From: Oleksandr Natalenko <oleksandr@natalenko.name>
To: Matthew Wilcox <willy@infradead.org>
Cc: "Thomas Zimmermann" <tzimmermann@suse.de>,
"Linux Regressions" <regressions@lists.linux.dev>,
linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
"Christian König" <christian.koenig@amd.com>,
linaro-mm-sig@lists.linaro.org, linux-mm@kvack.org,
"Maxime Ripard" <mripard@kernel.org>,
"Bagas Sanjaya" <bagasdotme@gmail.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
linux-media@vger.kernel.org
Subject: Re: [REGRESSION] BUG: KFENCE: memory corruption in drm_gem_put_pages+0x186/0x250
Date: Thu, 05 Oct 2023 15:34:41 +0200
Message-ID: <9175204.CDJkKcVGEf@natalenko.name>
In-Reply-To: <ZR60lylMtLO6ZGp7@casper.infradead.org>
On Thursday, 5 October 2023 15:05:27 CEST Matthew Wilcox wrote:
> On Thu, Oct 05, 2023 at 02:30:55PM +0200, Oleksandr Natalenko wrote:
> > No-no, sorry for possible confusion. Let me explain again:
> >
> > 1. we had an issue with i915, which was introduced by 0b62af28f249, and later was fixed by 863a8eb3f270
> > 2. now I've discovered another issue, which looks very similar to 1., but in a VM with Cirrus VGA, and it happens even while having 863a8eb3f270 applied
> > 3. I've tried reverting 3291e09a4638, after which I cannot reproduce the issue with Cirrus VGA, but clearly there was no fix for it discussed
> >
> > IOW, 863a8eb3f270 is the fix for 0b62af28f249, but not for 3291e09a4638. It looks like 3291e09a4638 requires a separate fix.
>
> Thank you! Sorry about the misunderstanding. Try this:
>
> diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c
> index 6129b89bb366..44a948b80ee1 100644
> --- a/drivers/gpu/drm/drm_gem.c
> +++ b/drivers/gpu/drm/drm_gem.c
> @@ -540,7 +540,7 @@ struct page **drm_gem_get_pages(struct drm_gem_object *obj)
> struct page **pages;
> struct folio *folio;
> struct folio_batch fbatch;
> - int i, j, npages;
> + long i, j, npages;
>
> if (WARN_ON(!obj->filp))
> return ERR_PTR(-EINVAL);
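Review bot: the `int` to `long` change for `i, j, npages` is not explained anywhere in the mail, so a reader of this hunk alone cannot tell whether it is part of the fix or an unrelated cleanup. Going by the second hunk, the new `min(npages - i, folio_nr_pages(folio))` wants both operands to have the same type and its result is stored in a `long nr`, so the widening looks like it exists to support that call. A sentence saying so in the commit message would help whoever backports this to 6.5.x.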
> @@ -564,11 +564,13 @@ struct page **drm_gem_get_pages(struct drm_gem_object *obj)
>
> i = 0;
> while (i < npages) {
> + long nr;
> folio = shmem_read_folio_gfp(mapping, i,
> mapping_gfp_mask(mapping));
> if (IS_ERR(folio))
> goto fail;
> - for (j = 0; j < folio_nr_pages(folio); j++, i++)
> + nr = min(npages - i, folio_nr_pages(folio));
> + for (j = 0; j < nr; j++, i++)
> pages[i] = folio_file_page(folio, i);
>
> /* Make sure shmem keeps __GFP_DMA32 allocated pages in the
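Review bot: the clamp `nr = min(npages - i, folio_nr_pages(folio));` carries no comment saying why a folio's page count can exceed the `npages - i` slots left in `pages[]`, which is the whole point of the fix: the removed loop ran `j` up to `folio_nr_pages(folio)` and so could store to `pages[i]` with `i >= npages`. A one-line comment above the `min()` would keep a later cleanup from folding the bound back into the `for` condition. Style nit: add a blank line between the `long nr;` declaration and the `folio = shmem_read_folio_gfp(...)` statement that follows it.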
No issues after five reboots with this patch applied on top of v6.5.5.
Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Link: https://lore.kernel.org/lkml/13360591.uLZWGnKmhe@natalenko.name/
Fixes: 3291e09a4638 ("drm: convert drm_gem_put_pages() to use a folio_batch")
Cc: stable@vger.kernel.org # 6.5.x
Thank you!
--
Oleksandr Natalenko (post-factum)