From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark yao Subject: drm_mm crash with multi threads Date: Fri, 23 Dec 2016 12:07:55 +0800 Message-ID: <585CA31B.70501@rock-chips.com> References: <20161216192550.8352-1-chris@chris-wilson.co.uk> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0136148429==" Return-path: In-Reply-To: <20161216192550.8352-1-chris@chris-wilson.co.uk> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: Chris Wilson , dri-devel@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org List-Id: intel-gfx@lists.freedesktop.org --===============0136148429== Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit
Hi Chris Wilson

We port drm_mm to my internal kernel, with high load test, found following crash:

[49451.856244] ================================================================== [49451.856350] BUG: KASAN: wild-memory-access on address dead000000000108 [49451.856379] Write of size 8 by task Binder:218_4/683 [49451.856417] CPU: 2 PID: 683 Comm: Binder:218_4 Not tainted 4.4.36 #62 [49451.856443] Hardware name: Rockchip RK3399 Excavator Board edp (Android) (DT) [49451.856469] Call trace: [49451.856519] [<ffffff900808a9d0>] dump_backtrace+0x0/0x230 [49451.856556] [<ffffff900808ac14>] show_stack+0x14/0x1c [49451.856592] [<ffffff90084a4de0>] dump_stack+0xa0/0xc8 [49451.856633] [<ffffff900821b700>] kasan_report+0x110/0x4dc [49451.856670] [<ffffff900821aa84>] __asan_store8+0x24/0x7c [49451.856715] [<ffffff90086158c4>] drm_mm_insert_node_generic+0x2dc/0x464 [49451.856760] [<ffffff90086406a8>] rockchip_gem_iommu_map+0x60/0x158 [49451.856794] [<ffffff9008640bb4>] rockchip_gem_create_object+0x278/0x488 [49451.856827] [<ffffff9008641020>] rockchip_gem_create_with_handle+0x24/0x10c [49451.856862] [<ffffff9008641364>] rockchip_gem_create_ioctl+0x3c/0x50 [49451.856896] [<ffffff900860aee4>] drm_ioctl+0x354/0x52c [49451.856939] [<ffffff900823d948>] do_vfs_ioctl+0x670/0x78c [49451.856976] [<ffffff900823dac4>] SyS_ioctl+0x60/0x88 [49451.857009] [<ffffff9008082ef0>] el0_svc_naked+0x24/0x28
We only use drm_mm_insert_node_generic to alloc memory, and use drm_mm_remove_node to release memory

alloc/release maybe on difference threads.

Seem the problem is threads problem, drm_mm seems is not threads safe, we found drm_mm_insert_node_generic and drm_mm_remove_node
may access same resource with list ops, such as some mm->hole_stack.

After use mutex lock protect drm_mm_remove_node and drm_mm_insert_node_generic, the crash disappear.

I'm not familiar with drm mm, Do you know how to fix it?

Thanks.

On 2016年12月17日 03:25, Chris Wilson wrote:
With a lot of polish applied, Joonas has reviewed the series - all but
for [04/38] "lib: Add a simple prime number generator"
[lib/prime_numbers.c]. Anyone feel like poking around at a bit of number
theory?

Other than it would appear to be ready for Daniel to sort out the merge
between drm-misc/i915... Please do take a look and see if you can spot
anything else that needs fixing/improving.
-Chris

_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel



-- 
Mark Yao
--===============0136148429== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: inline X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVs IG1haWxpbmcgbGlzdApkcmktZGV2ZWxAbGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlz dHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVsCg== --===============0136148429==--