* [next] Null pointer dereference in nouveau_vm_map_sg
From: Martin Nyhus @ 2012-01-15 21:31 UTC
To: Ben Skeggs; +Cc: David Airlie, dri-devel, linux-kernel

In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
reproduce, so I can test patches if needed.

Martin

[ 216.546584] BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
[ 216.546613] IP: [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[ 216.546631] PGD 5b155067 PUD 5ab71067 PMD 0
[ 216.546647] Oops: 0000 [#1] SMP
[ 216.546659] CPU 1
[ 216.546664] Modules linked in: tun iwl4965 iwlegacy mac80211 cfg80211 tg3 psmouse rtc_cmos evdev ehci_hcd uhci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
[ 216.546721]
[ 216.546727] Pid: 3327, comm: Xorg Not tainted 3.2.0-next-20120113 #56 Dell Inc. XPS M1330 /0PU073
[ 216.546749] RIP: 0010:[<ffffffff814a87ec>] [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[ 216.546770] RSP: 0018:ffff88005b0c9858 EFLAGS: 00010246
[ 216.546780] RAX: ffff88005bf84620 RBX: ffff88005ab08d20 RCX: 0000000000000000
[ 216.546791] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
[ 216.546802] RBP: ffff88005b0c98a8 R08: 0000000000000000 R09: 0000000000000000
[ 216.546813] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000004000
[ 216.546823] R13: ffff88005bf84dc8 R14: ffff88007838c000 R15: 0000000000000000
[ 216.546835] FS: 00007f5f728a8880(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
[ 216.546848] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 216.546857] CR2: 00000000000000d0 CR3: 000000006c1bb000 CR4: 00000000000006e0
[ 216.546869] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 216.546880] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 216.546892] Process Xorg (pid: 3327, threadinfo ffff88005b0c8000, task ffff8800655da180)
[ 216.546904] Stack:
[ 216.546909] ffff88005b0c9960 ffff880037180368 0000000000000000 0000000000000000
[ 216.546930] ffff88005b0c98d8 ffff88005bf84dc8 ffff88005b0c9960 ffff88007838c240
[ 216.546949] ffff88007838c000 0000000000000000 ffff88005b0c98d8 ffffffff81481bdf
[ 216.546969] Call Trace:
[ 216.546979] [<ffffffff81481bdf>] nouveau_bo_move_ntfy+0x7f/0xb0
[ 216.546991] [<ffffffff81470614>] ttm_bo_handle_move_mem+0x204/0x3d0
[ 216.547003] [<ffffffff8147099d>] ttm_bo_evict+0x1bd/0x2a0
[ 216.547015] [<ffffffff81460de7>] ? drm_mm_kmalloc+0x37/0xd0
[ 216.547027] [<ffffffff81470bf1>] ttm_mem_evict_first+0x171/0x230
[ 216.547039] [<ffffffff814714ed>] ttm_bo_mem_space+0x30d/0x420
[ 216.547056] [<ffffffff814716e8>] ttm_bo_move_buffer+0xe8/0x160
[ 216.547069] [<ffffffff8108df2b>] ? __lock_release+0x6b/0xe0
[ 216.547080] [<ffffffff81460de7>] ? drm_mm_kmalloc+0x37/0xd0
[ 216.547091] [<ffffffff81471847>] ttm_bo_validate+0xe7/0xf0
[ 216.547102] [<ffffffff81471a24>] ttm_bo_init+0x1d4/0x2a0
[ 216.547113] [<ffffffff81482481>] ? nouveau_bo_new+0x51/0x1c0
[ 216.547124] [<ffffffff8148258c>] nouveau_bo_new+0x15c/0x1c0
[ 216.547135] [<ffffffff81481eb0>] ? nouveau_ttm_tt_create+0x80/0x80
[ 216.547148] [<ffffffff81338bba>] ? avc_has_perm_noaudit+0xfa/0x290
[ 216.547160] [<ffffffff81485cf3>] nouveau_gem_new+0x53/0x120
[ 216.548008] [<ffffffff8108df81>] ? __lock_release+0xc1/0xe0
[ 216.548008] [<ffffffff81112a97>] ? might_fault+0x57/0xb0
[ 216.548008] [<ffffffff81485e29>] nouveau_gem_ioctl_new+0x69/0x170
[ 216.548008] [<ffffffff81112a97>] ? might_fault+0x57/0xb0
[ 216.548008] [<ffffffff814553e4>] drm_ioctl+0x444/0x510
[ 216.548008] [<ffffffff81485dc0>] ? nouveau_gem_new+0x120/0x120
[ 216.548008] [<ffffffff81150b17>] do_vfs_ioctl+0x87/0x330
[ 216.548008] [<ffffffff8133b528>] ? selinux_file_ioctl+0x68/0x140
[ 216.548008] [<ffffffff81150e51>] sys_ioctl+0x91/0xa0
[ 216.555939] [<ffffffff817c1722>] system_call_fastpath+0x16/0x1b
[ 216.555939] Code: 48 89 e5 41 57 49 89 cf 41 56 41 55 49 89 fd 41 54 49 89 d4 ba 01 00 00 00 53 41 89 d3 48 83 ec 28 48 8b 47 20 48 8b 5f 18 31 ff <4c> 8b b1 d0 00 00 00 0f b6 48 30 44 8b 48 34 8b 83 20 01 00 00
[ 216.555939] RIP [<ffffffff814a87ec>] nouveau_vm_map_sg+0x2c/0x130
[ 216.555939] RSP <ffff88005b0c9858>
[ 216.555939] CR2: 00000000000000d0
[ 216.581301] ---[ end trace 0d910003d5fb1cd8 ]---

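Added example, not part of the original thread: a Python triage helper that decodes the memory operand of the faulting instruction (the byte marked `<..>` on the `Code:` line) and checks it against the register dump. The excerpts are copied from the oops above and from the general protection fault reported later in this thread; the function names and the handled encodings (MOV with a plain base+displacement operand, no SIB byte) are choices of this example.

```python
import re

# Register numbering used by ModRM.rm (extended by REX.B), named as the oops prints them.
REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
        "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s*([0-9a-f]{16})\b")
CR2_RE = re.compile(r"\bCR2:\s*([0-9a-f]{16})\b")

# Excerpt of the first oops in this thread (NULL pointer dereference in nouveau_vm_map_sg).
OOPS_NULL = """\
[ 216.546780] RAX: ffff88005bf84620 RBX: ffff88005ab08d20 RCX: 0000000000000000
[ 216.546857] CR2: 00000000000000d0 CR3: 000000006c1bb000 CR4: 00000000000006e0
[ 216.555939] Code: 48 89 e5 41 57 49 89 cf 41 56 41 55 49 89 fd 41 54 49 89 d4 ba 01 00 00 00 53 41 89 d3 48 83 ec 28 48 8b 47 20 48 8b 5f 18 31 ff <4c> 8b b1 d0 00 00 00 0f b6 48 30 44 8b 48 34 8b 83 20 01 00 00
"""

# Excerpt of the later oops in this thread (general protection fault in nouveau_vm_unmap).
OOPS_GPF = """\
Jan 25 00:54:21 callisto kernel: [ 119.080266] RAX: 8b48084b8b480000 RBX: ffffffff8148df45 RCX: 0000000000000006
Jan 25 00:54:21 callisto kernel: [ 119.081320] CR2: 00007fb09c1de000 CR3: 000000005ce28000 CR4: 00000000000006f0
Jan 25 00:54:21 callisto kernel: [ 119.081320] Code: 48 8b 53 20 48 c7 c6 40 87 86 81 48 c7 c7 17 3a a5 81 31 c0 e8 05 77 2f 00 48 8b 43 20 48 c7 c6 40 87 86 81 48 c7 c7 40 e0 a6 81 <8b> 50 38 31 c0 e8 e9 76 2f 00 48 8b 43 20 48 89 df 31 f6 8b 50
"""


def faulting_bytes(oops):
    """Return the Code: bytes starting at the <xx> marker, i.e. at the faulting RIP."""
    m = re.search(r"Code:\s*(.*)", oops)
    if not m:
        raise ValueError("no Code: line in oops")
    tokens = m.group(1).split()
    start = next((i for i, t in enumerate(tokens) if t.startswith("<")), None)
    if start is None:
        raise ValueError("no <xx> marker on Code: line")
    return bytes(int(t.strip("<>"), 16) for t in tokens[start:])


def decode_mem_operand(code):
    """Decode (base register, displacement) of MOV r,[base+disp] or MOV [base+disp],r."""
    i, rex = 0, 0
    if (code[i] & 0xF0) == 0x40:            # optional REX prefix
        rex, i = code[i], i + 1
    if code[i] not in (0x8B, 0x89):         # only the two plain MOV opcodes are handled
        raise ValueError("opcode %#x not handled by this example" % code[i])
    modrm = code[i + 1]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("register, SIB or RIP-relative operand not handled")
    size = {0: 0, 1: 1, 2: 4}[mod]          # displacement width in bytes
    raw = code[i + 2:i + 2 + size]
    if len(raw) != size:
        raise ValueError("Code: line ends inside the instruction")
    base = rm | ((rex & 1) << 3)            # REX.B extends the base register number
    return REGS[base], int.from_bytes(raw, "little", signed=True)


def is_canonical(addr):
    """x86-64 (48-bit) canonical form: bits 63..47 are all zeros or all ones."""
    return (addr >> 47) in (0, 0x1FFFF)


def triage(oops):
    """Classify the faulting access from the register dump and the Code: bytes."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops)}
    base, disp = decode_mem_operand(faulting_bytes(oops))
    addr = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    cr2 = CR2_RE.search(oops)
    if regs[base] == 0:
        verdict = "NULL base pointer"       # struct field read through a NULL pointer
    elif not is_canonical(addr):
        verdict = "non-canonical pointer"   # garbage pointer, raises #GP rather than #PF
    else:
        verdict = "canonical pointer"       # needs page-table or lifetime analysis instead
    return {"base": base, "offset": disp, "address": addr, "verdict": verdict,
            "matches_cr2": cr2 is not None and int(cr2.group(1), 16) == addr}


if __name__ == "__main__":
    for name, text in (("first oops", OOPS_NULL), ("second oops", OOPS_GPF)):
        r = triage(text)
        print("%s: %s+%#x -> %#x (%s, CR2 match: %s)" % (
            name, r["base"], r["offset"], r["address"], r["verdict"], r["matches_cr2"]))
```

For the first oops the operand decodes to RCX+0xd0 with RCX zero; RCX carries the fourth integer argument under the x86-64 calling convention, which agrees with the report that mem is NULL. For the second, RAX holds the `vma->node` value from the debug log and the read at offset 0x38 targets a non-canonical address, so CR2 is unrelated to the fault.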
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Jerome Glisse @ 2012-01-16 20:30 UTC
To: Martin Nyhus; +Cc: Ben Skeggs, David Airlie, dri-devel, linux-kernel

On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> reproduce, so I can test patches if needed.
>
> Martin
>

How do you trigger this ?

Cheers,
Jerome

* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Martin Nyhus @ 2012-01-16 23:57 UTC
To: Jerome Glisse; +Cc: Ben Skeggs, David Airlie, dri-devel, linux-kernel

On Monday 16. January 2012 21:30:59 Jerome Glisse wrote:
> On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> > In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> > at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> > reproduce, so I can test patches if needed.
> How do you trigger this ?

Opening 10-15 high-res pictures in Firefox triggers it every time. Doing the
same using Gimp does not, and neither does Firefox and lots of small images
(eg. Google image search).

Martin

* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Konrad Rzeszutek Wilk @ 2012-01-22 18:33 UTC
To: Martin Nyhus; +Cc: Jerome Glisse, Ben Skeggs, dri-devel, linux-kernel

On Tue, Jan 17, 2012 at 12:57:50AM +0100, Martin Nyhus wrote:
> On Monday 16. January 2012 21:30:59 Jerome Glisse wrote:
> > On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> > > In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> > > at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> > > reproduce, so I can test patches if needed.
> > How do you trigger this ?
>
> Opening 10-15 high-res pictures in Firefox triggers it every time. Doing the
> same using Gimp does not, and neither does Firefox and lots of small images
> (eg. Google image search).

I seem to be able to trigger this by using both Chrome and Firefox and
seeing a YouTube video. I did at that time have a dual-head display, while
in the past to reproduce this I had only one monitor and it took a bit of
time before I hit it.

* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Jerome Glisse @ 2012-01-24 22:33 UTC
To: Konrad Rzeszutek Wilk; +Cc: Martin Nyhus, Ben Skeggs, dri-devel, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1042 bytes --]

On Sun, Jan 22, 2012 at 01:33:16PM -0500, Konrad Rzeszutek Wilk wrote:
> On Tue, Jan 17, 2012 at 12:57:50AM +0100, Martin Nyhus wrote:
> > On Monday 16. January 2012 21:30:59 Jerome Glisse wrote:
> > > On Sun, Jan 15, 2012 at 10:31:08PM +0100, Martin Nyhus wrote:
> > > > In some cases mem will be null in nouveau_vm_map_sg, resulting in a crash
> > > > at drivers/gpu/drm/nouveau/nouveau_vm.c:84. It seems to be easy enough to
> > > > reproduce, so I can test patches if needed.
> > > How do you trigger this ?
> >
> > Opening 10-15 high-res pictures in Firefox triggers it every time. Doing the
> > same using Gimp does not, and neither does Firefox and lots of small images
> > (eg. Google image search).
>
> I seem to be able to trigger this by using both Chrome and Firefox and
> seeing a YouTube video. I did at that time have a dual-head display, while
> in the past to reproduce this I had only one monitor and it took a bit of
> time before I hit it.

Can you please both test if attached patch fix it for you ?

Cheers,
Jerome

[-- Attachment #2: 0001-drm-nouveau-fix-move-notify-callback.patch --]
[-- Type: text/plain, Size: 1401 bytes --]

>From 67d4836e3511db2691c4ff2d3a23bf8c0e950edb Mon Sep 17 00:00:00 2001
From: John Doe <glisse@dhcp-189-215.bos.redhat.com> Date: Tue, 24 Jan 2012 22:55:26 -0500 Subject: [PATCH] drm/nouveau: fix move notify callback On vram buffer eviction the ttm_bo_move_accel_cleanup will the mm_node field of struct ttm_mem_reg of new_mem placement to NULL. As move notify call back is now call after ttm_bo_move_accel_cleanup it was using NULL ptr for mm_node. Signed-off-by: Jerome Glisse <jglisse@redhat.com> --- drivers/gpu/drm/nouveau/nouveau_bo.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c index 724b41a..3a9d978 100644 --- a/drivers/gpu/drm/nouveau/nouveau_bo.c +++ b/drivers/gpu/drm/nouveau/nouveau_bo.c @@ -814,13 +814,13 @@ nouveau_bo_move_ntfy(struct ttm_buffer_object *bo, struct ttm_mem_reg *new_mem) list_for_each_entry(vma, &nvbo->vma_list, head) { if (new_mem && new_mem->mem_type == TTM_PL_VRAM) { - nouveau_vm_map(vma, new_mem->mm_node); + nouveau_vm_map(vma, bo->mem.mm_node); } else if (new_mem && new_mem->mem_type == TTM_PL_TT && nvbo->page_shift == vma->vm->spg_shift) { nouveau_vm_map_sg(vma, 0, new_mem-> num_pages << PAGE_SHIFT, - new_mem->mm_node); + bo->mem.mm_node); } else { nouveau_vm_unmap(vma); } -- 1.7.7.6 ^ permalink raw reply related [flat|nested] 7+ messages in thread
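Review bot: In nouveau_bo_move_ntfy both changed calls now take the node from bo->mem.mm_node while the branch conditions and the size passed to nouveau_vm_map_sg still come from new_mem (new_mem->mem_type, new_mem->num_pages), and nothing checks the node for NULL before it reaches nouveau_vm_map or nouveau_vm_map_sg, which is the dereference this thread started from. Either read placement, size and node from the same struct or add a comment stating that bo->mem already describes the new placement when the callback runs, and consider a guard such as WARN_ON(!bo->mem.mm_node) that skips the mapping. The commit message is also missing a verb in "will the mm_node field ... to NULL", and the From: line (John Doe <glisse@dhcp-189-215.bos.redhat.com>) does not match the Signed-off-by address.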
* Re: [next] Null pointer dereference in nouveau_vm_map_sg
From: Martin Nyhus @ 2012-01-25 0:12 UTC
To: Jerome Glisse; +Cc: Konrad Rzeszutek Wilk, Ben Skeggs, dri-devel, linux-kernel

On Tue, 24 Jan 2012 17:33:19 -0500 Jerome Glisse <j.glisse@gmail.com> wrote:
> Can you please both test if attached patch fix it for you ?

Thanks. It looks good to me, but it crashes a little later due to vma->node
being invalid:

Jan 25 00:54:21 callisto kernel: [ 119.038357] [drm] nouveau_vm_unmap vma ffff880057502f50
Jan 25 00:54:21 callisto kernel: [ 119.038360] [drm] nouveau_vm_unmap vma->node ffff8800576b87a8
Jan 25 00:54:21 callisto kernel: [ 119.038363] [drm] nouveau_vm_unmap vma->node->length 58
Jan 25 00:54:21 callisto kernel: [ 119.038477] [drm] nouveau_vm_unmap vma ffff8800577beab8
Jan 25 00:54:21 callisto kernel: [ 119.038479] [drm] nouveau_vm_unmap vma->node ffff8800577bf880
Jan 25 00:54:21 callisto kernel: [ 119.038482] [drm] nouveau_vm_unmap vma->node->length 1
Jan 25 00:54:21 callisto kernel: [ 119.078025] [drm] nouveau_vm_unmap vma ffffffff8148df45
Jan 25 00:54:21 callisto kernel: [ 119.078029] [drm] nouveau_vm_unmap vma->node 8b48084b8b480000
Jan 25 00:54:21 callisto kernel: [ 119.078040] general protection fault: 0000 [#1] SMP
Jan 25 00:54:21 callisto kernel: [ 119.078133] CPU 0
Jan 25 00:54:21 callisto kernel: [ 119.078138] Modules linked in: tun iwl4965 iwlegacy mac80211 cfg80211 tg3 psmouse rtc_cmos evdev ehci_hcd uhci_hcd usbcore usb_common [last unloaded: scsi_wait_scan]
Jan 25 00:54:21 callisto kernel: [ 119.078542]
Jan 25 00:54:21 callisto kernel: [ 119.078914] Pid: 3220, comm: Xorg Tainted: G W 3.3.0-rc1-00076-g44d4826-dirty #75 Dell Inc. XPS M1330 /0PU073
Jan 25 00:54:21 callisto kernel: [ 119.079331] RIP: 0010:[<ffffffff814b2f7f>] [<ffffffff814b2f7f>] nouveau_vm_unmap+0x4f/0x80
Jan 25 00:54:21 callisto kernel: [ 119.079778] RSP: 0018:ffff88005c167868 EFLAGS: 00010292
Jan 25 00:54:21 callisto kernel: [ 119.080266] RAX: 8b48084b8b480000 RBX: ffffffff8148df45 RCX: 0000000000000006
Jan 25 00:54:21 callisto kernel: [ 119.080712] RDX: 0000000000000000 RSI: ffffffff81868740 RDI: ffffffff81a6e040
Jan 25 00:54:21 callisto kernel: [ 119.081218] RBP: ffff88005c167878 R08: 0000000000000001 R09: 0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] R13: ffff88006c309c80 R14: ffff88006c309a40 R15: ffff880037180590
Jan 25 00:54:21 callisto kernel: [ 119.081320] FS: 00007f141232f880(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jan 25 00:54:21 callisto kernel: [ 119.081320] CR2: 00007fb09c1de000 CR3: 000000005ce28000 CR4: 00000000000006f0
Jan 25 00:54:21 callisto kernel: [ 119.081320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jan 25 00:54:21 callisto kernel: [ 119.081320] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Jan 25 00:54:21 callisto kernel: [ 119.081320] Process Xorg (pid: 3220, threadinfo ffff88005c166000, task ffff88005f502180)
Jan 25 00:54:21 callisto kernel: [ 119.081320] Stack:
Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88005f502180 ffffffff8148df45 ffff88005c1678a8 ffffffff8148c0e8
Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88006c309a40 0000000000000002 ffff880037180b00 ffff880079ff5e68
Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88005c1678c8 ffffffff814792b1 ffff880079ff5e68 ffff88006c309a40
Jan 25 00:54:21 callisto kernel: [ 119.081320] Call Trace:
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148df45>] ? nouveau_bo_move+0xb5/0x270
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148c0e8>] nouveau_bo_move_ntfy+0x38/0xc0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff814792b1>] ttm_bo_cleanup_memtype_use+0x21/0xa0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a5b5>] ttm_bo_cleanup_refs_or_queue+0x165/0x190
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a675>] ttm_bo_release+0x95/0xd0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a6ef>] ttm_bo_unref+0x3f/0x60
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147cae3>] ttm_bo_move_accel_cleanup+0x213/0x240
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148db28>] nouveau_bo_move_m2mf+0x148/0x1b0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff817bfd49>] ? mutex_unlock+0x9/0x10
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148df45>] nouveau_bo_move+0xb5/0x270
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147ab66>] ttm_bo_handle_move_mem+0x1e6/0x3d0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147bcba>] ttm_bo_move_buffer+0x14a/0x160
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147bdb7>] ttm_bo_validate+0xe7/0xf0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148cbdd>] nouveau_bo_validate+0x1d/0x20
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148f2a0>] validate_list+0xc0/0x360
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148fafa>] nouveau_gem_pushbuf_validate+0x9a/0x210
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8149064d>] nouveau_gem_ioctl_pushbuf+0x1bd/0x8d0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff810960c1>] ? __lock_release+0xc1/0xe0
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8145f994>] drm_ioctl+0x444/0x510
Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81490490>] ?
nouveau_gem_ioctl_new+0x170/0x170 Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81152147>] do_vfs_ioctl+0x87/0x330 Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81344e78>] ? selinux_file_ioctl+0x68/0x140 Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81152481>] sys_ioctl+0x91/0xa0 Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff817cade2>] system_call_fastpath+0x16/0x1b Jan 25 00:54:21 callisto kernel: [ 119.081320] Code: 48 8b 53 20 48 c7 c6 40 87 86 81 48 c7 c7 17 3a a5 81 31 c0 e8 05 77 2f 00 48 8b 43 20 48 c7 c6 40 87 86 81 48 c7 c7 40 e0 a6 81 <8b> 50 38 31 c0 e8 e9 76 2f 00 48 8b 43 20 48 89 df 31 f6 8b 50 Jan 25 00:54:21 callisto kernel: [ 119.081320] RIP [<ffffffff814b2f7f>] nouveau_vm_unmap+0x4f/0x80 Jan 25 00:54:21 callisto kernel: [ 119.081320] RSP <ffff88005c167868> Jan 25 00:54:21 callisto kernel: [ 119.128824] ---[ end trace a7919e7f17c0a727 ]--- The taint is because of a failing self test (debug_objects_selftest) and the -dirty and extra lines at the start of the log are from this patch: diff --git a/drivers/gpu/drm/nouveau/nouveau_vm.c b/drivers/gpu/drm/nouveau/nouveau_vm.c index 2bf6c03..2b788c3 100644 --- a/drivers/gpu/drm/nouveau/nouveau_vm.c +++ b/drivers/gpu/drm/nouveau/nouveau_vm.c @@ -150,6 +150,9 @@ nouveau_vm_unmap_at(struct nouveau_vma *vma, u64 delta, u64 length) void nouveau_vm_unmap(struct nouveau_vma *vma) { + DRM_INFO("%s vma %p\n", __func__, vma); + DRM_INFO("%s vma->node %p\n", __func__, vma->node); + DRM_INFO("%s vma->node->length %u\n", __func__, vma->node->length); nouveau_vm_unmap_at(vma, 0, (u64)vma->node->length << 12); } To reproduce I do exactly the same as before, it just takes a little longer before it crashes. Martin ^ permalink raw reply related [flat|nested] 7+ messages in thread
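Review bot: The third DRM_INFO added to nouveau_vm_unmap reads vma->node->length without checking vma or vma->node, so with a bad pointer the debug print itself becomes the faulting access before nouveau_vm_unmap_at is reached (the oops RIP is nouveau_vm_unmap+0x4f). The last logged vma, ffffffff8148df45, is the same value as the nouveau_bo_move+0xb5 address in the call trace, so vma itself is already not a valid nouveau_vma at that point; logging nvbo and each vma_list entry in the caller, nouveau_bo_move_ntfy, would show where the list walk goes wrong. If the print stays, read vma->node->length only after vma->node has been printed and sanity-checked.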
* Re: [next] Null pointer dereference in nouveau_vm_map_sg 2012-01-25 0:12 ` Martin Nyhus @ 2012-01-25 16:54 ` Jerome Glisse 0 siblings, 0 replies; 7+ messages in thread 
From: Jerome Glisse @ 2012-01-25 16:54 UTC (permalink / raw) To: Martin Nyhus; +Cc: Konrad Rzeszutek Wilk, Ben Skeggs, dri-devel, linux-kernel On Tue, Jan 24, 2012 at 7:12 PM, Martin Nyhus <martin.nyhus@gmx.com> wrote: > On Tue, 24 Jan 2012 17:33:19 -0500 Jerome Glisse <j.glisse@gmail.com> > wrote: >> Can you please both test if attached patch fix it for you ? > > Thanks. It looks good too me, but it crashes a little later due to vma->node > being invalid: > > Jan 25 00:54:21 callisto kernel: [ 119.038357] [drm] nouveau_vm_unmap vma ffff880057502f50 > Jan 25 00:54:21 callisto kernel: [ 119.038360] [drm] nouveau_vm_unmap vma->node ffff8800576b87a8 > Jan 25 00:54:21 callisto kernel: [ 119.038363] [drm] nouveau_vm_unmap vma->node->length 58 > Jan 25 00:54:21 callisto kernel: [ 119.038477] [drm] nouveau_vm_unmap vma ffff8800577beab8 > Jan 25 00:54:21 callisto kernel: [ 119.038479] [drm] nouveau_vm_unmap vma->node ffff8800577bf880 > Jan 25 00:54:21 callisto kernel: [ 119.038482] [drm] nouveau_vm_unmap vma->node->length 1 > Jan 25 00:54:21 callisto kernel: [ 119.078025] [drm] nouveau_vm_unmap vma ffffffff8148df45 > Jan 25 00:54:21 callisto kernel: [ 119.078029] [drm] nouveau_vm_unmap vma->node 8b48084b8b480000 > Jan 25 00:54:21 callisto kernel: [ 119.078040] general protection fault: 0000 [#1] SMP > Jan 25 00:54:21 callisto kernel: [ 119.078133] CPU 0 > Jan 25 00:54:21 callisto kernel: [ 119.078138] Modules linked in: tun iwl4965 iwlegacy mac80211 cfg80211 tg3 psmouse rtc_cmos evdev ehci_hcd uhci_hcd usbcore usb_common [last unloaded: scsi_wait_scan] > Jan 25 00:54:21 callisto kernel: [ 119.078542] > Jan 25 00:54:21 callisto kernel: [ 119.078914] Pid: 3220, comm: Xorg Tainted: G W 3.3.0-rc1-00076-g44d4826-dirty #75 Dell Inc. 
XPS M1330 /0PU073 > Jan 25 00:54:21 callisto kernel: [ 119.079331] RIP: 0010:[<ffffffff814b2f7f>] [<ffffffff814b2f7f>] nouveau_vm_unmap+0x4f/0x80 > Jan 25 00:54:21 callisto kernel: [ 119.079778] RSP: 0018:ffff88005c167868 EFLAGS: 00010292 > Jan 25 00:54:21 callisto kernel: [ 119.080266] RAX: 8b48084b8b480000 RBX: ffffffff8148df45 RCX: 0000000000000006 > Jan 25 00:54:21 callisto kernel: [ 119.080712] RDX: 0000000000000000 RSI: ffffffff81868740 RDI: ffffffff81a6e040 > Jan 25 00:54:21 callisto kernel: [ 119.081218] RBP: ffff88005c167878 R08: 0000000000000001 R09: 0000000000000000 > Jan 25 00:54:21 callisto kernel: [ 119.081320] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 > Jan 25 00:54:21 callisto kernel: [ 119.081320] R13: ffff88006c309c80 R14: ffff88006c309a40 R15: ffff880037180590 > Jan 25 00:54:21 callisto kernel: [ 119.081320] FS: 00007f141232f880(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000 > Jan 25 00:54:21 callisto kernel: [ 119.081320] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > Jan 25 00:54:21 callisto kernel: [ 119.081320] CR2: 00007fb09c1de000 CR3: 000000005ce28000 CR4: 00000000000006f0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > Jan 25 00:54:21 callisto kernel: [ 119.081320] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Jan 25 00:54:21 callisto kernel: [ 119.081320] Process Xorg (pid: 3220, threadinfo ffff88005c166000, task ffff88005f502180) > Jan 25 00:54:21 callisto kernel: [ 119.081320] Stack: > Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88005f502180 ffffffff8148df45 ffff88005c1678a8 ffffffff8148c0e8 > Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88006c309a40 0000000000000002 ffff880037180b00 ffff880079ff5e68 > Jan 25 00:54:21 callisto kernel: [ 119.081320] ffff88005c1678c8 ffffffff814792b1 ffff880079ff5e68 ffff88006c309a40 > Jan 25 00:54:21 callisto kernel: [ 119.081320] Call Trace: > Jan 25 00:54:21 
callisto kernel: [ 119.081320] [<ffffffff8148df45>] ? nouveau_bo_move+0xb5/0x270 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148c0e8>] nouveau_bo_move_ntfy+0x38/0xc0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff814792b1>] ttm_bo_cleanup_memtype_use+0x21/0xa0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a5b5>] ttm_bo_cleanup_refs_or_queue+0x165/0x190 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a675>] ttm_bo_release+0x95/0xd0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147a6ef>] ttm_bo_unref+0x3f/0x60 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147cae3>] ttm_bo_move_accel_cleanup+0x213/0x240 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148db28>] nouveau_bo_move_m2mf+0x148/0x1b0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff817bfd49>] ? mutex_unlock+0x9/0x10 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148df45>] nouveau_bo_move+0xb5/0x270 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147ab66>] ttm_bo_handle_move_mem+0x1e6/0x3d0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147bcba>] ttm_bo_move_buffer+0x14a/0x160 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8147bdb7>] ttm_bo_validate+0xe7/0xf0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148cbdd>] nouveau_bo_validate+0x1d/0x20 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148f2a0>] validate_list+0xc0/0x360 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8148fafa>] nouveau_gem_pushbuf_validate+0x9a/0x210 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8149064d>] nouveau_gem_ioctl_pushbuf+0x1bd/0x8d0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff810960c1>] ? __lock_release+0xc1/0xe0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff8145f994>] drm_ioctl+0x444/0x510 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81490490>] ? 
nouveau_gem_ioctl_new+0x170/0x170 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81152147>] do_vfs_ioctl+0x87/0x330 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81344e78>] ? selinux_file_ioctl+0x68/0x140 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff81152481>] sys_ioctl+0x91/0xa0 > Jan 25 00:54:21 callisto kernel: [ 119.081320] [<ffffffff817cade2>] system_call_fastpath+0x16/0x1b > Jan 25 00:54:21 callisto kernel: [ 119.081320] Code: 48 8b 53 20 48 c7 c6 40 87 86 81 48 c7 c7 17 3a a5 81 31 c0 e8 05 77 2f 00 48 8b 43 20 48 c7 c6 40 87 86 81 48 c7 c7 40 e0 a6 81 <8b> 50 38 31 c0 e8 e9 76 2f 00 48 8b 43 20 48 89 df 31 f6 8b 50 > Jan 25 00:54:21 callisto kernel: [ 119.081320] RIP [<ffffffff814b2f7f>] nouveau_vm_unmap+0x4f/0x80 > Jan 25 00:54:21 callisto kernel: [ 119.081320] RSP <ffff88005c167868> > Jan 25 00:54:21 callisto kernel: [ 119.128824] ---[ end trace a7919e7f17c0a727 ]--- > > The taint is because of a failing self test (debug_objects_selftest) and the > -dirty and extra lines at the start of the log are from this patch: > > diff --git a/drivers/gpu/drm/nouveau/nouveau_vm.c b/drivers/gpu/drm/nouveau/nouveau_vm.c > index 2bf6c03..2b788c3 100644 > --- a/drivers/gpu/drm/nouveau/nouveau_vm.c > +++ b/drivers/gpu/drm/nouveau/nouveau_vm.c > @@ -150,6 +150,9 @@ nouveau_vm_unmap_at(struct nouveau_vma *vma, u64 delta, u64 length) > void > nouveau_vm_unmap(struct nouveau_vma *vma) > { > + DRM_INFO("%s vma %p\n", __func__, vma); > + DRM_INFO("%s vma->node %p\n", __func__, vma->node); > + DRM_INFO("%s vma->node->length %u\n", __func__, vma->node->length); > nouveau_vm_unmap_at(vma, 0, (u64)vma->node->length << 12); > } > > To reproduce I do exactly the same as before, it just takes a little longer > before it crashes. > > Martin Ben posted a proper patch on dri-devel. Cheers, Jerome ^ permalink raw reply [flat|nested] 7+ messages in thread