* [PATCH] drm/i915/selftests: Prevent background reaping of active objects
@ 2018-07-08 12:37 Chris Wilson
2018-07-08 12:48 ` ✗ Fi.CI.BAT: failure for " Patchwork
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Chris Wilson @ 2018-07-08 12:37 UTC (permalink / raw)
To: intel-gfx
igt_mmap_offset_exhaustion() wants to test what happens when the mmap
space is filled with zombie objects, objects discarded by userspace but
still active on the GPU. As they are only protected by the active
reference, we have to be certain that active reference is kept while we
peek into our dangling pointer. That active reference should not be
freed until we retire, but we do that retirement from a background
thread. This leaves us with a subtle timing problem, exacerbated and
highlighted by KASAN:
<3>[ 132.380399] BUG: KASAN: use-after-free in drm_gem_create_mmap_offset+0x8c/0xd0
<3>[ 132.380430] Read of size 8 at addr ffff8801e13245f8 by task drv_selftest/5822
<4>[ 132.380470] CPU: 0 PID: 5822 Comm: drv_selftest Tainted: G U 4.18.0-rc3-g7ae7763aa2be-kasan_48+ #1
<4>[ 132.380473] Hardware name: Dell Inc. XPS 8300 /0Y2MRG, BIOS A06 10/17/2011
<4>[ 132.380475] Call Trace:
<4>[ 132.380481] dump_stack+0x7c/0xbb
<4>[ 132.380487] print_address_description+0x65/0x270
<4>[ 132.380493] kasan_report+0x25b/0x380
<4>[ 132.380497] ? drm_gem_create_mmap_offset+0x8c/0xd0
<4>[ 132.380503] drm_gem_create_mmap_offset+0x8c/0xd0
<4>[ 132.380584] i915_gem_object_create_mmap_offset+0x6d/0x100 [i915]
<4>[ 132.380650] igt_mmap_offset_exhaustion+0x462/0x940 [i915]
<4>[ 132.380714] ? i915_gem_close_object+0x740/0x740 [i915]
<4>[ 132.380784] ? igt_gem_huge+0x269/0x3d0 [i915]
<4>[ 132.380865] __i915_subtests+0x5a/0x160 [i915]
<4>[ 132.380936] __run_selftests+0x1a2/0x2f0 [i915]
<4>[ 132.381008] i915_live_selftests+0x4e/0x80 [i915]
<4>[ 132.381071] i915_pci_probe+0xd8/0x1b0 [i915]
<4>[ 132.381077] pci_device_probe+0x1c5/0x3a0
<4>[ 132.381087] driver_probe_device+0x6b6/0xcb0
<4>[ 132.381094] __driver_attach+0x22d/0x2c0
<4>[ 132.381100] ? driver_probe_device+0xcb0/0xcb0
<4>[ 132.381103] bus_for_each_dev+0x113/0x1a0
<4>[ 132.381108] ? check_flags.part.24+0x450/0x450
<4>[ 132.381112] ? subsys_dev_iter_exit+0x10/0x10
<4>[ 132.381123] bus_add_driver+0x38b/0x6e0
<4>[ 132.381131] driver_register+0x189/0x400
<4>[ 132.381136] ? 0xffffffffc12d8000
<4>[ 132.381140] do_one_initcall+0xa0/0x4c0
<4>[ 132.381145] ? initcall_blacklisted+0x180/0x180
<4>[ 132.381152] ? do_init_module+0x4a/0x54c
<4>[ 132.381156] ? rcu_lockdep_current_cpu_online+0xdc/0x130
<4>[ 132.381161] ? kasan_unpoison_shadow+0x30/0x40
<4>[ 132.381169] do_init_module+0x1b5/0x54c
<4>[ 132.381177] load_module+0x619e/0x9b70
<4>[ 132.381202] ? module_frob_arch_sections+0x20/0x20
<4>[ 132.381211] ? vfs_read+0x257/0x2f0
<4>[ 132.381214] ? vfs_read+0x257/0x2f0
<4>[ 132.381221] ? kernel_read+0x8b/0x130
<4>[ 132.381231] ? copy_strings_kernel+0x120/0x120
<4>[ 132.381244] ? __se_sys_finit_module+0x17c/0x1a0
<4>[ 132.381248] __se_sys_finit_module+0x17c/0x1a0
<4>[ 132.381252] ? __ia32_sys_init_module+0xa0/0xa0
<4>[ 132.381261] ? __se_sys_newstat+0x77/0xd0
<4>[ 132.381265] ? cp_new_stat+0x590/0x590
<4>[ 132.381269] ? kmem_cache_free+0x2f0/0x340
<4>[ 132.381285] do_syscall_64+0x97/0x400
<4>[ 132.381292] entry_SYSCALL_64_after_hwframe+0x49/0xbe
<4>[ 132.381295] RIP: 0033:0x7eff4af46839
<4>[ 132.381297] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
<4>[ 132.381426] RSP: 002b:00007ffcd84f4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
<4>[ 132.381432] RAX: ffffffffffffffda RBX: 000055dfdeb429a0 RCX: 00007eff4af46839
<4>[ 132.381435] RDX: 0000000000000000 RSI: 000055dfdeb43670 RDI: 0000000000000004
<4>[ 132.381437] RBP: 000055dfdeb43670 R08: 0000000000000004 R09: 0000000000000000
<4>[ 132.381440] R10: 00007ffcd84f4e60 R11: 0000000000000246 R12: 0000000000000000
<4>[ 132.381442] R13: 000055dfdeb3bec0 R14: 0000000000000000 R15: 000000000000003b
<3>[ 132.381466] Allocated by task 5822:
<4>[ 132.381485] kmem_cache_alloc+0xdf/0x2e0
<4>[ 132.381546] i915_gem_object_create_internal+0x24/0x1e0 [i915]
<4>[ 132.381609] igt_mmap_offset_exhaustion+0x257/0x940 [i915]
<4>[ 132.381677] __i915_subtests+0x5a/0x160 [i915]
<4>[ 132.381742] __run_selftests+0x1a2/0x2f0 [i915]
<4>[ 132.381806] i915_live_selftests+0x4e/0x80 [i915]
<4>[ 132.381865] i915_pci_probe+0xd8/0x1b0 [i915]
<4>[ 132.381868] pci_device_probe+0x1c5/0x3a0
<4>[ 132.381871] driver_probe_device+0x6b6/0xcb0
<4>[ 132.381874] __driver_attach+0x22d/0x2c0
<4>[ 132.381877] bus_for_each_dev+0x113/0x1a0
<4>[ 132.381880] bus_add_driver+0x38b/0x6e0
<4>[ 132.381884] driver_register+0x189/0x400
<4>[ 132.381886] do_one_initcall+0xa0/0x4c0
<4>[ 132.381889] do_init_module+0x1b5/0x54c
<4>[ 132.381892] load_module+0x619e/0x9b70
<4>[ 132.381895] __se_sys_finit_module+0x17c/0x1a0
<4>[ 132.381898] do_syscall_64+0x97/0x400
<4>[ 132.381901] entry_SYSCALL_64_after_hwframe+0x49/0xbe
<3>[ 132.381914] Freed by task 150:
<4>[ 132.381931] kmem_cache_free+0xb7/0x340
<4>[ 132.381995] __i915_gem_free_objects+0x875/0xf50 [i915]
<4>[ 132.382054] __i915_gem_free_work+0x69/0xb0 [i915]
<4>[ 132.382058] process_one_work+0x78b/0x1740
<4>[ 132.382061] worker_thread+0x82/0xb80
<4>[ 132.382064] kthread+0x30c/0x3d0
<4>[ 132.382067] ret_from_fork+0x3a/0x50
<3>[ 132.382081] The buggy address belongs to the object at ffff8801e1324500
which belongs to the cache drm_i915_gem_object of size 1168
<3>[ 132.382133] The buggy address is located 248 bytes inside of
1168-byte region [ffff8801e1324500, ffff8801e1324990)
<3>[ 132.382179] The buggy address belongs to the page:
<0>[ 132.382202] page:ffffea000784c800 count:1 mapcount:0 mapping:ffff8801dedf6500 index:0xffff8801e1323ec0 compound_mapcount: 0
<0>[ 132.382251] flags: 0x8000000000008100(slab|head)
<1>[ 132.382274] raw: 8000000000008100 ffff8801d6317440 ffff8801d6317440 ffff8801dedf6500
<1>[ 132.382307] raw: ffff8801e1323ec0 0000000000140013 00000001ffffffff 0000000000000000
<1>[ 132.382339] page dumped because: kasan: bad access detected
<3>[ 132.382373] Memory state around the buggy address:
<3>[ 132.382395] ffff8801e1324480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3>[ 132.382426] ffff8801e1324500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 132.382457] >ffff8801e1324580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 132.382488] ^
<3>[ 132.382517] ffff8801e1324600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 132.382548] ffff8801e1324680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
This patch tricks the system into running without the background retire
thread, until after we finish the test. The only reaping should then be
performed by the mmap offset routine to reclaim the space as required.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
drivers/gpu/drm/i915/selftests/i915_gem_object.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_object.c b/drivers/gpu/drm/i915/selftests/i915_gem_object.c
index 25c2b2d433bd..d80713f32da2 100644
--- a/drivers/gpu/drm/i915/selftests/i915_gem_object.c
+++ b/drivers/gpu/drm/i915/selftests/i915_gem_object.c
@@ -548,6 +548,14 @@ static int igt_mmap_offset_exhaustion(void *arg)
i915_gem_object_put(obj);
+ /* Disable background reaper */
+ mutex_lock(&i915->drm.struct_mutex);
+ i915_gem_unpark(i915);
+ mutex_unlock(&i915->drm.struct_mutex);
+ cancel_delayed_work_sync(i915->gt.retire_work);
+ cancel_delayed_work_sync(i915->gt.idle_work);
+ GEM_BUG_ON(!i915->gt.awake);
+
/* Now fill with busy dead objects that we expect to reap */
for (loop = 0; loop < 3; loop++) {
if (i915_terminally_wedged(&i915->gpu_error))
@@ -580,6 +588,7 @@ static int igt_mmap_offset_exhaustion(void *arg)
out:
drm_mm_remove_node(&resv);
+ queue_delayed_work(i915->wq, &i915->gt.retire_work, 0);
return err;
err_obj:
i915_gem_object_put(obj);
--
2.18.0
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply related [flat|nested] 7+ messages in thread
* ✗ Fi.CI.BAT: failure for drm/i915/selftests: Prevent background reaping of active objects
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
@ 2018-07-08 12:48 ` Patchwork
2018-07-08 15:36 ` [PATCH] " kbuild test robot
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2018-07-08 12:48 UTC (permalink / raw)
To: Chris Wilson; +Cc: intel-gfx
== Series Details ==
Series: drm/i915/selftests: Prevent background reaping of active objects
URL : https://patchwork.freedesktop.org/series/46124/
State : failure
== Summary ==
CALL scripts/checksyscalls.sh
DESCEND objtool
CHK include/generated/compile.h
CC [M] drivers/gpu/drm/i915/i915_gem.o
In file included from drivers/gpu/drm/i915/i915_gem.c:6153:0:
drivers/gpu/drm/i915/selftests/i915_gem_object.c: In function ‘igt_mmap_offset_exhaustion’:
drivers/gpu/drm/i915/selftests/i915_gem_object.c:555:27: error: incompatible type for argument 1 of ‘cancel_delayed_work_sync’
cancel_delayed_work_sync(i915->gt.retire_work);
^~~~
In file included from ./include/linux/srcu.h:34:0,
from ./include/linux/notifier.h:16,
from ./include/linux/memory_hotplug.h:7,
from ./include/linux/mmzone.h:777,
from ./include/linux/gfp.h:6,
from ./include/linux/idr.h:16,
from ./include/linux/kernfs.h:14,
from ./include/linux/sysfs.h:16,
from ./include/linux/kobject.h:20,
from ./include/linux/cdev.h:5,
from ./include/drm/drmP.h:36,
from drivers/gpu/drm/i915/i915_gem.c:28:
./include/linux/workqueue.h:484:13: note: expected ‘struct delayed_work *’ but argument is of type ‘struct delayed_work’
extern bool cancel_delayed_work_sync(struct delayed_work *dwork);
^~~~~~~~~~~~~~~~~~~~~~~~
In file included from drivers/gpu/drm/i915/i915_gem.c:6153:0:
drivers/gpu/drm/i915/selftests/i915_gem_object.c:556:27: error: incompatible type for argument 1 of ‘cancel_delayed_work_sync’
cancel_delayed_work_sync(i915->gt.idle_work);
^~~~
In file included from ./include/linux/srcu.h:34:0,
from ./include/linux/notifier.h:16,
from ./include/linux/memory_hotplug.h:7,
from ./include/linux/mmzone.h:777,
from ./include/linux/gfp.h:6,
from ./include/linux/idr.h:16,
from ./include/linux/kernfs.h:14,
from ./include/linux/sysfs.h:16,
from ./include/linux/kobject.h:20,
from ./include/linux/cdev.h:5,
from ./include/drm/drmP.h:36,
from drivers/gpu/drm/i915/i915_gem.c:28:
./include/linux/workqueue.h:484:13: note: expected ‘struct delayed_work *’ but argument is of type ‘struct delayed_work’
extern bool cancel_delayed_work_sync(struct delayed_work *dwork);
^~~~~~~~~~~~~~~~~~~~~~~~
scripts/Makefile.build:317: recipe for target 'drivers/gpu/drm/i915/i915_gem.o' failed
make[4]: *** [drivers/gpu/drm/i915/i915_gem.o] Error 1
scripts/Makefile.build:558: recipe for target 'drivers/gpu/drm/i915' failed
make[3]: *** [drivers/gpu/drm/i915] Error 2
scripts/Makefile.build:558: recipe for target 'drivers/gpu/drm' failed
make[2]: *** [drivers/gpu/drm] Error 2
scripts/Makefile.build:558: recipe for target 'drivers/gpu' failed
make[1]: *** [drivers/gpu] Error 2
Makefile:1034: recipe for target 'drivers' failed
make: *** [drivers] Error 2
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] drm/i915/selftests: Prevent background reaping of active objects
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
2018-07-08 12:48 ` ✗ Fi.CI.BAT: failure for " Patchwork
@ 2018-07-08 15:36 ` kbuild test robot
2018-07-09 8:05 ` Chris Wilson
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: kbuild test robot @ 2018-07-08 15:36 UTC (permalink / raw)
To: Chris Wilson; +Cc: intel-gfx, kbuild-all
[-- Attachment #1: Type: text/plain, Size: 6654 bytes --]
Hi Chris,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on drm-intel/for-linux-next]
[also build test ERROR on v4.18-rc3 next-20180706]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
url: https://github.com/0day-ci/linux/commits/Chris-Wilson/drm-i915-selftests-Prevent-background-reaping-of-active-objects/20180708-204032
base: git://anongit.freedesktop.org/drm-intel for-linux-next
config: i386-randconfig-a1-201827 (attached as .config)
compiler: gcc-4.9 (Debian 4.9.4-2) 4.9.4
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
All errors (new ones prefixed by >>):
In file included from drivers/gpu/drm/i915/i915_gem.c:6153:0:
drivers/gpu/drm/i915/selftests/i915_gem_object.c: In function 'igt_mmap_offset_exhaustion':
>> drivers/gpu/drm/i915/selftests/i915_gem_object.c:555:2: error: incompatible type for argument 1 of 'cancel_delayed_work_sync'
cancel_delayed_work_sync(i915->gt.retire_work);
^
In file included from include/linux/srcu.h:34:0,
from include/linux/notifier.h:16,
from include/linux/memory_hotplug.h:7,
from include/linux/mmzone.h:777,
from include/linux/gfp.h:6,
from include/linux/idr.h:16,
from include/linux/kernfs.h:14,
from include/linux/sysfs.h:16,
from include/linux/kobject.h:20,
from include/linux/cdev.h:5,
from include/drm/drmP.h:36,
from drivers/gpu/drm/i915/i915_gem.c:28:
include/linux/workqueue.h:484:13: note: expected 'struct delayed_work *' but argument is of type 'struct delayed_work'
extern bool cancel_delayed_work_sync(struct delayed_work *dwork);
^
In file included from drivers/gpu/drm/i915/i915_gem.c:6153:0:
drivers/gpu/drm/i915/selftests/i915_gem_object.c:556:2: error: incompatible type for argument 1 of 'cancel_delayed_work_sync'
cancel_delayed_work_sync(i915->gt.idle_work);
^
In file included from include/linux/srcu.h:34:0,
from include/linux/notifier.h:16,
from include/linux/memory_hotplug.h:7,
from include/linux/mmzone.h:777,
from include/linux/gfp.h:6,
from include/linux/idr.h:16,
from include/linux/kernfs.h:14,
from include/linux/sysfs.h:16,
from include/linux/kobject.h:20,
from include/linux/cdev.h:5,
from include/drm/drmP.h:36,
from drivers/gpu/drm/i915/i915_gem.c:28:
include/linux/workqueue.h:484:13: note: expected 'struct delayed_work *' but argument is of type 'struct delayed_work'
extern bool cancel_delayed_work_sync(struct delayed_work *dwork);
^
vim +/cancel_delayed_work_sync +555 drivers/gpu/drm/i915/selftests/i915_gem_object.c
493
494 static int igt_mmap_offset_exhaustion(void *arg)
495 {
496 struct drm_i915_private *i915 = arg;
497 struct drm_mm *mm = &i915->drm.vma_offset_manager->vm_addr_space_mm;
498 struct drm_i915_gem_object *obj;
499 struct drm_mm_node resv, *hole;
500 u64 hole_start, hole_end;
501 int loop, err;
502
503 /* Trim the device mmap space to only a page */
504 memset(&resv, 0, sizeof(resv));
505 drm_mm_for_each_hole(hole, mm, hole_start, hole_end) {
506 resv.start = hole_start;
507 resv.size = hole_end - hole_start - 1; /* PAGE_SIZE units */
508 err = drm_mm_reserve_node(mm, &resv);
509 if (err) {
510 pr_err("Failed to trim VMA manager, err=%d\n", err);
511 return err;
512 }
513 break;
514 }
515
516 /* Just fits! */
517 if (!assert_mmap_offset(i915, PAGE_SIZE, 0)) {
518 pr_err("Unable to insert object into single page hole\n");
519 err = -EINVAL;
520 goto out;
521 }
522
523 /* Too large */
524 if (!assert_mmap_offset(i915, 2*PAGE_SIZE, -ENOSPC)) {
525 pr_err("Unexpectedly succeeded in inserting too large object into single page hole\n");
526 err = -EINVAL;
527 goto out;
528 }
529
530 /* Fill the hole, further allocation attempts should then fail */
531 obj = i915_gem_object_create_internal(i915, PAGE_SIZE);
532 if (IS_ERR(obj)) {
533 err = PTR_ERR(obj);
534 goto out;
535 }
536
537 err = i915_gem_object_create_mmap_offset(obj);
538 if (err) {
539 pr_err("Unable to insert object into reclaimed hole\n");
540 goto err_obj;
541 }
542
543 if (!assert_mmap_offset(i915, PAGE_SIZE, -ENOSPC)) {
544 pr_err("Unexpectedly succeeded in inserting object into no holes!\n");
545 err = -EINVAL;
546 goto err_obj;
547 }
548
549 i915_gem_object_put(obj);
550
551 /* Disable background reaper */
552 mutex_lock(&i915->drm.struct_mutex);
553 i915_gem_unpark(i915);
554 mutex_unlock(&i915->drm.struct_mutex);
> 555 cancel_delayed_work_sync(i915->gt.retire_work);
556 cancel_delayed_work_sync(i915->gt.idle_work);
557 GEM_BUG_ON(!i915->gt.awake);
558
559 /* Now fill with busy dead objects that we expect to reap */
560 for (loop = 0; loop < 3; loop++) {
561 if (i915_terminally_wedged(&i915->gpu_error))
562 break;
563
564 obj = i915_gem_object_create_internal(i915, PAGE_SIZE);
565 if (IS_ERR(obj)) {
566 err = PTR_ERR(obj);
567 goto out;
568 }
569
570 mutex_lock(&i915->drm.struct_mutex);
571 intel_runtime_pm_get(i915);
572 err = make_obj_busy(obj);
573 intel_runtime_pm_put(i915);
574 mutex_unlock(&i915->drm.struct_mutex);
575 if (err) {
576 pr_err("[loop %d] Failed to busy the object\n", loop);
577 goto err_obj;
578 }
579
580 GEM_BUG_ON(!i915_gem_object_is_active(obj));
581 err = i915_gem_object_create_mmap_offset(obj);
582 if (err) {
583 pr_err("[loop %d] i915_gem_object_create_mmap_offset failed with err=%d\n",
584 loop, err);
585 goto out;
586 }
587 }
588
589 out:
590 drm_mm_remove_node(&resv);
591 queue_delayed_work(i915->wq, &i915->gt.retire_work, 0);
592 return err;
593 err_obj:
594 i915_gem_object_put(obj);
595 goto out;
596 }
597
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 28080 bytes --]
[-- Attachment #3: Type: text/plain, Size: 160 bytes --]
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] drm/i915/selftests: Prevent background reaping of active objects
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
2018-07-08 12:48 ` ✗ Fi.CI.BAT: failure for " Patchwork
2018-07-08 15:36 ` [PATCH] " kbuild test robot
@ 2018-07-09 8:05 ` Chris Wilson
2018-07-09 8:13 ` ✗ Fi.CI.CHECKPATCH: warning for drm/i915/selftests: Prevent background reaping of active objects (rev2) Patchwork
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Chris Wilson @ 2018-07-09 8:05 UTC (permalink / raw)
To: intel-gfx
igt_mmap_offset_exhaustion() wants to test what happens when the mmap
space is filled with zombie objects, objects discarded by userspace but
still active on the GPU. As they are only protected by the active
reference, we have to be certain that active reference is kept while we
peek into our dangling pointer. That active reference should not be
freed until we retire, but we do that retirement from a background
thread. This leaves us with a subtle timing problem, exacerbated and
highlighted by KASAN:
<3>[ 132.380399] BUG: KASAN: use-after-free in drm_gem_create_mmap_offset+0x8c/0xd0
<3>[ 132.380430] Read of size 8 at addr ffff8801e13245f8 by task drv_selftest/5822
<4>[ 132.380470] CPU: 0 PID: 5822 Comm: drv_selftest Tainted: G U 4.18.0-rc3-g7ae7763aa2be-kasan_48+ #1
<4>[ 132.380473] Hardware name: Dell Inc. XPS 8300 /0Y2MRG, BIOS A06 10/17/2011
<4>[ 132.380475] Call Trace:
<4>[ 132.380481] dump_stack+0x7c/0xbb
<4>[ 132.380487] print_address_description+0x65/0x270
<4>[ 132.380493] kasan_report+0x25b/0x380
<4>[ 132.380497] ? drm_gem_create_mmap_offset+0x8c/0xd0
<4>[ 132.380503] drm_gem_create_mmap_offset+0x8c/0xd0
<4>[ 132.380584] i915_gem_object_create_mmap_offset+0x6d/0x100 [i915]
<4>[ 132.380650] igt_mmap_offset_exhaustion+0x462/0x940 [i915]
<4>[ 132.380714] ? i915_gem_close_object+0x740/0x740 [i915]
<4>[ 132.380784] ? igt_gem_huge+0x269/0x3d0 [i915]
<4>[ 132.380865] __i915_subtests+0x5a/0x160 [i915]
<4>[ 132.380936] __run_selftests+0x1a2/0x2f0 [i915]
<4>[ 132.381008] i915_live_selftests+0x4e/0x80 [i915]
<4>[ 132.381071] i915_pci_probe+0xd8/0x1b0 [i915]
<4>[ 132.381077] pci_device_probe+0x1c5/0x3a0
<4>[ 132.381087] driver_probe_device+0x6b6/0xcb0
<4>[ 132.381094] __driver_attach+0x22d/0x2c0
<4>[ 132.381100] ? driver_probe_device+0xcb0/0xcb0
<4>[ 132.381103] bus_for_each_dev+0x113/0x1a0
<4>[ 132.381108] ? check_flags.part.24+0x450/0x450
<4>[ 132.381112] ? subsys_dev_iter_exit+0x10/0x10
<4>[ 132.381123] bus_add_driver+0x38b/0x6e0
<4>[ 132.381131] driver_register+0x189/0x400
<4>[ 132.381136] ? 0xffffffffc12d8000
<4>[ 132.381140] do_one_initcall+0xa0/0x4c0
<4>[ 132.381145] ? initcall_blacklisted+0x180/0x180
<4>[ 132.381152] ? do_init_module+0x4a/0x54c
<4>[ 132.381156] ? rcu_lockdep_current_cpu_online+0xdc/0x130
<4>[ 132.381161] ? kasan_unpoison_shadow+0x30/0x40
<4>[ 132.381169] do_init_module+0x1b5/0x54c
<4>[ 132.381177] load_module+0x619e/0x9b70
<4>[ 132.381202] ? module_frob_arch_sections+0x20/0x20
<4>[ 132.381211] ? vfs_read+0x257/0x2f0
<4>[ 132.381214] ? vfs_read+0x257/0x2f0
<4>[ 132.381221] ? kernel_read+0x8b/0x130
<4>[ 132.381231] ? copy_strings_kernel+0x120/0x120
<4>[ 132.381244] ? __se_sys_finit_module+0x17c/0x1a0
<4>[ 132.381248] __se_sys_finit_module+0x17c/0x1a0
<4>[ 132.381252] ? __ia32_sys_init_module+0xa0/0xa0
<4>[ 132.381261] ? __se_sys_newstat+0x77/0xd0
<4>[ 132.381265] ? cp_new_stat+0x590/0x590
<4>[ 132.381269] ? kmem_cache_free+0x2f0/0x340
<4>[ 132.381285] do_syscall_64+0x97/0x400
<4>[ 132.381292] entry_SYSCALL_64_after_hwframe+0x49/0xbe
<4>[ 132.381295] RIP: 0033:0x7eff4af46839
<4>[ 132.381297] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
<4>[ 132.381426] RSP: 002b:00007ffcd84f4cf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
<4>[ 132.381432] RAX: ffffffffffffffda RBX: 000055dfdeb429a0 RCX: 00007eff4af46839
<4>[ 132.381435] RDX: 0000000000000000 RSI: 000055dfdeb43670 RDI: 0000000000000004
<4>[ 132.381437] RBP: 000055dfdeb43670 R08: 0000000000000004 R09: 0000000000000000
<4>[ 132.381440] R10: 00007ffcd84f4e60 R11: 0000000000000246 R12: 0000000000000000
<4>[ 132.381442] R13: 000055dfdeb3bec0 R14: 0000000000000000 R15: 000000000000003b
<3>[ 132.381466] Allocated by task 5822:
<4>[ 132.381485] kmem_cache_alloc+0xdf/0x2e0
<4>[ 132.381546] i915_gem_object_create_internal+0x24/0x1e0 [i915]
<4>[ 132.381609] igt_mmap_offset_exhaustion+0x257/0x940 [i915]
<4>[ 132.381677] __i915_subtests+0x5a/0x160 [i915]
<4>[ 132.381742] __run_selftests+0x1a2/0x2f0 [i915]
<4>[ 132.381806] i915_live_selftests+0x4e/0x80 [i915]
<4>[ 132.381865] i915_pci_probe+0xd8/0x1b0 [i915]
<4>[ 132.381868] pci_device_probe+0x1c5/0x3a0
<4>[ 132.381871] driver_probe_device+0x6b6/0xcb0
<4>[ 132.381874] __driver_attach+0x22d/0x2c0
<4>[ 132.381877] bus_for_each_dev+0x113/0x1a0
<4>[ 132.381880] bus_add_driver+0x38b/0x6e0
<4>[ 132.381884] driver_register+0x189/0x400
<4>[ 132.381886] do_one_initcall+0xa0/0x4c0
<4>[ 132.381889] do_init_module+0x1b5/0x54c
<4>[ 132.381892] load_module+0x619e/0x9b70
<4>[ 132.381895] __se_sys_finit_module+0x17c/0x1a0
<4>[ 132.381898] do_syscall_64+0x97/0x400
<4>[ 132.381901] entry_SYSCALL_64_after_hwframe+0x49/0xbe
<3>[ 132.381914] Freed by task 150:
<4>[ 132.381931] kmem_cache_free+0xb7/0x340
<4>[ 132.381995] __i915_gem_free_objects+0x875/0xf50 [i915]
<4>[ 132.382054] __i915_gem_free_work+0x69/0xb0 [i915]
<4>[ 132.382058] process_one_work+0x78b/0x1740
<4>[ 132.382061] worker_thread+0x82/0xb80
<4>[ 132.382064] kthread+0x30c/0x3d0
<4>[ 132.382067] ret_from_fork+0x3a/0x50
<3>[ 132.382081] The buggy address belongs to the object at ffff8801e1324500
which belongs to the cache drm_i915_gem_object of size 1168
<3>[ 132.382133] The buggy address is located 248 bytes inside of
1168-byte region [ffff8801e1324500, ffff8801e1324990)
<3>[ 132.382179] The buggy address belongs to the page:
<0>[ 132.382202] page:ffffea000784c800 count:1 mapcount:0 mapping:ffff8801dedf6500 index:0xffff8801e1323ec0 compound_mapcount: 0
<0>[ 132.382251] flags: 0x8000000000008100(slab|head)
<1>[ 132.382274] raw: 8000000000008100 ffff8801d6317440 ffff8801d6317440 ffff8801dedf6500
<1>[ 132.382307] raw: ffff8801e1323ec0 0000000000140013 00000001ffffffff 0000000000000000
<1>[ 132.382339] page dumped because: kasan: bad access detected
<3>[ 132.382373] Memory state around the buggy address:
<3>[ 132.382395] ffff8801e1324480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
<3>[ 132.382426] ffff8801e1324500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 132.382457] >ffff8801e1324580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 132.382488] ^
<3>[ 132.382517] ffff8801e1324600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
<3>[ 132.382548] ffff8801e1324680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
This patch tricks the system into running without the background retire
thread, until after we finish the test. The only reaping should then be
performed by the mmap offset routine to reclaim the space as required.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
---
.../gpu/drm/i915/selftests/i915_gem_object.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_object.c b/drivers/gpu/drm/i915/selftests/i915_gem_object.c
index 25c2b2d433bd..20a30674e62b 100644
--- a/drivers/gpu/drm/i915/selftests/i915_gem_object.c
+++ b/drivers/gpu/drm/i915/selftests/i915_gem_object.c
@@ -500,6 +500,15 @@ static int igt_mmap_offset_exhaustion(void *arg)
u64 hole_start, hole_end;
int loop, err;
+ /* Disable background reaper */
+ mutex_lock(&i915->drm.struct_mutex);
+ if (!i915->gt.active_requests++)
+ i915_gem_unpark(i915);
+ mutex_unlock(&i915->drm.struct_mutex);
+ cancel_delayed_work_sync(&i915->gt.retire_work);
+ cancel_delayed_work_sync(&i915->gt.idle_work);
+ GEM_BUG_ON(!i915->gt.awake);
+
/* Trim the device mmap space to only a page */
memset(&resv, 0, sizeof(resv));
drm_mm_for_each_hole(hole, mm, hole_start, hole_end) {
@@ -508,7 +517,7 @@ static int igt_mmap_offset_exhaustion(void *arg)
err = drm_mm_reserve_node(mm, &resv);
if (err) {
pr_err("Failed to trim VMA manager, err=%d\n", err);
- return err;
+ goto out_park;
}
break;
}
@@ -569,6 +578,7 @@ static int igt_mmap_offset_exhaustion(void *arg)
goto err_obj;
}
+ /* NB we rely on the _active_ reference to access obj now */
GEM_BUG_ON(!i915_gem_object_is_active(obj));
err = i915_gem_object_create_mmap_offset(obj);
if (err) {
@@ -580,6 +590,13 @@ static int igt_mmap_offset_exhaustion(void *arg)
out:
drm_mm_remove_node(&resv);
+out_park:
+ mutex_lock(&i915->drm.struct_mutex);
+ if (--i915->gt.active_requests)
+ queue_delayed_work(i915->wq, &i915->gt.retire_work, 0);
+ else
+ queue_delayed_work(i915->wq, &i915->gt.idle_work, 0);
+ mutex_unlock(&i915->drm.struct_mutex);
return err;
err_obj:
i915_gem_object_put(obj);
--
2.18.0
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply related [flat|nested] 7+ messages in thread
* ✗ Fi.CI.CHECKPATCH: warning for drm/i915/selftests: Prevent background reaping of active objects (rev2)
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
` (2 preceding siblings ...)
2018-07-09 8:05 ` Chris Wilson
@ 2018-07-09 8:13 ` Patchwork
2018-07-09 8:31 ` ✓ Fi.CI.BAT: success " Patchwork
2018-07-09 9:29 ` ✓ Fi.CI.IGT: " Patchwork
5 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2018-07-09 8:13 UTC (permalink / raw)
To: Chris Wilson; +Cc: intel-gfx
== Series Details ==
Series: drm/i915/selftests: Prevent background reaping of active objects (rev2)
URL : https://patchwork.freedesktop.org/series/46124/
State : warning
== Summary ==
$ dim checkpatch origin/drm-tip
de95eb144288 drm/i915/selftests: Prevent background reaping of active objects
-:16: WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#16:
<3>[ 132.380399] BUG: KASAN: use-after-free in drm_gem_create_mmap_offset+0x8c/0xd0
total: 0 errors, 1 warnings, 0 checks, 43 lines checked
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 7+ messages in thread
* ✓ Fi.CI.BAT: success for drm/i915/selftests: Prevent background reaping of active objects (rev2)
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
` (3 preceding siblings ...)
2018-07-09 8:13 ` ✗ Fi.CI.CHECKPATCH: warning for drm/i915/selftests: Prevent background reaping of active objects (rev2) Patchwork
@ 2018-07-09 8:31 ` Patchwork
2018-07-09 9:29 ` ✓ Fi.CI.IGT: " Patchwork
5 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2018-07-09 8:31 UTC (permalink / raw)
To: Chris Wilson; +Cc: intel-gfx
== Series Details ==
Series: drm/i915/selftests: Prevent background reaping of active objects (rev2)
URL : https://patchwork.freedesktop.org/series/46124/
State : success
== Summary ==
= CI Bug Log - changes from CI_DRM_4451 -> Patchwork_9585 =
== Summary - SUCCESS ==
No regressions found.
External URL: https://patchwork.freedesktop.org/api/1.0/series/46124/revisions/2/mbox/
== Known issues ==
Here are the changes found in Patchwork_9585 that come from known issues:
=== IGT changes ===
==== Issues hit ====
igt@kms_pipe_crc_basic@suspend-read-crc-pipe-a:
fi-snb-2520m: PASS -> INCOMPLETE (fdo#103713)
==== Possible fixes ====
igt@drv_module_reload@basic-reload:
fi-kbl-7560u: INCOMPLETE -> PASS
fdo#103713 https://bugs.freedesktop.org/show_bug.cgi?id=103713
== Participating hosts (46 -> 40) ==
Additional (1): fi-byt-j1900
Missing (7): fi-ilk-m540 fi-hsw-4200u fi-hsw-peppy fi-byt-squawks fi-bsw-cyan fi-ctg-p8600 fi-kbl-8809g
== Build changes ==
* Linux: CI_DRM_4451 -> Patchwork_9585
CI_DRM_4451: 7ae7763aa2be33d723ed891f0803f08a11f85633 @ git://anongit.freedesktop.org/gfx-ci/linux
IGT_4543: 366eed37c7c71217e1cb1f3be5e26358a41f0001 @ git://anongit.freedesktop.org/xorg/app/intel-gpu-tools
Patchwork_9585: de95eb1442884275a9c5983df921ae3f52966798 @ git://anongit.freedesktop.org/gfx-ci/linux
== Linux commits ==
de95eb144288 drm/i915/selftests: Prevent background reaping of active objects
== Logs ==
For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_9585/issues.html
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 7+ messages in thread
* ✓ Fi.CI.IGT: success for drm/i915/selftests: Prevent background reaping of active objects (rev2)
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
` (4 preceding siblings ...)
2018-07-09 8:31 ` ✓ Fi.CI.BAT: success " Patchwork
@ 2018-07-09 9:29 ` Patchwork
5 siblings, 0 replies; 7+ messages in thread
From: Patchwork @ 2018-07-09 9:29 UTC (permalink / raw)
To: Chris Wilson; +Cc: intel-gfx
== Series Details ==
Series: drm/i915/selftests: Prevent background reaping of active objects (rev2)
URL : https://patchwork.freedesktop.org/series/46124/
State : success
== Summary ==
= CI Bug Log - changes from CI_DRM_4451_full -> Patchwork_9585_full =
== Summary - WARNING ==
Minor unknown changes coming with Patchwork_9585_full need to be verified
manually.
If you think the reported changes have nothing to do with the changes
introduced in Patchwork_9585_full, please notify your bug team to allow them
to document this new failure mode, which will reduce false positives in CI.
== Possible new issues ==
Here are the unknown changes that may have been introduced in Patchwork_9585_full:
=== IGT changes ===
==== Warnings ====
igt@gem_exec_schedule@deep-bsd1:
shard-kbl: SKIP -> PASS +3
== Known issues ==
Here are the changes found in Patchwork_9585_full that come from known issues:
=== IGT changes ===
==== Issues hit ====
igt@kms_flip@2x-flip-vs-blocking-wf-vblank:
shard-glk: PASS -> FAIL (fdo#100368)
igt@kms_flip@flip-vs-expired-vblank:
shard-glk: PASS -> FAIL (fdo#102887, fdo#105363)
igt@kms_flip_tiling@flip-to-y-tiled:
shard-glk: PASS -> FAIL (fdo#107161)
igt@kms_flip_tiling@flip-x-tiled:
shard-glk: PASS -> FAIL (fdo#103822, fdo#107161) +1
==== Possible fixes ====
igt@drv_suspend@shrink:
shard-snb: INCOMPLETE (fdo#105411) -> PASS
igt@kms_cursor_legacy@2x-nonblocking-modeset-vs-cursor-atomic:
shard-glk: FAIL (fdo#105454, fdo#106509) -> PASS
fdo#100368 https://bugs.freedesktop.org/show_bug.cgi?id=100368
fdo#102887 https://bugs.freedesktop.org/show_bug.cgi?id=102887
fdo#103822 https://bugs.freedesktop.org/show_bug.cgi?id=103822
fdo#105363 https://bugs.freedesktop.org/show_bug.cgi?id=105363
fdo#105411 https://bugs.freedesktop.org/show_bug.cgi?id=105411
fdo#105454 https://bugs.freedesktop.org/show_bug.cgi?id=105454
fdo#106509 https://bugs.freedesktop.org/show_bug.cgi?id=106509
fdo#107161 https://bugs.freedesktop.org/show_bug.cgi?id=107161
== Participating hosts (5 -> 5) ==
No changes in participating hosts
== Build changes ==
* Linux: CI_DRM_4451 -> Patchwork_9585
CI_DRM_4451: 7ae7763aa2be33d723ed891f0803f08a11f85633 @ git://anongit.freedesktop.org/gfx-ci/linux
IGT_4543: 366eed37c7c71217e1cb1f3be5e26358a41f0001 @ git://anongit.freedesktop.org/xorg/app/intel-gpu-tools
Patchwork_9585: de95eb1442884275a9c5983df921ae3f52966798 @ git://anongit.freedesktop.org/gfx-ci/linux
piglit_4509: fdc5a4ca11124ab8413c7988896eec4c97336694 @ git://anongit.freedesktop.org/piglit
== Logs ==
For more details see: https://intel-gfx-ci.01.org/tree/drm-tip/Patchwork_9585/shards.html
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2018-07-09 9:29 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-07-08 12:37 [PATCH] drm/i915/selftests: Prevent background reaping of active objects Chris Wilson
2018-07-08 12:48 ` ✗ Fi.CI.BAT: failure for " Patchwork
2018-07-08 15:36 ` [PATCH] " kbuild test robot
2018-07-09 8:05 ` Chris Wilson
2018-07-09 8:13 ` ✗ Fi.CI.CHECKPATCH: warning for drm/i915/selftests: Prevent background reaping of active objects (rev2) Patchwork
2018-07-09 8:31 ` ✓ Fi.CI.BAT: success " Patchwork
2018-07-09 9:29 ` ✓ Fi.CI.IGT: " Patchwork
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).