From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Vasily Gorbik <gor@linux.ibm.com>, Linux-MM <linux-mm@kvack.org>,
Jason Gunthorpe <jgg@ziepe.ca>,
Andrew Morton <akpm@linux-foundation.org>
Cc: intel-gfx@lists.freedesktop.org,
"open list:DRM DRIVERS" <dri-devel@lists.freedesktop.org>,
open list <linux-kernel@vger.kernel.org>,
Chris Wilson <chris@chris-wilson.co.uk>
Subject: Re: 5.9-rc7 null ptr deref in __i915_gem_userptr_get_pages_worker
Date: Mon, 28 Sep 2020 11:57:14 +0200 [thread overview]
Message-ID: <CAHmME9qPo_MNrVioY=qgOVNxYBVY1_i_eep5wzP-7Akq5fH1Xg@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9odvKzyAG7HgzSE-1gLOfiU=HL1MB5w4z=AwOsjz9WJPA@mail.gmail.com>
Increasing the CC list a bit, as i915 didn't really get much churn
rc6->rc7, but mm/gup.c did, and mm has had a lot of recent changes.
On Mon, Sep 28, 2020 at 11:39 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Seeing a new crash in 5.9-rc7 I didn't have in 5.9-rc6:
>
> [ 1311.596896] BUG: kernel NULL pointer dereference, address: 0000000000000064
> [ 1311.596898] #PF: supervisor write access in kernel mode
> [ 1311.596899] #PF: error_code(0x0002) - not-present page
> [ 1311.596899] PGD 0 P4D 0
> [ 1311.596901] Oops: 0002 [#1] SMP
> [ 1311.596902] CPU: 10 PID: 1431 Comm: kworker/u33:1 Tainted: P S U
> O 5.9.0-rc7+ #140
> [ 1311.596903] Hardware name: LENOVO 20QTCTO1WW/20QTCTO1WW, BIOS
> N2OET47W (1.34 ) 08/06/2020
> [ 1311.596955] Workqueue: i915-userptr-acquire
> __i915_gem_userptr_get_pages_worker [i915]
> [ 1311.596959] RIP: 0010:__get_user_pages_remote+0xd7/0x310
> [ 1311.596960] Code: f5 01 00 00 83 7d 00 01 0f 85 ed 01 00 00 f7 c1
> 00 00 04 00 0f 84 58 01 00 00 65 48 8b 04 25 00 6d 01 00 48 8b 80 40
> 03 00 00 <c7> 40 64 01 00 00 00 65 48 8b 04 25 00 6d 01 00 48 c7 44 24
> 18 00
> [ 1311.596961] RSP: 0018:ffff888fdfe47de0 EFLAGS: 00010206
> [ 1311.596962] RAX: 0000000000000000 RBX: 00007fe188531000 RCX: 0000000000040001
> [ 1311.596962] RDX: 0000000000000001 RSI: 00007fe188531000 RDI: ffff888ff0748f00
> [ 1311.596963] RBP: ffff888fdfe47e54 R08: ffff888fedc7d7c8 R09: 0000000000000000
> [ 1311.596963] R10: 0000000000000018 R11: fefefefefefefeff R12: ffff888ff0748f00
> [ 1311.596963] R13: ffff888fedc7d7c8 R14: ffff888f81fe3a40 R15: 0000000000042003
> [ 1311.596964] FS: 0000000000000000(0000) GS:ffff888ffc480000(0000)
> knlGS:0000000000000000
> [ 1311.596965] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1311.596965] CR2: 0000000000000064 CR3: 0000000002009003 CR4: 00000000003706e0
> [ 1311.596966] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 1311.596966] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 1311.596967] Call Trace:
> [ 1311.596993] __i915_gem_userptr_get_pages_worker+0xc8/0x260 [i915]
> [ 1311.596996] process_one_work+0x1ca/0x390
> [ 1311.596997] worker_thread+0x48/0x3c0
> [ 1311.596998] ? rescuer_thread+0x3d0/0x3d0
> [ 1311.597000] kthread+0x114/0x130
> [ 1311.597001] ? kthread_create_worker_on_cpu+0x40/0x40
> [ 1311.597003] ret_from_fork+0x1f/0x30
> [ 1311.597031] CR2: 0000000000000064
> [ 1311.597033] ---[ end trace e2b8ddde994a6f6d ]---
next parent reply other threads:[~2020-09-28 9:57 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAHmME9odvKzyAG7HgzSE-1gLOfiU=HL1MB5w4z=AwOsjz9WJPA@mail.gmail.com>
2020-09-28 9:57 ` Jason A. Donenfeld [this message]
2020-09-28 10:17 ` Jason A. Donenfeld
2020-09-28 10:22 ` Jason A. Donenfeld
2020-09-28 10:35 ` [PATCH] mm: do not rely on mm == current->mm in __get_user_pages_locked Jason A. Donenfeld
2020-09-28 10:43 ` Chris Wilson
2020-09-28 11:59 ` Jason Gunthorpe
2020-09-28 13:49 ` Peter Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHmME9qPo_MNrVioY=qgOVNxYBVY1_i_eep5wzP-7Akq5fH1Xg@mail.gmail.com' \
--to=jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=chris@chris-wilson.co.uk \
--cc=dri-devel@lists.freedesktop.org \
--cc=gor@linux.ibm.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jgg@ziepe.ca \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox