Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751741AbdF3Piv (ORCPT <rfc822;w@1wt.eu>);
        Fri, 30 Jun 2017 11:38:51 -0400
Received: from mx2.suse.de ([195.135.220.15]:50035 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1750975AbdF3Piu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 30 Jun 2017 11:38:50 -0400
Date: Fri, 30 Jun 2017 17:38:46 +0200
Message-ID: <s5h1sq1cwop.wl-tiwai@suse.de>
From: Takashi Iwai <tiwai@suse.de>
To: intel-gfx@lists.freedesktop.org
Cc: Chris Wilson <chris@chris-wilson.co.uk>,
        Daniel Vetter <daniel.vetter@intel.com>,
        Jani Nikula <jani.nikula@linux.intel.com>,
        linux-kernel@vger.kernel.org
Subject: [REGRESSION 4.12] i915 Oops at intel_fbdev_invalidate()
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.2
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3385
Lines: 95

Hi,

I hit an Oops with the latest Linus tree (4.12-rc7+) on a HSW machine
like the following at boot:

 BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
 IP: intel_fbdev_invalidate.isra.3+0xc/0x40 [i915]
 Oops: 0000 [#1] PREEMPT SMP
 CPU: 2 PID: 833 Comm: X Not tainted 4.10.0-rc5-btest9+ #15
 Hardware name: Hewlett-Packard HP ProBook 430 G1/1946, BIOS L73 Ver. 08.05 2013/03/15
 task: ffff917313db8000 task.stack: ffffb6e70379c000
 RIP: 0010:intel_fbdev_invalidate.isra.3+0xc/0x40 [i915]
 RSP: 0018:ffffb6e70379fde0 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: ffff9172f70e1c00 RCX: 0000000000000000
 RDX: ffff917313db8000 RSI: 0000000000000000 RDI: ffff91731934d040
 RBP: ffffb6e70379fdf0 R08: 0000000000000002 R09: ffff91731934ead0
 R10: ffff9173192f0368 R11: 0000000000000001 R12: ffff9173192f0000
 R13: ffff9172f71016e8 R14: ffff9173227c8480 R15: ffff9172f71016c8
 FS:  00007f8cc8c3fa00(0000) GS:ffff9173c0a80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00000000000000b0 CR3: 000000006273b000 CR4: 00000000001406e0
 Call Trace:
  ? intel_fbdev_restore_mode+0x4e/0x70 [i915]
  i915_driver_lastclose+0xe/0x20 [i915]
  drm_lastclose+0x3b/0xf0 [drm]
  drm_release+0x2b8/0x360 [drm]
  __fput+0xd9/0x1e0
  ____fput+0xe/0x10
  task_work_run+0x83/0xa0
  exit_to_usermode_loop+0x59/0x85
  do_syscall_64+0xb3/0xd0
  entry_SYSCALL64_slow_path+0x25/0x25

And git bisection leaded to the commit 
fabef825626d7bd05a321e4427fdf31a169b5173
    drm/i915: Drop struct_mutex around frontbuffer flushes

The band-aid patch below seems fixing it.


thanks,

Takashi

-- 8< --
From: Takashi Iwai <tiwai@suse.de>
Subject: [PATCH] drm/i915: Fix NULL-dereference at intel_fbdev_invalidate()

The commit fabef825626d ("drm/i915: Drop struct_mutex around
frontbuffer flushes") caused an Oops at boot on a HSW machine like:

 BUG: unable to handle kernel NULL pointer dereference at 00000000000000b0
 IP: intel_fbdev_invalidate.isra.3+0xc/0x40 [i915]
 Oops: 0000 [#1] PREEMPT SMP
 CPU: 2 PID: 833 Comm: X Not tainted 4.10.0-rc5-btest9+ #15
 Hardware name: Hewlett-Packard HP ProBook 430 G1/1946, BIOS L73 Ver. 08.05 2013/03/15
 Call Trace:
  ? intel_fbdev_restore_mode+0x4e/0x70 [i915]
  i915_driver_lastclose+0xe/0x20 [i915]
  drm_lastclose+0x3b/0xf0 [drm]
  drm_release+0x2b8/0x360 [drm]
  __fput+0xd9/0x1e0
  ____fput+0xe/0x10
  task_work_run+0x83/0xa0
  exit_to_usermode_loop+0x59/0x85
  do_syscall_64+0xb3/0xd0
  entry_SYSCALL64_slow_path+0x25/0x25

As this is a simple NULL dereference, check it before reference as a
band-aid fix.

Fixes: fabef825626d ("drm/i915: Drop struct_mutex around frontbuffer flushes")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/gpu/drm/i915/intel_fbdev.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/intel_fbdev.c b/drivers/gpu/drm/i915/intel_fbdev.c
index 332254a8eebe..fdefe6941912 100644
--- a/drivers/gpu/drm/i915/intel_fbdev.c
+++ b/drivers/gpu/drm/i915/intel_fbdev.c
@@ -48,8 +48,10 @@
 static void intel_fbdev_invalidate(struct intel_fbdev *ifbdev)
 {
 	struct drm_i915_gem_object *obj = ifbdev->fb->obj;
-	unsigned int origin = ifbdev->vma->fence ? ORIGIN_GTT : ORIGIN_CPU;
+	unsigned int origin = ORIGIN_GTT;
 
+	if (ifbdev->vma && !ifbdev->vma->fence)
+		origin = ORIGIN_CPU;
 	intel_fb_obj_invalidate(obj, origin);
 }
 
-- 
2.13.2