Revision - f6619ef - drm/mgag200: fix kernel hang in cursor code.

Revision f6619ef7508261be2ba3ded313ccc46ce670d0d3 authored by Wang, Rui Y on 18 November 2015, 15:00:53 UTC, committed by Dave Airlie on 19 November 2015, 03:20:01 UTC

drm/mgag200: fix kernel hang in cursor code.

The machine hang completely with the following message on the console:

[  487.777538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  487.777554] IP: [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
[  487.777557] PGD 42e9f7067 PUD 42f2fa067 PMD 0
[  487.777560] Oops: 0002 [#1] SMP
...
[  487.777618] CPU: 21 PID: 3190 Comm: Xorg Tainted: G            E   4.4.0-rc1-3-default+ #6
[  487.777620] Hardware name: Intel Corporation BRICKLAND/BRICKLAND, BIOS BRHSXSD1.86B.0059.R00.1501081238 01/08/2015
[  487.777621] task: ffff880853ae4680 ti: ffff8808696d4000 task.ti: ffff8808696d4000
[  487.777625] RIP: 0010:[<ffffffff8158aaee>]  [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
[  487.777627] RSP: 0018:ffff8808696d79c0  EFLAGS: 00010246
[  487.777628] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  487.777629] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000060
[  487.777630] RBP: ffff8808696d79e0 R08: 0000000000000000 R09: ffff88086924a780
[  487.777631] R10: 000000000001bb40 R11: 0000000000003246 R12: 0000000000000000
[  487.777632] R13: ffff880463a27360 R14: ffff88046ca50218 R15: 0000000000000080
[  487.777634] FS:  00007f3f81c5a8c0(0000) GS:ffff88086f060000(0000) knlGS:0000000000000000
[  487.777635] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  487.777636] CR2: 0000000000000060 CR3: 000000042e678000 CR4: 00000000001406e0
[  487.777638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  487.777639] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  487.777639] Stack:
[  487.777642]  ffffffffa00eb5fa ffff8808696d7b60 ffff88086b87d800 0000000000000000
[  487.777644]  ffff8808696d7ac8 ffffffffa01694b6 ffff8808696d7ae8 ffffffff8109c8d5
[  487.777647]  ffff880469158740 ffff880463a27000 ffff88086b87d800 ffff88086b87d800
[  487.777647] Call Trace:
[  487.777674]  [<ffffffffa00eb5fa>] ? drm_gem_object_lookup+0x1a/0xa0 [drm]
[  487.777681]  [<ffffffffa01694b6>] mga_crtc_cursor_set+0xc6/0xb60 [mgag200]
[  487.777691]  [<ffffffff8109c8d5>] ? find_busiest_group+0x35/0x4a0
[  487.777696]  [<ffffffff81086294>] ? __might_sleep+0x44/0x80
[  487.777699]  [<ffffffff815888c2>] ? __ww_mutex_lock+0x22/0x9c
[  487.777722]  [<ffffffffa0104f64>] ? drm_modeset_lock+0x34/0xf0 [drm]
[  487.777733]  [<ffffffffa0148d9e>] restore_fbdev_mode+0xee/0x2a0 [drm_kms_helper]
[  487.777742]  [<ffffffffa014afce>] drm_fb_helper_restore_fbdev_mode_unlocked+0x2e/0x70 [drm_kms_helper]
[  487.777748]  [<ffffffffa014b037>] drm_fb_helper_set_par+0x27/0x50 [drm_kms_helper]
[  487.777752]  [<ffffffff8134560c>] fb_set_var+0x18c/0x3f0
[  487.777777]  [<ffffffffa02a9b0a>] ? __ext4_handle_dirty_metadata+0x8a/0x210 [ext4]
[  487.777783]  [<ffffffff8133cb97>] fbcon_blank+0x1b7/0x2b0
[  487.777790]  [<ffffffff813be2a3>] do_unblank_screen+0xb3/0x1c0
[  487.777795]  [<ffffffff813b5aba>] vt_ioctl+0x118a/0x1210
[  487.777801]  [<ffffffff813a8fe0>] tty_ioctl+0x3f0/0xc90
[  487.777808]  [<ffffffff81172018>] ? kzfree+0x28/0x30
[  487.777813]  [<ffffffff811e053f>] ? mntput+0x1f/0x30
[  487.777817]  [<ffffffff811d3f5d>] do_vfs_ioctl+0x30d/0x570
[  487.777822]  [<ffffffff8107ed3a>] ? task_work_run+0x8a/0xa0
[  487.777825]  [<ffffffff811d4234>] SyS_ioctl+0x74/0x80
[  487.777829]  [<ffffffff8158aeae>] entry_SYSCALL_64_fastpath+0x12/0x71
[  487.777851] Code: 65 ff 0d ce 02 a8 7e 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 e8 b0 01 5d c3 0f 1f 00 65 ff 05 b1 02 a8 7e 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 4e f5 b1 ff 5d
[  487.777854] RIP  [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
[  487.777855]  RSP <ffff8808696d79c0>
[  487.777856] CR2: 0000000000000060
[  487.777860] ---[ end trace 672a2cd555e0ebd3 ]---

The cursor code may be entered with file_priv == NULL && handle == NULL.
The problem was introduced by:

"bf89209 drm/mga200g: Hold a proper reference for cursor_set"

which calls drm_gem_object_lookup(dev, file_priv...). Previously this wasn't
a problem because we checked the handle. Move the check early in the function
can fix the problem.

Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>

1 parent e6c84ac

Files
Changes

Permalinks

File	Mode	Size
9p
adfs
affs
afs
autofs4
befs
bfs
btrfs
cachefiles
ceph
cifs
coda
configfs
cramfs
debugfs
devpts
dlm
ecryptfs
efivarfs
efs
exofs
exportfs
ext2
ext4
f2fs
fat
freevxfs
fscache
fuse
gfs2
hfs
hfsplus
hostfs
hpfs
hugetlbfs
isofs
jbd2
jffs2
jfs
kernfs
lockd
logfs
minix
ncpfs
nfs
nfs_common
nfsd
nilfs2
nls
notify
ntfs
ocfs2
omfs
openpromfs
overlayfs
proc
pstore
qnx4
qnx6
quota
ramfs
reiserfs
romfs
squashfs
sysfs
sysv
tracefs
ubifs
udf
ufs
xfs
Kconfig	-rw-r--r--	6.4 KB
Kconfig.binfmt	-rw-r--r--	7.0 KB
Makefile	-rw-r--r--	4.1 KB
aio.c	-rw-r--r--	43.0 KB
anon_inodes.c	-rw-r--r--	4.9 KB
attr.c	-rw-r--r--	7.9 KB
bad_inode.c	-rw-r--r--	4.7 KB
binfmt_aout.c	-rw-r--r--	10.8 KB
binfmt_elf.c	-rw-r--r--	60.6 KB
binfmt_elf_fdpic.c	-rw-r--r--	47.8 KB
binfmt_em86.c	-rw-r--r--	2.8 KB
binfmt_flat.c	-rw-r--r--	26.4 KB
binfmt_misc.c	-rw-r--r--	17.5 KB
binfmt_script.c	-rw-r--r--	3.0 KB
block_dev.c	-rw-r--r--	46.0 KB
buffer.c	-rw-r--r--	88.9 KB
char_dev.c	-rw-r--r--	13.3 KB
compat.c	-rw-r--r--	37.2 KB
compat_binfmt_elf.c	-rw-r--r--	3.7 KB
compat_ioctl.c	-rw-r--r--	45.5 KB
coredump.c	-rw-r--r--	19.2 KB
dax.c	-rw-r--r--	22.0 KB
dcache.c	-rw-r--r--	89.4 KB
dcookies.c	-rw-r--r--	6.9 KB
direct-io.c	-rw-r--r--	38.1 KB
drop_caches.c	-rw-r--r--	1.6 KB
eventfd.c	-rw-r--r--	11.2 KB
eventpoll.c	-rw-r--r--	59.0 KB
exec.c	-rw-r--r--	40.7 KB
fcntl.c	-rw-r--r--	16.6 KB
fhandle.c	-rw-r--r--	6.5 KB
file.c	-rw-r--r--	23.4 KB
file_table.c	-rw-r--r--	8.5 KB
filesystems.c	-rw-r--r--	6.4 KB
fs-writeback.c	-rw-r--r--	67.4 KB
fs_pin.c	-rw-r--r--	2.0 KB
fs_struct.c	-rw-r--r--	3.3 KB
inode.c	-rw-r--r--	52.9 KB
internal.h	-rw-r--r--	3.6 KB
ioctl.c	-rw-r--r--	15.7 KB
libfs.c	-rw-r--r--	30.4 KB
locks.c	-rw-r--r--	70.1 KB
mbcache.c	-rw-r--r--	24.1 KB
mount.h	-rw-r--r--	3.5 KB
mpage.c	-rw-r--r--	20.3 KB
namei.c	-rw-r--r--	114.6 KB
namespace.c	-rw-r--r--	81.5 KB
no-block.c	-rw-r--r--	688 bytes
nsfs.c	-rw-r--r--	3.7 KB
open.c	-rw-r--r--	26.9 KB
pipe.c	-rw-r--r--	25.0 KB
pnode.c	-rw-r--r--	11.2 KB
pnode.h	-rw-r--r--	1.8 KB
posix_acl.c	-rw-r--r--	19.9 KB
proc_namespace.c	-rw-r--r--	7.7 KB
read_write.c	-rw-r--r--	28.9 KB
readdir.c	-rw-r--r--	6.9 KB
select.c	-rw-r--r--	25.4 KB
seq_file.c	-rw-r--r--	22.4 KB
signalfd.c	-rw-r--r--	9.2 KB
splice.c	-rw-r--r--	46.2 KB
stack.c	-rw-r--r--	2.5 KB
stat.c	-rw-r--r--	11.9 KB
statfs.c	-rw-r--r--	5.3 KB
super.c	-rw-r--r--	35.0 KB
sync.c	-rw-r--r--	9.9 KB
timerfd.c	-rw-r--r--	13.0 KB
userfaultfd.c	-rw-r--r--	34.9 KB
utimes.c	-rw-r--r--	5.9 KB
xattr.c	-rw-r--r--	23.5 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...