Linux Media Controller development
From: kernel test robot <oliver.sang@intel.com>
To: <w15303746062@163.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
	<dri-devel@lists.freedesktop.org>,
	<maarten.lankhorst@linux.intel.com>, <mripard@kernel.org>,
	<tzimmermann@suse.de>, <airlied@gmail.com>, <simona@ffwll.ch>,
	<sumit.semwal@linaro.org>, <christian.koenig@amd.com>,
	<jeffy.chen@rock-chips.com>, <linux-kernel@vger.kernel.org>,
	<linux-media@vger.kernel.org>, <linaro-mm-sig@lists.linaro.org>,
	Mingyu Wang <25181214217@stu.xidian.edu.cn>,
	<stable@vger.kernel.org>, <oliver.sang@intel.com>
Subject: Re: [PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle
Date: Sun, 31 May 2026 15:54:09 +0800
Message-ID: <202605310941.ddd52610-lkp@intel.com>
In-Reply-To: <20260528082912.1051262-1-w15303746062@163.com>



Hello,

kernel test robot noticed "WARNING:possible_recursive_locking_detected" on:

commit: 60a023d26c97753be2beee6062d71ce9416725b1 ("[PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle")
url: https://github.com/intel-lab-lkp/linux/commits/w15303746062-163-com/drm-prime-Fix-unsupervised-rb_tree-corruption-in-drm_prime_remove_buf_handle/20260528-163356
base: https://gitlab.freedesktop.org/drm/misc/kernel.git drm-misc-next
patch link: https://lore.kernel.org/all/20260528082912.1051262-1-w15303746062@163.com/
patch subject: [PATCH] drm/prime: Fix unsupervised rb_tree corruption in drm_prime_remove_buf_handle

in testcase: boot

config: x86_64-rhel-9.4-bpf
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202605310941.ddd52610-lkp@intel.com



[   86.630882][  T218] WARNING: possible recursive locking detected
[   86.631312][  T218] 7.1.0-rc2+ #1 Not tainted
[   86.631634][  T218] --------------------------------------------
[   86.632065][  T218] (udev-worker)/218 is trying to acquire lock:
[   86.632529][  T218] ffff8881ab017388 (&prime_fpriv->lock){+.+.}-{4:4}, at: drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.633434][  T218]
[   86.633434][  T218] but task is already holding lock:
[   86.633951][  T218] ffff8881ab017388 (&prime_fpriv->lock){+.+.}-{4:4}, at: drm_gem_object_release_handle (gpu/drm/drm_gem.c:377) drm
[   86.638664][  T218]
[   86.638664][  T218] other info that might help us debug this:
[   86.639229][  T218]  Possible unsafe locking scenario:
[   86.639229][  T218]
[   86.639769][  T218]        CPU0
[   86.640006][  T218]        ----
[   86.640243][  T218]   lock(&prime_fpriv->lock);
[   86.640581][  T218]   lock(&prime_fpriv->lock);
[   86.640916][  T218]
[   86.640916][  T218]  *** DEADLOCK ***
[   86.640916][  T218]
[   86.641480][  T218]  May be due to missing lock nesting notation
[   86.641480][  T218]
[   86.642060][  T218] 4 locks held by (udev-worker)/218:
[   86.642446][  T218]  #0: ffff8881022921f8 (&dev->mutex){....}-{4:4}, at: __driver_attach (linux/device.h:1040 base/dd.c:1174 base/dd.c:1294)
[   86.643133][  T218]  #1: ffff8881ab020260 (&dev->clientlist_mutex){+.+.}-{4:4}, at: drm_client_register (gpu/drm/drm_client.c:129) drm
[   86.644051][  T218]  #2: ffff8882a2b58a70 (&helper->lock){+.+.}-{4:4}, at: drm_fb_helper_initial_config (gpu/drm/drm_fb_helper.c:1717 gpu/drm/drm_fb_helper.c:1710) drm_kms_helper
[   86.644930][  T218]  #3: ffff8881ab017388 (&prime_fpriv->lock){+.+.}-{4:4}, at: drm_gem_object_release_handle (gpu/drm/drm_gem.c:377) drm
[   86.645880][  T218]
[   86.645880][  T218] stack backtrace:
[   86.646300][  T218] CPU: 1 UID: 0 PID: 218 Comm: (udev-worker) Not tainted 7.1.0-rc2+ #1 PREEMPT(full)
[   86.646307][  T218] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   86.646311][  T218] Call Trace:
[   86.646316][  T218]  <TASK>
[   86.646321][  T218]  dump_stack_lvl (dump_stack.c:94 dump_stack.c:120)
[   86.646333][  T218]  print_deadlock_bug.cold (locking/lockdep.c:3041)
[   86.646341][  T218]  validate_chain (locking/lockdep.c:3093 locking/lockdep.c:3895)
[   86.646350][  T218]  __lock_acquire (locking/lockdep.c:5237)
[   86.646366][  T218]  lock_acquire (trace/events/lock.h:24 (discriminator 15) trace/events/lock.h:24 (discriminator 15) locking/lockdep.c:5831 (discriminator 15))
[   86.646372][  T218]  ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.646516][  T218]  ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[   86.646521][  T218]  ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.646659][  T218]  ? lock_acquire (trace/events/lock.h:24 (discriminator 21) locking/lockdep.c:5831 (discriminator 21))
[   86.646665][  T218]  __mutex_lock (locking/mutex.c:646 locking/mutex.c:820)
[   86.646675][  T218]  ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.646814][  T218]  ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.646952][  T218]  ? __mutex_lock (locking/mutex.c:656 locking/mutex.c:820)
[   86.646958][  T218]  ? drm_gem_object_release_handle (gpu/drm/drm_gem.c:377) drm
[   86.647103][  T218]  ? __pfx___mutex_lock (locking/mutex.c:914)
[   86.647109][  T218]  ? __pfx___mutex_lock (locking/mutex.c:914)
[   86.647116][  T218]  ? idr_replace (idr.c:304)
[   86.647124][  T218]  ? drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.647264][  T218] drm_prime_remove_buf_handle (gpu/drm/drm_prime.c:195) drm
[   86.647408][  T218] drm_gem_object_release_handle (gpu/drm/drm_gem.c:379) drm
[   86.647555][  T218] drm_gem_handle_delete (gpu/drm/drm_gem.c:413) drm
[   86.647700][  T218] drm_client_buffer_create_dumb (gpu/drm/drm_client.c:424) drm
[   86.647840][  T218]  ? __pfx_drm_client_buffer_create_dumb (gpu/drm/drm_client.c:267) drm
[   86.647977][  T218]  ? drm_fb_helper_single_fb_probe (gpu/drm/drm_fb_helper.c:1414 gpu/drm/drm_fb_helper.c:1445) drm_kms_helper
[   86.648030][  T218] drm_fbdev_shmem_driver_fbdev_probe (gpu/drm/drm_fbdev_shmem.c:151) drm_shmem_helper
[   86.648045][  T218]  ? __pfx_drm_fbdev_shmem_driver_fbdev_probe (gpu/drm/drm_fbdev_shmem.c:119) drm_shmem_helper
[   86.648055][  T218]  ? __kmalloc_noprof (linux/local_lock_internal.h:62 slub.c:4771 slub.c:4883 slub.c:5294 slub.c:5307)
[   86.648064][  T218]  ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[   86.648073][  T218] drm_fb_helper_single_fb_probe (gpu/drm/drm_fb_helper.c:1454) drm_kms_helper
[   86.648121][  T218]  ? __pfx_drm_fb_helper_single_fb_probe (gpu/drm/drm_fb_helper.c:1391) drm_kms_helper
[   86.648167][  T218]  ? fb_copy_cmap (video/fbdev/core/fbcmap.c:187)
[   86.648174][  T218]  ? fb_alloc_cmap_gfp (video/fbdev/core/fbcmap.c:124 (discriminator 1))
[   86.648180][  T218] __drm_fb_helper_initial_config_and_unlock (gpu/drm/drm_fb_helper.c:1635) drm_kms_helper
[   86.648230][  T218] drm_fbdev_client_hotplug (gpu/drm/clients/drm_fbdev_client.c:66) drm_client_lib
[   86.648239][  T218] drm_client_register (gpu/drm/drm_client.c:143) drm
[   86.648376][  T218] drm_fbdev_client_setup (gpu/drm/clients/drm_fbdev_client.c:168) drm_client_lib
[   86.648383][  T218] drm_client_setup (gpu/drm/clients/drm_client_setup.c:46 gpu/drm/clients/drm_client_setup.c:35) drm_client_lib
[   86.648390][  T218] bochs_pci_probe (gpu/drm/tiny/bochs.c:776 gpu/drm/tiny/bochs.c:747) bochs
[   86.648405][  T218]  ? __pfx_bochs_pci_probe (gpu/drm/tiny/bochs.c:254) bochs
[   86.648413][  T218]  local_pci_probe (pci/pci-driver.c:325)
[   86.648422][  T218]  pci_call_probe (pci/pci-driver.c:387)
[   86.648427][  T218]  ? __pfx_pci_call_probe (pci/pci-driver.c:653)
[   86.648432][  T218]  ? find_held_lock (locking/lockdep.c:5350)
[   86.648439][  T218]  ? pci_match_device (linux/spinlock.h:390 pci/pci-driver.c:156)
[   86.648444][  T218]  ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[   86.648448][  T218]  ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[   86.648452][  T218]  ? pci_match_id (pci/pci.h:466 pci/pci.h:460 pci/pci-driver.c:110)
[   86.648459][  T218]  ? pci_match_device (pci/pci-driver.c:168)
[   86.648465][  T218]  pci_device_probe (pci/pci-driver.c:448 pci/pci-driver.c:482)
[   86.648471][  T218]  call_driver_probe (base/dd.c:631)
[   86.648477][  T218]  really_probe (base/dd.c:709)
[   86.648484][  T218]  __driver_probe_device (base/dd.c:871)
[   86.648489][  T218]  driver_probe_device (base/dd.c:901)
[   86.648495][  T218]  __driver_attach (base/dd.c:1295)
[   86.648500][  T218]  ? __pfx___driver_attach (base/dd.c:1004 (discriminator 1))
[   86.648504][  T218]  bus_for_each_dev (base/bus.c:383)
[   86.648511][  T218]  ? __pfx_bus_for_each_dev (base/bus.c:205)
[   86.648516][  T218]  ? bus_add_driver (base/bus.c:754)
[   86.648520][  T218]  ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[   86.648526][  T218]  bus_add_driver (base/bus.c:756)
[   86.648532][  T218]  driver_register (base/driver.c:249)
[   86.648538][  T218]  ? __pfx_bochs_pci_driver_init (bochs.c:?) bochs
[   86.648548][  T218]  do_one_initcall (main.c:1392)
[   86.648555][  T218]  ? __pfx_do_one_initcall (trace/events/initcall.h:10)
[   86.648561][  T218]  ? kasan_unpoison (kasan/shadow.c:146 kasan/shadow.c:178)
[   86.648568][  T218]  ? __kasan_slab_alloc (kasan/common.c:336 kasan/common.c:366)
[   86.648575][  T218]  ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[   86.648579][  T218]  ? kasan_unpoison (kasan/shadow.c:146 kasan/shadow.c:178)
[   86.648586][  T218]  do_init_module (module/main.c:3106)
[   86.648594][  T218]  ? __pfx_do_init_module (trace/events/module.h:50 (discriminator 1))
[   86.648599][  T218]  ? load_module (module/main.c:2528 module/main.c:2523 module/main.c:3575)
[   86.648603][  T218]  ? kfree (linux/kasan.h:235 slub.c:2689 slub.c:6250 slub.c:6565)
[   86.648611][  T218]  load_module (module/main.c:3580)
[   86.648620][  T218]  ? __pfx_load_module (module/main.c:3020)
[   86.648626][  T218]  ? __pfx_kernel_read_file (??:?)
[   86.648632][  T218]  ? do_syscall_64 (linux/irq-entry-common.h:279 linux/entry-common.h:320 x86/entry/syscall_64.c:100)
[   86.648640][  T218]  init_module_from_file (module/main.c:3777)
[   86.648646][  T218]  ? __pfx_init_module_from_file (module/main.c:3634)
[   86.648656][  T218]  ? idempotent_init_module (linux/spinlock.h:390 module/main.c:3688 module/main.c:3788)
[   86.648661][  T218]  ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[   86.648664][  T218]  ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[   86.648669][  T218]  ? preempt_count_sub (sched/core.c:5874 (discriminator 2) sched/core.c:5871 (discriminator 2) sched/core.c:5893 (discriminator 2))
[   86.648676][  T218]  idempotent_init_module (module/main.c:3789)
[   86.648682][  T218]  ? __pfx_idempotent_init_module (module/main.c:3778)
[   86.648687][  T218]  ? preempt_count_sub (sched/core.c:5874 (discriminator 2) sched/core.c:5871 (discriminator 2) sched/core.c:5893 (discriminator 2))
[   86.648696][  T218]  ? security_capable (security.c:660 (discriminator 20))
[   86.648702][  T218]  __x64_sys_finit_module (module/main.c:3815 module/main.c:3799 module/main.c:3799)
[   86.648708][  T218]  do_syscall_64 (x86/entry/syscall_64.c:63 x86/entry/syscall_64.c:94)
[   86.648713][  T218]  ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[   86.648717][  T218]  ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[   86.648720][  T218]  ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[   86.648725][  T218]  ? preempt_count_sub (sched/core.c:5874 (discriminator 2) sched/core.c:5871 (discriminator 2) sched/core.c:5893 (discriminator 2))
[   86.648730][  T218]  ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[   86.648734][  T218]  ? irqentry_exit (linux/irq-entry-common.h:280 linux/irq-entry-common.h:325 entry/common.c:162)
[   86.648740][  T218]  entry_SYSCALL_64_after_hwframe (x86/entry/entry_64.S:121)
[   86.648747][  T218] RIP: 0033:0x7f3757f90779



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260531/202605310941.ddd52610-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

