][ T218] ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.646814][ T218] ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.646952][ T218] ? __mutex_lock (locking/mutex.c:656 locking/mutex.c:820)
[ 86.646958][ T218] ? drm_gem_object_release_handle (gpu/drm/drm_gem.c:377) drm
[ 86.647103][ T218] ? __pfx___mutex_lock (locking/mutex.c:914)
[ 86.647109][ T218] ? __pfx___mutex_lock (locking/mutex.c:914)
[ 86.647116][ T218] ? idr_replace (idr.c:304)
[ 86.647124][ T218] ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.647264][ T218] drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[ 86.647408][ T218] drm_gem_object_release_handle (gpu/drm/drm_gem.c:379) drm
[ 86.647555][ T218] drm_gem_handle_delete (gpu/drm/drm_gem.c:413) drm
[ 86.647700][ T218] drm_client_buffer_create_dumb (gpu/drm/drm_client.c:424) drm
[ 86.647840][ T218] ? __pfx_drm_client_buffer_create_dumb (gpu/drm/drm_client.c:267) drm
[ 86.647977][ T218] ? drm_fb_helper_single_fb_probe (gpu/drm/drm_fb_helper.c:1414 gpu/drm/drm_fb_helper.c:1445) drm_kms_helper
[ 86.648030][ T218] drm_fbdev_shmem_driver_fbdev_probe (gpu/drm/drm_fbdev_shmem.c:151) drm_shmem_helper
[ 86.648045][ T218] ? __pfx_drm_fbdev_shmem_driver_fbdev_probe (gpu/drm/drm_fbdev_shmem.c:119) drm_shmem_helper
[ 86.648055][ T218] ? __kmalloc_noprof (linux/local_lock_internal.h:62 slub.c:4771 slub.c:4883 slub.c:5294 slub.c:5307)
[ 86.648064][ T218] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 86.648073][ T218] drm_fb_helper_single_fb_probe (gpu/drm/drm_fb_helper.c:1454) drm_kms_helper
[ 86.648121][ T218] ? __pfx_drm_fb_helper_single_fb_probe (gpu/drm/drm_fb_helper.c:1391) drm_kms_helper
[ 86.648167][ T218] ? fb_copy_cmap (video/fbdev/core/fbcmap.c:187)
[ 86.648174][ T218] ? fb_alloc_cmap_gfp (video/fbdev/core/fbcmap.c:124 (discriminator 1))
[ 86.648180][ T218] __drm_fb_helper_initial_config_and_unlock (gpu/drm/drm_fb_helper.c:1635) drm_kms_helper
[ 86.648230][ T218] drm_fbdev_client_hotplug (gpu/drm/clients/drm_fbdev_client.c:66) drm_client_lib
[ 86.648239][ T218] drm_client_register (gpu/drm/drm_client.c:143) drm
[ 86.648376][ T218] drm_fbdev_client_setup (gpu/drm/clients/drm_fbdev_client.c:168) drm_client_lib
[ 86.648383][ T218] drm_client_setup (gpu/drm/clients/drm_client_setup.c:46 gpu/drm/clients/drm_client_setup.c:35) drm_client_lib
[ 86.648390][ T218] bochs_pci_probe (gpu/drm/tiny/bochs.c:776 gpu/drm/tiny/bochs.c:747) bochs
[ 86.648405][ T218] ? __pfx_bochs_pci_probe (gpu/drm/tiny/bochs.c:254) bochs
[ 86.648413][ T218] local_pci_probe (pci/pci-driver.c:325)
[ 86.648422][ T218] pci_call_probe (pci/pci-driver.c:387)
[ 86.648427][ T218] ? __pfx_pci_call_probe (pci/pci-driver.c:653)
[ 86.648432][ T218] ? find_held_lock (locking/lockdep.c:5350)
[ 86.648439][ T218] ? pci_match_device (linux/spinlock.h:390 pci/pci-driver.c:156)
[ 86.648444][ T218] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 86.648448][ T218] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 86.648452][ T218] ? pci_match_id (pci/pci.h:466 pci/pci.h:460 pci/pci-driver.c:110)
[ 86.648459][ T218] ? pci_match_device (pci/pci-driver.c:168)
[ 86.648465][ T218] pci_device_probe (pci/pci-driver.c:448 pci/pci-driver.c:482)
[ 86.648471][ T218] call_driver_probe (base/dd.c:631)
[ 86.648477][ T218] really_probe (base/dd.c:709)
[ 86.648484][ T218] __driver_probe_device (base/dd.c:871)
[ 86.648489][ T218] driver_probe_device (base/dd.c:901)
[ 86.648495][ T218] __driver_attach (base/dd.c:1295)
[ 86.648500][ T218] ? __pfx___driver_attach (base/dd.c:1004 (discriminator 1))
[ 86.648504][ T218] bus_for_each_dev (base/bus.c:383)
[ 86.648511][ T218] ? __pfx_bus_for_each_dev (base/bus.c:205)
[ 86.648516][ T218] ? bus_add_driver (base/bus.c:754)
[ 86.648520][ T218] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 86.648526][ T218] bus_add_driver (base/bus.c:756)
[ 86.648532][ T218] driver_register (base/driver.c:249)
[ 86.648538][ T218] ? __pfx_bochs_pci_driver_init (bochs.c:?) bochs
[ 86.648548][ T218] do_one_initcall (main.c:1392)
[ 86.648555][ T218] ? __pfx_do_one_initcall (trace/events/initcall.h:10)
[ 86.648561][ T218] ? kasan_unpoison (kasan/shadow.c:146 kasan/shadow.c:178)
[ 86.648568][ T218] ? __kasan_slab_alloc (kasan/common.c:336 kasan/common.c:366)
[ 86.648575][ T218] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 86.648579][ T218] ? kasan_unpoison (kasan/shadow.c:146 kasan/shadow.c:178)
[ 86.648586][ T218] do_init_module (module/main.c:3106)
[ 86.648594][ T218] ? __pfx_do_init_module (trace/events/module.h:50 (discriminator 1))
[ 86.648599][ T218] ? load_module (module/main.c:2528 module/main.c:2523 module/main.c:3575)
[ 86.648603][ T218] ? kfree (linux/kasan.h:235 slub.c:2689 slub.c:6250 slub.c:6565)
[ 86.648611][ T218] load_module (module/main.c:3580)
[ 86.648620][ T218] ? __pfx_load_module (module/main.c:3020)
[ 86.648626][ T218] ? __pfx_kernel_read_file (??:?)
[ 86.648632][ T218] ? do_syscall_64 (linux/irq-entry-common.h:279 linux/entry-common.h:320 x86/entry/syscall_64.c:100)
[ 86.648640][ T218] init_module_from_file (module/main.c:3777)
[ 86.648646][ T218] ? __pfx_init_module_from_file (module/main.c:3634)
[ 86.648656][ T218] ? idempotent_init_module (linux/spinlock.h:390 module/main.c:3688 module/main.c:3788)
[ 86.648661][ T218] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 86.648664][ T218] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 86.648669][ T218] ? preempt_count_sub (sched/core.c:5874 (discriminator 2) sched/core.c:5871 (discriminator 2) sched/core.c:5893 (discriminator 2))
[ 86.648676][ T218] idempotent_init_module (module/main.c:3789)
[ 86.648682][ T218] ? __pfx_idempotent_init_module (module/main.c:3778)
[ 86.648687][ T218] ? preempt_count_sub (sched/core.c:5874 (discriminator 2) sched/core.c:5871 (discriminator 2) sched/core.c:5893 (discriminator 2))
[ 86.648696][ T218] ? security_capable (security.c:660 (discriminator 20))
[ 86.648702][ T218] __x64_sys_finit_module (module/main.c:3815 module/main.c:3799 module/main.c:3799)
[ 86.648708][ T218] do_syscall_64 (x86/entry/syscall_64.c:63 x86/entry/syscall_64.c:94)
[ 86.648713][ T218] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 86.648717][ T218] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 86.648720][ T218] ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[ 86.648725][ T218] ? preempt_count_sub (sched/core.c:5874 (discriminator 2) sched/core.c:5871 (discriminator 2) sched/core.c:5893 (discriminator 2))
[ 86.648730][ T218] ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[ 86.648734][ T218] ? irqentry_exit (linux/irq-entry-common.h:280 linux/irq-entry-common.h:325 entry/common.c:162)
[ 86.648740][ T218] entry_SYSCALL_64_after_hwframe (x86/entry/entry_64.S:121)
[ 86.648747][ T218] RIP: 0033:0x7f3757f90779
[ 86.648768][ T218] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 86 0d 00 f7 d8 64 89 01 48
All code
========
0: ff c3 inc %ebx
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d 4f 86 0d 00 mov 0xd864f(%rip),%rcx # 0xd8689
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260531/202605310941.ddd52610-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
prev parent reply other threads:[~2026-05-31 7:54 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 8:29 [PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle w15303746062
2026-05-28 9:14 ` Christian König
2026-05-28 12:40 ` w15303746062
2026-05-28 13:29 ` [PATCH v2] drm/prime: fix dangling dmabuf entries after handle release w15303746062
2026-05-28 13:32 ` Christian König
2026-05-28 13:49 ` w15303746062
2026-05-29 6:45 ` Christian König
2026-05-29 11:45 ` w15303746062
2026-05-31 7:54 ` kernel test robot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202605310941.ddd52610-lkp@intel.com \
--to=oliver.sang@intel.com \
--cc=25181214217@stu.xidian.edu.cn \
--cc=airlied@gmail.com \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=jeffy.chen@rock-chips.com \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=lkp@intel.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=oe-lkp@lists.linux.dev \
--cc=simona@ffwll.ch \
--cc=stable@vger.kernel.org \
--cc=sumit.semwal@linaro.org \
--cc=tzimmermann@suse.de \
--cc=w15303746062@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.