RE: [PATCH] drm/i915: return DRIVER_NAME for the fence driver name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This fixes the NULL pointer dereference in i915_fence_get_driver_name(), 
but now it crashes in i915_fence_get_timeline with another NULL pointer
dereference. It attempts to use i915_gem_context.name, which apparently
also hasn't been initialized

static const char *i915_fence_get_timeline_name(struct dma_fence *fence)
{
    const struct i915_gem_context *ctx;

    /*
     * The timeline struct (as part of the ppgtt underneath a context)
     * may be freed when the request is no longer in use by the GPU.
     * We could extend the life of a context to beyond that of all
     * fences, possibly keeping the hw resource around indefinitely,
     * or we just give them a false name. Since
     * dma_fence_ops.get_timeline_name is a debug feature, the occasional
     * lie seems justifiable.
     */
    if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
        return "signaled";

    ctx = i915_request_gem_context(to_request(fence));
    if (!ctx)
        return "[" DRIVER_NAME "]";

    return ctx->name;
}

<1>[  414.327761] BUG: kernel NULL pointer dereference, address: 0000000000000020
<1>[  414.327766] #PF: supervisor read access in kernel mode
<1>[  414.327768] #PF: error_code(0x0000) - not-present page
<6>[  414.327769] PGD 0 P4D 0
<4>[  414.327772] Oops: 0000 [#1] PREEMPT SMP NOPTI
<4>[  414.327774] CPU: 3 PID: 1866 Comm: chrome Tainted: G     U            5.4.125 #2
<4>[  414.327776] Hardware name: Google Voxel/Voxel, BIOS Google_Voxel.13913.0.0 04/12/2021
<4>[  414.327781] RIP: 0010:i915_fence_get_timeline_name+0x1d/0x37
<4>[  414.327783] Code: 55 48 89 e5 48 c7 c0 ee d1 72 bd 5d c3 0f 1f 44 00 00 55 48 89 e5 48 8b 4f 30 48 c7 c0 b4 49 72 bd f6 c1 01 75 1c 48 8b 47 60 <48> 8b 40 20 48 85 c0 74 08 48 05 30 01 00 00 eb 07 48 c7 c0 79 7b
<4>[  414.327785] RSP: 0018:ffffa4a300d177b8 EFLAGS: 00010246
<4>[  414.327787] RAX: 0000000000000000 RBX: ffffffffbd7a8680 RCX: 0000000000000000
<4>[  414.327788] RDX: ffff9c27b3b0f4c0 RSI: ffff9c27b3b0f480 RDI: ffff9c27b3b0f480
<4>[  414.327789] RBP: ffffa4a300d177b8 R08: 0000000000000000 R09: 0000000000000004
<4>[  414.327791] R10: 0000000000000001 R11: ffffffffbca45536 R12: 0000000000000005
<4>[  414.327792] R13: 0000000000000004 R14: ffff9c27b6c79bb0 R15: ffff9c27b3b0f480
<4>[  414.327794] FS:  00007898a2965e00(0000) GS:ffff9c27b7f80000(0000) knlGS:0000000000000000
<4>[  414.327795] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[  414.327797] CR2: 0000000000000020 CR3: 000000022ded2006 CR4: 0000000000762ee0
<4>[  414.327798] PKRU: 55555554
<4>[  414.327799] Call Trace:
<4>[  414.327804]  trace_event_raw_event_dma_fence+0xc9/0x1e5
<4>[  414.327807]  dma_fence_init+0xa6/0xca
<4>[  414.327809]  __i915_request_ctor+0x7f/0xa9
<4>[  414.327812]  setup_object+0x88/0x8a
<4>[  414.327815]  new_slab+0x22e/0x429
<4>[  414.327817]  ___slab_alloc+0x2c8/0x42e
<4>[  414.327820]  ? __i915_request_create+0x68/0x238
<4>[  414.327822]  ? __i915_request_create+0x68/0x238
<4>[  414.327824]  __slab_alloc+0x3c/0x5f
<4>[  414.327826]  kmem_cache_alloc+0x19b/0x201
<4>[  414.327828]  __i915_request_create+0x68/0x238
<4>[  414.327830]  i915_request_create+0x8a/0xca
<4>[  414.327833]  i915_gem_do_execbuffer+0x12f9/0x1830
<4>[  414.327837]  i915_gem_execbuffer2_ioctl+0x157/0x398
<4>[  414.327839]  ? i915_gem_do_execbuffer+0x1830/0x1830
<4>[  414.327840]  drm_ioctl_kernel+0x94/0xf6
<4>[  414.327842]  drm_ioctl+0x276/0x39b
<4>[  414.327845]  ? i915_gem_do_execbuffer+0x1830/0x1830
<4>[  414.327847]  do_vfs_ioctl+0x4f4/0x771
<4>[  414.327849]  ksys_ioctl+0x58/0x83
<4>[  414.327851]  __x64_sys_ioctl+0x1a/0x1e
<4>[  414.327853]  do_syscall_64+0x54/0x7e
<4>[  414.327856]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
<4>[  414.327859] RIP: 0033:0x7898a2f88f07

> -----Original Message-----
> From: Auld, Matthew <matthew.auld@xxxxxxxxx>
> Sent: Wednesday, June 16, 2021 5:29 AM
> To: intel-gfx@xxxxxxxxxxxxxxxxxxxxx
> Cc: dri-devel@xxxxxxxxxxxxxxxxxxxxx; Mason, Michael W
> <michael.w.mason@xxxxxxxxx>; Daniel Vetter <daniel@xxxxxxxx>
> Subject: [PATCH] drm/i915: return DRIVER_NAME for the fence driver name
> 
> The first tracepoint for a request is trace_dma_fence_init which is called in
> the ctor before we have properly setup the request->engine. So if it's a non-
> recycled request the rq->engine might be NULL, or some garbage value,
> which leads to a crash.
> 
> Since we are not permitted to use kmem_cache_zalloc() here with
> SLAB_TYPESAFE_BY_RCU, one approach is simply to return DRIVER_NAME.
> We can then revisit this later if we decide to get rid of
> SLAB_TYPESAFE_BY_RCU.
> 
> Fixes: 855e39e65cfc ("drm/i915: Initialise basic fence before acquiring
> seqno")
> Signed-off-by: Matthew Auld <matthew.auld@xxxxxxxxx>
> Cc: Michael Mason <michael.w.mason@xxxxxxxxx>
> Cc: Daniel Vetter <daniel@xxxxxxxx>
> ---
>  drivers/gpu/drm/i915/i915_request.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_request.c
> b/drivers/gpu/drm/i915/i915_request.c
> index 1014c71cf7f5..55fa94bde22e 100644
> --- a/drivers/gpu/drm/i915/i915_request.c
> +++ b/drivers/gpu/drm/i915/i915_request.c
> @@ -61,7 +61,7 @@ static struct i915_global_request {
> 
>  static const char *i915_fence_get_driver_name(struct dma_fence *fence)  {
> -	return dev_name(to_request(fence)->engine->i915->drm.dev);
> +	return DRIVER_NAME;
>  }
> 
>  static const char *i915_fence_get_timeline_name(struct dma_fence
> *fence)
> --
> 2.26.3





[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux