* [Bug 98506] New: Pagefault in gf100_vm_flush
@ 2016-10-30 17:34 bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2016-10-30 17:34 UTC (permalink / raw)
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
https://bugs.freedesktop.org/show_bug.cgi?id=98506
Bug ID: 98506
Summary: Pagefault in gf100_vm_flush
Product: xorg
Version: git
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: Driver/nouveau
Assignee: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW@public.gmane.org
Reporter: karolherbst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
QA Contact: xorg-team-go0+a7rfsptAfugRpC6u6w@public.gmane.org
Created attachment 127629
--> https://bugs.freedesktop.org/attachment.cgi?id=127629&action=edit
kernel oops
got a pagefault today, attached below
gf100_vm_flush+0xc8 is
https://github.com/karolherbst/nouveau/blob/caab1df6e3b32d2eca7e82819a7dd4cb99911d71/drm/nouveau/nvkm/subdev/mmu/gf100.c#L183
-+ gdb mistake
was running chromium prime offloaded and civilisation 5 with Marek's gl
threading branch
--
You are receiving this mail because:
You are the assignee for the bug.
[-- Attachment #1.2: Type: text/html, Size: 2588 bytes --]
[-- Attachment #2: Type: text/plain, Size: 154 bytes --]
_______________________________________________
Nouveau mailing list
Nouveau@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/nouveau
* [Bug 98506] Pagefault in gf100_vm_flush
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2016-10-30 17:37 UTC (permalink / raw)
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
https://bugs.freedesktop.org/show_bug.cgi?id=98506
--- Comment #1 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
Karol, can you load up nouveau.ko and run "disassemble gf100_vm_flush" (to
completion) and include that?
All code
========
0: 38 e1 cmp %ah,%cl
2: a9 00 00 ff 00 test $0xff0000,%eax
7: 74 cb je 0xffffffffffffffd4
9: 48 81 fb ff 93 35 77 cmp $0x773593ff,%rbx
10: 0f 87 ae 00 00 00 ja 0xc4
16: 49 8b 84 24 80 00 00 mov 0x80(%r12),%rax
1d: 00
1e: 31 db xor %ebx,%ebx
20: 48 8d b0 b8 0c 10 00 lea 0x100cb8(%rax),%rsi
27: 49 8b 46 10 mov 0x10(%r14),%rax
2b:* 48 8b b8 90 00 00 00 mov 0x90(%rax),%rdi <-- trapping instruction
32: 48 c1 ef 08 shr $0x8,%rdi
36: e8 68 6f 38 e1 callq 0xffffffffe1386fa3
3b: 49 rex.WB
3c: 8b .byte 0x8b
3d: 84 24 80 test %ah,(%rax,%rax,4)
Code starting with the faulting instruction
===========================================
0: 48 8b b8 90 00 00 00 mov 0x90(%rax),%rdi
7: 48 c1 ef 08 shr $0x8,%rdi
b: e8 68 6f 38 e1 callq 0xffffffffe1386f78
10: 49 rex.WB
11: 8b .byte 0x8b
12: 84 24 80 test %ah,(%rax,%rax,4)
* [Bug 98506] Pagefault in gf100_vm_flush
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2016-10-30 17:41 UTC (permalink / raw)
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
https://bugs.freedesktop.org/show_bug.cgi?id=98506
--- Comment #2 from Karol Herbst <karolherbst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> ---
(gdb) disassemble gf100_vm_flush
Dump of assembler code for function gf100_vm_flush:
0x0000000000050f60 <+0>: push %rbp
0x0000000000050f61 <+1>: mov %rsp,%rbp
0x0000000000050f64 <+4>: push %r15
0x0000000000050f66 <+6>: push %r14
0x0000000000050f68 <+8>: push %r13
0x0000000000050f6a <+10>: mov %rdi,%r13
0x0000000000050f6d <+13>: push %r12
0x0000000000050f6f <+15>: push %rbx
0x0000000000050f70 <+16>: sub $0x18,%rsp
0x0000000000050f74 <+20>: mov 0xb0(%rdi),%edx
0x0000000000050f7a <+26>: mov (%rdi),%rax
0x0000000000050f7d <+29>: cmp $0x1,%edx
0x0000000000050f80 <+32>: mov 0x10(%rax),%r12
0x0000000000050f84 <+36>: sbb %ebx,%ebx
0x0000000000050f86 <+38>: add $0x20,%rax
0x0000000000050f8a <+42>: mov %rax,%rdi
0x0000000000050f8d <+45>: mov %rax,-0x40(%rbp)
0x0000000000050f91 <+49>: and $0xfffffffc,%ebx
0x0000000000050f94 <+52>: callq 0x50f99 <gf100_vm_flush+57>
0x0000000000050f99 <+57>: mov 0x60(%r13),%r14
0x0000000000050f9d <+61>: lea 0x60(%r13),%rax
0x0000000000050fa1 <+65>: add $0x5,%ebx
0x0000000000050fa4 <+68>: or $0x80000000,%ebx
0x0000000000050faa <+74>: mov %rax,-0x30(%rbp)
0x0000000000050fae <+78>: mov %ebx,-0x34(%rbp)
0x0000000000050fb1 <+81>: cmp %rax,%r14
0x0000000000050fb4 <+84>: je 0x510a9 <gf100_vm_flush+329>
0x0000000000050fba <+90>: mov 0x198(%r12),%r13
0x0000000000050fc2 <+98>: xor %ebx,%ebx
0x0000000000050fc4 <+100>: mov %r13,%rdi
0x0000000000050fc7 <+103>: callq 0x50fcc <gf100_vm_flush+108>
0x0000000000050fcc <+108>: mov %rax,%r15
0x0000000000050fcf <+111>: jmp 0x50feb <gf100_vm_flush+139>
0x0000000000050fd1 <+113>: mov %r13,%rdi
0x0000000000050fd4 <+116>: callq 0x50fd9 <gf100_vm_flush+121>
0x0000000000050fd9 <+121>: sub %r15,%rax
0x0000000000050fdc <+124>: mov %rax,%rbx
0x0000000000050fdf <+127>: cmp $0x773593ff,%rax
0x0000000000050fe5 <+133>: ja 0x510c1 <gf100_vm_flush+353>
0x0000000000050feb <+139>: mov 0x80(%r12),%rax
0x0000000000050ff3 <+147>: lea 0x100c80(%rax),%rdi
0x0000000000050ffa <+154>: callq 0x50fff <gf100_vm_flush+159>
0x0000000000050fff <+159>: test $0xff0000,%eax
0x0000000000051004 <+164>: je 0x50fd1 <gf100_vm_flush+113>
0x0000000000051006 <+166>: cmp $0x773593ff,%rbx
0x000000000005100d <+173>: ja 0x510c1 <gf100_vm_flush+353>
0x0000000000051013 <+179>: mov 0x80(%r12),%rax
0x000000000005101b <+187>: xor %ebx,%ebx
0x000000000005101d <+189>: lea 0x100cb8(%rax),%rsi
0x0000000000051024 <+196>: mov 0x10(%r14),%rax
0x0000000000051028 <+200>: mov 0x90(%rax),%rdi
0x000000000005102f <+207>: shr $0x8,%rdi
0x0000000000051033 <+211>: callq 0x51038 <gf100_vm_flush+216>
0x0000000000051038 <+216>: mov 0x80(%r12),%rax
0x0000000000051040 <+224>: mov -0x34(%rbp),%edi
0x0000000000051043 <+227>: lea 0x100cbc(%rax),%rsi
0x000000000005104a <+234>: callq 0x5104f <gf100_vm_flush+239>
0x000000000005104f <+239>: mov 0x198(%r12),%r13
0x0000000000051057 <+247>: mov %r13,%rdi
0x000000000005105a <+250>: callq 0x5105f <gf100_vm_flush+255>
0x000000000005105f <+255>: mov %rax,%r15
0x0000000000051062 <+258>: jmp 0x5107a <gf100_vm_flush+282>
0x0000000000051064 <+260>: mov %r13,%rdi
0x0000000000051067 <+263>: callq 0x5106c <gf100_vm_flush+268>
0x000000000005106c <+268>: sub %r15,%rax
0x000000000005106f <+271>: mov %rax,%rbx
0x0000000000051072 <+274>: cmp $0x773593ff,%rax
0x0000000000051078 <+280>: ja 0x510ea <gf100_vm_flush+394>
0x000000000005107a <+282>: mov 0x80(%r12),%rax
0x0000000000051082 <+290>: lea 0x100c80(%rax),%rdi
0x0000000000051089 <+297>: callq 0x5108e <gf100_vm_flush+302>
0x000000000005108e <+302>: test $0x80,%ah
0x0000000000051091 <+305>: je 0x51064 <gf100_vm_flush+260>
0x0000000000051093 <+307>: cmp $0x773593ff,%rbx
0x000000000005109a <+314>: ja 0x510ea <gf100_vm_flush+394>
0x000000000005109c <+316>: mov (%r14),%r14
0x000000000005109f <+319>: cmp -0x30(%rbp),%r14
0x00000000000510a3 <+323>: jne 0x50fba <gf100_vm_flush+90>
0x00000000000510a9 <+329>: mov -0x40(%rbp),%rdi
0x00000000000510ad <+333>: callq 0x510b2 <gf100_vm_flush+338>
0x00000000000510b2 <+338>: add $0x18,%rsp
0x00000000000510b6 <+342>: pop %rbx
0x00000000000510b7 <+343>: pop %r12
0x00000000000510b9 <+345>: pop %r13
0x00000000000510bb <+347>: pop %r14
0x00000000000510bd <+349>: pop %r15
0x00000000000510bf <+351>: pop %rbp
0x00000000000510c0 <+352>: retq
0x00000000000510c1 <+353>: mov 0x10(%r12),%rdi
0x00000000000510c6 <+358>: mov $0x0,%r8
0x00000000000510cd <+365>: mov $0xb5,%ecx
0x00000000000510d2 <+370>: mov $0x0,%rdx
0x00000000000510d9 <+377>: mov $0x0,%rsi
0x00000000000510e0 <+384>: callq 0x510e5 <gf100_vm_flush+389>
0x00000000000510e5 <+389>: jmpq 0x51013 <gf100_vm_flush+179>
0x00000000000510ea <+394>: mov 0x10(%r12),%rdi
0x00000000000510ef <+399>: mov $0x0,%r8
0x00000000000510f6 <+406>: mov $0xbe,%ecx
0x00000000000510fb <+411>: mov $0x0,%rdx
0x0000000000051102 <+418>: mov $0x0,%rsi
0x0000000000051109 <+425>: callq 0x5110e <gf100_vm_flush+430>
0x000000000005110e <+430>: jmp 0x5109c <gf100_vm_flush+316>
* [Bug 98506] Pagefault in gf100_vm_flush
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2016-10-30 18:06 UTC (permalink / raw)
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
https://bugs.freedesktop.org/show_bug.cgi?id=98506
--- Comment #3 from Ilia Mirkin <imirkin-FrUbXkNCsVf2fBVCVOL8/A@public.gmane.org> ---
OK, so it's very clearly this line:
nvkm_wr32(device, 0x100cb8, vpgd->obj->addr >> 8);
(note the shift by 8 that comes right after in the decoded code sequence), and
the issue is that vpgd->obj is bad:
RAX: 000000041ad09000
CR2: 000000041ad09090
where the faulting instruction is "mov 0x90(%rax),%rdi". It seems like obj
is a nvkm_gpuobj, which in turn is just a regular object that should come out
of kernel memory. However the RAX value doesn't seem like a usual kernel memory
address, which means it's uninitialized.
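The check made by hand in comment #3, written out as an added example (not code from this thread or from nouveau): it ties the faulting memory operand to CR2 and classifies the base register's value, also covering the NULL-offset and non-canonical cases the thread does not hit. The function names and the 4-level-paging address split are assumptions of this example; the register values and the instruction are the ones quoted in the comment.

```python
import re

# Assumption: x86-64 with 4-level paging (48-bit virtual addresses).
USER_HALF_END = 0x0000_7FFF_FFFF_FFFF
KERNEL_HALF_START = 0xFFFF_8000_0000_0000
PAGE_SIZE = 0x1000

# Constructed input: only the two register values quoted in comment #3,
# laid out like an oops register dump. The full attachment is not on the page.
SAMPLE_REGS = "RAX: 000000041ad09000\nCR2: 000000041ad09090\n"
SAMPLE_INSN = "mov 0x90(%rax),%rdi"

REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b")
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\(%(\w+)\)")  # AT&T disp(%base)


def classify(addr):
    """Say which part of the address space a 64-bit value falls in."""
    if addr < PAGE_SIZE:
        return "null-page"        # NULL plus a small struct offset
    if addr <= USER_HALF_END:
        return "user-half"        # never a valid kernel object pointer
    if addr >= KERNEL_HALF_START:
        return "kernel-half"      # plausible kernel pointer
    return "non-canonical"        # would raise #GP rather than a page fault


def triage(regs_text, insn):
    """Tie the faulting memory operand to CR2 and classify its base register."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(regs_text)}
    m = MEM_RE.search(insn)
    if m is None:
        raise ValueError("no disp(%base) memory operand in instruction")
    base_name = m.group(2).upper()
    if base_name not in regs or "CR2" not in regs:
        raise ValueError("register dump lacks %s or CR2" % base_name)
    disp = int(m.group(1) or "0", 16)
    ea = (regs[base_name] + disp) & 0xFFFF_FFFF_FFFF_FFFF
    return {
        "base": base_name,
        "effective_address": ea,
        "matches_cr2": ea == regs["CR2"],
        "base_class": classify(regs[base_name]),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REGS, SAMPLE_INSN))
```

A result with `matches_cr2` true and a `base_class` other than `kernel-half` says the pointer value itself is bad, which is the conclusion the comment reaches for `vpgd->obj`.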
* [Bug 98506] Pagefault in gf100_vm_flush
From: bugzilla-daemon-CC+yJ3UmIYqDUpFQwHEjaQ @ 2019-12-04 9:18 UTC (permalink / raw)
To: nouveau-PD4FTy7X32lNgt0PjOBp9y5qC8QIuHrW
https://bugs.freedesktop.org/show_bug.cgi?id=98506
Martin Peres <martin.peres-GANU6spQydw@public.gmane.org> changed:
      What|Removed |Added
----------------------------------------------------------------------------
Resolution|---     |MOVED
    Status|NEW     |RESOLVED
--- Comment #4 from Martin Peres <martin.peres-GANU6spQydw@public.gmane.org> ---
-- GitLab Migration Automatic Message --
This bug has been migrated to freedesktop.org's GitLab instance and has been
closed from further activity.
You can subscribe and participate further through the new bug through this link
to our GitLab instance:
https://gitlab.freedesktop.org/xorg/driver/xf86-video-nouveau/issues/295.