Re: nouveau crash due to missing channel (WAS: Re: [ANNOUNCE] 3.12.12-rt19)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Maarten Lankhorst <maarten.lankhorst@canonical.com>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Fernando Lopez-Lezcano <nando@ccrma.Stanford.EDU>,
	Ben Skeggs <bskeggs@redhat.com>,
	Peter Hurley <peter@hurleysoftware.com>
Cc: linux-rt-users <linux-rt-users@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	rostedt@goodmis.org, dri-devel@lists.freedesktop.org,
	John Kacur <jkacur@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>
Subject: Re: nouveau crash due to missing channel (WAS: Re: [ANNOUNCE] 3.12.12-rt19)
Date: Fri, 07 Mar 2014 12:36:13 +0100	[thread overview]
Message-ID: <5319AF2D.2060004@canonical.com> (raw)
In-Reply-To: <20140307111848.GA8637@linutronix.de>

op 07-03-14 12:18, Sebastian Andrzej Siewior schreef:
> * Fernando Lopez-Lezcano | 2014-03-01 17:48:29 [-0800]:
>
>> On 02/23/2014 10:47 AM, Sebastian Andrzej Siewior wrote:
>>> Dear RT folks!
>>>
>>> I'm pleased to announce the v3.12.12-rt19 patch set.
>> Just hit this Oops in my desktop at home:
>>
>> [22328.388996] BUG: unable to handle kernel NULL pointer dereference
>> at 0000000000000008
>> [22328.389013] IP: [<ffffffffa011a912>]
>> nouveau_fence_wait_uevent.isra.2+0x22/0x440 [nouveau]
> This is
>
> | static int
> | nouveau_fence_wait_uevent(struct nouveau_fence *fence, bool intr)
> |
> | {
> |         struct nouveau_channel *chan = fence->channel;
> |         struct nouveau_fifo *pfifo = nouveau_fifo(chan->drm->device);
>
> and chan is NULL.
>
>> [22328.389046] RAX: 0000000000000000 RBX: ffff8807a68f8fa8 RCX:
>> 0000000000000000
>> [22328.389046] RDX: 0000000000000001 RSI: ffff8807a68f8fb0 RDI:
>> ffff8807a68f8fa8
>> [22328.389047] RBP: ffff8807c09bdca0 R08: 000000000000045e R09:
>> 000000000000e200
>> [22328.389047] R10: ffffffffa0157d80 R11: ffff8807c09bdde0 R12:
>> 0000000000000001
>> [22328.389047] R13: 0000000000000000 R14: ffff8807d8493a80 R15:
>> ffff8807a68f8fb0
>> [22328.389053] Call Trace:
>> [22328.389069]  [<ffffffffa011af56>] nouveau_fence_wait+0x86/0x1a0 [nouveau]
>> [22328.389081]  [<ffffffffa011ca35>] nouveau_bo_fence_wait+0x15/0x20
>> [nouveau]
>> [22328.389084]  [<ffffffffa00867c6>] ttm_bo_wait+0x96/0x1a0 [ttm]
>> [22328.389095]  [<ffffffffa0121dac>]
>> nouveau_gem_ioctl_cpu_prep+0x5c/0xf0 [nouveau]
>> [22328.389101]  [<ffffffffa002cd42>] drm_ioctl+0x502/0x630 [drm]
>> [22328.389114]  [<ffffffffa01180a1>] nouveau_drm_ioctl+0x51/0x90 [nouveau]
> I can't find any kind of locking so my question is what ensures that chan is
> not set to NULL between nouveau_fence_done() and
> nouveau_fence_wait_uevent()? There are just a few opcodes in between but
> nothing that pauses nouveau_fence_signal().
Absolutely nothing. :-) Worse still, there's no guarantee that channel isn't freed, but hopefully that is less likely to be an issue.

~Maarten

WARNING: multiple messages have this Message-ID (diff)

From: Maarten Lankhorst <maarten.lankhorst@canonical.com>
To: Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	Fernando Lopez-Lezcano <nando@ccrma.Stanford.EDU>,
	Ben Skeggs <bskeggs@redhat.com>,
	Peter Hurley <peter@hurleysoftware.com>
Cc: linux-rt-users <linux-rt-users@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	dri-devel@lists.freedesktop.org,
	Thomas Gleixner <tglx@linutronix.de>,
	rostedt@goodmis.org, John Kacur <jkacur@redhat.com>
Subject: Re: nouveau crash due to missing channel (WAS: Re: [ANNOUNCE] 3.12.12-rt19)
Date: Fri, 07 Mar 2014 12:36:13 +0100	[thread overview]
Message-ID: <5319AF2D.2060004@canonical.com> (raw)
In-Reply-To: <20140307111848.GA8637@linutronix.de>

op 07-03-14 12:18, Sebastian Andrzej Siewior schreef:
> * Fernando Lopez-Lezcano | 2014-03-01 17:48:29 [-0800]:
>
>> On 02/23/2014 10:47 AM, Sebastian Andrzej Siewior wrote:
>>> Dear RT folks!
>>>
>>> I'm pleased to announce the v3.12.12-rt19 patch set.
>> Just hit this Oops in my desktop at home:
>>
>> [22328.388996] BUG: unable to handle kernel NULL pointer dereference
>> at 0000000000000008
>> [22328.389013] IP: [<ffffffffa011a912>]
>> nouveau_fence_wait_uevent.isra.2+0x22/0x440 [nouveau]
> This is
>
> | static int
> | nouveau_fence_wait_uevent(struct nouveau_fence *fence, bool intr)
> |
> | {
> |         struct nouveau_channel *chan = fence->channel;
> |         struct nouveau_fifo *pfifo = nouveau_fifo(chan->drm->device);
>
> and chan is NULL.
>
>> [22328.389046] RAX: 0000000000000000 RBX: ffff8807a68f8fa8 RCX:
>> 0000000000000000
>> [22328.389046] RDX: 0000000000000001 RSI: ffff8807a68f8fb0 RDI:
>> ffff8807a68f8fa8
>> [22328.389047] RBP: ffff8807c09bdca0 R08: 000000000000045e R09:
>> 000000000000e200
>> [22328.389047] R10: ffffffffa0157d80 R11: ffff8807c09bdde0 R12:
>> 0000000000000001
>> [22328.389047] R13: 0000000000000000 R14: ffff8807d8493a80 R15:
>> ffff8807a68f8fb0
>> [22328.389053] Call Trace:
>> [22328.389069]  [<ffffffffa011af56>] nouveau_fence_wait+0x86/0x1a0 [nouveau]
>> [22328.389081]  [<ffffffffa011ca35>] nouveau_bo_fence_wait+0x15/0x20
>> [nouveau]
>> [22328.389084]  [<ffffffffa00867c6>] ttm_bo_wait+0x96/0x1a0 [ttm]
>> [22328.389095]  [<ffffffffa0121dac>]
>> nouveau_gem_ioctl_cpu_prep+0x5c/0xf0 [nouveau]
>> [22328.389101]  [<ffffffffa002cd42>] drm_ioctl+0x502/0x630 [drm]
>> [22328.389114]  [<ffffffffa01180a1>] nouveau_drm_ioctl+0x51/0x90 [nouveau]
> I can't find any kind of locking so my question is what ensures that chan is
> not set to NULL between nouveau_fence_done() and
> nouveau_fence_wait_uevent()? There are just a few opcodes in between but
> nothing that pauses nouveau_fence_signal().
Absolutely nothing. :-) Worse still, there's no guarantee that channel isn't freed, but hopefully that is less likely to be an issue.

~Maarten

next prev parent reply	other threads:[~2014-03-07 11:36 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-23 18:47 [ANNOUNCE] 3.12.12-rt19 Sebastian Andrzej Siewior
2014-02-23 19:13 ` Pavel Vasilyev
2014-02-23 19:29   ` Pavel Vasilyev
2014-02-23 21:13     ` Thomas Gleixner
2014-02-23 22:55       ` Pavel Vasilyev
2014-02-27  3:07         ` Steven Rostedt
2014-03-02  1:48 ` Fernando Lopez-Lezcano
2014-03-07 11:18   ` nouveau crash due to missing channel (WAS: Re: [ANNOUNCE] 3.12.12-rt19) Sebastian Andrzej Siewior
2014-03-07 11:36     ` Maarten Lankhorst [this message]
2014-03-07 11:36       ` Maarten Lankhorst
2014-03-07 11:53       ` Sebastian Andrzej Siewior

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5319AF2D.2060004@canonical.com \
    --to=maarten.lankhorst@canonical.com \
    --cc=bigeasy@linutronix.de \
    --cc=bskeggs@redhat.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=jkacur@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-rt-users@vger.kernel.org \
    --cc=nando@ccrma.Stanford.EDU \
    --cc=peter@hurleysoftware.com \
    --cc=rostedt@goodmis.org \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.