intel_sprite_get_colorkey oops

Thu Mar 26 12:56:25 PDT 2015

Hello,

Trinity discovered oopses with the i915 colorkey ioctls, reproducible
on my system with this:

#include <unistd.h>
#include <inttypes.h>
#include <drm/i915_drm.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>

#define GET DRM_IOWR(DRM_COMMAND_BASE + DRM_I915_GET_SPRITE_COLORKEY,
struct drm_intel_sprite_colorkey)

int main(int argc, char **argv)
{
        int fd = open(argv[1], O_RDWR);
        if (fd < 0) {
                perror("open");
                return 1;
        }
        for (int i=0; i < 128; ++i) {
                printf("get=%d\n", i);
                struct drm_intel_sprite_colorkey colorkey = { .plane_id = i };
                ioctl(fd, GET, &colorkey);
        }
        for (int i=0; i < 128; ++i) {
                printf("set=%d\n", i);
                struct drm_intel_sprite_colorkey colorkey = { .plane_id = i };
                ioctl(fd, DRM_IOCTL_I915_SET_SPRITE_COLORKEY, &colorkey);
        }
        return 0;
}

$ ./main /dev/dri/card0
get=0
get=1
get=2
get=3
get=4
get=5
get=6
get=7
get=8
get=9
get=10
get=11
get=12
get=13
get=14
get=15
get=16
get=17

[   40.467123] BUG: unable to handle kernel NULL pointer dereference
at           (null)
[   40.475012] IP: [<          (null)>]           (null)
[   40.480094] PGD 1728cd067 PUD 17163c067 PMD 0
[   40.484589] Oops: 0010 [#1] SMP KASAN
[   40.488297] CPU: 0 PID: 2198 Comm: main Not tainted 4.0.0-rc5+ #87
[   40.501666] task: ffff8800c66cd380 ti: ffff880172790000 task.ti:
ffff880172790000
[   40.509179] RIP: 0010:[<0000000000000000>]  [<          (null)>]
       (null)
[   40.516702] RSP: 0018:ffff880172797d30  EFLAGS: 00010246
[   40.522037] RAX: ffffed002e7acbe2 RBX: ffff88017401d000 RCX: 0000000000000007
[   40.529200] RDX: 0000000000000000 RSI: ffff880172797dd8 RDI: ffff880173d65c00
[   40.536361] RBP: ffff880172797d68 R08: 0000000000000000 R09: 0000000000000000
[   40.543523] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   40.550686] R13: ffff880173d65cd8 R14: ffff880172797dd8 R15: ffff880173d65c00
[   40.557852] FS:  00007f09a72e6700(0000) GS:ffff880175c00000(0000)
knlGS:0000000000000000
[   40.565976] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   40.571744] CR2: 0000000000000000 CR3: 000000017261c000 CR4: 00000000000406f0
[   40.578907] Stack:
[   40.580926]  ffffffff81b4a437 ffff880172797d68 ffff88017401d000
ffff880171470000
[   40.588394]  0000000000000014 fffffffffffffff2 ffffffff8271c400
ffff880172797e88
[   40.595864]  ffffffff818acbbc ffff880172797e18 ffffffff8165d7c2
ffffffff8165d660
[   40.603335] Call Trace:
[   40.605797]  [<ffffffff81b4a437>] ? intel_sprite_get_colorkey+0x97/0xc0
[   40.612438]  [<ffffffff818acbbc>] drm_ioctl+0x27c/0x890
[   40.617687]  [<ffffffff8165d7c2>] ? avc_has_perm+0x182/0x320
[   40.623371]  [<ffffffff8165d660>] ? avc_has_perm+0x20/0x320
[   40.628966]  [<ffffffff81b4a3a0>] ? intel_sprite_set_colorkey+0x260/0x260
[   40.635785]  [<ffffffff8165ffac>] ? inode_has_perm.isra.28+0x7c/0xa0
[   40.642169]  [<ffffffff825dfe5b>] ? _raw_spin_unlock_irq+0x2b/0x40
[   40.648376]  [<ffffffff812f8caf>] do_vfs_ioctl+0x3cf/0x720
[   40.653887]  [<ffffffff81660caa>] ? selinux_file_ioctl+0x6a/0x130
[   40.660008]  [<ffffffff812f9081>] SyS_ioctl+0x81/0xa0
[   40.665083]  [<ffffffff825e0ab2>] system_call_fastpath+0x12/0x17
[   40.671112] Code:  Bad RIP value.
[   40.674465] RIP  [<          (null)>]           (null)
[   40.679634]  RSP <ffff880172797d30>
[   40.683134] CR2: 0000000000000000
[   40.686498] ---[ end trace 9292d9b4aba8dfe9 ]---