* NULL pointer dereference in trace_i915_context_free
@ 2015-07-09  9:08 Ceraolo Spurio, Daniele
From: Ceraolo Spurio, Daniele @ 2015-07-09  9:08 UTC (permalink / raw)
  To: intel-gfx


Hi,

I'm hitting a NULL pointer dereference when I enable the 
i915_context_free tracepoint (call trace attached). This is caused by 
the fact that the trace tries to access ctx->file_priv, which however 
may have already been deleted (even if the pointer is != NULL). I've 
used that trace extensively back when I submitted it a few months ago
without encountering this issue, but it doesn't seem that there ever was
a guarantee that the file_priv would be valid at ctx free time, so I'll 
put the blame on my original commit that introduced the trace:

	commit 198c974d7e80a5135fc4a2e69a07ba3e64122f8a
	Author: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
	Date:   Mon Nov 10 13:44:31 2014 +0000

	    drm/i915: Add tracepoints to track a vm during its lifetime

The trace doesn't specifically need the file_priv pointer, it just uses 
it to reach the drm_device pointer to get the device index. To fix the 
issue I've looked for another way to get the drm_device pointer from the 
ctx, but I couldn't find any that is valid for every GEN. Modifying the 
trace to add an extra parameter is out of the question for 2 reasons:
- The only variable available in i915_gem_context_free is the ctx ptr
- Modifying a tracepoint could break ABI

Ideas, anyone?

Thanks,
Daniele

[-- Attachment #2: BUG.dmsg --]

[   53.691790] BUG: unable to handle kernel paging request at ffffc9000124d000
[   53.698507] [drm:i915_gem_open] 
[   53.703445] IP: [<ffffffffa0260603>] ftrace_raw_event_i915_context+0x53/0x80 [i915]
[   53.712229] PGD 24688f067 PUD 2468a0067 PMD a9581067 PTE 0
[   53.718547] Oops: 0000 [#1] SMP 
[   53.722264] Modules linked in: binfmt_misc(E) cfg80211(E) nls_iso8859_1(E) snd_hda_codec_hdmi(E) asix(E) usbnet(E) mii(E) intel_rapl(E) snd_hda_intel(E) hid_generic(E) iosf_mbi(E) snd_hda_codec(E) x86_pkg_temp_thermal(E) snd_hda_core(E) intel_powerclamp(E) snd_hwdep(E) coretemp(E) snd_pcm(E) kvm_intel(E) snd_seq_midi(E) kvm(E) snd_seq_midi_event(E) crct10dif_pclmul(E) snd_rawmidi(E) crc32_pclmul(E) ghash_clmulni_intel(E) snd_seq(E) aesni_intel(E) snd_seq_device(E) snd_timer(E) aes_x86_64(E) i915(E) lrw(E) gf128mul(E) glue_helper(E) ablk_helper(E) cryptd(E) drm_kms_helper(E) drm(E) serio_raw(E) i2c_algo_bit(E) snd(E) mei_me(E) mei(E) lpc_ich(E) soundcore(E) winbond_cir(E) rc_core(E) i2c_hid(E) dw_dmac(E) dw_dmac_core(E) video(E) 8250_dw(E) i2c_designware_platform(E) i2c_designware_core(E) spi_pxa2xx_platform(E) acpi_pad(E) mac_hid(E) usbhid(E) hid(E) parport_pc(E) ppdev(E) lp(E) parport(E) autofs4(E) sdhci_acpi(E) ahci(E) libahci(E) sdhci(E)
[   53.818335] CPU: 3 PID: 1487 Comm: compiz Tainted: G     U      E   4.1.0+ #3
[   53.826477] Hardware name: Intel Corporation Broadwell Client platform/WhiteTip Mountain 1, BIOS BDW-E1R1.86C.0080.R01.1406120446 06/12/2014
[   53.840824] task: ffff8800a998e440 ti: ffff880242214000 task.ti: ffff880242214000
[   53.849337] RIP: 0010:[<ffffffffa0260603>]  [<ffffffffa0260603>] ftrace_raw_event_i915_context+0x53/0x80 [i915]
[   53.860853] RSP: 0018:ffff880242217b98  EFLAGS: 00010282
[   53.866893] RAX: ffff88024573601c RBX: 0000000000000000 RCX: 0000000000000008
[   53.875009] RDX: ffffc9000124d000 RSI: 0000000000000000 RDI: ffff880242217b98
[   53.883124] RBP: ffff880242217be8 R08: ffff880245736010 R09: 000000000000002c
[   53.891240] R10: 0000000c80477c9c R11: 0000000000000008 R12: ffff880243f89058
[   53.899355] R13: ffff8802438bfa00 R14: ffff880242217c48 R15: ffff880243d31ef0
[   53.907471] FS:  00007f22043ea780(0000) GS:ffff88024f4c0000(0000) knlGS:0000000000000000
[   53.916673] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   53.924550] CR2: ffffc9000124d000 CR3: 00000002429e7000 CR4: 00000000003407e0
[   53.934011] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   53.943445] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   53.952870] Stack:
[   53.956465]  ffff880246806100 ffff880245736010 ffff880243f89058 ffff88024573601c
[   53.966240]  0000000000000296 ffff880200000000 ffff8802438bfa00 ffff880234586e20
[   53.976516]  ffff8802438bfa00 ffff880243d31ef0 ffff880242217c08 ffffffffa023ab3d
[   53.986286] Call Trace:
[   53.990392]  [<ffffffffa023ab3d>] i915_gem_context_free+0xbd/0x100 [i915]
[   53.999447]  [<ffffffffa0245fb0>] i915_gem_request_free+0xd0/0xe0 [i915]
[   54.008396]  [<ffffffffa0266bd8>] intel_execlists_retire_requests+0x188/0x1d0 [i915]
[   54.018537]  [<ffffffffa024879c>] i915_gem_retire_requests+0xfc/0x110 [i915]
[   54.027882]  [<ffffffffa025182e>] i915_gem_userptr_init__mmu_notifier+0xae/0x2e0 [i915]
[   54.038297]  [<ffffffffa0252732>] i915_gem_userptr_ioctl+0x252/0x320 [i915]
[   54.047512]  [<ffffffff81178a29>] ? unlock_page+0x69/0x70
[   54.054966]  [<ffffffffa0145c79>] drm_ioctl+0x349/0x670 [drm]
[   54.062799]  [<ffffffffa02524e0>] ? __i915_gem_userptr_get_pages_worker+0x2e0/0x2e0 [i915]
[   54.073482]  [<ffffffff811318cc>] ? acct_account_cputime+0x1c/0x20
[   54.081785]  [<ffffffff811f5998>] do_vfs_ioctl+0x2f8/0x510
[   54.089280]  [<ffffffff810d95b8>] ? rcu_eqs_enter+0x68/0x90
[   54.096851]  [<ffffffff811778e3>] ? context_tracking_user_exit+0x13/0x20
[   54.105714]  [<ffffffff811f5c31>] SyS_ioctl+0x81/0xa0
[   54.112692]  [<ffffffff81177a13>] ? context_tracking_user_enter+0x13/0x20
[   54.121652]  [<ffffffff81024bc5>] ? syscall_trace_leave+0xa5/0x120
[   54.129914]  [<ffffffff81797072>] system_call_fastpath+0x16/0x75
[   54.137972] Code: 7d b0 ba 20 00 00 00 4c 89 e6 e8 b9 06 ef e0 48 85 c0 74 28 4c 89 68 10 49 8b 55 38 48 8d 7d b0 48 89 50 18 49 8b 55 10 48 8b 12 <48> 8b 12 48 8b 52 38 8b 12 89 50 08 e8 bc 22 ef e0 48 83 c4 38
[   54.161431] RIP  [<ffffffffa0260603>] ftrace_raw_event_i915_context+0x53/0x80 [i915]
[   54.171571]  RSP <ffff880242217b98>
[   54.176849] CR2: ffffc9000124d000
[   54.190346] ---[ end trace 2590164a9e979a64 ]---



_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/intel-gfx

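The lifetime problem described above, modelled in user space as an added example (this is not i915 code and not the patch Chris links in his reply): the context is refcounted and is kept alive by requests still in flight, so it can be freed after the drm file that created it is gone, while ctx->file_priv still holds a non-NULL pointer. The struct names, the slab-style 0x6b poisoning and the `dev` pointer cached in `ctx` at creation are assumptions of this model.

```c
#include <stdlib.h>
#include <string.h>
struct drm_device { int index; };
struct drm_file_priv { struct drm_device *dev; };  /* per-open-file state */
struct ctx {
    int refcount;
    struct drm_file_priv *file_priv;  /* back-pointer only, not a reference */
    struct drm_device *dev;           /* cached at creation: the hardened path */
};
static struct ctx *ctx_create(struct drm_file_priv *fp)
{
    struct ctx *c = malloc(sizeof(*c));
    /* refcount 1 is the file's own reference; dev outlives every open file */
    *c = (struct ctx){ .refcount = 1, .file_priv = fp, .dev = fp->dev };
    return c;
}
/* Original trace shape: reaches the device through file_priv. */
static int trace_index_via_file_priv(const struct ctx *c)
{
    return c->file_priv->dev->index;
}
/* Hardened trace: uses the pointer cached while file_priv was known good. */
static int trace_index_via_cached_dev(const struct ctx *c)
{
    return c->dev->index;
}
/* Closing the file tears down file_priv (poisoned like a freed slab object)
 * and drops only the file's reference; a request in flight still holds one. */
static void file_close(struct drm_file_priv *fp, struct ctx *c)
{
    memset(fp, 0x6b, sizeof(*fp));
    c->refcount--;
}
/* The report's sequence: create ctx, submit a request, close the file, retire
 * the request; its final put fires the free-time trace. Returns the index the
 * hardened trace recorded, or a negative value if the model misbehaves. */
static int run_scenario(int dev_index)
{
    struct drm_device dev = { dev_index };
    struct drm_file_priv fp = { &dev };
    struct ctx *c = ctx_create(&fp);
    c->refcount++;                                  /* request holds the ctx */
    if (trace_index_via_file_priv(c) != dev_index)  /* fine while fp is live */
        return -1;
    file_close(&fp, c);                             /* ctx->file_priv stays != NULL */
    if (c->file_priv == NULL || --c->refcount != 0)
        return -2;
    int idx = trace_index_via_cached_dev(c);  /* via_file_priv would fault here */
    free(c);
    return idx;
}
```

The point of the model is the ordering: nothing in the free path can tell a live file_priv from a stale one, so the free-time trace must only touch state whose lifetime is at least that of the context.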

* Re: NULL pointer dereference in trace_i915_context_free
@ 2015-07-09  9:13 ` Chris Wilson
From: Chris Wilson @ 2015-07-09  9:13 UTC (permalink / raw)
  To: Ceraolo Spurio, Daniele; +Cc: intel-gfx

On Thu, Jul 09, 2015 at 10:08:08AM +0100, Ceraolo Spurio, Daniele wrote:
> Hi,
> 
> I'm hitting a NULL pointer dereference when I enable the
> i915_context_free tracepoint (call trace attached). This is caused
> by the fact that the trace tries to access ctx->file_priv, which
> however may have already been deleted (even if the pointer is !=
> NULL). I've used that trace extensively back when I submitted it
> a few months ago without encountering this issue, but it doesn't seem
> that there ever was a guarantee that the file_priv would be valid at
> ctx free time, so I'll put the blame on my original commit that
> introduced the trace:
> 
> 	commit 198c974d7e80a5135fc4a2e69a07ba3e64122f8a
> 	Author: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
> 	Date:   Mon Nov 10 13:44:31 2014 +0000
> 
>     	drm/i915: Add tracepoints to track a vm during its lifetime
> 
> The trace doesn't specifically need the file_priv pointer, it just
> uses it to reach the drm_device pointer to get the device index. To
> fix the issue I've looked for another way to get the drm_device
> pointer from the ctx, but I couldn't find any that is valid for
> every GEN. Modifying the trace to add an extra parameter is out of
> the question for 2 reasons:
> - The only variable available in i915_gem_context_free is the ctx ptr
> - Modifying a tracepoint could break ABI
> 
> Ideas, anyone?

http://patchwork.freedesktop.org/patch/48529/
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre

