NULL pointer dereference in i915 in i915_gem_do_execbuffer, eb_lookup_vmas

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

I experience periodic crashes on HP Elite Dragonfly G2 (i7-1165G7)
which, I believe, are related to a bug in the i915 driver. I collected
a stacktrace and a kdump on 5.19.8 compiled with KASAN. This time the
screen was frozen, but I could SSH into the machine. Sometimes a
kernel panic happens.

I will appreciate it if this can be fixed. Please find the decoded
stack trace below:

[ +13,386280] general protection fault, probably for non-canonical
address 0xdffffc00000000ec: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
KASAN NOPTI
[  +0,000024] KASAN: null-ptr-deref in range
[0x0000000000000760-0x0000000000000767]
[  +0,000017] Hardware name: HP HP Elite Dragonfly G2 Notebook
PC/8716, BIOS T90 Ver. 01.01.04 01/03/2021
[   +0,000006] RIP: 0010:i915_gem_do_execbuffer
(./drivers/gpu/drm/i915/gem/i915_gem_object.h:632
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:921
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3391) i915
[ +0,000207] Code: b8 00 00 00 48 89 f8 48 c1 e8 03 80 3c 28 00 0f 85
5d 3f 00 00 4d 8b af b8 00 00 00 49 8d bd 60 07 00 00 48 89 f8 48 c1
e8 03 <80> 3c 28 00 0f 85 34 3f 00 00 49 83 bd 60 07 00 00 00 74 6c 4c
89
All code
========
   0:    b8 00 00 00 48           mov    $0x48000000,%eax
   5:    89 f8                    mov    %edi,%eax
   7:    48 c1 e8 03              shr    $0x3,%rax
   b:    80 3c 28 00              cmpb   $0x0,(%rax,%rbp,1)
   f:    0f 85 5d 3f 00 00        jne    0x3f72
  15:    4d 8b af b8 00 00 00     mov    0xb8(%r15),%r13
  1c:    49 8d bd 60 07 00 00     lea    0x760(%r13),%rdi
  23:    48 89 f8                 mov    %rdi,%rax
  26:    48 c1 e8 03              shr    $0x3,%rax
  2a:*    80 3c 28 00              cmpb   $0x0,(%rax,%rbp,1)
<-- trapping instruction
  2e:    0f 85 34 3f 00 00        jne    0x3f68
  34:    49 83 bd 60 07 00 00     cmpq   $0x0,0x760(%r13)
  3b:    00
  3c:    74 6c                    je     0xaa
  3e:    4c                       rex.WR
  3f:    89                       .byte 0x89

Code starting with the faulting instruction
===========================================
   0:    80 3c 28 00              cmpb   $0x0,(%rax,%rbp,1)
   4:    0f 85 34 3f 00 00        jne    0x3f3e
   a:    49 83 bd 60 07 00 00     cmpq   $0x0,0x760(%r13)
  11:    00
  12:    74 6c                    je     0x80
  14:    4c                       rex.WR
  15:    89                       .byte 0x89
[  +0,000008] RSP: 0018:ffffc9000a74f7e8 EFLAGS: 00010202
[  +0,000009] RAX: 00000000000000ec RBX: 0000000000000008 RCX: 0000000000000000
[  +0,000006] RDX: 0000000000000001 RSI: ffffc9000a74f880 RDI: 0000000000000760
[  +0,000005] RBP: dffffc0000000000 R08: ffff888135ae8000 R09: 0000000000000000
[  +0,000005] R10: fffffbfff5b2f5a4 R11: ffffffffc16145cb R12: 0000000000000008
[  +0,000005] R13: 0000000000000000 R14: 000000000000001c R15: ffff88813513d640
[  +0,000005] FS:  00007f1329fced00(0000) GS:ffff888810000000(0000)
knlGS:0000000000000000
[  +0,000007] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0,000005] CR2: 00007f5c6ff8f80c CR3: 000000011493e005 CR4: 0000000000f70ef0
[  +0,000006] PKRU: 55555554
[  +0,000004] Call Trace:
[  +0,000005]  <TASK>
[   +0,000010] ? parse_timeline_fences
(drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3292) i915
[   +0,000193] ? kernel_text_address (kernel/extable.c:125 kernel/extable.c:94)
[   +0,000039] ? reacquire_held_locks (kernel/locking/lockdep.c:5674)
[   +0,000009] ? __schedule_bug (kernel/sched/core.c:9820)
[   +0,000014] i915_gem_execbuffer2_ioctl
(drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3543) i915
[   +0,000184] ? i915_gem_do_execbuffer
(drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3503) i915
[   +0,000177] drm_ioctl_kernel (drivers/gpu/drm/drm_ioctl.c:782)
[   +0,000009] ? drm_version (drivers/gpu/drm/drm_ioctl.c:767)
[   +0,000011] drm_ioctl (drivers/gpu/drm/drm_ioctl.c:886)
[   +0,000008] ? i915_gem_do_execbuffer
(drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3503) i915
[   +0,000174] ? drm_ioctl_kernel (drivers/gpu/drm/drm_ioctl.c:807)
[   +0,000006] ? lock_release (./include/trace/events/lock.h:69
kernel/locking/lockdep.c:5677)
[   +0,000008] ? lock_downgrade (kernel/locking/lockdep.c:5634)
[   +0,000007] ? ktime_get_coarse_real_ts64
(./include/linux/seqlock.h:274 kernel/time/timekeeping.c:2261)
[   +0,000019] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870
fs/ioctl.c:856 fs/ioctl.c:856)
[   +0,000009] do_syscall_64 (arch/x86/entry/common.c:50
arch/x86/entry/common.c:80)
[   +0,000008] ? do_syscall_64 (arch/x86/entry/common.c:87)
[   +0,000007] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[  +0,000008] RIP: 0033:0x7f132a9579ef
[ +0,000006] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10
00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00
0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00
00
All code
========
   0:    00 48 89                 add    %cl,-0x77(%rax)
   3:    44 24 18                 rex.R and $0x18,%al
   6:    31 c0                    xor    %eax,%eax
   8:    48 8d 44 24 60           lea    0x60(%rsp),%rax
   d:    c7 04 24 10 00 00 00     movl   $0x10,(%rsp)
  14:    48 89 44 24 08           mov    %rax,0x8(%rsp)
  19:    48 8d 44 24 20           lea    0x20(%rsp),%rax
  1e:    48 89 44 24 10           mov    %rax,0x10(%rsp)
  23:    b8 10 00 00 00           mov    $0x10,%eax
  28:    0f 05                    syscall
  2a:*    89 c2                    mov    %eax,%edx        <--
trapping instruction
  2c:    3d 00 f0 ff ff           cmp    $0xfffff000,%eax
  31:    77 18                    ja     0x4b
  33:    48 8b 44 24 18           mov    0x18(%rsp),%rax
  38:    64                       fs
  39:    48                       rex.W
  3a:    2b                       .byte 0x2b
  3b:    04 25                    add    $0x25,%al
  3d:    28 00                    sub    %al,(%rax)
    ...

Code starting with the faulting instruction
===========================================
   0:    89 c2                    mov    %eax,%edx
   2:    3d 00 f0 ff ff           cmp    $0xfffff000,%eax
   7:    77 18                    ja     0x21
   9:    48 8b 44 24 18           mov    0x18(%rsp),%rax
   e:    64                       fs
   f:    48                       rex.W
  10:    2b                       .byte 0x2b
  11:    04 25                    add    $0x25,%al
  13:    28 00                    sub    %al,(%rax)
    ...
[  +0,000007] RSP: 002b:00007ffdbe2d22a0 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
[  +0,000008] RAX: ffffffffffffffda RBX: 000000000000000e RCX: 00007f132a9579ef
[  +0,000006] RDX: 00007ffdbe2d2360 RSI: 0000000040406469 RDI: 000000000000000e
[  +0,000005] RBP: 00007ffdbe2d23f0 R08: 000000000000000f R09: 0000564e1cdfd460
[  +0,000004] R10: 0000564e1db43990 R11: 0000000000000246 R12: 0000000000000000
[  +0,000005] R13: 00007ffdbe2d2360 R14: 0000564e1cdbe498 R15: 000000000000000f
[  +0,000012]  </TASK>
[  +0,000004] Modules linked in: uinput rfcomm ccm cmac algif_hash
algif_skcipher af_alg snd_ctl_led snd_soc_skl_hda_dsp
snd_soc_intel_hda_dsp_common snd_sof_probes snd_soc_hdac_hdmi
hid_sensor_custom_intel_hinge snd_hda_codec_hdmi snd_hda_codec_realtek
snd_soc_dmic snd_hda_codec_generic ledtrig_audio hid_sensor_gyro_3d
hid_sensor_als hid_sensor_accel_3d hid_sensor_incl_3d
hid_sensor_rotation hid_sensor_magn_3d snd_sof_pci_intel_tgl
hid_sensor_trigger industrialio_triggered_buffer
snd_sof_intel_hda_common kfifo_buf hid_sensor_iio_common industrialio
hid_sensor_custom soundwire_intel soundwire_generic_allocation
soundwire_cadence snd_sof_intel_hda snd_sof_pci bnep
snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda
hid_sensor_hub snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi
joydev iTCO_wdt soundwire_bus spi_nor intel_pmc_bxt intel_tcc_cooling
snd_soc_core x86_pkg_temp_thermal mousedev mtd iTCO_vendor_support
intel_powerclamp intel_ishtp_hid snd_compress wacom hp_wmi
[  +0,000140]  coretemp ac97_bus wmi_bmof platform_profile usbhid
snd_pcm_dmaengine snd_hda_intel hid_multitouch kvm_intel
snd_intel_dspcfg pmt_telemetry snd_intel_sdw_acpi mei_pxp mei_hdcp
uvcvideo intel_rapl_msr pmt_class kvm snd_hda_codec btusb
videobuf2_vmalloc snd_hda_core btrtl irqbypass videobuf2_memops
snd_hwdep btbcm videobuf2_v4l2 intel_cstate btintel snd_pcm
videobuf2_common intel_uncore btmtk pcspkr snd_timer videodev snd
i2c_i801 spi_intel_pci iosm soundcore bluetooth ucsi_acpi spi_intel
i2c_smbus mc typec_ucsi qrtr ecdh_generic typec crc16 iwlmvm roles wmi
int3403_thermal mac80211 soc_button_array i2c_hid_acpi i2c_hid libarc4
i915 iwlwifi vfat fat iwlmei processor_thermal_device_pci_legacy
drm_buddy processor_thermal_device processor_thermal_rfim video
processor_thermal_mbox cfg80211 intel_hid ttm mac_hid
processor_thermal_rapl sparse_keymap mei_me int3400_thermal
acpi_thermal_rel wireless_hotkey drm_display_helper rfkill
intel_rapl_common intel_lpss_pci intel_ish_ipc
[  +0,000187]  thunderbolt mei intel_lpss acpi_pad cec intel_ishtp
intel_vsec idma64 int340x_thermal_zone igen6_edac intel_gtt
intel_soc_dts_iosf dm_multipath sg crypto_user fuse ip_tables x_tables
btrfs blake2b_generic libcrc32c crc32c_generic xor raid6_pq dm_crypt
cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul
crc32_pclmul nvme crc32c_intel ghash_clmulni_intel serio_raw
aesni_intel atkbd nvme_core crypto_simd libps2 cryptd vivaldi_fmap vmd
xhci_pci xhci_pci_renesas i8042 serio tpm_crb tpm_tis tpm_tis_core tpm
rng_core
[  +0,000115] Unloaded tainted modules: acpi_cpufreq():1
acpi_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1
acpi_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1
pcc_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1
pcc_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1
acpi_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1
acpi_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1
pcc_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1
pcc_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1 fjes():1
pcc_cpufreq():1 fjes():1 acpi_cpufreq():1 pcc_cpufreq():1
asus_ec_sensors():1 acpi_cpufreq():1 fjes():1 pcc_cpufreq():1
acpi_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1 fjes():1
acpi_cpufreq():1 pcc_cpufreq():1 fjes():1 pcc_cpufreq():1
acpi_cpufreq():1 fjes():1 acpi_cpufreq():1 pcc_cpufreq():1
pcc_cpufreq():1 fjes():1 acpi_cpufreq():1 asus_ec_sensors():1 fjes():1
pcc_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1
[  +0,000168]  pcc_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1
acpi_cpufreq():1 acpi_cpufreq():1
[  +0,000024] ---[ end trace 0000000000000000 ]---
[   +0,000006] RIP: 0010:i915_gem_do_execbuffer
(./drivers/gpu/drm/i915/gem/i915_gem_object.h:632
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:921
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:3391) i915
[ +0,000221] Code: b8 00 00 00 48 89 f8 48 c1 e8 03 80 3c 28 00 0f 85
5d 3f 00 00 4d 8b af b8 00 00 00 49 8d bd 60 07 00 00 48 89 f8 48 c1
e8 03 <80> 3c 28 00 0f 85 34 3f 00 00 49 83 bd 60 07 00 00 00 74 6c 4c
89
All code
========
   0:    b8 00 00 00 48           mov    $0x48000000,%eax
   5:    89 f8                    mov    %edi,%eax
   7:    48 c1 e8 03              shr    $0x3,%rax
   b:    80 3c 28 00              cmpb   $0x0,(%rax,%rbp,1)
   f:    0f 85 5d 3f 00 00        jne    0x3f72
  15:    4d 8b af b8 00 00 00     mov    0xb8(%r15),%r13
  1c:    49 8d bd 60 07 00 00     lea    0x760(%r13),%rdi
  23:    48 89 f8                 mov    %rdi,%rax
  26:    48 c1 e8 03              shr    $0x3,%rax
  2a:*    80 3c 28 00              cmpb   $0x0,(%rax,%rbp,1)
<-- trapping instruction
  2e:    0f 85 34 3f 00 00        jne    0x3f68
  34:    49 83 bd 60 07 00 00     cmpq   $0x0,0x760(%r13)
  3b:    00
  3c:    74 6c                    je     0xaa
  3e:    4c                       rex.WR
  3f:    89                       .byte 0x89

Code starting with the faulting instruction
===========================================
   0:    80 3c 28 00              cmpb   $0x0,(%rax,%rbp,1)
   4:    0f 85 34 3f 00 00        jne    0x3f3e
   a:    49 83 bd 60 07 00 00     cmpq   $0x0,0x760(%r13)
  11:    00
  12:    74 6c                    je     0x80
  14:    4c                       rex.WR
  15:    89                       .byte 0x89
[  +0,000007] RSP: 0018:ffffc9000a74f7e8 EFLAGS: 00010202
[  +0,000007] RAX: 00000000000000ec RBX: 0000000000000008 RCX: 0000000000000000
[  +0,000005] RDX: 0000000000000001 RSI: ffffc9000a74f880 RDI: 0000000000000760
[  +0,000006] RBP: dffffc0000000000 R08: ffff888135ae8000 R09: 0000000000000000
[  +0,000005] R10: fffffbfff5b2f5a4 R11: ffffffffc16145cb R12: 0000000000000008
[  +0,000004] R13: 0000000000000000 R14: 000000000000001c R15: ffff88813513d640
[  +0,000005] FS:  00007f1329fced00(0000) GS:ffff888810000000(0000)
knlGS:0000000000000000
[  +0,000006] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0,000006] CR2: 00007f5c6ff8f80c CR3: 000000011493e005 CR4: 0000000000f70ef0
[  +0,000005] PKRU: 55555554



[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux